ISO 19011:2018 – Guidelines for Auditing Management Systems

Jonathan Brun

Organizations increasingly seek certification for many different types of management system standards: common ones for quality or environmental management systems, and standards for food safety, anti-bribery management, information security, and so on. The International Organization for Standardization, ISO, publishes guidelines for auditing these management systems. It has just published a new version of the standard, ISO 19011:2018, which is intended to be more useful across diverse management system standards, not just those for environmental or quality management.

Denise Robitaille is a principal at Robitaille Associates and she chaired the committee that wrote this new version. She joined to talk about the changes.

Una Jefferson: Denise, thank you for coming on the podcast. To provide a bit of context, can we go back in time a little bit and just talk about what the impetus was for the creation of the ISO 19011 standard?

Denise: Okay. So if we go back in history, this was a joint venture between TC176, which is the ISO technical committee responsible for quality management system standards, and TC207, which is the ISO committee responsible for environmental management system standards. So those two had been developed by ISO committees at about the same time and there seemed to be enough synergy for them to create this joint venture, to have one auditing standard.

So it’s been going along like that for well over 20 years. And then, you know, the second part of that is, what was the impetus for the latest revision? Well, all ISO standards are required to go through a systematic review every five years, and that occurred with 19011.

And just about that time we also became aware of the fact that there were many other management system standards in a lot of disciplines that were also availing themselves of the use of this document. So it became apparent that not only did this need to change, but as part of that change we needed to do a better job of being inclusive in terms of adding in all of those other management system standards and other disciplines.

So we went from something that started out as just two standards, to having this one little document that they shared, to having something that over time evolved into having a much broader applicability that was reflective of and usable by all of those disciplines.

Una Jefferson: So just to provide a little bit more context, can you describe who uses ISO 19011, what types of organizations, and what are their reasons for using it generally?

Denise: I think one of the big things with ISO 19011 is that this actually is the go-to document for people to know about auditing. This is really important too because ISO 19011 has over 1.2 million certified organizations around the world. This standard is referenced specifically in 9001 as the guidance document to know how to develop an internal audit program and how to conduct internal audits. And for some really small organizations, this is all they’ve done.

The other interesting thing about it is that it did start off as being just for quality and environmental, but it’s grown and is used by all kinds of organizations, even used by regulatory organizations in the US, by the FDA specifically, as the guidance on how to set up your audit program and how to conduct those audits.

So these people are using it because it’s clear, it’s simple, it’s generic enough to have that broad applicability.

Una Jefferson: So as you were entering the process of drafting ISO 19011:2018, what was the feedback that you received from all these users? What was your personal sense of what needed to change?

Denise: So we already knew that some of the things occurred because of changes to other documents. There’s been an increased focus out in the marketplace having to do with risk, or changes in technologies and things of that nature.

In terms of specific feedback, what happened was, in the early stages of this process, we did an outreach to as many different disciplines as possible, to establish liaisons and have them actively engaged in the process of this revision. That’s how we got our feedback, that’s how we got the information about what works in this for them, what things we could not include because they would be restrictive for them.

We had representation from environmental management, from the new standard for occupational health and safety, from aerospace, telecommunications, the petroleum industry, and the medical device industry. We had so many different disciplines and scheme representatives who provided us with that feedback. A really informed decision helped us to make a generic document that was specific enough to actually work, but had enough of that generic nature to it so that it could be usable by all of them.

Una Jefferson: So, how did the process of becoming more generic to address this very broad range of management systems change the actual content of the auditing principles in this standard?

Denise: Well, specifically for the auditing principles, we added a principle having to do with risk.

Risk comes out of this from different angles. So it was added as an additional principle. There used to be seven principles, now there are eight. The last one was the risk-based approach.

Here we look at the different variety of risks that are engendered in any audit program. We look at the risks having to do with the program itself, the things that would make it impossible for us to actually achieve the objectives of our audit program.

For example, if we’re talking about an audit program for internal audits, the objectives have to do with gathering enough information to address problems and be able to experience improvement, so what are the things that might be constraints on that, and what are the risks associated with not having a good program?

Well, the risk would be not doing audits frequently enough so that we actually get good data, or not having enough trained auditors, or auditors not having enough time. All of those are risks to the program. What would be the risks to the audit team? What would be the risk to the auditor? A great example of that is, when an auditor comes on site, there’s, for example, the prohibition against an auditor being left unescorted. So the risk in that particular case is twofold. The risk to the auditee is that an auditor would wander into areas in which he or she should not and would either see proprietary information that they by law are not supposed to be looking at because it’s outside of the scope of the audit, or they wander into an area without adequate protection and they are harmed. So there’s danger on both sides. There’s risk to the audit team and also risk to the auditor. Risk to the audit team might be that the manner in which the audit is conducted becomes very burdensome to the audit team, to a supplier audit, and it becomes impossible for the audit team to be able to actually engage appropriately. So there are those kinds of risks. So that’s an example of a risk to the auditee.

So now we look at it from the other perspective, which is that risk has been incorporated into the language of many new management system standards, and that situation is going to be accelerated over the next few years because it is now added in as a requirement within the high level structure for all ISO systems, and there are over 70 of them. So it is appropriate for an auditor to be able to have the tools to perceive whether or not the organization has established appropriate processes in order to be able to identify risks, to make informed decisions about what actions they should take about risk, whether or not there are processes in place that engender risk, whether or not risk is being addressed.

So all of those things are examples of elements that an auditor should be able to audit objectively and be able to make a determination based on what they observed as to whether or not the auditee actually has good practices in place in order to be able to engage in risk-based thinking and to address risks appropriately.

So risk comes out of a whole bunch of different directions. It’s very, very important, and there was not a whole bunch of language in the original or the previous version having to do with that. So that was a huge change.

Una Jefferson: I just want to get a more concrete sense of how this risk-based approach would change the obligations of someone running an auditing system. So for example, if they need to look at the auditee’s risk management system, would this just require them to have kind of a broader range of knowledge about the organization’s strategy or functioning before they embark on their audit? How would that manifest?

Denise: Well, you know, it’s the requirement that the auditor, not necessarily before they arrive, but upon their arrival, is able to look at what is in place in order to have, for example, the organization’s strategic direction, and to look at the processes that are in place in order to move towards that strategic direction. So they have to have a better sense. They’ve got to be able to ask those questions.

For example, a great place to look at a lot of this is in the management review. So an auditor has to have that additional thing, and with a lot of management system standards, 9001 being the primary one, there is this one input that says, has management reviewed the actions that were taken in order to address risks and opportunities. So it would be appropriate for an auditor to understand the strategic direction, look at things like, for example, quality objectives, look at other identified issues and whether or not the organization has identified their issues, and look at what risks there are within those issues and whether or not they have taken appropriate action and whether or not they’re monitoring that action. So those are some of the kinds of things that an auditor should know to do.

Una Jefferson: Is there anything else that’s kind of a key to know about this new version of ISO 19011?

Denise: A couple of things.

I want to once again reinforce that we did endeavour to make sure that this had broad applicability. There used to be an annex that dealt specifically with environmental management auditing, and we took that out because there are so many others that all have their own unique little turn on these things that we decided it would have been too laborious to try and put them all in. It would’ve made no sense. So we just have more general language and leave it to those schemes.

The other thing that we added was the concept of remote auditing, and remote auditing isn’t a newfangled way of auditing. It is simply a different method of achieving the same results. It’s another tool that you use. And that’s important because it is a reflection of the changes in the world that we live in. 20 years ago there was not as much of a need for auditors to know how to deal with auditing multiple facilities that were on two different continents in multiple different time zones, having to deal with Skype, having to deal with requesting access to, for example, someone’s electronic documentation, sharing screens, so there’s some technological stuff that has to happen. People have to be capable of handling that technology and understand the constraints around that, so we added in language recognizing the fact that as our world changes, this new tool, remote auditing, is something that’s going to gain in prominence over the years.

Una Jefferson: Well, thank you very much for taking the time to share your expertise on this. I really appreciate it.

Denise: Well I thank you for your time as well.