ISO 19011 2011 Auditing Standard

EXECUTIVE SUMMARY

ISO 19011 2011 is a standard for auditing management systems.
It was developed by ISO Technical Committee 176, Subcommittee 3.
ISO/TCC176176 is responsible for "quality management and quality
assurance" and SC 3 is responsible for "supporting technologies".

The official name of this standard is ISO 19011:2011 Guidelines
for auditing management systems. They're referred to as guidelines
because they’re voluntary. They’re not requirements or contractual
obligations. These guidelines can be found in the following four
sections:

4. Audit Principles
5. Audit Program
6. Audit Activities
7. Auditor Competence

Part 4 outlines the principles that are (or should be) the foundation
of management system auditing. They define the essential nature
of auditing and should therefore influence how audit programs
are designed, how audit activities are carried out, and how
auditor competence is evaluated.

Part 5 explains how management system audit programs are
designed and managed. It discusses how program objectives are
established and how audit programs are developed, implemented,
monitored, reviewed, and improved.

Part 6 explains how audit activities are planned and performed.
It discusses how audits are initiated, how auditors prepare for
audits, how they carry out audits, how audit results are
reported, and how audits are completed.

Part 7 explains how the competence of management
system auditors is evaluated. It discusses how competence
requirements are defined, how auditor evaluation criteria are
developed, how auditor evaluation methods are selected,
and how competence is evaluated and improved.

ISO 19011 2011 vs ISO 19011 2002

ISO first published this standard in 2002. This second edition
was published on November 15, 2011. It cancels and replaces
the first edition. If you compare the first and the second edition,
you'll notice some important differences.

New Scope. Perhaps the biggest difference relates to the
scope of the standard. The old standard applied only to quality
and environmental management systems. The new standard
now applies to all types of management systems.

New Focus. There are two auditing standards that apply to
management systems: ISO 19011 2011 and ISO IEC 17021 2011.
The relationship between these two standards has now been
clarified. ISO 19011 2011 applies to first and second party
audits while ISO 17021 2011 applies to third party audits.

New Principle. The standard now wants you to care about
confidentiality and information security. It wants you to handle
information with due care and discretion. It wants you to protect
information that is sensitive or confidential. In general, it now
wants you to be careful about how you and your clients manage
information acquired during the course of an audit.

New Concept. The new standard now wants you to think about
risk. It now expects you to consider the risks that could affect the
achievement of audit program objectives. It also suggests that you
allocate audit program resources so that more significant matters
receive priority. Adding more resources to more important matters
is called risk-based auditing.

New Method. The new standard now asks you to consider
using remote audit methods in addition to onsite audit methods.
Remote audit methods are carried out away from the auditee's
physical location. They include long distance interviews and
the use of interactive electronic communications.

New Annexes. Finally, the standard now has two annexes. Annex A
describes the type of knowledge and skill that management system
auditors should have and Annex B is designed to help auditors to
plan and perform their work.

ISO 19011 2011 has also been rewritten, reorganized, and
expanded. And because it's a new standard, many sections
have been strengthened and improved.

ISO 19011 2011 vs ISO IEC 17021 2011

The following table will show how the ISO 19011 and ISO IEC 17021
standards are related. As you can see, ISO 19011 should be used if
you're interested in first or second party audits and ISO IEC 17021
should be used if you're interested in third party audits.

INTERNAL AUDITS	EXTERNAL AUDITS
FIRST PARTY	SECOND PARTY	THIRD PARTY
ISO 19011	ISO 19011	ISO IEC 17021
Organizations audit themselves.	Customers audit their suppliers. Regulators and other interested parties audit organizations.	Certification bodies and regulators audit organizations.

Organizations use first party audits to audit their own performance.
First party audits are used to confirm or improve the effectiveness of
management systems. They're also used to declare that an organization
complies with a standard (this is called a self-declaration).

Second party audits are external audits. They’re usually done by
customers (or by others on their behalf) when they wish to audit their
suppliers. However, they can also be done by regulators or any other
external party that has a formal interest in an organization.

WHO SHOULD USE ISO 19011 2011

As the previous table shows, ISO 19011 2011 should
be of interest to both internal and external auditors.

Use ISO 19011 if:

You need to improve your audit process.
You need to develop your own audit program.
You need to train management system auditors.
You need to manage and control audit activities.
You need to do audits to comply with contracts.
You need to certify management system auditors.
You need to evaluate the competence of auditors.
You need to audit your own management systems.
You need to make a self-declaration of compliance.
You need to carry out audits for regulatory reasons.
You need to audit your supplier's management system.

Use ISO 19011 if you audit:

Risk management systems
Safety management systems
Health management systems
Quality management systems
Energy management systems
Service management systems
Disaster management systems
Records management systems
Document management systems
Emergency management systems
Food safety management systems
Sustainability management systems
Environmental management systems
Business continuity management systems
Information security management systems
Transportation safety management systems
Supply chain security management systems
Organizational resilience management systems
Occupational health and safety management systems

ISO 19011 can be used by any organization no matter what
size it is or what it does. It can be used by both public and private
organizations and by groups, associations, and enterprises of all
kinds. It is not specific to any sector or industry and can be used
to improve any audit process.

However, exactly how you apply ISO 19011 is up to you and will
depend on your organization’s needs, objectives, and challenges,
and should reflect what it does and how it operates.

ANNEXES

ISO 19011 2011 has two Annexes. Plain English versions
of this material can be found at the end of this publication.

According to ISO 19011, auditors need to have discipline-specific
and sector-specific knowledge and skill in order to be able to audit
specialized management systems and sectors, to evaluate auditees'
activities, processes, and products, and to generate appropriate audit
findings and reach valid conclusions. Annex A describes the type of
knowledge and skill that management system auditors need to have.
Use this material to help you select and evaluate your auditors.

Annex B will help management system auditors to plan and perform
their work. It discusses audit methods, document reviews, audit
sampling, working papers, information sources, onsite visits,
audit interviews, and audit findings.

Home Page	Our Libraries	A to Z Index	Our Customers
How to Order	Our Products	Our Prices	Our Guarantee
Praxiom Research Group Limited help@praxiom.com 780-461-4514