ISO 19011:2011 - ONE for ALL

Posted on January 2, 2013 in Articles

ISO 19011 was first published in 2002 to provide guidance on auditing management systems, as well as guidance on evaluating the competence of individuals involved in the audit process. At that time, however, the Standard mainly covered auditing of the Quality Management System (QMS) and the Environmental Management System (EMS), as its title explains well: “Guidelines for Quality and/or Environmental Management Systems audit”. After 2002, a number of new management system standards were introduced, triggering a need to consider a broader scope of management system auditing and to provide guidance that is more generic.

The second edition of ISO/IEC 17021, published in 2011, was another catalyst pushing for an upgrade of the first edition of ISO 19011. Moreover, I’m sure there are also questions and concerns from auditors regarding which guidelines to use when auditing management systems other than the QMS and EMS.

As a result, the second edition of ISO 19011, “Guidelines for auditing Management Systems”, was published in 2011 to replace the first edition. The main differences compared with the first edition are as follows:

  • The scope has been broadened from the auditing of quality and environmental management systems to the auditing of any management system;
    - ISO 19011:2011 can now be used as guidelines for auditing management systems, as it is no
      longer restricted to QMS and/or EMS.
  • The relationship between ISO 19011 and ISO/IEC 17021 has been clarified;
    - ISO/IEC 17021 published in 2011 was extended to transform the guidance offered in this
      International Standard into requirements for management system certification audits. It is in this
      context that this second edition of this International Standard provides guidance for all users,
      including small and medium-sized organisations, and concentrates on what are commonly
      termed “internal audits” (first party) and “audits conducted by customers on their suppliers”  
      (second party). While those involved in management system certification audits follow the
      requirements of ISO/IEC 17021:2011, they might also find the guidance in this International
      Standard useful.
    - The scope of this International Standard and its relationship with ISO/IEC 17021:2011

    Internal Auditing
      - Sometimes called First Party Audit
    External Auditing
      - Supplier Auditing: sometimes called Second Party Audit
      - Third Party Audit: for legal, regulatory and similar purposes; for certification

    ISO 19011:2011 provides guidance for all audits.
    ISO/IEC 17021:2011 is a requirement for certification purposes only.

  • Remote audit methods and the concept of risk have been introduced;
    - Remote audit methods are set out below, by the extent of involvement between the auditor
      and the auditee and by the location of the auditor.

      Human interaction, on-site:
        - Conducting interviews.
        - Completing checklists and questionnaires with auditee participation.
        - Conducting document review with auditee participation.

      Human interaction, remote:
        - Via interactive communication means:
          — conducting interviews;
          — completing checklists and
          — conducting document review with auditee participation.

      No human interaction, on-site:
        - Conducting document review (e.g. records, data analysis).
        - Observation of work performed.
        - Conducting on-site visit.
        - Completing checklists.
        - Sampling (e.g. products).

      No human interaction, remote:
        - Conducting document review (e.g. records, data analysis).
        - Observing work performed via surveillance means, considering social and legal
        - Analysing data.

    On-site audit activities are performed at the location of the auditee. Remote audit activities are performed at any place other than the location of the auditee, regardless of the distance.

    Interactive audit activities involve interaction between the auditee’s personnel and the audit team.
    Non-interactive audit activities involve no human interaction with persons representing the auditee but do involve interaction with equipment, facilities and documentation.

    - Risk-based auditing is introduced as it is known that there are many different risks associated
      with establishing, implementing, monitoring, reviewing and improving an audit programme that
      may affect the achievement of the auditing objectives.
  • Confidentiality has been added as a new principle of auditing;
    - Auditors should exercise discretion in the use and protection of information acquired in the
      course of their duties. Audit information should not be used inappropriately for personal gain
      by the auditor or the audit client, or in a manner detrimental to the legitimate interests of the
      auditee. This concept includes the proper handling of sensitive or confidential information.

  • Illustrative examples of discipline-specific knowledge and skills have been included;
    - Illustrative examples of the discipline-specific knowledge and skills of auditors, such as in
      Transportation Safety Management, Environmental Management, Record Management and
      Information Security Management, are included in this second edition of the International
      Standard to serve as guidance to auditors.

This second version of ISO 19011 clears up the question marks that auditors have, as it has now been made common and generic for use in auditing management systems.

**Information used in this write-up is from the ISO 19011:2001 standard.
