Why is it Important to be a Competent Internal Auditor? Understand the ISO 19011:2018 Guidelines for auditing management systems Standard

Published on: September 29, 2022

Like many roles and processes in organisations, confidence in the audit process and the ability to achieve its objectives primarily depends on the competency of the individuals performing the audits. This blog explains why Internal Auditor competence is important, and how it can be achieved.

There are many different types of audits, such as financial audits, safety audits, and operational audits. For ISO Management System Standards, audits are a major component of the Certification process, requiring different types of audits along this journey.

To be Certified, a business needs to go through Certification Audits with an Accredited Certification Body. However, the ISO Management System Standards also require Internal Audits both before a business goes for their Certification Audits, and after achieving their certification, to meet ongoing requirements and to facilitate continual improvement.

Having the Internal Audits conducted by a competent auditor will ensure that a business will get the most out of this process, where gaps, non-conformances and areas for improvement can be identified, facilitating continual improvement.

Continue reading to find out why it is important to be a competent auditor, and what the ISO 19011:2018 standard is.

What is ISO 19011:2018?

ISO 19011:2018 is a set of guidelines for auditing management systems.

ISO 19011:2018 is designed to advise organisations on how to go about auditing management systems for conformance to standards such as ISO 14001:2015 for Environmental Management Systems and ISO 9001:2015 for Quality Management Systems. The standard provides guidance on preparing and managing audit programs, on planning and conducting management system audits, and on the competence and evaluation of an auditor and an audit team.

It’s important to note that, since the standard is not a set of requirements, it is not a standard that a business can get certified to.

The ISO 19011:2018 standard focuses on applying the principles of continual improvement to audits. This will include ensuring that the audit program’s objectives align with the key objectives of the organisation being audited, guaranteeing that the needs and best interests of customers and other stakeholders are prioritised.

The guidance provided by the standard is intended to be flexible. The size and level of maturity of an organisation’s management system, as well as the nature and complexity of an organisation being audited should be considered, so that an appropriate audit schedule can be planned.

Did you know that ISO 19011:2018 contributes to two of the 17 United Nations Sustainable Development Goals? Businesses could help contribute to Goal 8: Decent Work and Economic Growth, and Goal 9: Industry, Innovation and Infrastructure by applying the ISO 19011:2018 guidelines.

Types of audits

In a nutshell, an audit is a systematic process where objective evidence is obtained and evaluated to determine if a business has fulfilled a set of criteria or requirements.

The ISO 19011:2018 guidelines document concentrates on Internal Audits, and audits conducted by organisations on their external providers and other external interested parties. However, before we get further into the blog, let’s get you up to speed with the different types of audits.

First party audits, commonly referred to as Internal Audits, are conducted by the organisation being audited, or by someone on behalf of the organisation. The internal audit will measure the effectiveness of the management system’s implementation and conclude whether the organisation has met the requirements of the relevant ISO Management System Standard(s).

Second party audits are performed on a supplier or provider’s systems or operations by their client or a contracted organisation on their behalf. For example, an organisation might hire someone to audit its supplier’s system to ensure that the supplier meets contractual obligations and requirements.

Third party audits, also referred to as Certification Audits, are independent impartial audits with the objective of assessing the level of conformity of Business Management Systems against ISO Standards. These Audits will be conducted by a Conformity Assessment Body (CAB), who will, upon successful audit outcomes, issue the Certifications against the chosen Standard(s), e.g. ISO 9001:2015.


ISO/IEC 17021-1:2015 is another standard related to auditing Management Systems. However, unlike ISO 19011:2018, this standard provides requirements for auditing management systems for third party certification only, meaning audits conducted by Conformity Assessment Bodies, and it also specifies requirements relating to the certification services they’re providing.

The seven auditing principles

It’s crucial that an audit is conducted effectively and with reliability, to support management and drive improvement across the business. In order to achieve this, ISO 19011:2018 provides 7 auditing principles that act as a prerequisite for consistent audit practices. They are as follows:

  • Integrity – This is the foundation of professionalism. Uphold fairness, honesty, and responsibility when managing audit programs, and conducting audits.
  • Fair presentation – The obligation to present audit findings and conclusions with accuracy, objectivity, timeliness, and completeness.
  • Due professional care – Applying diligence and reasonable judgement in all auditing situations.
  • Confidentiality – The security of the information accessed and audited, especially sensitive or confidential information.
  • Independence – The basis for an impartial, bias-free judgement throughout the audit process.
  • Evidence-based approach – The logical method of achieving reliable and reproducible audit conclusions in a systematic audit process.
  • Risk-based approach – Incorporate risks and opportunities throughout the entire audit process lifecycle, from plans to communication materials.

Working in accordance with these 7 principles enables auditors to reach similar audit conclusions in similar circumstances, even when working independently from one another anywhere in the world.

Competence of Internal Auditors

Like many roles and processes in organisations, confidence in the audit process and the ability to achieve its objectives depends on the competency of the individuals performing the audits. The ISO 19011:2018 Standard refers to the competence of management systems auditors.

In deciding the necessary competence for an internal audit, it’s important to consider an auditor’s knowledge and skills in relation to:

  • The size, nature, complexity, products, services and processes of auditees
  • The methods for auditing
  • The management system disciplines to be audited
  • The complexity and processes of the management system being audited
  • The types and levels of risks and opportunities addressed by the management system
  • The objectives and extent of the audit program
  • The uncertainty in achieving the audit objectives
  • Any other requirements imposed by relevant interested parties

An individual’s competence should be evaluated through a process that considers personal behaviour and the ability to apply the knowledge and skills gained through education, work experience, auditor training and audit experience, which will be discussed next.

Auditors’ personal behaviour

Auditors need to ensure that they are always exhibiting professional behaviour while performing audit activities. Most of these personal behaviours will stem from the 7 auditing principles which were previously mentioned. The main traits of an auditor’s personal behaviour should be as follows:

  • Ethical, open-minded, diplomatic and observant
  • Perceptive, versatile, tenacious and decisive
  • Self-reliant and able to act with fortitude
  • Open to improvement, culturally sensitive and collaborative

Knowledge and skills

In relation to knowledge and skills, auditors should possess:

  • The knowledge and skills necessary to achieve the intended results of the audits they’re expected to perform; and
  • Generic competence and a level of discipline- and sector-specific knowledge and skills.

Achieving Internal Auditor competence

Internal Auditor competence can be achieved via a combination of four aspects:

  1. Successfully completing an Internal Auditor Training program that covers auditing theory, tools and skills;
  2. Training, knowledge, and/or experience in the specific management system discipline(s) to be audited (for example, ISO 9001:2015 for Quality, ISO 45001:2018 for Safety, ISO 14001:2015 for Environmental, and/or ISO 27001:2013 for Information Security);
  3. Existing experience in an organisation and/or industry which can provide organisational context and knowledge; and
  4. Being deemed competent by an already-competent auditor in the same management system discipline who has supervised or witnessed the individual conducting an internal audit.

Some businesses may choose to engage an expert external consultant to conduct their Internal Audits, instead of using their own internal resources. This ensures that a business is getting the most out of their audits as the consultants have professional experience, and a fresh and unbiased perspective that provides valuable insights to facilitate business improvement.

In order for someone in the business to be deemed competent to conduct Internal Audits of ISO Management Systems, the first step is training. With our Management Systems Internal Auditor Training, you can achieve three levels of internationally recognised certificates, including the one for Competency after successful assessment of your first internal audit by one of our experts. Our Internal Auditor training also provides the tools to develop all the skills and resources needed to become a competent internal auditor, in line with the guidelines of ISO 19011:2018.

Our internationally recognised Internal Auditor eLearning course is delivered via video lessons and combines theory, practical real-life examples, and templates, so even those new to the internal audit world can succeed when performing management system Internal Audits!

Managing Director at ICExperts Academy and ISO Certification Experts

Erica is the Managing Director of ISO Certification Experts and ICExperts Academy. She has been helping businesses with their ISO Certification needs for over 20 years. Erica is also a Certified trainer, implementer and auditor for ISO 9001, ISO 14001, ISO 45001 and ISO 27001 standards. Erica primarily heads up the day-to-day operations of the businesses, and is also a current member of the Australian Organisation for Quality and Brand Integrity Committee.
