ISO 19011:2011 Guidelines for Auditing Management Systems

John Coady Chief Audit Manager

FSAI

ISO 19011:2011 Guidelines for Auditing Management Systems

Second edition of ISO 19011:2011
Cancels and replaces the first edition (ISO 19011:2002), which has been technically revised

Main differences are as follows:

Scope Relationship between ISO 19011 and ISO/IEC 17021 Remote audit methods Concept of risk Confidentiality Clauses 5,6 & 7 reorganised Annex B additional information Competence determination & evaluation process strengthened Annex A discipline-specific knowledge & skills ISO public website (www.ISO.org/ISO19011Auditing)
FSAI

Scope
Scope has broadened to provide guidance on auditing management systems rather than auditing quality and environmental management systems Annex A illustrates the application of the guidance in Clause 7 (Competence and Evaluation of Auditors) to different disciplines Title of Standard amended in line with new scope

FSAI

Relationship between ISO 19011 and ISO/IEC 17021

Internal Auditing External Auditing Supplier Auditing Sometimes called Second Party Audit Third Party Auditing For legal, regulatory and similar purposes*

Sometimes called First Party Audit

*See also the requirements in ISO/IEC 17021:2011

FSAI

Remote Audit Methods

Remote audit activities are performed at any place other than the location of the auditee, regardless of the distance - on-site activities are performed at the location of the auditee The feasibility of remote audit activities can depend on the level of confidence between auditor and auditees personnel It should be ensured that the use of remote and on-site application of audit methods is suitable and balanced, in order to ensure satisfactory achievement of audit programme objectives

FSAI

Concept of Risk
ISO 19011:2011 introduces the concept of risk to management systems auditing

The approach adopted relates both to the risk of the audit process not achieving its objectives and to the potential of the audit to interfere with the auditees activities and processes
ISO 19011:2011 does not provide specific guidance on the organisations risk management process, but recognises that organisations can focus audit effort on matters of significance to the management system

FSAI

Confidentiality
New Principle of Auditing in Clause 4 Confidentiality: security of information

Auditors should exercise discretion in the use and protection of information acquired in the course of their duties Audit information should not be used inappropriately for personal gain by the auditor or the audit client, or in a manner detrimental to the legitimate interest of the auditee
Concept includes the proper handling of sensitive or confidential information
FSAI

Clauses 5,6,7 Reorganised

Clause 5 - Provides guidance on establishing and managing an audit programme, establishing the audit programme objectives, and coordinating auditing activities Clause 6 - provides guidance on planning and conducting an audit of a management system Clause 7 - provides guidance relating to the competence and evaluation of management system auditors and audit teams

FSAI

Annex B - Removal of Help Boxes

ISO 19011:2002 provided supplementary guidance or examples on specific topics in the form of practical help in boxed text. In some instances, this is intended to support the use of this International Standard in small organisations The help boxes have been removed in the ISO 19011:2011: Some information has been moved to new Annex B Some information has been incorporated into the text Some information is no longer included e.g. examples of audit programmes Annex B contains extra information e.g. additional guidance on conducting a document review
FSAI

Competence Determination and Evaluation Process has been Strengthened

Clause 7 provides guidance relating to the competence and evaluation of management system auditors and audit teams The evaluation should be conducted using two or more of the methods selected from those in Table 2 of Clause 7.4 i.e.
Review of records Feedback Interview Observation Testing Post-audit review

ISO 19011:2002 stated that evaluation should be undertaken using 1 or more of the methods above

FSAI

Annex A - Discipline-Specific Knowledge & Skills

Illustrative example of discipline-specific knowledge and skills of auditors in: Transportation safety management Environmental management Quality management Records management Resilience, security, preparedness and continuity management Information security Occupational health and safety management

FSAI

ISO Public Website

More information has been made available on an ISO public website (www.ISO.org/ISO19011Auditing).

FSAI

 FSAI