New Standard for System Auditors

For those of you who are not familiar with ISO 19011, this is a set of guidelines for auditing management systems first issued in 2002. A revised version of the standard is expected to be published before the end of 2011.

What impact will this have on your business?

Two things have changed significantly in the 2011 edition…

1. Initially called a ‘Guideline for Quality and Environmental Management System Auditing’, the number of applicable standards has increased dramatically which is reflected in the revised title and content of ISO 19011 now titled “Guidelines for Auditing Management Systems”.

2. ISO 19011:2002 also provided guidance for all users, including internal company audits, supplier audits and certification body audits. ISO 17021:2011 now identifies the requirements for certification bodies such as BSI and LRQA so the revised ISO 19011:2011 standard focuses on internal (first party) audits and, supplier (second party) audits.

What’s new in ISO 19011:2011?

The standard sets out good practice for Managing an Audit Programme and Performing an Audit which has been updated to reflect current best practice and current trends.

These sections provide flexible guidance according to the size, level of maturity of an organisation’s management system, and the nature and complexity of the organisation to be audited. The concept of risk in auditing is also introduced.

Guidance is also given on combined audits, where two or more management systems of different disciplines are audited together (e.g. QMS & EMS).

The use of technology in remote auditing is discussed and how, for example, remote audit interviews should be conducted and recorded.

Although this may acknowledge current trends in auditing, the basics of how to manage and conduct an audit remain similar to the original ISO 19011:2002 standard.

Competence & evaluation of your audit team…

More significant changes have been introduced in the guidance on competence and evaluation of auditors to cover the audit of multiple systems and integrated systems.

For example, the standard now identifies an understanding of risk management techniques and legal requirements for OHSAS 18001 auditors.

Annex B of ISO 19011 goes a stage further by defining how competency is achieved (e.g. a Risk Assessment Training Course) and how evidence of the competency is shown and evaluated (e.g. training records and interview).

This change recognises that education, work experience, training and audit experience are enablers to competence and effective auditing.

What does this mean in practice?

Although ISO 19011 is, and only ever will be, a set of best practices it provides good guidance to improve the skill base of your audit team when auditing multiple management systems.

Also expect the certification bodies to start to use the standard as a way to define internal auditor competency and to drive improvement in this area.