IRCA Briefing note: ISO/FDIS 19011:2011 Guidelines for auditing management systems




Introduction

The International Register of Certificated Auditors (IRCA) has prepared this briefing note to communicate to IRCA Certificated Auditors, IRCA Approved Training Organisations and other interested parties our understanding of ISO/FDIS 19011:2011. The content of this briefing note is provided in good faith and is the opinion of the IRCA. It should not be reproduced nor used for commercial purposes. IRCA Certificated Auditors and IRCA Approved Training Organisations are advised to familiarise themselves with ISO 19011:2011 when it is published.

FDIS released to the National Standards bodies: July 2011
ISO 19011:2011 expected to be issued: October 2011

Since initial publication in 2002 a number of new management system standards have been published. This has resulted in a need to consider a broader scope of management system auditing as well as providing guidance that is more generic. This is reflected in the revised title, Guidelines for auditing management systems, and in the content. ISO 19011:2011 provides guidance for all users, including small and medium sized organizations, and concentrates on what are commonly termed internal (first party) and second party audits, as often conducted by customers on their suppliers.

Relationship between ISO/IEC 17021:2011 and ISO 19011:2011

ISO 19011 is intended to provide useful guidance on:
- Internal auditing (commonly called 1st party audit)
- External auditing: supplier auditing (commonly called 2nd party audit)

External 3rd party auditing, e.g. for legal, certification and similar purposes, is addressed by ISO/IEC 17021:2011, Conformity assessment - Requirements for bodies providing audit and certification of management systems.

Page 1 of 10

With the publication of ISO 17021:2011 we now have two independent standards:
- ISO 19011:2011 - Guidelines for auditing management systems, and
- ISO 17021:2011 - Conformity assessment - Requirements for bodies providing audit and certification of management systems.

Some may view the guidance in ISO 19011:2011 as a substantial change. Others may think it largely captures good practices already implemented. The IRCA's view is that publication of ISO 19011:2011 provides auditors, organizations implementing management systems and organizations needing to conduct audits of management systems an opportunity to re-assess their own practices and identify improvement opportunities.

Summary of the changes within ISO 19011:2011

Overview

ISO 19011 has been revised to provide persons involved in management system auditing with good audit practice guidance relevant to today's environment, where many organizations operate a management system covering multiple disciplines, for example quality, environment, occupational health and safety and information security.

The Principles of auditing on which the guidance is based have been revised and expanded to include the new principle of Confidentiality: security of information, a principle that requires auditors to be prudent in the use and protection of information acquired in the course of their duties.

The main body of ISO 19011:2011 sets out good practice for Managing an Audit Programme and Performing an Audit. Both have been updated to reflect current thinking and in parts expanded significantly. These sections provide detailed guidance, intended to be used flexibly according to the size and level of maturity of an organization's management system and the nature and complexity of the organization to be audited. The concept of risk in auditing is introduced. Some guidance is given on combined audits, where two or more management systems of different disciplines are audited together (e.g. EMS and OHSAS). Also, the use of technology in remote auditing is acknowledged, for example conducting remote interviews and reviewing records remotely.

Although significantly rewritten, the overall approach to managing an audit programme and planning and conducting audits described in these two sections is consistent with the previous issue and with the requirements of ISO 17021:2011.

Changes have been introduced in the guidance on Competence and evaluation of auditors. As would be expected, given that ISO 19011:2011 addresses auditing management systems covering multiple disciplines, some of these are wide ranging. The significant changes include:

ISO 19011:2011 identifies that necessary auditor competence comprises generic knowledge and skills of management systems, plus discipline (e.g. EMS) and sector (e.g. aerospace) knowledge and skills. Annex A (informative) gives examples of discipline-specific knowledge and skills of auditors, including:
- Transportation safety management
- Environmental management
- Quality management
- Records management
- Resilience, security, preparedness and continuity management
- Information security
- Occupational health and safety

No guidance is given on sector specific knowledge and skills of auditors. These may be developed later and published separately.

ISO 19011:2002 gave guidance on education, work experience, auditor training and audit experience that contribute to development of the knowledge and skills needed to perform audits and lead audit teams. ISO 19011:2011 also gives guidance on knowledge and skills of management system auditors and an audit team leader, but no longer makes reference to auditors having completed education, work experience, auditor training and audit experience. This change recognises that education, work experience, training and audit experience are enablers to competence, which ISO 19011:2011 and ISO 17021:2011 define as the ability to apply knowledge and skills to achieve intended results. Also, ISO 19011:2011 and ISO 17021:2011 recognise that competence needs to be evaluated, which can be done in a variety of ways, for example a combination of testing and examination, interview and observed audits.

Detail review

1. Scope - no significant changes.

2. Informative references - the previous reference to terms and definitions given in ISO 9000 (QMS) and ISO 14050 (EMS) is deleted.

3. Terms and definitions - definitions for Observer and Guide are introduced, and also for Risk. The term risk is used in ISO 19011:2011 in the context of risk-based auditing and also of audit programme risks. The definition of competence is revised and, although the change in wording appears slight, it requires organisations to determine competence to achieve intended results. The starting point for this is to define the intended results for the various activities involved in managing an audit programme and performing audits. This change is consistent with ISO 17021:2011.

4. Principles of auditing - expanded from five to six. Principles (a) to (d) relate to auditors and the person managing the audit programme. Principles (e) and (f) relate to the audit.
- Integrity: the foundation of professionalism. Replaces and expands the previous principle of Ethical conduct.
- Fair presentation: the obligation to report truthfully and accurately. Minor expansion.
- Due professional care: the application of diligence and judgement in auditing. "Having the necessary competence is an important factor" is replaced with "An important factor in carrying out their work with due professional care is having the ability to make reasoned judgement in all audit situations".
- Confidentiality: security of information. A new principle that addresses the need for auditors to exercise discretion in the use and protection of information acquired in the course of their duties. The principle refers to inappropriate use of such information for personal gain or in a manner detrimental to the legitimate interests of the auditee.
- Independence: the basis for the impartiality of the audit and objectivity of audit conclusions. Provides more specific guidance on the extent of independence that needs to be achieved, whilst recognising that in small organizations it may be difficult for internal auditors to be fully independent. Now refers to internal auditors being independent from the operating managers of the function being audited. Reflects the interpretation of independence that certification bodies generally apply.
- Evidence-based approach: the rational method for reaching reliable and reproducible audit conclusions in a systematic way. Minor rewording.

5. Managing an audit programme - considerable revision. Clarity of the guidance has been improved by structuring the section to follow a process flow:
5.1 General
5.2 Establishing the audit programme objectives
5.3 Establishing the audit programme
5.4 Implementing the audit programme
5.5 Monitoring the audit programme
5.6 Reviewing and improving the audit programme

General - this section recognises that an organization may implement a number of management system standards. Where the previous issue of ISO 19011 referred to an organization establishing one or more audit programmes, ISO/FDIS 19011:2011 refers to an audit programme that can include audits considering one or more management system standards. In practical terms this makes little difference. This section refers to allocating audit resources to audit those matters of significance within the management system. It notes that this concept is commonly known as risk-based auditing. This reflects the requirements of many management system standards, for example ISO 9001:2008, although the term risk is not always used.

Establishing the audit programme objectives - section title revised; otherwise little practical change, although the list of considerations to take account of when establishing audit programme objectives has been extended; it now includes, for example, results of previous audits and maturity of the management system being audited. Also, for clarity in structuring the content to follow the process flow, guidance on the extent of an audit programme has been transferred to section 5.3.3.

Establishing the audit programme - revision of what was previously titled Audit programme responsibilities, resources and procedures. New to this issue is guidance on Competence of the person managing the audit programme. Also new is guidance on Identifying and evaluating audit programme risks, for example risks associated with ineffective communication of the audit programme.

Implementing the audit programme - more extensive guidance is given, including describing more clearly what the person managing the audit programme should do to implement it. The need to Define the objectives, scope and criteria for an individual audit is a sub-section. This identifies that each audit should have a clear objective, for example identification of areas for potential improvement of a management system. This addresses a weakness often found in audit systems, where audits are scheduled and carried out with no clearly defined purpose or objective.

This section also highlights issues to consider when two or more management systems of different disciplines are audited together. There is a new sub-section, Selecting the audit methods, and additional guidance on this is given in Annex B. The previous simplistic approach to audit methods of on-site or off-site has been revised to take account of the use of technology in remote auditing, for example conducting remote interviews and accessing records remotely. Other sub-sections include:
- Selecting the audit team members
- Assigning responsibilities for an individual audit to the team leader
- Managing the audit programme outcome
- Managing and maintaining audit programme records

In summary, section 5.4 of ISO 19011:2002 has been extensively rewritten to provide comprehensive guidance on what was previously a list of headline topics that needed to be addressed when implementing the audit programme. Section 5.5 of ISO 19011:2002, Audit programme records, is now part of section 5.4.

Monitoring the audit programme and Reviewing and improving the audit programme - these two sections replace what was previously one, Audit programme monitoring and reviewing. Minor expansion and reference to consider the need to:
- evaluate the performance of audit team members
- consider, as part of a review, alternative or new auditing methods
- review the effectiveness of the measures to address the risks associated with the audit programme
- review confidentiality and information security issues relating to the programme

6. Performing an audit - as with section 5, the guidance has been improved and in parts more detail is given. The section is structured to follow the audit process flow, which is largely as it was presented in ISO 19011:2002.
6.1 General
6.2 Initiating the audit
6.3 Preparing audit activities
6.4 Conducting the audit activities
6.5 Preparing and distributing the audit report
6.6 Completing the audit
6.7 Conducting audit follow-up

Some, but not all, of the changes are described below to illustrate the extent and nature of the revisions.

Initiating the audit - no longer refers to appointing the team leader or defining audit objectives, scope and criteria, as these are dealt with under Managing an audit programme. Now focuses on Establishing initial contact with the auditee and Determining the feasibility of the audit.

Preparing audit activities - combines what were previously two sections, Conducting document review and Preparing for the on-site audit activities. Now covers:
- Performing document review in preparation for the audit
- Preparing the audit plan
- Assigning work to the audit team
- Preparing work documents

As described in ISO 19011:2011, the purpose of performing document review in preparation is to gather information to prepare audit activities and applicable work documents, and also to establish an overview of the extent of the system documentation to detect possible gaps. What some have previously referred to as a documentation review - reviewing documentation to determine conformity of the system with audit criteria - is now dealt with as part of conducting audit activities.

Conducting audit activities - now covers:
- Conducting the opening meeting
- Performing document review while conducting the audit
- Communicating during the audit
- Assigning roles and responsibilities of guides and observers
- Collecting and verifying information
- Generating audit findings
- Preparing audit conclusions
- Conducting the closing meeting

Preparing and distributing the audit report - no substantial changes.

Completing the audit - no substantial changes.

Conducting audit follow-up - no substantial change. Text clarifies that post-audit actions may be corrections, corrective action, and preventive or improvement actions. Reference to corrections added.

7. Competence and evaluation of auditors - some significant changes have been introduced, as would be expected given that ISO 19011:2011 addresses auditing management systems covering multiple disciplines. New guidance includes:

Determining auditor competence to fulfil the needs of the audit programme - a section that identifies factors to consider when deciding appropriate knowledge and skills, for example the management system disciplines to be audited. This section then goes on to describe:

Personal behaviour - behaviours auditors should display during the performance of audit activities, for example observant, perceptive, open to improvement, culturally sensitive and collaborative. Some expansion on ISO 19011:2002.

Knowledge and skills - this section comprises:

Generic knowledge and skills of management system auditors - a section expanded to incorporate the knowledge and skills needed to audit multiple discipline management systems and to implement other parts of ISO 19011:2011. For example: understand the types of risk associated with auditing; have knowledge of organizational types, general business and management concepts, processes and related terminology, including budgeting and management of personnel. Many of the additions in this section address the need for auditors to be able to position discipline and sector requirements and audit findings in the wider context of the organization's business activities, governing agencies, business environment, legal and contractual requirements, and management's policies and intentions for the organization.

Discipline and sector specific knowledge and skills of management system auditors (discipline, for example EMS; sector, for example aerospace) - ISO 19011:2002 provided guidance for quality management system auditors and environmental management system auditors, each having its own section on auditor knowledge and skill requirements. In ISO 19011:2011 these two sections are replaced by one that identifies knowledge and skills that need to be applied to all management systems. For example, knowledge of:
- Legal requirements relevant to the specific discipline.
- Fundamentals of the discipline and the application of business and technical discipline-specific methods, techniques, processes and practices, sufficient to enable the auditor to examine the management system and generate appropriate audit findings and conclusions.
- Risk management principles, methods and techniques relevant to the discipline and sector, to enable the auditor to evaluate and control the risks associated with the audit programme.

ISO 19011:2011 Annex A provides guidance on discipline-specific knowledge and skills of auditors for:
- Transportation safety management
- Environmental management
- Quality management
- Records management
- Resilience, security, preparedness and continuity management
- Information security
- Occupational health and safety

No guidance is given on sector specific knowledge and skills. These could be developed later and published separately.

Generic knowledge and skills of an audit team leader - now includes the knowledge and skills to:
- Balance the strengths and weaknesses of the individual audit team members
- Develop a harmonious working relationship among the audit team members
- Manage the uncertainty of achieving audit objectives

Knowledge and skills for auditing management systems addressing multiple disciplines - previously limited to auditors who audit both quality and environmental management systems, and quite prescriptive. Now describes in principle the knowledge and skill requirements, for example understanding of the interaction and synergy between the different management systems.

Achieving auditor competence - a section that largely replaces previous, quite prescriptive, guidance. For example, ISO 19011:2002 refers to five years' work experience and twenty days of audit experience etc. The new issue acknowledges that auditor knowledge and skills can be acquired using a combination of education, auditor training programmes, experience in relevant technical, managerial or professional positions, and audit experience, without detailing specific guidance.

Auditor evaluation - ISO 19011:2011 gives guidance on:
- Establishing the auditor evaluation criteria - as previously, these should be qualitative, for example having demonstrated audit skills, and quantitative, for example number of audits conducted.
- Selecting the appropriate auditor evaluation method - as previously, guidance is given on evaluation methods, for example review of records, feedback, interview etc.
- Conducting auditor evaluation - a simple statement that the information collected about the person should be compared against the criteria set, and that when the criteria are not met, additional training, work or audit experience and subsequent re-evaluation should be performed.

Overall the guidance given is largely unchanged; however its presentation has been simplified and ease of understanding improved.

Maintaining and improving auditor competence - largely unchanged in stating that auditors and team leaders should continually improve their competence through participation in management system audits and continual professional development. The guidance makes it clear that the person managing the audit programme should establish suitable mechanisms for the continual evaluation of the performance of the auditors and team leaders.

Annex A (informative) Illustrative examples of discipline-specific knowledge and skills of auditors - provides guidance that organizations may choose to use to support the development of their own auditor competence criteria and selection of auditors.

Annex B (informative) Additional guidance for auditors planning and conducting audits - more practical guidance, of a type often given in Auditor/Lead Auditor training courses. Extracts from Annex B include, for example:
- Selecting sources of information - a list of sources of information to select from, e.g. interviews, observation of activities, databases and websites.
- Conducting document review - a list of things auditors should consider, e.g. whether the information in the documents is complete, correct, consistent and current.
- Preparing working documents - considerations for each document, e.g. who will be the user of this work document?
- Sampling - guidance on selecting sampling methods, judgement-based sampling and statistical sampling.
- Guidance for visiting the auditee's location - practical guidance on planning and conducting on-site activities, e.g. confirm with the auditee that any required PPE will be available; if taking photographs, ask for authorisation from management in advance and consider security and confidentiality matters.

Other guidance covers conducting interviews, audit findings (determining audit findings, recording conformities and recording nonconformities) and dealing with findings related to multiple criteria.

END