There are many different types of audits, such as financial audits, safety audits, and operational audits. For ISO Management System Standards, audits are a major component of the Certification process, requiring different types of audits along this journey.
To be Certified, a business needs to go through Certification Audits with an Accredited Certification Body. However, the ISO Management System Standards also require Internal Audits both before a business goes for their Certification Audits, and after achieving their certification, to meet ongoing requirements and to facilitate continual improvement.
Having the Internal Audits conducted by a competent auditor will ensure that a business will get the most out of this process, where gaps, non-conformances and areas for improvement can be identified, facilitating continual improvement.
Continue reading to find out why it is important to be a competent auditor, and what the ISO 19011:2018 standard is.
What is ISO 19011:2018?
ISO 19011:2018 is a set of guidelines for auditing management systems.
ISO 19011:2018 is designed to advise organisations on how to go about auditing management systems for conformance to standards such as ISO 14001:2015 for Environmental Management Systems and ISO 9001:2015 for Quality Management Systems. The standard provides guidance on preparing and managing an audit programme, on planning and conducting management system audits, and on the competence and evaluation of an auditor and an audit team.
It’s important to note that because the standard is a set of guidelines rather than a set of requirements, it is not a standard that a business can get certified to.
The ISO 19011:2018 standard focuses on applying the principles of continual improvement to audits. This will include ensuring that the audit program’s objectives align with the key objectives of the organisation being audited, guaranteeing that the needs and best interests of customers and other stakeholders are prioritised.
The guidance provided by the standard is intended to be flexible. The size and level of maturity of an organisation’s management system, as well as the nature and complexity of an organisation being audited should be considered, so that an appropriate audit schedule can be planned.
Did you know that ISO 19011:2018 contributes to two of the 17 United Nations Sustainable Development Goals? Businesses could help contribute to Goal 8: Decent Work and Economic Growth, and Goal 9: Industry, Innovation and Infrastructure by applying the ISO 19011:2018 guidelines.
Types of audits
In a nutshell, an audit is a systematic process where objective evidence is obtained and evaluated to determine if a business has fulfilled a set of criteria or requirements.
The ISO 19011:2018 guidelines document concentrates on Internal Audits, and audits conducted by organisations on their external providers and other external interested parties. However, before we get further into the blog, let’s get you up to speed with the different types of audits.
First party audits, commonly referred to as Internal Audits, are conducted by the organisation being audited, or by someone on behalf of the organisation. The internal audit will measure the effectiveness of the management system's implementation and conclude whether the organisation has met the requirements of the relevant ISO Management System Standard(s).
Second party audits are performed on a supplier or provider’s systems or operations by their client or a contracted organisation on their behalf. For example, an organisation might hire someone to audit its supplier’s system to ensure that the supplier meets contractual obligations and requirements.
Third party audits, also referred to as Certification Audits, are independent impartial audits with the objective of assessing the level of conformity of Business Management Systems against ISO Standards. These Audits will be conducted by a Conformity Assessment Body (CAB), who will, upon successful audit outcomes, issue the Certifications against the chosen Standard(s), e.g. ISO 9001:2015.
ISO/IEC 17021-1:2015 is another standard related to auditing Management Systems. However, unlike ISO 19011:2018, this standard provides requirements for auditing management systems for third party certification only, meaning audits conducted by Conformity Assessment Bodies, and it also specifies requirements relating to the certification services they provide.
The seven auditing principles
It’s crucial that an audit is conducted effectively and with reliability, to support management and drive improvement across the business. In order to achieve this, ISO 19011:2018 provides 7 auditing principles that act as a prerequisite for consistent audit practices. They are as follows:
Integrity – This is the foundation of professionalism. Uphold fairness, honesty, and responsibility when managing audit programs, and conducting audits.
Fair presentation – The obligation to present audit findings and conclusions with accuracy, objectivity, timeliness, and completeness.
Due professional care – Applying diligence and reasonable judgement in all auditing situations.
Confidentiality – The security of the information accessed and audited, especially sensitive or confidential information.
Independence – The basis for an impartial, bias-free judgement throughout the audit process.
Evidence-based approach – The logical method of achieving reliable and reproducible audit conclusions in a systematic audit process.
Risk-based approach – Incorporate risks and opportunities throughout the entire audit process lifecycle, from plans to communication materials.
Working in accordance with these 7 principles enables auditors to reach similar audit conclusions in similar circumstances, even when working independently from one another anywhere in the world.
Competence of Internal Auditors
Like many roles and processes in organisations, confidence in the audit process and the ability to achieve its objectives depend on the competency of the individuals performing the audits. The ISO 19011:2018 Standard refers to the competence of management systems auditors.
In deciding the necessary competence for an internal audit, it’s important to consider an auditor’s knowledge and skills in relation to:
The size, nature, complexity, products, services and processes of auditees
The methods for auditing
The management system disciplines to be audited
The complexity and processes of the management system being audited
The types and levels of risks and opportunities addressed by the management system
The objectives and extent of the audit program
The uncertainty in achieving the audit objectives
Any other requirements imposed by relevant interested parties
An individual’s competence should be evaluated through a process that considers personal behaviour and the ability to apply the knowledge and skills gained through education, work experience, auditor training and audit experience, which will be discussed next.
Auditors' personal behaviour
Auditors need to ensure that they are always exhibiting professional behaviour while performing audit activities. Most of these personal behaviours will stem from the 7 auditing principles which were previously mentioned. The main traits of an auditor’s personal behaviour should be as follows:
Ethical, open-minded, diplomatic and observant
Perceptive, versatile, tenacious and decisive
Self-reliant and able to act with fortitude
Open to improvement, culturally sensitive and collaborative
Knowledge and skills
In relation to knowledge and skills, auditors should possess:
The knowledge and skills necessary to achieve the intended results of the audits they’re expected to perform; and
Generic competence, and a level of discipline- and sector-specific knowledge and skills.