ISO 19011 - Audit

ISO 19011:2011 – Guidelines for
Auditing Management Systems
John Coady
Chief Audit Manager
ISO 19011:2011 – Guidelines for Auditing Management Systems
• Second edition of ISO 19011:2011: cancels and replaces the first edition
(ISO 19011:2002), which has been technically revised
• Main differences are as follows:
  Relationship between ISO 19011 and ISO/IEC 17021
  Remote audit methods
  Concept of risk
  Clauses 5, 6 & 7 reorganised
  Annex B – additional information
  Competence determination & evaluation process
  Annex A – discipline-specific knowledge & skills
  ISO public website
• Scope has broadened to provide guidance on auditing
management systems rather than auditing quality and
environmental management systems
• Annex A illustrates the application of the guidance in
Clause 7 (Competence and Evaluation of Auditors) to
different disciplines
• Title of Standard amended in line with new scope
Relationship between ISO 19011 and ISO/IEC 17021
Internal auditing
  Sometimes called first party audit
External auditing
  Supplier auditing: sometimes called second party audit
  Third party auditing: for legal, regulatory and similar purposes*
*See also the requirements in ISO/IEC 17021:2011
Remote Audit Methods
• Remote audit activities are performed at any place
other than the location of the auditee, regardless of the
distance - on-site activities are performed at the
location of the auditee
• The feasibility of remote audit activities can depend on the level of
confidence between the auditor and the auditee
• The mix of remote and on-site audit methods should be suitable and
balanced, so that the audit programme objectives are still achieved
satisfactorily
Concept of Risk
• ISO 19011:2011 introduces the concept of risk to
management systems auditing
• The approach adopted relates both to the risk of the
audit process not achieving its objectives and to the
potential of the audit to interfere with the auditee’s
activities and processes
• ISO 19011:2011 does not provide specific guidance on
the organisation’s risk management process, but
recognises that organisations can focus audit effort on
matters of significance to the management system
New Principle of Auditing in Clause 4
Confidentiality: security of information
• Auditors should exercise discretion in the use and protection of
information acquired in the course of an audit
• Audit information should not be used inappropriately for personal gain
by the auditor or the audit client, or in a manner detrimental to the
auditee's legitimate interests
• The concept includes the proper handling of sensitive or confidential
information
Clauses 5,6,7 Reorganised
• Clause 5 - provides guidance on establishing and managing an audit
programme, establishing the audit programme objectives, and
coordinating auditing activities
• Clause 6 - provides guidance on planning and
conducting an audit of a management system
• Clause 7 - provides guidance relating to the competence
and evaluation of management system auditors and
audit teams
Annex B - Removal of Help Boxes
• ISO 19011:2002 provided supplementary guidance or examples on specific
topics in the form of practical help in boxed text. In some instances,
this was intended to support the use of the standard in small
organisations
• The help boxes have been removed in ISO 19011:2011:
  Some information has been moved to the new Annex B
  Some information has been incorporated into the main text of the
  standard
  Some information is no longer included, e.g. examples of audit
  programmes
• Annex B also contains extra information, e.g. additional guidance on
conducting a document review
Competence Determination and Evaluation
Process has been Strengthened
• Clause 7 provides guidance relating to the competence
and evaluation of management system auditors and
audit teams
• The evaluation should be conducted using two or more of the methods
selected from Table 2 of Clause 7.4, e.g.
  Review of records
  Post-audit review
• ISO 19011:2002 stated that evaluation should be undertaken using one or
more of these methods
Annex A - Discipline-Specific Knowledge & Skills
Illustrative examples of discipline-specific knowledge and skills of
auditors in:
Transportation safety management
Environmental management
Quality management
Records management
Resilience, security, preparedness and continuity
Information security
Occupational health and safety management
ISO Public Website
More information has been made available on an ISO public website