Published on: September 29, 2022
There are many different types of audits, such as financial audits, safety audits, and operational audits. For ISO Management System Standards, audits are a major component of the Certification process, requiring different types of audits along this journey.
To be Certified, a business needs to go through Certification Audits with an Accredited Certification Body. However, the ISO Management System Standards also require Internal Audits both before a business goes for their Certification Audits, and after achieving their certification, to meet ongoing requirements and to facilitate continual improvement.
Having the Internal Audits conducted by a competent auditor will ensure that a business will get the most out of this process, where gaps, non-conformances and areas for improvement can be identified, facilitating continual improvement.
Continue reading to find out why it is important to be a competent auditor, and what the ISO 19011:2018 standard is.
ISO 19011:2018 is a set of guidelines for auditing management systems.
ISO 19011:2018 is designed to advise organisations on how to go about auditing management systems for conformance to standards such as ISO 14001:2015 for Environmental Management Systems and ISO 9001:2015 for Quality Management Systems. The standard provides guidance on preparing audit programs, management of an audit programme, on the planning and conducting of management system audits, as well as on the competence and evaluation of an auditor and an audit team.
It’s important to note that since the standard is not a set of requirements, it means that it is not a standard that a business can get certified to.
The ISO 19011:2018 standard focuses on applying the principles of continual improvement to audits. This will include ensuring that the audit program’s objectives align with the key objectives of the organisation being audited, guaranteeing that the needs and best interests of customers and other stakeholders are prioritised.
The guidance provided by the standard is intended to be flexible. The size and level of maturity of an organisation’s management system, as well as the nature and complexity of an organisation being audited should be considered, so that an appropriate audit schedule can be planned.
Did you know that ISO 19011:2018 contributes to two of the 17 United Nations Sustainable Development Goals? Businesses could help contribute to Goal 8: Decent Work and Economic Growth, and Goal 9: Industry, Innovation and Infrastructure by applying the ISO 19011:2018 guidelines. If you want to learn more about how ISO contributes to the SDGs, you can read more here.
In a nutshell, an audit is a systematic process where objective evidence is obtained and evaluated to determine if a business has fulfilled a set of criteria or requirements.
The ISO 19011:2018 guidelines document concentrates on Internal Audits, and audits conducted by organisations on their external providers and other external interested parties. However, before we get further into the blog, let’s get you up to speed with the different types of audits.
First party audits, commonly referred to as Internal Audits, are conducted by the organisation being audited, or by someone on behalf of the organisation. The internal audit will measure effectiveness of management systems implementation and conclude if the organisation has met the requirements of the relevant ISO Management System Standard(s).
Second party audits are performed on a supplier or provider’s systems or operations by their client or a contracted organisation on their behalf. For example, an organisation might hire someone to audit its supplier’s system to ensure that an organisation meets contractual obligations and requirements.
Third party audits, also referred to as Certification Audits, are independent impartial audits with the objective of assessing the level of conformity of Business Management Systems against ISO Standards. These Audits will be conducted by a Conformity Assessment Body (CAB), who will, upon successful audit outcomes, issue the Certifications against the chosen Standard(s), e.g. ISO 9001:2015.
ISO/IEC 17021-1:2015 is another standard related to auditing Management Systems. However, different from ISO 19011:2018, this standard provides requirements for auditing management systems for third party certification only – meaning audits conducted by Conformity Assessment Bodies, as well as specifying requirements relating to the certification services they’re providing. If you want to find out more about the ISO/IEC 17021-1:2015 Standard, click here.
It’s crucial that an audit is conducted effectively and with reliability, to support management and drive improvement across the business. In order to achieve this, ISO 19011:2018 provides 7 auditing principles that act as a prerequisite for consistent audit practices. They are as follows:
Working in accordance with these 7 principles enables auditors to reach similar audit conclusions in similar circumstances, even when working independently from one another anywhere in the world.
Like many roles and processes in organisations, confidence in the audit process and the ability to achieve its objectives depends on the competency of the individuals performing the audits. The ISO 19011:2018 Standard refers to the competence of management systems auditors.
In deciding the necessary competence for an internal audit, it’s important to consider an auditor’s knowledge and skills in relation to:
An individual’s competence should be evaluated through a process that considers personal behaviour and the ability to apply the knowledge and skills gained through education, work experience, auditor training and audit experience, which will be discussed next.
Auditors need to ensure that they are always exhibiting professional behaviour while performing audit activities. Most of these personal behaviours will stem from the 7 auditing principles which were previously mentioned. The main traits of an auditor’s personal behaviour should be as follows:
In relation to knowledge and skills, auditors should possess:
Internal Auditor competence can be achieved via a combination of four aspects, including:
Some businesses may choose to engage an expert external consultant to conduct their Internal Audits, instead of using their own internal resources. This ensures that a business is getting the most out of their audits as the consultants have professional experience, and a fresh and unbiased perspective that provides valuable insights to facilitate business improvement.
In order for someone in the business to be deemed competent to conduct Internal Audits of ISO Management Systems, the first step is training. With our Management Systems Internal Auditor Training, you can achieve three levels of internationally recognised certificates, including the one for Competency after successful assessment of your first internal audit by one of our experts. Our Internal Auditor training also provides the tools to develop all the skills and resources needed to become a competent internal auditor, in line with the guidelines of ISO 19011:2018.
Erica is the Managing Director of ISO Certification Experts and ICExperts Academy. She has been helping businesses with their ISO Certification needs for over 20 years. Erica is also a Certified trainer, implementer and auditor for ISO 9001, ISO 14001, ISO 45001 and ISO 27001 standards. Erica primarily heads up the day-to-day operations of the businesses, and is also a current member of the Australian Organisation for Quality and Brand Integrity Committee.
All information on this blog site is for informational purposes only. As this information is based on our professional experience, opinion, and knowledge, we make no representations as to the suitability of this information for your individual business circumstances. Especiality Pty Ltd trading as ICExperts Academy and all related businesses and brands will not be liable for any errors, omissions, legal disputes or any damage arising from its display or use. All information is provided as is, with no warranties and confers no rights.
We will not be responsible for any material that is found at the end of links that we may post on this blog site. The advice, ideas, and strategies should never be used without first assessing your own personal business situation or seeking professional and/or legal advice. Information may also change from time to time to suit industry and business needs, requirements and trends.
Once subscribed, you’ll receive regular updates about ICExperts Academy and monthly blog posts straight to your inbox.
We respect your privacy. Easily unsubscribe at anytime.