
Report

ISO 19011:2018
Understanding the International Standard
Ideagen provides software and expertise to help the world’s leading brands to improve efficiency, prevent undesirable events and ensure compliance by managing quality, safety, audit and every aspect of operational risk.

With over 4,000 customers in more than 90 countries, Ideagen’s products and services are at the forefront of quality, safety, risk, operational performance and compliance management for some of the world’s best-known organizations including PwC, Heineken, NHS, Emirates and Harvard University.

Ideagen is dedicated to promoting enterprise-wide quality management through compliance with standards such as ISO 9001 and many more.

© 2018 Chartered Quality Institute. All Rights Reserved


Contents

1. Foreword by Ideagen 3

2. Introduction 4

3. Message from Denise Robitaille 7

4. Executive summary 9

5. Interpretation and comment 10

6. Clause by clause evaluation 11


Foreword 11
Introduction 11
1. Scope 12
2. Normative References 12
3. Terms and Definitions 13
4. Principles of Auditing  13
5. Managing an Audit Programme 14
6. Conducting an Audit 26
7. Competence and Evaluation Of Auditors 40
ISO 19011:2011 Annex A (Informative) 48
ISO 19011:2018 Annex A (Informative) - Additional guidance for auditors planning and conducting audits 49
Bibliography

7. Implications for specific audit roles 61

8. Conclusion 65

9. ISO 19011:2011 vs ISO 19011:2018 clause comparison 67

10. Acknowledgements 72

www.quality.org | 1
2 | ISO 19011:2018 | Understanding the International Standard
1. Foreword by Ideagen

The release of ISO 19011:2018 highlights the emergence of the “business focused auditor.” Gone are the days of the auditor being a detached observer, policing processes and procedures. Today’s auditors are relied upon by their businesses to focus on what is important. Auditors are now leading conversations with senior management about areas of risk and the reasons why the business is not meeting its objectives.

Ideagen has partnered with audit professionals for over twenty years, supplying the technology required to manage the complexity that an audit programme demands. The discipline has matured in that time, along with the management systems themselves, but the pace of change has accelerated rapidly in the previous few years. We have seen audit professionals proactively adopt a far more strategic audit methodology where the risk assessment process is the key driver of the audit plan. Audit departments are maintaining an up-to-date view of overall risk levels across the organization, becoming more agile in their approach to target the areas of real concern.

ISO 19011:2018 reflects the best practices that auditors have shown over the last few years, and gives less mature organizations a worthy standard to aspire to. Regardless of maturity, the nature of risk is evolving, bringing new challenges: it now includes digital business, increasing ownership of supply chain risk and an assurance remit over increasingly focused management systems.

Whilst a rapidly changing risk environment can be extremely daunting, adopting a risk-based perspective to audit planning and execution decreases organizational risk by:

• Improving the integrity of the organization
• Identifying potentially significant risks and issues in a timely manner
• Holding management to account, and
• Identifying and communicating improvement that would benefit the organization.

ISO 19011:2018 will go a long way to support auditors of all maturity levels to adopt a business focus, proving that quality is about performance, not just conformance.

2. Introduction

Following its introduction in October 2002, ISO 19011 quickly established itself as the premier source
of guidance for quality professionals whose roles encompassed management systems audit. Whereas the
2002 edition focussed solely on the audit of quality and environmental management systems, it became
the de facto standard for auditors of all other disciplines. The 2011 edition recognised this, as does the
latest 2018 edition, in providing guidance which is designed to be applicable to any type of management
system audit, irrespective of technical discipline or whether the management system under examination
is based on an ISO standard or otherwise.

For those commissioning management system audits, those tasked with audit programme delivery, those
engaged in planning, conducting and reporting single audits and those who are subject to being audited
this is the generic standard that establishes the framework within which management system audit
activity typically takes place.

ISO 19011 provides detailed guidance regarding:

• Managing audit programmes
• Planning and conducting management system audits
• The competence of personnel involved in planning and conducting audits and how this can be evaluated.

Additionally, it outlines common terms and definitions relating to audit and identifies principles which
should govern the overall approach to audit. For those new to management system audit or those
seeking to expand their existing understanding, ISO 19011:2018 also contains specific guidance on a
range of related topics in an enhanced annex to the main standard.

It is important to remember that ISO 19011 is a guidance standard. As such, it does not contain
requirements that organizations must meet, nor is it a standard that organizations can secure third party
certification against. Its focus is instead orientated towards first party audits (internal audits) and second
party audits (audits conducted by organizations on external providers and other external interested
parties). And while requirements for third party management system certification are contained within
the ISO 17021-X series of standards, ISO 19011 is recognised as providing useful guidance for third party
conformity assessment, or certification.

For the Chartered Quality Institute (CQI) and International Register of Certificated Auditors (IRCA),
the importance of ISO 19011 is immense. Over 70,000 delegates each year attend IRCA approved
auditor training courses, all of which adopt ISO 19011 as the basis for their course criteria. There are
also 10,000 IRCA certificated auditors registered against sector or standard specific schemes on this
standard. Additionally, the 10,000 CQI members are impacted by management system audit, either as
auditors, audit clients, or auditees, and as such have a direct interest in how these audits are performed.

While requirements standards such as ISO 9001, ISO 14001 and ISO 45001 tend to steal the limelight,
ISO 19011 is arguably more important because it underpins them all. This is because effective audit
provides an organization and its stakeholders with critical assurance based on clear evidence that these
systems are delivering their intended outcomes. In the absence of assurance, uncertainty increases,
confidence diminishes, trust is lost.

Audit also provides a means to detect developing issues, to limit damage, for root cause corrective
action and an opportunity to address problems internally before they have a wider impact. But audit
should not be just about ‘policing’ the business. First and second party audits should also be used to
drive ongoing improvement, something which the 2018 edition of ISO 19011 emphasises throughout.

It’s not by accident that all ISO management systems place considerable importance on the role of
internal audit.

Purpose of this report


This report provides a detailed review of the contents of the International Standard (ISO 19011:2018),
explaining each clause in ‘plain language’ before moving on to consider the implications of the guidance
from the perspective of specific stakeholders in the management system audit process.

It is intended to assist both CQI members and IRCA auditors in aligning their audit activities to meet
the revised and enhanced best practice set out in ISO 19011:2018.

Involvement of the CQI and IRCA


ISO 19011:2018 was developed by ISO/PC 302, a committee to which the CQI and IRCA was
awarded Category A liaison status in October 2016. This special recognition permitted the CQI and
IRCA to attend plenary meetings of the Committee at all stages of the development process, from
the production of the initial Committee Draft (CD) in November 2016 through to the Final Draft
International Standard (FDIS) in December 2017.

At each stage, the CQI and IRCA put forward comments and suggestions on behalf of its members
in respect of what it believed the standard should contain. The most significant of these interventions
took place at the Draft International Standard (DIS) stage. Using the CQI and IRCA’s standards commenting
system (SCS) software, CQI and IRCA members registered over 120 comments on the proposed
revision. As a result, CQI and IRCA members have had a material input into shaping the contents of
ISO 19011:2018.

3. Message from Denise Robitaille

Message from Denise Robitaille, Chair of ISO/PC 302, the committee that supervised the development of ISO 19011:2018

ISO 19011 – The Revision and Why It Matters


The latest version of ISO 19011 has recently been released. It brings with it some significant additions
and some changes that reflect how standards have evolved in the last decade.

A little history
When ISO 19011 was first conceived it was a joint venture between two technical committees,
TC 176 and TC 207, with responsibility for quality management system standards and environmental
management system standards, respectively. It resided in the portfolio of TC 176/SC 3.

The ISO Technical Management Board (TMB) recognized that the sphere of management system standards had
mushroomed to more than 70 and that more sectors outside of ISO were making use of the guidance.
The TMB created a new PC to accommodate the broader scope of users. Why is this important?

In the last few years we’ve seen the introduction of new management system standards dealing with
occupational health and safety, information management and energy management. Also, the most
popular standards underwent major revisions. PC302 was founded to reflect the broader range of users.
It has liaisons with many of the other ISO committees and sector specific organizations. Representatives
from these liaisons engaged with PC302 bringing their valuable input and concerns. This resulted in a
document that reflected myriad users, increasing its relevance and reach around the globe.

What’s changed?
Many organizations either choose or are required to implement and maintain multiple integrated
management system schemes. Technology has changed, and with it the opportunity to conduct remote
(or virtual) audits. Consideration of risk has become endemic. And, ISO 9001 introduced the concepts
of the context of the organization.

Key changes in the 2018 version include the addition of a risk-based approach to the principles of
auditing. There was a need to reflect the enhanced focus on risk in both management standards and in
the marketplace. Additionally, like any other process, auditing itself engenders certain risks.

There has been an expansion of guidance on managing an audit program, and planning and conducting audits. Due to the burgeoning number of management system standards, the language has been revised to be more generic – allowing for applicability across a broader range. Annex A (A.10) provides tips on auditing risks and opportunities while clause A.8 addresses challenges in auditing organizational context. Annex A (A.10) also introduces the concept of applying risk-based thinking to the audit process. Annex A (A.16) covers auditing virtual activities and locations.

The good news


ISO 19011:2018 continues to provide the guidance auditors have come to rely on. It facilitates the deployment of an internal audit program that reflects multiple management system requirements. It addresses the enhanced focus on risk and gives great tips on the expanding practice of remote auditing. It provides consistency in the audit profession and is written in language comprehensible to all levels of users. Finally, it is the go-to document for anyone needing guidance on auditing.



4. Executive summary

The CQI and IRCA is a global player in the world of management system
audit, with its IRCA brand being widely recognised as representing the ‘gold
standard’ for auditor certification and training. It is committed to ensuring that
the highest standards of auditor competence, professionalism and integrity are
implemented worldwide.

The development of ISO 19011:2018 provided an opportunity for CQI and IRCA to successfully argue
the case for improvements it believes are necessary to make management system audit fit for the
21st century. With the support of the UK and other National Standards Bodies, many of these
recommendations have been adopted.

The most significant changes incorporated into ISO 19011:2018 are:

• adding a new seventh audit principle – Risk-based approach to audit
• expanding the guidance on managing an audit programme, including audit programme risk
• expanding the guidance on conducting an audit, particularly in respect of audit planning
• expanding the generic competence requirements for auditors
• a focus on processes and not just outputs – e.g. audit planning, not audit plan; audit reporting, not audit report
• removing ISO 19011:2011’s Annex A – guidance and illustrative examples of discipline-specific knowledge and skills of auditors
• expanding ISO 19011:2011’s Annex B (now ISO 19011:2018’s Annex A) – ‘Additional guidance for auditors for planning and conducting audits’, to include guidance on a range of new concepts including, but not limited to, auditing organizational context, auditing leadership and commitment, supply chain audit, virtual audits and auditing compliance.

5. Interpretation and comment

The interpretation and comments contained within this document are those of the CQI and IRCA.
Other organizations may interpret this guidance differently. As such, this document should not be viewed
as a definitive reference source for this International Standard; indeed, only documentation sourced
directly from ISO/PC 302 can fulfil this purpose.



6. Clause by clause evaluation

The next section of this document sets out to:

• simplify the language used in each clause of ISO 19011:2018 to make its meaning easier to understand;
• identify whether the guidance provided in ISO 19011:2018 is new, is an amended version of the 2011 text, or whether it is taken directly from the 2011 edition of the standard;
• identify the implications of the 2018 guidance for stakeholders such as audit programme managers, auditors, audit clients and auditees.

Note: The CQI and IRCA is not permitted to reproduce the direct contents of the standard
due to copyright restrictions. Those individuals who need access to the actual content of ISO
19011:2018 should make their own arrangements to source a copy of the standard directly from
an authorised supplier.

ISO 19011:2018 – Guidelines for auditing management systems

Foreword
The foreword to ISO 19011:2018 notes that this is a technical revision to the 2011 edition. This is
important as it signals that the changes it contains are significant. The main differences between the two
editions are then listed. These are replicated in the executive summary.

The foreword recognises that the 2018 edition was prepared by Project Committee ISO/PC 302 –
Guidelines for auditing management systems. This represents a change in ownership; the 2011 edition
was developed by Technical Committee ISO/TC 176 – Quality management and quality assurance.

Finally, it confirms that the publication of ISO 19011:2018 replaces and automatically cancels
ISO 19011:2011.

Introduction
The standard opens by stating that, since the publication of the 2011 edition, a range of new and
revised management systems standards have been published which share a common high-level
structure, identical core requirements, and common terms and definitions based on the ISO Annex SL
requirements. This approach has presented a need for the new edition to provide audit guidance which
is more generic, as opposed to the previous version which was discipline specific.

The standard recognises the range of criteria against which audits may be conducted. These include
requirements defined in one or more management system standards, policies and requirements
specified by stakeholders, statutory or regulatory requirements, management system processes as
defined by the organization or others, or quality plans/project plans. The standard notes that this list
is not definitive and that a single audit may be conducted against one or several criteria. The guidance
contained in the standard is also applicable to the use of combined audits and the audit of integrated
management systems.

There is a statement that the standard provides guidance which is intended for use by all organizations,
irrespective of their size or type, and for audits of varying scopes and scales ranging from a single auditor
in a small organization to a large audit team in a large organization. The guidance is intended to be
flexible and may be adapted by organizations to suit their own audit-related programmes.

While ISO 19011:2018 is primarily focussed on internal audits (first party) and audits performed by
organizations on external providers (second party), it also complements ISO/IEC 17021-1 Conformity
assessment — Requirements for bodies providing audit and certification of management systems — Part
1: Requirements which is only applicable to certification (third party) audits. ISO 19011:2018 can also
be used as guidance input for any organization which wishes to develop their own audit process. The
standard can be deployed by organizations which contribute to the audit sector through training and
personnel certification of auditors, such as CQI and IRCA.

ISO 19011:2018 can be used by organizations for self-declaration, i.e. the organization can claim that
it has adopted the guidance contained within the Standard and adheres to its principles; however,
organizations are not able to obtain accredited, independent certification to this effect.

1. Scope
The scope of the applicability of this revision has not changed apart from minor changes in terminology.
The purpose of ISO 19011:2018 remains to provide guidance on auditing management systems.
This includes guidance on the principles of auditing, managing an audit programme and conducting
management system audits.

The standard recognises that it is applicable for all organizations that have a requirement to ‘plan
and conduct’ internal or external management system audits (previously just ‘conduct’), and that the
guidance contained can be applied to other types of audit provided that organizations give special
consideration to the specific competence required for such audits.

2. Normative References
ISO 19011:2018 is intended to be used as a standalone document and does not need to be read in
conjunction with any other standard (i.e. it has no normative references). In this respect it replicates
ISO 19011:2011.



3. Terms and Definitions
A number of the terms and definitions used within ISO 19011:2018 have been revised. Six new
terms and definitions have been added to the 20 which appear in ISO 19011:2011 (combined audit,
joint audit, objective evidence, requirement, process, performance) and several of the existing terms
and definitions have been modified from the text in ISO 9000:2015 Quality management systems —
Fundamentals and vocabulary. It should be noted that the definition of ‘audit’ itself has been revised –
this now becomes ’a process for obtaining objective evidence’ (previously ‘a process for obtaining audit
evidence’). There have also been significant changes to the notes to entry. The structure of this clause
has also been fundamentally changed, with a new ordering of the terms and definitions.

Due to the extent and nature of these changes, those involved in audit should familiarise themselves
with the revised terminology. The 2018 edition of the standard points readers to two websites where
terms and definitions used in standardisation can be accessed for free – https://www.iso.org/obp and
http://www.electropedia.org/.

4. Principles of Auditing
ISO 19011:2011 identifies six principles of auditing, the ‘pillars’ on which effective audit is built.
These are integrity, fair presentation, due professional care, confidentiality, independence and an
evidence-based approach.

These are essentially unchanged but ISO 19011:2018 now adds a seventh principle –
risk-based approach.

This requires auditors to determine the effect of uncertainty, positive or negative, on the overall
audit process.

Adopting a risk-based approach ensures audits focus on those processes where the effect of uncertainty
on the management system is greatest, i.e. those which are of most importance to the audit client. This
approach also considers risks and opportunities that could affect the success of the audit programme in
achieving its objectives.

ISO 19011:2018 identifies two reasons for adhering to these principles. First, they are prerequisite
to audit conclusions which are reliable and sufficient. Secondly, adopting them should enable auditors
working independently of each other to arrive at similar conclusions in similar circumstances.

The wording of the existing principles remains largely unchanged with one important caveat added to
the principle ‘Independence’ (e). This now advises that internal auditors should be independent from the
function being audited ‘if practicable’. Formerly this was independence ‘from the operating managers of
the function etc.’ This recognises that for small and medium sized enterprises, securing full independence
from management may not always be practically possible and that the best that can be achieved is for
the auditor to be impartial and objective despite any management connection.

There has also been a change to the wording of the principle ‘Integrity’ (a). Auditors and individuals
(previously ‘person(s)’) managing an audit programme should now act ethically, honestly and responsibly
(previously ‘honestly, diligently and responsibly’) and must only undertake audit activities if they are
competent to do so.

5. Managing an Audit Programme


5.1 General
The guidance in the general coverage of audit programming has been revised extensively to reflect
the evolving nature of auditing. This includes the complexity introduced through outsourcing audited
processes, and the deployment of risk-based thinking.

ISO 19011:2018 advises that an audit programme should be established to include audits which
address one or more management system standards or other audit requirements. These audits may be
conducted separately or in combination (combined audit). In other words, no audit activity is too small
nor too big to exclude the need for an audit programme.

The extent of the audit programme will depend on many factors. These include the size and nature of the
auditee as well as the nature, functionality, complexity, types of risks and opportunities and the level of
maturity of their management system(s).

The design, planning and validation of the audit programme requires careful consideration, particularly
where an organization operates in multiple sites and/or where important functions or processes are
outsourced and managed by an external provider with related consequences for leadership decisions.

When designing audit programmes, it is important to fully address the context of the auditee.
Information will be required on their organizational objectives, external and internal issues, the relevant
interests of their stakeholders and any specific information security and confidentiality requirements
pertaining to them that also need to be brought into the design consideration. The scope and extent of
this consideration of context is new.

The individual(s) managing the audit programme is responsible for ensuring that the integrity of the
programme is maintained and that undue influence is not exerted over any part of the audit process.

Note that the audit programme may be managed by a team, not necessarily an individual.

Audit resources should be directed to those areas of the management system which carry the most
risk to its performance or where its performance differs from what is desired (previously ‘matters of
significance within the management system’).



The extent of information needed in the audit programme has been enhanced in ISO 19011:2018.
The information contained within the programme should now include audit programme objectives,
the scope of each individual audit contained within the programme, the audit criteria to be used, audit
methods to be employed, and the audit type (i.e. internal or external). In addition, the programme
should include a schedule showing the number, duration and frequency of planned audits, any risks
and opportunities associated with delivering the programme, the criteria used for selecting audit team
members, plus any other relevant documented information.

More emphasis has been placed on monitoring and measuring the implementation of the audit
programme by suggesting it should be done on an on-going basis to ensure the audit programme
objectives are being achieved and to identify both the need for changes to the audit programme and
possible opportunities for improving the programme.

The audit programme process in the context of applying the Plan, Do, Check, Act cycle has been
extensively reworked, as shown in Figure 1, to better reflect the structure of the revised standard.

5.2 Establishing audit programme objectives


In ISO 19011:2011 top management was responsible for ensuring audit programme objectives were
established and that the audit programme was being implemented effectively. This responsibility now
widens out to the audit client in general. In ISO 19011:2018, audit programme objectives should be
consistent with the audit client’s strategic direction, as well as supporting their management system
policy and objectives.

The list of considerations on which objectives should be based has been extensively revised, primarily
to reflect the Annex SL changes. The standard now suggests that the following should all be considered
when setting programme objectives:

• stakeholder needs and expectations
• the characteristics of and requirements for processes, products, services and projects (and any changes to them)
• management system requirements
• the need to evaluate external providers
• the auditee’s level of performance
• the auditee’s levels of risk and opportunity
• the maturity of their management system(s)
• the results of their previous audits.

ISO 19011:2018 provides examples of audit programme objectives. These examples have been revised
from those appearing in the 2011 edition, adopting Annex SL terminology.

5.3 Determining and evaluating audit programme risks and opportunities
INTERPRETATION:
ISO 19011:2018 refers to ‘determining and evaluating’ audit programme risk, compared with ‘identifying
and evaluating’ in the 2011 version, i.e. a call for a more considered approach. It explicitly references the
need to determine opportunities as well as risks. The individual(s) managing the programme should now
present to the audit client the risks and opportunities they have determined during the development
of the audit programme along with the programme’s associated resource requirements, presumably to
ensure accuracy.

Note that in the 2011 edition, audit programme risks did not need to be communicated
back to the client.

This sub-clause then sets out examples of audit programme risk. These have been updated and expanded
upon from those which appear in ISO 19011:2011. Examples of audit programme improvement
opportunities are provided also. These are new and include: allowing multiple audits to be conducted at
a single site visit, minimising travel time/distance to the audit location, matching the level of competence
needed for the audit to that of the audit team sent, and aligning audit dates with the availability of the
auditee’s key staff. Such improvements are designed to ensure maximum efficiency and effectiveness of
the audit process.

5.4 Establishing audit programme


5.4.1 Roles and responsibilities of the individual(s) managing audit programme
The role and responsibilities of the individual(s) managing the audit programme have substantively
changed both in respect of their duties and who they should report to.

Note: ISO 19011:2018 uses the term ‘individual(s)’ as opposed to the 2011 edition, which uses
‘person(s)’.

When establishing the extent of the audit programme the individual(s) concerned should bear in mind
the programme objectives, including any limitations which may need to be considered. The 2011 edition
simply called for the extent of the programme to be established; it did not add any caveats.

The individual(s) managing the audit programme should also:

• determine any internal or external risks and opportunities that could impact the programme (previously just ‘the risks’) and should implement actions to address these (previously simply evaluating them was sufficient) by integrating them into relevant audit activities.
• ensure audit teams are selected such that they possess the overall competence necessary to carry out the required auditing activities. The individual(s) managing the audit programme can achieve this by assigning roles, responsibilities and authorities and by supporting audit team leaders as required.
• establish all relevant processes within the audit programme (previously ‘procedures’) including for the coordination and scheduling of audits, for establishing audit objectives, scopes and criteria for audits, for determining audit methods, for selecting audit team members and for evaluating auditors.
• establish internal and external communications processes, dispute resolution and complaint handling, audit follow-up (if applicable), and audit reporting to the audit client and other relevant interested parties.
• determine (and now also ‘ensure’) provision of the resources necessary to deliver the audit programme.
• ensure appropriate documented information (previously ‘records’) is prepared (previously ‘managed’) and maintained, including audit programme records.
• monitor, review and improve the programme.
• communicate the programme to the audit client (previously ‘top management’) and to other relevant interested parties as may be appropriate.

Finally, the individual(s) managing the programme should seek approval for the programme from the
audit client. In the 2011 edition approval was sought ‘where necessary’ from ‘top management’.

5.4.2 Competence of individual(s) managing audit programme


There have been some important additions to the competence of individual(s) managing the audit
programme. As well as the necessary competence to manage audit programme risk, ISO 19011:2018
highlights the need for competence in realising audit programme opportunities and in dealing
efficiently and effectively with any identified internal and external issues which can adversely impact
the programme.

A knowledge of audit principles, processes (previously procedures) and methods is still recommended,
as is knowledge of management system standards, other relevant standards, and relevant reference
and/or guidance documents. Additionally, the individual(s) managing the audit programme should have
knowledge of the auditee’s context and business activities, in addition to their processes, products and
services. They should also have knowledge of any statutory or regulatory requirements (previously
‘legal’) or other requirements relating to the auditee’s business functions.

Newly added is the recognition that individual(s) may need knowledge of risk management, project
and process management, and of information and communications technologies, necessary for them to
perform their audit programme management role.

The ISO 19011:2011 recommendation that the individual(s) managing the audit programme should engage
in continual professional development (CPD) to maintain the knowledge and skills necessary to manage
audit programmes is carried forward into the 2018 edition.

5.4.3 Establishing extent of audit programme
The factors that could influence the extent of an audit programme which appear in ISO 19011:2011
are supplemented by management review outputs, downstream supplier issues, and business risk
management issues. The other factors remain essentially the same, albeit with subtle revisions
to their wording.

It is again noted that an audit ‘programme’ could consist of a single audit, e.g. an audit of a specific
project or of a specific supply contract.

Additionally, it is noted that the extent of the audit programme can also vary depending on the level
of information provided by the auditee in respect of its context. Where little information is provided,
uncertainty is higher and, as a result, the programme could be more extensive.

5.4.4 Determining audit programme resources


The individual(s) managing the audit programme should determine (previously ‘identify’) the resources
necessary to successfully deliver the programme. The standard provides a list of considerations which
has been expanded to include the impact of different time zones; the availability of any required
specialist tools, technology or equipment; the availability of any required documented information; and
requirements relating to the auditee’s facility, including security clearances and equipment.

5.5 Implementing audit programme


5.5.1 General
An introductory paragraph has been added which states that once the audit programme has been
fully established in line with 5.4.3 and 5.4.4, it is necessary to move on to the operational planning
and management stage. Responsibility for this still resides with the individual(s) managing the audit
programme; however, their duties have been expanded. ISO 19011:2018 states that they should
communicate relevant parts of the audit programme, including the risks and opportunities involved,
to relevant interested parties. They should also periodically inform those interested parties of the
programme’s progress ‘using established external and internal communication channels’.

The individual(s) managing the programme are also tasked with selecting the audit methods to be used.
There is useful additional guidance on this subject in Annex A (A.1). They should provide the necessary
‘individual(s) and overall resources’ (previously just ‘resources’) to the audit team and should manage
all operational risks, opportunities and issues as they arise during the audit programme’s deployment.
Additional new responsibilities include defining and implementing the necessary operational controls
to allow the audit programme’s delivery to be monitored, and the review of the audit programme to
identify any opportunities for improvement. These issues are covered more fully later in the standard.

5.5.2 Defining the objectives, scope and criteria for a single audit
As previously, the revised standard deals with the requirements for setting up a single audit within the
audit programme. A number of subtle but important changes have been made.

ISO 19011:2011 advised that each single audit should be based on documented audit objectives, scope
and criteria. The recommendation to document is removed from this sub-clause in ISO 19011:2018,
which simply calls for the objectives, scope and criteria to be ‘defined’. The 2011 edition explicitly
identifies the definition of objectives, scope and criteria as the responsibility of the person managing the
programme. This text has been removed from sub-clause 5.5.2 in the 2018 edition.

The audit objectives now need to consider the context and strategic direction of the auditee, the
effectiveness of the management system in setting and delivering its objectives and its effectiveness in
dealing with risks and opportunities. Further useful guidance on auditing context is given in Annex A (A.8).

ISO 19011:2018 reminds us that the audit scope should be consistent with both the audit programme
and the audit objectives, and that conformity or otherwise should be determined against the audit
criteria. These statements are mostly unchanged from ISO 19011:2011. Audit criteria can now include
information provided by the auditee on context, risks and opportunities faced by the organization.

If the audit objectives, scope or criteria change, the audit programme should be revised. New
for the 2018 edition is the explicit recommendation that the revised programme should then be
recommunicated to relevant interested parties for approval, if this is appropriate.

When two or more management systems of different disciplines are audited together (referred to as a
combined audit) the audit objectives, scope and criteria for each discipline must be mutually consistent.
The 2018 edition recognises that, when conducting combined audits, there may be instances where
the audit scopes for different disciplines are not the same, i.e. the audit boundaries for one discipline,
e.g. environment, could encompass the entire organization whilst for another discipline, e.g. quality,
they may be restricted to a subset of defined processes of the organization. This is new text which does
not appear in ISO 19011:2011.

5.5.3 Selecting and determining audit methods


When selecting the methods to be used to conduct the audit, the individual(s) managing the audit
programme should consider not just the method’s effectiveness but also its efficiency, based on the audit
objectives, scope and criteria. The 2018 edition suggests that the use of methods should be ‘suitably
balanced’ and based on considerations including each method’s associated risks and opportunities.
Further guidance on the variety of audit methods which might be employed is given in Annex A (A.1).

As was the case for ISO 19011:2011, the 2018 edition states that in instances where two or more
organizations are to conduct a joint audit of the same auditee, the individual(s) responsible for managing
each programme should jointly agree the audit methods to be employed. They should also consider the
implications of joint-working for audit planning and resourcing.

In cases where the auditee operates two or more management systems of different disciplines, ISO
19011:2018 recognises that combined audits may be included in the audit programme.

5.5.4 Selecting audit team members


There is no change from the 2011 edition in respect of the individual(s) managing the audit programme
being responsible for appointing the audit team leader, members of the audit team and any technical
experts. When making this selection they must consider the collective competence of the team required
to achieve the objectives of the single audit, within the audit’s defined scope.

An audit ‘team’ may consist of just one auditor who should perform all the duties associated with the
audit team leader role.

Both ISO 19011:2011 and ISO 19011:2018 contain text relating to the steps to be taken by the
individual(s) managing the audit programme to assure the overall competence of the team. These steps
include initially identifying the competence needed to achieve an audit’s objectives, followed by the
selection of audit team members who can demonstrate these areas of competence.

The considerations for deciding the size and composition of the audit team for a specific audit that
appear in the 2011 version have been subject to some change. The most important of these is that ‘the
need to ensure independence from the activities being audited’ has been replaced in ISO 19011:2018
with ‘ensuring objectivity and impartiality’. Those selecting audit team leaders and members should be
cognisant of potential conflicts of interest.

The standard identifies the need to interact effectively not just with the auditee but also ‘with other
interested parties’. These could include trainee auditors, appointed observers, interpreters and
consultants. Another important addition to the 2018 edition is the recommendation that the type and
complexity of the processes to be audited should also be a consideration during team selection.

The ISO 19011:2011 recommendation that technical experts operate under the direction of an auditor
has been removed from this sub-clause in the 2018 edition. Technical experts with their additional
competence are recognised as a support for the team, and not as team members with auditing
responsibilities. The team leader should direct the use of technical experts.

Both the 2011 and 2018 versions note that auditors in training may be included in the audit team;
however, they should operate under the direction of a competent auditor. Both editions also recognise
that the membership of the audit team may need to be changed during an audit should a competence
issue or a conflict of interest come to light. Consultation with all relevant parties should take place prior
to such a change.

New for 2018 is an explicit recommendation that the individual(s) managing the audit programme
should consult the audit team leader in respect of audit team composition, where appropriate.

5.5.5 Assigning responsibility for a single audit to the audit team leader
As is the case for the 2011 edition, ISO 19011:2018 recommends that the individual(s) managing the
audit programme assigns responsibility for each single audit contained within the audit programme to an
audit team leader (often described as the Lead Auditor). This should be done sufficiently in advance of
the scheduled audit date to permit effective planning.

The information to be made available to the audit team leader is similar in the 2018 edition to that
which appears in the 2011 edition. This includes information relating to audit objectives, criteria, scope
and methods, composition of the team, contact details for the auditee, the audit location(s), dates and
durations, as well as details of the resources that are being allocated to the audit. This information will
usually be sourced from the audit programme and should now include any information which the audit
team leader needs to deliver an effective audit while working with the auditee.

Carried over from the 2011 edition is the recommendation to provide the audit team leader with
information relating to risks (and now opportunities) associated with meeting the audit objectives.

The assignment information provided to the audit team leader should also include details relating to
the working and reporting language of the audit and details as to whom the audit reporting output
(previously ‘audit report’) is to be provided. It should also include applicable matters relating to
confidentiality, information security, security and authorisations, follow ups from previous audits, and any
pertinent information relating to the coordination of other audit activities such as joint audits.

New for 2018 is the need for communication of information relating to health, safety and environmental
arrangements (previously ‘health and safety requirements’) for auditors as well as any requirements for
travel to, or access to, remote sites.

The importance of reaching agreement on the respective responsibilities for each organization involved
in a joint audit (where two or more parties audit together) is carried across from the 2011 edition. This
should be achieved before the joint audit is performed. In particular, the authority of the appointed
audit team leader should be agreed with all parties in advance of the audit beginning.

5.5.6 Managing audit programme results


Once a single audit within the audit programme has been concluded and produced results, the
individual(s) involved in audit programme management have further responsibilities.

ISO 19011:2018 uses the term ‘results’ whereas the 2011 edition refers to ‘outcomes’. This may seem
like semantics but ‘results’ may more accurately describe the outputs from an evaluation process
such as an audit.

Added for 2018 is the recommendation that the individual(s) managing the audit programme should
ensure that an evaluation of the achievement of the objectives for each audit takes place within the
context of the audit programme. They should also ensure the review and approval of audit reports in
respect of the fulfilment of each single audit’s scope and objectives. The distribution of audit reports to
‘top management and other interested parties’ simply becomes ‘to relevant interested parties’.

The 2018 revision deletes the need for a review of root cause analysis and the effectiveness of
corrective and preventive action. This is replaced with a review of the effectiveness of actions taken
to address the audit findings. This change removes any doubt about the auditor’s involvement in
determining the root cause of a nonconformity which is the responsibility of the auditee.

New for 2018 is the suggestion that the individual(s) managing the audit programme should consider
communicating the audit results and any identified best practice to other areas of the organization and
that they should also consider the implications of the audit results for other processes operating within
the organization.

5.5.7 Managing and maintaining audit programme records
Minor changes have been made to the process of managing audit records. As for 2011, processes should
be established to ensure that any confidentiality requirements associated with audit programme records
are properly addressed. The 2018 edition additionally calls for ensuring any information security needs
relating to audit programme records are met through established processes.

The listing of typical records has been revised. These are still broken down into three categories:

• records related to the audit programme
• records related to single audits
• records related to the audit team (previously ‘audit personnel’).

In respect of the audit programme, ‘schedule of audits’ has been added as a new entry and ‘documented
audit programme objectives’ becomes simply ‘audit programme objectives’. ‘Records addressing risk’
becomes ‘records addressing risk and opportunities, and relevant external and internal issues’, whilst
‘records reviewing audit programme effectiveness’ remains unchanged.

In respect of records relating to single audits, ‘audit plans’ and ‘audit reports’ are carried across from the
2011 edition as are ‘nonconformity reports’. Records of ‘corrections and corrective action reports’ and
‘audit follow up reports’ are included.

Note that any doubt about the applicability of follow up reports has been removed. New in the
2018 edition is the inclusion of records relating to ‘objective audit evidence and findings’.

In respect of records relating to the audit team at audit programme management level, the 2011
recommendations of records which evidence audit team members’ competence and performance, and
the maintenance and improvement of competence appear once more in the 2018 edition. The 2011
‘selection of audit teams and team members’ has been expanded to ‘criteria for the selection of audit
teams and audit team members and the formation of audit teams’.

As before, ISO 19011:2018 states that audit records should contain sufficient detail to demonstrate that
the objectives of the audit programme have been achieved.

5.6 Monitoring audit programme


This sub-section provides further guidance on the previously stated responsibility of the individual(s)
managing the audit programme to ensure that an evaluation takes place in respect of whether the
audit schedule is being met, and whether the audit programme objectives are being achieved. The
performance of the entire audit team and any technical experts should also be evaluated, as should
the ability of the audit team to implement the audit plan. These recommendations are consistent with
the 2011 edition.

The individual(s) responsible for managing the audit programme should also evaluate feedback from
audit clients (previously ‘top management’), auditees, auditors, technical experts (new for 2018),
and other relevant interested parties. To this guidance, the 2018 edition adds that audit programme
management should consider whether the documentation applicable to the whole audit process is
suitable for the purpose intended.

As was the case for the 2011 edition, the 2018 edition recognises that certain factors may require
the audit programme to be modified. These may include audit findings, the demonstrated level
of the auditee’s management system’s effectiveness, changes to the auditee’s management system,
changes to standards to which the organization is committed and changes to external providers
(previously ‘suppliers’).

To this list the 2018 edition adds changes to the demonstrated maturity of the auditee’s management
system, changes to the effectiveness of the audit programme, changes to either an audit’s scope or the
audit programme’s scope, identified conflicts of interest and changes to the audit client’s requirements.

5.7 Reviewing and improving audit programme


In addition to the audit programme being reviewed by audit programme management, ISO 19011:2018
suggests that the audit client should also be involved. It also states that the outcome from this review
should be used to further improve the audit programme, as in the 2011 version.

The individual(s) managing the audit programme should still also review the continual professional
development of auditors in accordance with clause 7.6 (previously ‘7.4, 7.5 and 7.6’) of the standard.

The review itself should consider:

• results and trends identified as a result of monitoring the audit programme
• conformity with audit programme processes (previously ‘procedures’) and relevant
documented information
• the evolving needs of relevant interested parties (previously ‘interested parties’)
• audit programme records
• alternative or new auditing methods
• the effectiveness of actions taken to address risks and opportunities, and internal and external issues
(previously ‘risks’) associated with the programme, and
• confidentiality and information security issues relating to the audit programme.

Subject to the minor wording revisions outlined above, this list remains the same as for ISO 19011:2011.

The results of the audit programme review should now be reported to relevant interested parties
(previously ‘top management’).

6. Conducting an Audit
6.1 General
Regarding a specific audit, section 6 continues from the preparation activities outlined in 5.5.5 when the
audit itself becomes the responsibility of the audit team leader.

Clause 6.1 advises that Clause 6 provides guidance on preparing and conducting a specific audit
(previously ‘audit activities’) as a part of an overall audit programme. Figure 2 (Typical audit activities)
found in the 2011 edition has been deleted since the process flow of audit activities is illustrated in the
context of the plan-do-check-act cycle in Figure 1. There is reference to a new Figure 2 (overview of a
typical process of collecting and verifying information) which also appeared in 2011 as Figure 3. As in the
2011 edition, there is a reminder that the extent to which Clause 6 is applicable is dependent on the
objectives and scope of each single audit.

6.2 Initiating audit


6.2.1 General
ISO 19011:2018 maintains the recommendation that the appointed audit team leader retains
responsibility for conducting the audit until the audit has been completed.

ISO 19011:2018 again recognises that the sequence of audit activities found in Figure 1 can be varied
depending on the auditee, their processes and/or the specific circumstances of the audit.

6.2.2 Establishing contact with auditee


The word ‘initial’ has been dropped from the communication between the audit team leader and the
auditee since earlier contact with the auditee is likely to have occurred.

Arrangements with the auditee for conducting the audit remain an audit team leader responsibility.

The list of matters to be discussed during these arrangements is essentially unchanged. The audit team
leader should confirm the communication channels to be used and their authority to conduct the audit.
They should provide relevant information on the audit objectives, scope, criteria, methods and audit
team composition, including details of any technical experts.

The audit team leader should request relevant information to assist with the planning of the audit which
now includes information on the risks and opportunities the organization has identified and how these
are being addressed.

In addition, the audit team leader should determine any applicable statutory and regulatory
requirements (previously ‘legal requirements’) and other requirements relevant to the auditee’s activities,
processes, products and services. They should confirm the date(s) for the audit and the necessary
arrangements for access, health and safety, security and confidentiality at the audit location(s).

Where there is an intention to use guides or observers, this should be agreed with the auditee.
New for 2018 is the recommendation that agreement be sought in respect of any interpreters that
may be required.

The audit team leader should also determine any specific areas of interest, concern or (new for 2018)
risk to the auditee, in relation to the audit. Finally, and also new for 2018, they should resolve any issues,
including potential conflicts of interest, regarding the composition of the audit team with the auditee
and/or the audit client.

6.2.3 Determining feasibility of audit


The text of clause 6.2.3 is essentially unchanged. The feasibility of carrying out the audit should be
determined in order to provide reasonable confidence that the audit objectives can be achieved. Factors
to be taken into consideration include whether there is sufficient and appropriate information available
for planning and conducting the audit, whether there has been adequate cooperation from the auditee
and whether adequate time and resources have been allocated to conduct the audit. This includes
provisions for access to information and any information technology involved.

If it is determined that it is not feasible to conduct the programmed audit, an alternative plan should be
proposed to the audit client subject to the agreement of the auditee.

6.3 Preparing audit activities


6.3.1 Performing review of documented information
Management system standards contain requirements for organizations to maintain and retain
documented information as part of the system. This important stage should allow the audit team to
determine whether these requirements have been met or otherwise.

Note that there is no guidance on who should conduct this stage or where it should be
conducted. This review activity is sometimes referred to as part of Stage 1 of an audit. Part of the
purpose of conducting this review is to allow the audit team to become familiar with the auditee’s
management system so that subsequent audit activities can be better planned.

The documented information examined should include (but not be limited to) management system
documents and records and previous audit reports. The review should take into account the auditee’s
context (this is new) and its size, nature and complexity. It should also take into account the auditee’s
related risks and opportunities (also new), the audit scope, criteria (also new) and objectives.

A new note is added in ISO 19011:2018 to advise that guidance on how to verify information is
provided in Annex A (A.5). This replaces the guidance on how to conduct document review contained
in Annex B.5 of the 2011 version.

6.3.2 Audit planning (previously ‘preparing the audit plan’)

6.3.2.1 Risk-based approach to planning


The principal change to this sub-clause is that it is now focussed on an activity, i.e. audit planning, and
not a product, i.e. the audit plan. It also emphasises the need to adopt a risk-based approach in the audit
planning process using the information available.

Audit planning (previously ‘the audit plan’) should consider the risks (previously ‘the effect’) the audit
activities pose to the auditee’s processes and should provide the basis for agreement between the audit
client, audit team and auditee in respect of how the audit is to be conducted.

Planning (previously ‘the audit plan’) should help to ensure that audit activities are efficiently scheduled
and coordinated. This will assist in achieving the audit objectives in an effective manner.

The extent of the detail contained within an audit plan should be commensurate with the scope of the
audit and its complexity, as well as the degree of uncertainty of the audit not achieving its objectives.

When planning the audit (previously ‘when preparing the audit plan’) the audit team leader should
consider the composition and overall competence of the audit team, which sampling techniques are
appropriate, any opportunities to improve the effectiveness and efficiency of the audit activities and any
risks to the auditee arising as a result of the audit being conducted. Further useful guidance on sampling
techniques is given in Annex A (A.6).

ISO 19011:2018 notes that risks to the auditee (previously ‘organization’) may occur as a result of the
presence of the audit team. These include the team adversely influencing (previously just ‘influencing’)
the auditee’s arrangements for health, safety, environment and quality, and its products, services,
personnel or infrastructure.

For combined audits involving different management systems, specific attention should be paid to the
interactions of operational processes and any potential competing objectives and priorities.

6.3.2.2 Audit planning details


The principal change to this clause is that it is now focussed on an activity, i.e. audit planning, and not a
product, i.e. the audit plan, although the guidance is largely unchanged from the 2011 version.

This sub-clause highlights that the scale and extent of audit planning (previously ‘the audit plan’) is likely
to differ between internal and external audits and between carrying out an initial audit and carrying out
subsequent audits.

The sub-clause also notes that as an audit progresses there may be a need to deviate from the original
plan. Audit planning (previously ‘the Audit Plan’) should be flexible enough to accommodate the need to
revise planned arrangements.

Audit planning should address or reference the audit objectives, the audit scope (including the
identification of the organization, its functions and the processes to be audited) and the audit criteria
and any reference documented information (previously ‘documents’) to be used. It should also address
or reference both the physical and virtual locations where the audit will take place, along with audit
dates, timings and durations for audit activities, including meetings with the auditee’s management.

Also carried over from the 2011 edition is the need to address or reference the audit methods to be
used (which should include the extent to which sampling is required to obtain sufficient audit evidence).

Note that the planned audit methods need to take any previous input from audit programme
management (refer to 5.5.3) into account. The roles and responsibilities of audit team members,
guides, observers and (new for 2018) interpreters, and the allocation of appropriate resources
should be included. The allocation of appropriate resources should be based on consideration of
the risks and opportunities (previously based on the ‘critical areas’ to be audited) ‘related to the
activities that are to be audited’ (new).

Added to this list for 2018 is that audit planning should address the need for the audit team to become
familiar with the auditee’s facilities and processes, for example by undertaking a tour of any physical
locations or by reviewing information and communications technology. Very often the audit team leader
and relevant team members will visit the audit location for audit planning purposes (referred to as a
Stage 1 audit).

As for 2011, audit planning should take into account (as is appropriate) the identification of the auditee’s
representative(s) for the audit, the working and reporting language of the audit where this is different
from the language of the auditor or auditee or both, the audit report topics, and any specific logistical
and communications arrangements related to the audit location(s).

Audit planning should also take into account any specific actions necessary to address risks to
(previously ‘the effect of uncertainty on’) achieving the audit objectives, matters relating to confidentiality
and information security, follow up actions from previous audits ‘or other sources e.g. lessons learned,
project reviews’ (new for 2018) and follow up activities to the planned audit and any necessary
coordination with other audit activities, for example in the case of a joint audit.

The result of audit planning should be the production of an audit plan which should be made available
to the auditee. Any issues with the audit plan should be resolved, involving the audit programme
management if necessary (new for 2018).

6.3.3 Assigning work to audit team


The text of this sub-clause is similar to that contained within the 2011 edition except that the audit
team leader, as well as assigning responsibility for auditing specific processes, activities, functions or
locations to their audit team members, should also, as appropriate, assign responsibility for decision
making. This assignment should take place following consultation with the team.

When deciding to whom to assign specific work, the 2018 edition identifies the need for the audit
team leader to take into account the ‘impartiality, objectivity and competence’ of auditors (previously
‘independence and competence’). The audit team leader should also seek to make the best use of their
available resources regarding the roles of auditors, auditors in training and any technical experts.

Audit team meetings (previously ‘briefings’) should be held by the audit team leader in order to allocate
work and to determine whether any changes in responsibilities or existing work allocations are required.
Ideally, the audit team should meet prior to the audit to ensure that team members are comfortable
with their allocated tasks. As in the 2011 edition, changes to responsibilities and work allocations may be
made during the audit to facilitate achievement of the audit objectives.

6.3.4 Preparing documented information for audit


This clause has been updated in ISO 19011:2018 to cover the preparation of documented information
for the audit (previously ‘work documents’).

Relevant information, including that provided by the auditee, should be acquired and reviewed by audit
team members prior to conducting the audit. This should be used to prepare work documents to be
used for the audit such as physical or digital checklists (previously ‘checklists’), audit sampling details and
audio-visual information (previously ‘forms’). Further guidance on preparing audit work documents is
given in Annex A (A.13).

The ISO 19011:2011 text highlighting that checklists should not restrict the extent of audit activities is
carried over into the 2018 edition, as is the reminder that documented information prepared for and
resulting from the audit (previously ‘work documents, including records resulting from their use’) should
be retained until the time that the audit is completed or for the duration specified in the audit programme
(previously ‘audit plan’). The 2011 edition recommendation that audit team members safeguard
documented information (previously ‘documents’) containing confidential or proprietary information is
retained in ISO 19011:2018.

6.4 Conducting audit activities


6.4.1 General
This sub-clause reiterates that whilst audit activities are typically carried out in the sequence indicated
in figure 1 (figure 2 in the 2011 edition) the sequence may be varied to suit the circumstances of
a single audit.

6.4.2 Assigning roles and responsibilities of guides and observers


In the 2018 edition, this sub-clause appears earlier than in the 2011 edition. In the 2011 edition the
assigning of roles and responsibilities of guides and observers occurs three sub-clauses later (after
conducting the opening meeting, performing document review while conducting the audit and
communicating during the audit).

Guides and observers may accompany the audit team. New for the 2018 edition is that this should be
with approvals from the audit team leader, audit client and/or auditee if required, bearing in mind that
this should be raised at the initial contact (refer to 6.2.2).

Guides and observers should not influence the conduct of the audit. If this cannot be guaranteed the
audit team leader should be allowed to exclude them from certain audit activities.

If observers are to be present, any arrangements in relation to access (new for 2018), health and safety,
environmental (also new for 2018), security and confidentiality should be managed between the audit
client and the auditee.

Guides, appointed by the auditee, should assist the audit team under the direction of the audit team
leader or (new for 2018) the auditor to whom they have been assigned. The guide’s duties have not
changed and will typically include: identifying individual(s) for interview, confirming timings and locations,
arranging access to specific locations, communicating location specific rules to the audit team and
addressing any associated risks, witnessing the audit on behalf of the auditee and providing clarification/
collecting information as needed without interfering with or influencing the audit.

6.4.3 Conducting opening meeting


The substantive content of this subsection remains essentially the same as before. The purpose of
the opening meeting is to confirm all participants (previously ‘parties’) agree with the audit plan, to
introduce the audit team and their roles (previously ‘introduce the team’) and to ensure all of the
planned audit activity can be performed.

Both the auditee’s management and any individuals whose functions and/or processes are to be audited
should be present at the opening meeting, if appropriate, and they should be given an opportunity to
ask questions.

The context of the opening meeting should be commensurate with its setting. It may be a formal affair,
chaired by the audit team leader, with a set agenda and records of attendance being retained or it may
simply consist of the audit team leader providing confirmation to management that an audit is being
conducted and explaining the nature of the audit e.g. for an internal audit.

Any other participants including observers, guides and (new for 2018) interpreters, should be
introduced and their roles should be explained.

The audit methods that will be employed in order to manage any risks to the auditee’s organization
arising from undertaking the audit should also be identified.

The opening meeting should also be used to confirm, as appropriate, the audit objectives, scope and
criteria, the audit plan and other relevant arrangements with the auditee (such as the date and time of
the closing meeting and any interim meetings), as well as the formal communication channels that will
be utilised between the audit team and the auditee. Any change needed to the planned arrangements
should be raised by the team leader.

The language to be used during the audit may need to be confirmed at the opening meeting, so too the
availability of resources and facilities needed by the audit team and any matters relating to confidentiality
and information security.

Necessary confirmations should also be sought in respect of relevant access, health and safety, security
and other arrangements for the team and for activities on site which could impact the conduct of the
audit. The audit team leader should additionally agree the arrangements to ensure that the auditee will
be kept advised of the audit’s progress.

During the opening meeting, the auditee should be advised as to how the audit findings will be reported
and graded (if applicable), under what circumstances the audit may be terminated, and how they should
deal with any possible findings arising from the conducting of the audit. The auditee should also be made
aware of any arrangements for providing feedback on the audit findings or conclusions, including how to
register complaints or appeals.

6.4.4 Communicating during audit


This sub-clause recognises that whilst conducting an audit, formal arrangements for communication
between audit team members, the auditee, the audit client and/or external interested parties (previously
‘external bodies’) may need to be introduced, especially in instances where regulatory and statutory
requirements (previously ‘legal requirements’) mandate the reporting of non-conformities (previously
‘non-compliance’).

In any event, the audit team leader should periodically coordinate team meetings in order to share
information, assess progress and reassign work as may be required.

During the conducting of the audit, the audit team leader should communicate the progress of the audit,
any significant findings (added for 2018) and any concerns to both the auditee and the audit client. If the
evidence collected suggests an immediate and significant risk, it should be reported without delay to the
auditee and, as appropriate, the audit client. Agreement should then be reached between the parties as
to what action it would be appropriate to take.

Any concerns identified which fall outside of the scope of the audit should be noted and reported to
the audit team leader, for possible communication to the audit client and auditee.

Also, if the audit evidence indicates that the audit objectives cannot be realised, this should be
communicated by the audit team leader to the audit client and auditee in order that they can determine
necessary action. Examples of such action are revisions to audit planning, the audit objectives and/or
audit scope and the termination of the audit.

Any necessary changes to the audit’s planning which become apparent during the conducting of the
audit should be reviewed and accepted (previously ‘approved’) by both the individual(s) managing the
audit programme and the audit client (previously ‘the auditee’) and then communicated to the auditee.

6.4.5 Information availability and access


This sub-clause advises that the audit methods chosen for an audit depend on the defined audit
objectives, scope and criteria, as well as the audit’s duration and location. The Standard confirms that
‘location’ is where the information needed for a specific audit activity is made available to the audit team.
This could be a physical or a virtual location (e.g. the Cloud).

ISO 19011:2018 highlights that where, when and how to access information is critical to conducting an
audit. These are independent of where the information is created, used or stored.

Audit methods which take into consideration the availability of and access to information need to be
determined, and several different methods may need to be employed. Also, it may be necessary to
modify the originally identified methods as a result of changing audit circumstances.

Note that audit programme management has responsibility for selecting and determining the
audit methods so should be consulted prior to any significant changes.

6.4.6 Reviewing documented information while conducting audit


The title of sub-clause 6.4.3 has been changed from ‘Performing document review whilst conducting the
audit’. Essentially the text is unchanged, however references to documentation in the 2011 edition are
replaced by references to documented information in the 2018 edition. Such information is likely to play
a key role in the conduct of audit activities.

This sub-clause confirms that the auditee’s relevant documented information should be reviewed
during the audit, in order to determine conformity of the auditee’s management system (in so far as the
documentation permits) with the audit criteria, and to amass information to support audit activities.
Annex A (A.5) provides further guidance on the verification of information which may be used as
objective evidence in an audit.

The review of documented information can take place alongside other audit activities and can extend
for the full duration of the audit providing it does not have a detrimental impact on the effective
conducting of the audit e.g. by taking up time which delays the audit progress.

If it proves impossible to acquire adequate documented information within the timeframe set out in the
audit plan, the audit team leader should advise both the individual(s) managing the audit programme
and the auditee. A decision should then be taken as to whether to continue with or to suspend the
audit until such time that the documented information issue is addressed.

6.4.7 Collecting and verifying information


ISO 19011:2018 introduces some important changes to the text contained in the 2011 edition.

Information still needs to be gathered during the audit process which is relevant to the audit objectives,
scope and criteria. This includes information relating to interfaces between functions, activities and
processes. The information should be collected by sampling. Further guidance on sampling techniques is
given in Annex A (A.6).

The 2011 edition called for this information to be verified and stated only information that has been
verified can form audit evidence.

The 2018 edition however has softened this position and calls for verification as ‘far as is practical’. It
advises that only information that can be ‘subject to some degree of verification’ should be accepted
as audit evidence, and in instances where the degree of verifiability is low auditors should use their
professional judgement to determine the degree of reliance that can be placed upon it.

Both the 2011 and 2018 editions call for audit evidence to be recorded. If the audit team becomes
aware of any changed circumstance, risks or opportunities (previously ‘circumstances or risks’) whilst
collecting objective evidence (previously ‘evidence’) they should take these circumstances into account.

The 2011 figure 3 – ‘overview of the process of collecting and verifying data’ becomes figure 2 –
‘overview of a typical process of collecting and verifying information’, however the stages remain the
same. Sampling is used to draw information from its source. This information is subject to verification
after which it becomes audit evidence. The audit evidence is evaluated against the audit criteria, which
generates audit findings in the event of any issues or concerns. The findings are reviewed, and audit
conclusions are drawn.

The 2011 methods for collecting information (interviews, observations, review of documentation) are
carried across to ISO 19011:2018 (with documentation becoming documented information). Further
guidance on techniques associated with obtaining information is given in Annex A (A.14, A.15 and A.17).

6.4.8 Generating audit findings


Generating audit findings is perhaps one of the most crucial activities carried out by an auditor and will
have a bearing on meeting audit objectives. Many of the previous activities of the auditor up to this point
in the audit process will contribute directly to the effectiveness of the auditor’s evaluation.

Both the 2011 and 2018 editions reiterate that audit evidence should be evaluated against the audit
criteria in order to determine audit findings.

Note that, according to the definition, audit findings can include either conformity or non-
conformity with the audit criteria.

If the audit plan requires it, single audit findings should include recognition of conformity and
good practice (along with their supporting evidence), opportunities for improvement and any
recommendations to the auditee on the implications of the findings. Annex A (A.18) notes that, if
agreed by the audit client, the auditor may guide the auditee on the response to the findings. This is
more common in second party audit situations during client audits on suppliers.

Nonconformities and their supporting evidence should always be recorded. These ‘can be graded’ if
desired, to which the 2018 edition adds ‘depending on the context of the organization and its risks’. The
2018 edition also states that this grading can be either quantitative (the nonconformity is a level 1, 2, 3
etc.) or qualitative (the nonconformity is major, minor etc.). There is no universally agreed method for
grading of nonconformities although audit clients and auditing organizations often develop their own
standard practices.

Nonconformities should be reviewed with the auditee in order to confirm that the audit evidence is
accurate and to ensure that the auditee understands the nonconformity. If there is disagreement about
the audit evidence or the audit findings, every effort should be made to resolve this. If resolution is
impossible, the unresolved issue should be recorded for reporting to the audit programme management
and, if appropriate, to the audit client.

Note 1 to the sub-clause points to additional guidance contained in Annex A (A.18) in respect of
the identification and evaluation of audit findings. This note is identical to the 2011 edition. A new
note 2 has been added to the 2018 edition however. This is a reminder that when conformance
or non-conformance to statutory or regulatory requirements occurs, this is sometimes referred
to as compliance and non-compliance. These terms have often been used interchangeably without
taking cognisance of this distinction.

6.4.9 Determining audit conclusions

6.4.9.1 Preparation for closing meeting


Formerly the first paragraph of ISO 19011:2011’s sub-clause 6.4.8 ‘Preparing audit conclusions’. The text
appearing in the 2011 edition and 2018 edition is identical. The new title implies that the team meeting
to prepare audit conclusions is an activity that should just precede the closing meeting, as has long been
standard practice.

The purpose of this meeting is to review the audit findings, (as well as any other information collected
during the conducting of the audit), against the audit objectives.

The audit team should then agree audit conclusions, taking into account the uncertainty inherent in the
audit process. Recommendations, e.g. a decision on awarding certification, should also be prepared if a
requirement for such is specified in the audit plan.

Note that the audit team leader should make the final decision on the audit conclusions to be
presented to the auditee as the individual responsible to audit programme management.

Additionally, the audit team should discuss any required audit follow-up to be advised to the auditee and
recommended to audit programme management.

6.4.9.2 Content of audit conclusions


Formerly the second paragraph of ISO 19011:2011’s sub-clause 6.4.8 ‘Preparing audit conclusions’.

There are significant differences between the text appearing in the 2011 edition and that which appears
in the 2018 edition.

ISO 19011:2018 notes that the audit team’s conclusions may contain content relating to the extent of
conformity with the audit criteria and the robustness of the management system, including how effective
it is in meeting its intended outcomes (previously ‘stated objectives’) and (new for 2018) the audit
team’s evaluation of the risk-based approach taken by the auditee’s management system.

The team’s conclusions may also contain content relating to the effectiveness of the implementation,
maintenance and improvement of the management system, references to the achievement of the audit’s
objectives, coverage of the audit scope and/or the extent to which the audit criteria have been fulfilled.
The conclusions may also include details of similar findings made in different areas during the audit or
that were audited at an earlier time in order to identify trends.

The 2011 references to audit conclusions addressing the root causes of findings and the capability
of the management review process to ensure the continuing suitability, adequacy, effectiveness and
improvement of the system have been deleted. This recognises that determination of root cause is the
responsibility of the auditee as a component of any corrective action taken.

6.4.10 Conducting closing meeting


There have been some important changes to the text of the 2011 edition.

The purpose of the closing meeting is unchanged in the 2018 edition. It is still convened in order to
present the audit findings and conclusions. In the 2011 edition the closing meeting is ‘facilitated’ by the
audit team leader however in the 2018 edition the audit team leader now ‘chairs’ the meeting. Where
ISO 19011:2011 called for the participation of those responsible for the functions or processes which
were audited ‘where appropriate’ the 2018 edition drops the ‘where appropriate’, implying that the
management of the auditee should be present at the closing meeting. ISO 19011:2018 suggests the
closing meeting includes these individuals, as well as the audit client, other members of the audit team
and relevant interested parties, as identified by the audit client and/or auditee (previously just the ‘audit
client and other parties’).

The audit team leader should still advise the auditee of any situations encountered during the
conducting of the audit which may affect the confidence that can be placed in the audit’s conclusions.
Also, participants at the meeting are still expected to agree on the timings for an action plan to address
the audit’s findings, if this is defined in the management system or has been agreed with the audit client.

The 2011 edition identified that the degree of detail provided at the closing meeting should be
dependent on how familiar the auditee is with the audit process. This is carried forward into the 2018
edition which additionally identifies that the degree of detail provided should also take into account the
effectiveness of the management system in achieving the auditee’s objectives, including consideration of
its context, risks and opportunities.

Both the 2011 and 2018 editions recognise that for some audit situations the closing meeting will be
a formal affair, with the need to keep minutes and records of attendance. For other audit situations
(typically internal audits) formal minutes of the closing meeting may not be necessary; in such instances
it may be sufficient to simply communicate the audit’s findings and conclusions.

During the closing meeting the auditee should be advised that the audit evidence was based on a
sample and (new for 2018) that this sample may not be fully representative of the overall effectiveness
of the auditee’s processes. The auditee should also be made aware of how the audit will be
reported, how the audit findings should be addressed based on the agreed process, and the possible
consequences to the auditee if they fail to address the findings.

The audit findings and conclusions should still be presented in a manner which ensures that they
are understood and acknowledged by the auditee’s management. The closing meeting should also
reference any post audit activities that may be considered, including the implementation and (new
for 2018) ‘review’ of corrective actions, the addressing of audit complaints and the operation of the
appeals process.

As for the 2011 edition, if the audit team and the auditee have divergent opinions on the audit findings
or conclusions, these should be discussed and ideally resolved.

Note that it is not necessary for the audit team leader to wait until the closing meeting before
communicating significant audit findings and concerns to the auditee (refer to 6.4.4). The closing
meeting is essentially a presentation meeting and the audit team leader should try to pre-empt
any contention at the meeting through this earlier communication. If resolution is not possible
then this should be recorded for reporting to audit programme management and, if required,
the audit client.

Opportunities for improvement may also be presented at the closing meeting, if specified in the audit
objectives. If opportunities for improvement are presented it should be emphasised that these are not
binding on the auditee and will not affect the determination of the audit objectives. In this respect there
is no difference between the 2018 edition and the 2011 edition.

6.5 Preparing and distributing audit report
6.5.1 Preparing the audit report
This report is sometimes known as the “audit summary report” and may be different from a separate
findings report issued by audit team members. In any event, the audit report should cover the full extent
of the audit process undertaken by the audit team.

As is the case for the 2011 edition, ISO 19011:2018 identifies that it is the audit team leader’s
responsibility to report the results of the audit in accordance with the audit programme.

Audit reports should still provide a complete, accurate, concise and clear record of the audit. They
should still include or refer to the audit objectives, the audit scope and in particular the identification
of the organization (i.e. the auditee) and any functions or processes that were audited, including all the
audit participants. Additionally, they should record the dates and locations of the audit, the audit criteria
which were applied and the audit findings and their related evidence. A statement should also be
included which identifies the degree to which the audit criteria have been fulfilled.

Other contents for the audit report, shared with the 2011 edition, are references to or the inclusion
of the audit plan including the time schedule, a summary of the audit process and any obstacles
encountered during the audit that may impact the audit conclusions, confirmation of the achievement
of the audit objectives (within scope and in accordance with the audit programme), a summary
of the audit conclusions and the main findings that support them, and recognition of any good
practice identified.

As for ISO 19011:2011, any agreed follow up should also be included or referenced in the audit
report as should a statement regarding the report’s confidentiality and any implications for the audit
programme or subsequent audits arising from conducting of the audit.

Newly added for the 2018 edition is the recommended inclusion of wording to reflect that audits
are a sampling exercise and consequently there is a risk that the evidence examined may not be
representative. The 2018 version also includes the addition of comment on any part of the audit
scope which may not have been covered, possibly due to lack of access to evidence, resources or
confidentiality restrictions.

Dropped for the 2018 edition is the suggested inclusion of a distribution list for the audit report
(although the report still needs to be distributed as per 6.5.2) as well as the note to the sub-clause
which identifies that the audit report can be developed before the closing meeting.

6.5.2 Distributing audit report


Audit reports should still be issued within an agreed period of time. If this is not possible the
individual(s) managing the audit programme should advise the auditee as to the reason for the delay.

As in ISO 19011:2011, the audit report should be dated and reviewed but whereas 2011 calls for it
to be ‘approved in accordance with audit programme procedures’, 2018 calls for it to be ‘accepted, as
appropriate, in accordance with the audit programme’.

ISO 19011:2018 advises that the audit report should be distributed to relevant interested parties (previously
‘recipients’) as defined in the audit programme or audit plan (previously ‘audit procedures or audit plan’).

6.6 Completing audit


An audit is deemed to be complete when all the planned audit activities have been carried out (or as
otherwise agreed with the auditee). This means that the work of the audit team concludes with the
issue of the audit report unless there are particular circumstances agreed with the audit client.

Any documented information (previously ‘documents’) connected with the audit should be retained or
disposed of (previously ‘destroyed’) by agreement between the participating parties, and in accordance
with the audit programme (previously ‘audit programme procedures’) and any applicable requirements.

Neither the individual(s) managing the audit programme nor members of the audit team should
disclose information (previously ‘the contents of documents and other information’) obtained during the
audit to any third party unless explicit permission to do so is obtained from the audit client, or unless
there is a requirement to disclose the information by law. ‘Information’ includes the audit report. Where
the contents of an audit document are to be disclosed for whatever reason, the audit client should be
informed as soon as is practically possible.

ISO 19011:2018 treats lessons learned from audits differently to the 2011 edition. Under 2011, lessons
learned from conducting the audit should be ‘entered into the continual improvement process of the auditee’s
management system’. In 2018, there is just an acknowledgement that both the auditee and audit programme
management should identify how the audit can contribute to risks and opportunities for both parties.

6.7 Conducting audit follow-up


On completion of the audit, audit programme management takes over responsibility for the outcome of
an audit (previously ‘the conclusion of the audit’) which may indicate a need for corrections, corrective
action or opportunities for improvement.

Note the 2011 reference to preventive action has been dropped in the 2018 edition.

Correction, corrective actions and opportunities for improvement are normally decided and undertaken
by the auditee within an agreed timeframe. The status of the actions should be advised by the auditee to
the individual(s) managing the audit programme, as appropriate.

The completion and effectiveness of these actions should be verified. This is known as audit follow-up and
may involve another audit process being undertaken or the verification activity added to a subsequent audit.

Note that any decision on audit follow-up should be taken by programme management,
albeit taking into consideration any references to post-audit activities made at the closing meeting
(refer to 6.4.10).

7. Competence and Evaluation Of Auditors
7.1 General
The recognition continues that confidence in the audit programme depends to a significant degree
on the competence of those individuals involved in the audit process. The 2011 edition called for
this competence to be evaluated, (note the 2018 edition calls for regular evaluation) by means of
examining an auditor’s behaviours and their knowledge and skills gained through audit experience, work
experience, training and education.

The sub-clause recognises that some of the knowledge and skills an auditor should possess are generic
whilst others are discipline or sector specific. There is a reminder that not all auditors in an audit team
need to have the same levels of knowledge or skills as long as collectively the necessary competence to
achieve the audit’s objectives exists within the team as a whole.

It is suggested that the evaluation of auditor competence is planned, implemented and documented
in order to generate an outcome which is objective, consistent, fair and reliable. Four key steps are
identified: determine the required competence necessary to complete the audit programme, establish
the evaluation criteria based on the programme needs, select the evaluation method(s) and carry out
the evaluation.

The outcome of the evaluation process will provide a basis for audit team member selection and will
also identify any competence gaps (competence required vs competence possessed) that need to be
addressed. The outcome will also assist with the ongoing evaluation of auditors.

The importance of individual auditors undertaking continual professional development to develop,
maintain and improve their competence is emphasised, as well as the need to conduct audits on an
ongoing basis.

To underline the importance of this competence issue, there is a reference to a process for evaluating
auditors and audit team leaders in sub-clauses 7.3, 7.4 and 7.5. There is also recognition that auditors
and audit team leaders should be evaluated against the criteria set out in sub-clauses 7.1, 7.2.2 and
7.2.3. The competence required of the individual(s) managing the audit programme is referenced in
sub-clause 5.4.2.

7.2 Determining auditor competence


7.2.1 General
This sub-clause was previously titled ‘Determining auditor competence to fulfil the needs of the
audit programme’.

ISO 19011:2011 suggested that in deciding the appropriate knowledge and skills required of an auditor
in order to complete an audit, several considerations are necessary. These include the size, nature and
complexity of the organization to be audited, the management system disciplines to be audited and the
objectives and extent of the audit programme. The 2018 edition replaces ‘knowledge and skills’ with
‘competence’, and adds the products, services and processes of auditees to the main considerations.

Other considerations for determining auditor competence in the 2011 edition include: any other
requirements such as those imposed by external bodies (in ISO 19011:2018 this becomes ‘imposed by
the audit client or other interested parties’), the role of the audit process in the management system of
the auditee (this has been deleted from the 2018 edition), the complexity of the management system
being audited (‘complexity and processes’ in the 2018 edition) and the uncertainty in achieving audit
objectives (no change).

Newly added for 2018 is another consideration relating to the competence of an auditor as regards the
risk-based approach found in the management system. This implies that the auditor may require a more
thorough knowledge of the auditee’s business sector than was previously necessary.

7.2.2 Personal behaviour


In line with the principles of auditing in Clause 4, the auditor needs to demonstrate certain attributes
which are essentially unchanged from the 2011 version.

Note - The 2018 edition replaces ‘qualities’ with ‘attributes’.

Also, the 2018 revision refers to ‘desired professional behaviours’ (previously ‘professional behaviours’).
This implies that not all attributes may be demonstrated fully by all auditors.

Otherwise, the list of behaviours remains the same. Auditors are expected to be ethical, open-minded,
diplomatic, observant, perceptive, versatile, tenacious, decisive, self-reliant, able to act with fortitude,
open to improvement, culturally sensitive and collaborative.

7.2.3 Knowledge and skills

7.2.3.1 General
As in the 2011 version, all auditors should possess the necessary knowledge and skills to enable them to
achieve the intended results of the audits they are required to perform. This comprises both generic
competence and a level of (previously ‘some’) discipline and sector-specific knowledge and skills.

Audit team leaders should additionally possess the necessary knowledge and skills to enable them to
provide leadership to an audit team.

7.2.3.2 Generic knowledge and skills of management system auditors


Auditors should possess generic knowledge and skills in the areas of audit principles, processes and
methods, management system standards and other references, the organization and its context, and
applicable statutory and regulatory requirements. These are similar to the four headline areas contained
in the 2011 edition. The first of these areas is audit principles, processes and methods. Both the 2018
and 2011 editions agree that knowledge and skills in this area should enable audits to be conducted in a
consistent and systematic manner.

The list of what an auditor should be able to do in respect of audit principles, processes and methods
has been supplemented in the 2018 revision by the ability to understand the risks and opportunities
involved in auditing and the principles of the risk-based approach, and by the ability to audit a
complete process, taking into account its interactions with other processes and functions. This is often
referred to as ‘process auditing’.

The following are retained in the 2018 edition: to plan and organize work effectively, to perform the
audit within the agreed time schedule and to prioritise matters of significance. Also retained are: to
communicate effectively both orally and in writing, to collect information through interviews, listening,
observing and reviewing documented information (previously ‘documents’), to understand and consider
the views of technical experts, to verify the relevance and accuracy of information that has been
collected and to confirm whether the information collected is sufficient and appropriate enough to
support the audit findings and audit conclusions.

The final three entries carried over from the 2011 edition are; to assess factors which may affect the
reliability of the audit findings and conclusions, to document audit activities and findings and prepare
reports, and to maintain the confidentiality and security of audit information.

The 2011 edition entries ‘use work documents to record audit activities’ and ‘apply audit principles and
methods’ have been deleted from the ISO 19011:2018 list.

The second of the four areas relates to management system standards and other references (previously
‘management system and reference documents’). Both the 2011 and 2018 editions highlight that
knowledge and skills in this area enable the auditor to understand an audit’s scope and apply
audit criteria.

The necessary knowledge and skills should relate to management system standards or other normative
or guidance or supporting documents which are used to establish audit criteria or audit methods
(previously ‘management system standards or other documents used as audit criteria’). The auditor
should also have the knowledge and skills to understand how the auditee has applied the management
system standard(s) to their organization. They should understand the relationships and interactions
between processes (previously ‘components’) of the management system, and the importance
and respective priority of multiple standards or references (previously ‘the hierarchy of reference
documents’). They should also understand the application of standards or reference documents
(previously just ‘reference documents’) to different audit situations.

The third of the four areas relates to the organization and its context (previously ‘organizational context’).
Both the 2011 edition and the 2018 edition advise that knowledge and skills in this area enable the
auditor to understand the auditee’s structure, purpose and management practices. The knowledge and
skills that should be possessed include an understanding of the needs and expectations of relevant
interested parties that impact the management system (this is new for 2018).

Note that these particular auditor skills should be enhanced by the preparation activities
described in sub-clause 5.5.2. They should also cover organizational types, governance, size, structure,
functions and relationships and general business and management concepts, processes and
related terminology (including planning, budgeting and people management). Finally, the need for
knowledge and skills relating to the cultural and social aspects of the auditee is carried across
from ISO 19011:2011 to the 2018 edition.

The fourth of the four areas of generic knowledge and skills relates to the auditor’s ability to work
within the auditee’s applicable legal and statutory framework including other requirements which
may be imposed. Auditors should sufficiently understand the statutory and regulatory requirements
(previously ‘laws and regulations’) and their governing agencies, basic legal terminology and contracting
and liability law, in relation to the auditee’s activities, processes (new for 2018), products and services
(also new for 2018).

A new note has been added for 2018 which advises that awareness of statutory and regulatory
requirements does not imply legal expertise. As a result, a management system audit should not be
treated as a legal compliance audit by any of the audit participants. Such an audit requires a different
level of legal knowledge and expertise than that expected of a management systems auditor.

7.2.3.3 Discipline and sector-specific competence of auditors


One of the significant changes to the text of the 2011 edition is that audit teams should
collectively have the discipline and sector-specific competence to audit the particular types of
management systems and sectors which appear in the audit programme. In the 2011 edition, it was
individual auditors that needed to have such knowledge and skills. This appears to slightly relax the
sector-specific level of competence required of individual audit team members. The statement that not
all team members need to have the same competence has been removed, along with the other
competences detailed below.

The 2018 edition advises that the discipline and sector-specific competence auditors should possess
includes: knowledge of management system requirements and principles and how they are applied,
the fundamentals of the discipline(s) and sector(s) which relate to the management system standards
as applied by the auditee, and competence in the application of discipline and sector specific methods,
techniques, processes and practices which permit the team to assess conformity within the defined
audit scope and to generate appropriate audit findings and conclusions.

Additionally, auditors should possess competence in principles, methods and techniques which are
relevant to the discipline and sector, such that the auditor is able to evaluate risks and opportunities
associated with the audit objectives (previously knowledge of risk management principles, methods and
techniques relevant to the sector such that the auditor can evaluate and control risks associated with
the programme).

The 2011 edition recommendations that the discipline specific knowledge and skills should include
‘legal requirements relevant to the discipline or sector’ and ‘the requirements of interested parties
relevant to the sector’ have been removed, as has ‘sufficient knowledge of the particular sector, the
nature of operations or the workplace being audited to enable the auditor to carry out the audit and to
reach conclusions’.

Also removed for 2018 are the discipline-specific knowledge and skills relating to risk management
principles and methods relevant to the discipline and sector, and the text recommending knowledge and
skills in ‘the application of business and technical discipline specific methods, techniques, processes
and practices’.

7.2.3.4 Generic competence of audit team leader


The description of the generic competence applicable to audit team leaders primarily addresses the
leadership skills needed to manage the audit team and achieve the audit objectives.

The 2018 edition advises that audit team leaders should possess the necessary competence
(previously ‘additional knowledge and skills’) to facilitate (previously ‘manage’) the efficient and effective
conducting of the audit.

This should include the competence required to plan and assign audit tasks to audit team members
based on each team member’s specific competence (previously – ‘competence to balance the strengths
and weaknesses of individual(s) team members’). The audit team leader’s competence should include
an ability to discuss strategic matters with the auditee’s top management in order to determine whether
these matters were considered during the evaluation of the organization’s risks and opportunities
(this is new for 2018). The 2011 edition competence, ‘developing a harmonious working relationship
amongst audit team members’ becomes ‘develop and maintain a collaborative working relationship’ in
the 2018 edition.

The audit team leader should still possess the necessary competence to manage the conducting of
audits. This includes the competence to ensure that their available audit resources are effectively used,
that any uncertainty in respect of achieving the audit objectives is managed, that the health, safety and
security of their team is preserved, that audit team members are appropriately directed in their duties
and that auditors in training receive the direction and guidance that they require. The 2011 edition
text calling for competence to prevent and resolve conflicts is expanded in the 2018 edition to include
problems during the audit, including those within the audit team.

As was the case in the 2011 edition, ISO 19011:2018 also calls for audit team leader competence in
representing the audit team in communications with the individual(s) managing the audit programme,
the audit client and the auditee, in leading the audit team to reach conclusions, and in preparing and
completing the audit report.

7.2.3.5 Knowledge and skills for auditing multiple disciplines


The 2011 edition identified that audit team leaders should understand the requirements of each
management system standard and should recognise the limits of their knowledge and skills in each of
the disciplines. In the 2018 edition, ‘knowledge and skills’ is replaced by ‘competence’. Competence is
not simply possessing the necessary knowledge and skills, it is also the ability to apply these to achieve
intended results.

ISO 19011:2011 highlighted that individual auditors in an audit team conducting multi-disciplinary
audits should have the necessary competence to audit at least one of the management systems. This
text has been removed from the 2018 edition. The 2018 edition does however retain the 2011 text
advising that individual auditors on the audit team should understand how the different management
systems interact and the synergies that should be present.

There is a new note which points out that multiple discipline audits can take place both in joint audits
and where an integrated management system involves two or more disciplines.

7.2.4 Achieving auditor competence


As with the 2011 version, the 2018 edition recognises that auditor competence (previously
knowledge and skills) can be acquired through a combination of factors. These include successfully
completing (previously no reference to ‘successful’ completion) training programmes which cover
generic knowledge and skills, and audit experience acquired working under the direction of an auditor
competent (previously ‘experienced’) in the same discipline.

Other identified methods for achieving competence include work experience in a relevant technical,
managerial or professional position where the exercising of judgement, problem solving, decision making
and effective communication with relevant interested parties were important, as well as education/training
and experience in a specific management system discipline and sector that contributes to the development
of overall competence (previously ‘experience in the sector that the auditor intends to audit in’).

Note that these are the same factors which are applied in the auditor certification schemes
operated by the CQI and IRCA.

7.2.5 Achieving audit team leader competence


This clause has been retitled from the 2011 edition corresponding sub-clause, 7.2.5 – ‘Audit team
leaders’. The 2011 edition recognised that audit team leaders could develop the necessary knowledge
and skills to lead an audit team as a result of additional audit experience, working under the direction
and guidance of another audit team leader. The 2018 edition takes this further by replacing ‘necessary
knowledge and skills’ with ‘necessary competence’.

Note that the CQI and IRCA auditor certification schemes require evidence of this direction and
guidance for certification as Lead Auditor.

7.3 Establishing auditor evaluation criteria


INTERPRETATION:
As in the 2011 version, both qualitative and quantitative auditor evaluation criteria should be developed.
Examples of qualitative criteria include demonstrating the desired professional behaviours, possession
of knowledge or performance of audit skills, either in training or ‘on the job’. Examples of quantitative
criteria include years of work experience, number of audits conducted and hours of audit training.

7.4 Selecting appropriate auditor evaluation method


The same table (Table 2) of auditor evaluation methods (‘possible evaluation methods’ in 2011)
as found in the 2011 version is used though there are subtle changes to the text appearing in the
objectives and examples columns.

Auditors should be evaluated using two or more methods. The Standard notes that not all the methods
may be applicable and that the different methods differ in their reliability. As a result, a combination of
methods is recommended.

Auditor evaluation methods include, review of records, obtaining feedback, conducting interviews,
observation, testing and the conducting of post-audit reviews.

7.5 Conducting auditor evaluation


In ISO 19011:2018, ‘person’ has been replaced by ‘auditor under evaluation’; otherwise the
guidance is the same.

Information collected about the auditor under evaluation (previously ‘person’) should be compared to the
criteria established in clause 7.2.3 – knowledge and skills. If an auditor under evaluation does not meet the
defined criteria they should undertake additional training, work experience and/or audit experience to
address their competence gap. Once they have completed this their competence should be re-assessed.

7.6 Maintaining and improving auditor competence


As was the case for ISO 19011:2011, both audit team leaders and auditors are expected to maintain
and continually improve their competence through regularly participating in management systems audits
and through continuous professional development.

This can involve a variety of means including, but not limited to, additional work experience, self-study,
training, attendance at meetings, conferences and seminars.

The individual(s) managing the audit programme should establish suitable methods for continually
evaluating the performance of audit team leaders and auditors.

Continual professional development activities should take into account changes in the needs of the
individual(s) and the organization responsible for conducting the audit. They should also take into
account developments in the practice of auditing including the use of ICT and other new technologies
(new for 2018), relevant standards (including guidance/supporting documents) and other requirements,
and changes in the sector and/or discipline (new for 2018).

Now Deleted – ISO 19011:2011 - Annex A (Informative) – Guidance And Illustrative Examples Of Discipline-Specific Knowledge And Skills Of Auditors
A.1 General
A.2 Illustrative example of discipline-specific knowledge and skills of auditors in transportation safety management
A.3 Illustrative example of discipline-specific knowledge and skills of auditors in environmental management
A.4 Illustrative example of discipline-specific knowledge and skills of auditors in quality management
A.5 Illustrative example of discipline-specific knowledge and skills of auditors in records management
A.6 Illustrative example of discipline-specific knowledge and skills of auditors in resilience, security, preparedness and continuity management
A.7 Illustrative example of discipline-specific knowledge and skills of auditors in information security management
A.8 Illustrative example of discipline-specific knowledge and skills of auditors in occupational health and safety management
A.8.1 General knowledge and skills
A.8.2 Knowledge and skills related to the sector being audited

This annex has been deleted in its entirety from the 2018 edition of ISO 19011.

Although there was a general acceptance that the contents of this annex added value, the committee
working on the new standard (ISO/PC302) also accepted that, from a practical perspective, there were
significant challenges in keeping Annex A up to date on an ongoing basis. These relate to the
ever-increasing number of published management system standards and the fact that there is no
planned role for the ISO/PC302 committee after the publication of ISO 19011:2018. Consequently, the
decision was taken to remove the annex altogether rather than allow its contents to drift out of date
over time.

This means ISO 19011:2011 annex B now becomes ISO 19011:2018’s Annex A.

Annex A (Informative) – Additional Guidance For Auditors Planning And Conducting Audits
The purpose of Annex A is to provide further detailed guidance to auditors on how they might
approach the planning and conduct of audits. As such, it expands the previous further guidance (ISO
19011:2011 Annex B) to include the new concepts associated with organizational context, leadership
and commitment, virtual audits, compliance and supply chain. References to this further guidance are
made throughout the main text of ISO 19011:2018.

A.1 Applying audit methods


ISO 19011:2018 reiterates the previous guidance that audits can be performed using a range of audit
methods. The choice of methods will depend on the audit’s objectives, scope and criteria as well as its
duration, location and the competence of the available auditors. It is usually advantageous to employ
a range of methods. A table of audit methods is again provided which identifies a range of possible
methods based on whether the audit is to be conducted on site or remotely and whether human
interaction is required between the auditor and auditee. The only amendments to the table which
previously appeared in the 2011 edition are the insertion of ‘observing work performed with a remote
guide’ in the remote and human interaction quadrant and the retitling of ‘legal requirements’ to ‘statutory
and regulation requirements’ in the remote and non-human interaction quadrant. The audit methods
contained within the table remain focussed on interviewing, observing and the review of documentation
as a means of accessing audit information (refer to 6.4.5).

Responsibility for the effective application of audit methods for any given audit remains either with
the individual(s) managing the audit programme or the audit team leader who is also responsible for
conducting audit activities.

Additional factors to consider when determining the feasibility of a remote audit have been included in
ISO 19011:2018. These include the level of risk that auditing remotely presents to achieving the audit
objectives and the need to satisfy any applicable regulatory requirements in respect of on-site versus
remote audit. The relationship between the auditor and auditee continues to be a contributory factor
when considering a remote audit.

There should be a balanced use of on-site and remote audit methods in the audit programme in order
to ensure that the audit programme objectives can be achieved.

A.2 Process approach to auditing


The use of a process approach to auditing is a new concept in the 2018 revision which is essentially
driven by the ‘process approach’ requirement found in management system standards.

The process approach holds that organizations achieve more consistent and predictable results,
more efficiently and effectively, when their management system activities are managed as inter-related
processes that collectively function as a single, coherent system. Auditors can apply this methodology by
focussing on the auditee’s processes and their interactions when planning and conducting audits.

A.3 Professional judgement


The Annex provides new guidance for the times when auditors will be required to exercise professional
judgement during the audit process, particularly when some ISO management system clauses do not
readily lend themselves to normal audit evaluation methods e.g. issues of leadership and commitment.
In these instances, auditors will be called on to use their professional judgement to determine whether
the intent of the clause has been met. Auditors should take a holistic view of the management system
performance when using their professional judgement rather than adopt a narrow focus on some
particular requirements.

A.4 Performance results


New guidance is given in this Annex that auditors should remain focussed on the intended results
of the management system(s) as they audit. This reinforces the holistic view mentioned in A.3: while
individual processes and their outcomes are important, the overall performance of the management
system is what matters most. This is effectively a warning to auditors not to over-emphasise conformity
issues that have little or no consequence for the effectiveness of the management system. For example,
whilst the absence of a process or of documentation can seriously compromise a high-risk or complex
organization, it may not matter at all in other, smaller organizations.

When conducting combined or integrated system audits, auditors should consider the level of
integration of different management systems and their intended results when evaluating performance.

A.5 Verifying information


This further guidance replaces the annex titled ‘Conducting document review’ with emphasis on the
process of conducting a comprehensive review of the information contained in the management system.
This guidance is linked with the ‘review of documented information’ in clause 6.3.1. Auditors should
consider (as far as reasonably practicable) whether the information they receive is adequate to demonstrate
that requirements are being met. This includes whether the information is complete (all expected content
is within the document), correct (the content conforms to other reliable sources, e.g. standards and
regulations), consistent (the document does not contradict itself or other related documents) and current
(the content is up to date).

Information may be provided in a form or from a source other than that which the auditor was
expecting. In such cases the auditor should closely evaluate the integrity of the information.

The 2018 revision re-emphasises the need to pay particular attention to information security and
protection of data both within and outside of the audit scope, especially for legal reasons.

The previous note about document control effectiveness has been deleted.

A.6 Sampling
A.6.1 General
The use of reliable sampling techniques is an integral part of every auditor’s function when accessing
audit information. The comprehensive guidance given in the 2011 version is replicated in ISO
19011:2018 based on both judgement based sampling and statistical sampling techniques.

Audit sampling is required when it is not cost-effective or practical to examine all the available
information during an audit. The evaluation is based on particular items selected to represent the
characteristics of the whole population, with the aim that the outcome is reliable enough to support the
audit conclusions; how far it can be trusted depends on the integrity of the information sampled. If the
sampling method is not appropriate, incorrect conclusions may be drawn.

The stages involved in sampling are: establish the objectives of sampling, determine the extent and
composition of the population to be sampled, select a sampling method, determine a sample size,
conduct the sampling and then finally, compile, evaluate, report and document the results.

A.6.2 Judgement-based sampling


Judgement-based sampling is the selection of representative samples based on the competence
(previously ‘knowledge, skills and experience’) of the audit team. Note that the reference is to the audit
team as a whole, so all team members may contribute to sampling decisions, not just individual auditors
or the team leader. Factors influencing the decision whether to undertake judgement-based sampling
include previous audit experience within the audit scope, the complexity of the requirements necessary
to achieve the audit objectives, and the complexity and interaction of the organization’s processes and
management system components.

Other factors affecting the decision include the degree of change in technology, human factors or
the management system; previously identified significant risks and (new for 2018) opportunities for
improvement as well as the output from the monitoring of management systems.

Auditors should bear in mind that with judgement-based sampling it is not possible to produce a
statistical estimate of the uncertainty in the audit findings and conclusions; the reliability of this method
rests on the judgement and experience of the auditors, which cannot readily be measured.

A.6.3 Statistical sampling


Statistical sampling selects the sample using a process based on probability theory, so that the sampling
risk (the chance that the sample misrepresents the population) can be quantified and held at an
acceptable level, and the evaluation outcome can be taken as acceptably representative of the whole.

The sampling plan should take the audit objectives into account along with knowledge of the target data.
Such sampling can be either attribute-based (each item either conforms or does not) or variable-based (a
measured value is recorded for each item).

Key elements to be considered are the context (new for 2018), size, nature and complexity of the
organization, the number of competent auditors available, the frequency of audits during the year, the
time allowed for each individual audit, and any externally required confidence level (sometimes known
as the acceptable risk factor). An additional factor in ISO 19011:2018 is the existence of unusual or
exceptional circumstances surrounding the audit, e.g. sudden loss of personnel or assets by the auditee.

The sample size will depend on the level of sampling risk that can be accepted, and this (the acceptable
confidence level) should be determined beforehand. If the auditor is willing to accept a 5% risk that the
sample misrepresents the population (roughly, that 5 samples in 100 would lead to a wrong conclusion),
then the acceptable confidence level is 95%. The acceptable confidence level should be recorded, along
with a description of the population that was sampled, the statistical basis and methods used, the
number of samples evaluated, and the results obtained. Note that international and national standards
are available for use in the application of statistical sampling procedures.
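The following is an added worked example, written for this report rather than taken from ISO 19011 or from the CQI/IRCA material, showing the A.6.1 sampling stages carried through as an attribute-based statistical sampling plan of the kind A.6.3 describes. The population (400 training records, of which 8 lack a sign-off), the tolerable nonconformance rate of 5% and the 95% confidence level are constructed, assumed values; the sample size is the smallest that gives the stated confidence of detecting at least one nonconformity if the true rate were at or above the tolerable rate, using the binomial model (slightly conservative for a finite population sampled without replacement).

```python
# Added worked example (not from ISO 19011 or the CQI report): an attribute
# sampling plan following the A.6.1 stages. The population, tolerable
# nonconformance rate and confidence level are assumed values for illustration.
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """One item in the population to be sampled, e.g. a training record."""
    ref: str
    conforms: bool


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p): the chance of seeing at most k
    nonconformities in a sample of n when the true nonconformance rate is p."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def min_sample_size(tolerable_rate: float, confidence: float, max_failures: int = 0) -> int:
    """Smallest n such that, if the true nonconformance rate were at least
    tolerable_rate, the sample would show more than max_failures nonconformities
    with probability >= confidence. Sampling risk is 1 - confidence (5% at 95%)."""
    sampling_risk = 1.0 - confidence
    n = max_failures + 1
    while binom_cdf(max_failures, n, tolerable_rate) > sampling_risk:
        n += 1
    return n


def upper_bound_rate(failures: int, n: int, confidence: float) -> float:
    """One-sided Clopper-Pearson upper confidence bound on the population
    nonconformance rate after observing `failures` in a sample of n: the largest
    rate still consistent with the sample at the stated confidence (bisection)."""
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(failures, n, mid) > 1.0 - confidence:
            lo = mid  # this rate is still plausible given the sample; look higher
        else:
            hi = mid  # this rate would usually have produced more failures
    return hi


def run_sampling_plan(population, tolerable_rate, confidence, max_failures=0, seed=7):
    """Carry out the A.6.1 stages: objective (tolerable rate, confidence),
    population, method (simple random sample), sample size, sampling,
    evaluation, and a result compiled for the audit record."""
    n = min(min_sample_size(tolerable_rate, confidence, max_failures), len(population))
    rng = random.Random(seed)           # fixed seed so the selection is reproducible
    sample = rng.sample(population, n)  # simple random sample without replacement
    failures = sum(1 for r in sample if not r.conforms)
    return {
        "population_size": len(population),
        "tolerable_rate": tolerable_rate,
        "confidence": confidence,
        "sample_size": n,
        "sampled_refs": sorted(r.ref for r in sample),
        "failures": failures,
        "decision": "accept" if failures <= max_failures else "reject",
        "upper_bound_rate": upper_bound_rate(failures, n, confidence),
    }


# Constructed population: 400 training records, 8 of which (2%) are missing a
# sign-off and therefore do not conform.
POPULATION = [Record(f"TR-{i:04d}", conforms=(i % 50 != 0)) for i in range(400)]

if __name__ == "__main__":
    result = run_sampling_plan(POPULATION, tolerable_rate=0.05, confidence=0.95)
    for key, value in result.items():
        if key != "sampled_refs":
            print(f"{key}: {value}")
```

With a 5% tolerable rate and 95% confidence the plan requires 59 items; if none of the 59 is nonconforming, the upper bound on the population rate is just under 5%, which is the statistical basis for accepting the population. The dictionary returned is the material A.6.3 says should be recorded: the population, the basis and method, the number of samples and the results.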

A.7 Auditing compliance within a management system


New guidance has been introduced to help with the auditor’s evaluation of compliance with statutory
and regulatory requirements in management systems.

The audit team should consider whether the auditee has effective processes in place for identifying the
statutory and regulatory requirements and other requirements it has committed itself to, for managing
its activities, products and services in order to achieve compliance with these requirements, and to
evaluate its compliance status.

The audit team should also consider whether the auditee has an effective process for identifying changes
in compliance requirements and for considering these as part of its management of change.

There should be competent people responsible for managing compliance processes and the auditee
should be maintaining and providing documented information on its compliance status as required for
regulators or other interested parties. Auditors should also expect to see compliance requirements
covered by the internal audit programme.

Any instances of non-compliance should be addressed by the auditee, and compliance performance
should be considered by the auditee’s management review.

A.8 Auditing context


New guidance has been given for the way in which auditors should deal with the requirements in
management systems in relation to the organization’s context. This affects a number of aspects in audit
programming, planning and conduct.

Issues to be addressed include determining the needs and expectations of relevant interested parties
and the external and internal issues the organization faces.

Auditors should ensure that the organization has developed suitable processes to determine its
context, such that the results provide a reliable basis for the definition of scope and the development
of the management system. Objective evidence should be sought to confirm that this is the case. This
can include identification of the processes or methods used, an evaluation of the suitability and
competence of the individuals contributing to the process, an evaluation of the results of the process,
an examination of the application of the results of the process and confirmation that periodic reviews of
context are taking place, as appropriate.

Auditors should have the necessary sector specific knowledge and understanding of the management
system tools that organizations may employ to determine context, in order that they can then make a
judgement as to the effectiveness of the organization’s determination processes.

A.9 Auditing Leadership and Commitment


Due to the increased requirements in management systems for top management responsibilities, new
guidance is given on auditing these. They include demonstrating leadership and commitment by taking
accountability for the effectiveness of their management system(s). There are now responsibilities which
top management cannot delegate but must undertake themselves. This area is likely to involve a high
degree of professional judgement by the auditor (refer to Annex A.3).

Auditors should seek objective evidence to confirm the degree to which top management are fulfilling
their obligations, particularly those regarding the effectiveness of their organization’s management
system(s). This can be achieved by reviewing the results from relevant processes (e.g. creation and
maintenance of policy and objectives, provision of necessary resources, relevant communications from
top management to their organization) and by interviewing staff in order to ascertain the degree of top
management engagement.

Auditors should also interview members of the top management team to ensure that they understand
their own management system(s) responsibilities, any discipline specific issues relevant to their
management system(s), the context their organization operates in and the intended results of their
management system(s).

Auditors should note that it is not only top management that should be assessed under leadership
requirements. Leadership and commitment should be audited at all levels of management, not just
top management.

A.10 Auditing risks and opportunities


With the introduction of the risk-based approach in many management systems, new guidance is given
in auditing this issue.

In this case, the determination and management of the auditee’s risks and opportunities needs to be
audited. The principal objectives for doing so are to give assurance on the credibility of the risk and
opportunity identification processes, to give assurance that the risks and opportunities have been
correctly determined and to review how the organization has subsequently addressed the risks and
opportunities it has determined.

Auditors should take a holistic approach to audit an organization’s determination of risks and
opportunities rather than view them in isolation as this activity has repercussions throughout the system.

Auditors should access information regarding the inputs the organization has used in order to
determine its risks and opportunities, and the methods by which its risks and opportunities are evaluated
(which can differ between disciplines and sectors).

Inputs to the determination of risks and opportunities can include an analysis of external and internal
issues, the strategic direction of the organization, relevant interested parties and their relevant
requirements and other potential sources of risk such as environmental aspects.

The guidance states that the assessment of an organization’s treatment of risk and opportunities,
including the level of risk it has chosen to accept and how it is controlling this, will require the
application of professional judgement by the auditor (refer to Annex A.3).

A.11 Life cycle


Certain discipline specific management system standards, e.g. ISO 14001 (environmental management
systems), require the application of a life cycle perspective to the associated products or services. This new
guidance directs auditors to consider whether a life cycle perspective may be relevant during their audits.

Adopting a life cycle perspective allows the organization to identify those areas where, in consideration
of its scope, it can minimise its impact on the environment whilst adding value to the organization. The
life cycle may include stages such as raw material acquisition, product or service design, production,
transportation and delivery, use, end of life treatment and final disposal.

In such cases an auditor should consider the extent of control and influence that the organization
has over the various stages of its product and/or service life cycle. They should use their professional
judgement to determine how the organization has applied a life cycle perspective in terms of its strategy,
the life of its product(s) and/or service(s), the organization's influence on the supply chain, the length
of the organization's supply chain and the technological complexity of the organization's product(s)
and/or service(s).

When an integrated management system is involved, the auditor should be mindful of any overlapping
life cycle considerations e.g. differing environmental, quality and regulatory requirements.

A.12 Audit of supply chain


New guidance is provided in respect of audit programmes applicable to auditing supply chains. In such
cases suitable criteria should be developed, which depend on the nature of the external providers. Auditors
should note that the scope of supply chain audits can differ, e.g. from a complete audit of the external
provider's management system(s) to a review of a single process, single or multiple product(s) or one or
more contracts or projects.

A.13 Preparing audit work documents


The preparation of work documents for audits is a key activity and the guidance is replicated almost
unchanged from Annex B.4 of the 2011 version.

Audit work documents are used by the audit team to assist with the planning, conducting and reporting
of audits. When preparing each work document the audit team should consider which audit records it will
give rise to, which audit activity it supports, who will use it and what source data is needed to compile it.

Audit work documents for combined audits should be developed such that duplication of audit activities
is avoided. This can be achieved by amalgamating similar requirements from different criteria into a single
audit work document and by coordinating the content of related checklists and questionnaires within
the audit team.

A.14 Selecting sources of information


Accessing information is a key audit activity and this guidance is replicated almost unchanged from the
2011 version, the main change being that 'documented information' replaces 'documents'.

Auditors should draw this information from a number of sources including interviews with employees
and other individuals, observations of auditee activities, their work environment and surroundings,
reviews of documented information, and the examination of data summaries, analyses and
performance indicators.

Other potential sources include information gained from auditee sampling plans and measurement
processes, business reports, feedback and surveys, the contents of databases and websites and
information generated from simulations and modelling.

A.15 Visiting the auditee’s location


Additional guidance is provided to reflect the fact that an audit may involve virtual activities and that
‘documents’ can exist in physical (sometimes called ‘hard copy’) or electronic formats (sometimes
called ‘soft copy’).

When planning and conducting the audit, the audit team should take action to minimise their
interference in the auditee’s work processes.

At the off-site planning stage, permission should be sought to access those parts of the auditee's
location necessary in order to conduct the audit. Adequate information should be provided to audit
team members regarding security arrangements, occupational health and safety matters, cultural norms
and (new for 2018) 'working hours for the visit'. Any requirements for personal protective equipment
should also be clarified with the auditee, as should the availability of such equipment. Other than for
unannounced or ad hoc audits, auditees should be made aware of the audit scope and objectives.

New for 2018 is a paragraph relating to the use of recording equipment for the collection of evidence,
(the 2011 edition referenced ‘taking photographs or use of video’). If the use of such equipment is being
considered, permission should be obtained from the auditee at the planning stage, including a discussion
on any limitations for its use.

Once on site the audit team should avoid any unnecessary disturbance of the auditee's operational
processes. The size of the audit team and the number of guides and observers may need to be adapted
to facilitate this. Also, any audit team/auditee communications should be carefully scheduled to avoid
causing disruption.

Audit team members should use the personal protective equipment they are provided with in the
proper manner. The auditee’s emergency procedures should also be communicated e.g. at a health and
safety induction. Should an incident occur on site, the audit team leader and auditee should review the
situation and agree whether the audit should be interrupted, rescheduled or continued.

During the audit, audit team members should seek permission in advance before taking copies of
documentation and should be mindful of any security or confidentiality arrangements that exist.
Additionally, personal information should not be obtained unless required by the audit objectives or
audit criteria.

New guidance is given in relation to virtual audit, which is audit activity undertaken without the
auditor being physically present at the auditee's location, i.e. both parties are remote from each other
and are communicating through audio and/or visual means.

In this situation, the audit team should ensure it is using agreed remote access protocols. If screen
shots are to be taken, permission should be sought in advance to do so and any confidentiality and
security arrangements should also be respected. If an unforeseen incident, which impacts the audit
process, occurs during the remote access, the audit team leader should review this with the auditee and
agreement should be reached as to whether to interrupt, reschedule or continue the audit. Graphic
information such as floor plans or diagrams of the remote location should be used to provide context
for the auditor, and both the auditor’s and auditee’s privacy should be respected during any audit breaks.

Consideration should be given as to how information and audit evidence (irrespective of the media it
is held on), e.g. downloaded files, messages etc., is securely disposed of once the audit team no longer
needs it, bearing in mind the confidentiality arrangements noted above.

A.16 Auditing virtual activities and locations


Further new detailed guidance is provided for virtual audits conducted in instances where an
organization performs work or provides a service using an on-line environment which allows individuals
to execute processes in any location e.g. teleworking from home.

The same standard audit process used for face-to-face audits should be followed when using technology
to verify objective evidence. The audit team should ensure their technology and its operation, e.g.
software, is appropriate for conducting the audit. This includes ensuring that agreed remote access
protocols are used, ensuring that checks are completed ahead of the audit in order to identify and
address any technical issues and ensuring a contingency plan is in place and has been communicated,
should the technology fail to perform as planned.

Auditors should have the technical skills necessary to utilise the relevant technology for audit purposes
and they should also have experience in conducting virtual meetings.

The risks associated with virtual audit should also be considered. Floor plans / diagrams should be used
for references or for the mapping of electronic information.

Background noise and interruptions should be minimised, permission sought before taking screenshots
or recordings and privacy should be maintained during audit breaks e.g. pausing video streams
and muting sound.

A.17 Conducting interviews


Interviewing people is a key auditor competence and the guidance on good practice for auditors is
replicated almost unchanged from the 2011 version.

Interviews are an increasingly important means of accessing information especially when management
systems contain requirements such as to ‘determine’ whether various undocumented activities or
processes are in place. In such instances interviewing several auditees, for corroboration purposes,
provides the auditor with a means to verify whether that determination has taken place.

Interviews should be held with individual(s) from appropriate levels of the organization and from those
functions which are performing activities that fall within the audit scope. They should be conducted
during working hours and, ideally, at the normal workplace of the auditee.

Auditors should attempt to put individuals being interviewed at ease. They should explain the reason
why they are conducting the interview and should confirm that notes are being taken, not to identify
issues, but simply to ensure there is a record of what is being discussed.

The standard recognises that interviewees may be nervous and suggests a good starting point may be to ask
them to explain the work they do. Auditors should use a mix of open, probing and closed questions
to help establish facts and should avoid the use of leading questions where possible.

Non-verbal communication, e.g. tone of voice, body language, etc., is also important, and auditors
should be aware of this. They should also recognise that in virtual audit situations, the benefit of non-
verbal communication is lost and hence additional emphasis should be placed on adopting good
questioning techniques.

A.18 Audit findings


A.18.1 Determining audit findings
Further guidance in the 2018 edition adds several factors to the list in the 2011 version that auditors
should consider when making a finding: the accuracy, sufficiency and appropriateness of the objective
evidence supporting the audit findings, and the extent to which planned audit activities are realised and
planned results achieved.

Retained in the list are any follow-up actions from previous audits and their conclusions, the
requirements of the audit client, any findings exceeding normal practice or opportunities for
improvement, the sample size they have taken and the categorisation (if any) of the findings.

A.18.2 Recording conformities
New guidance for recording conformity is the recording of evidence to demonstrate the effectiveness
of the management system, not just conformity. ISO 19011:2011 required 'identification of' the audit
criteria against which conformity is demonstrated; ISO 19011:2018 replaces this with 'a description of or
reference to' the audit criteria against which conformity is demonstrated.

A.18.3 Recording nonconformities


When recording a nonconformity, an auditor should clearly specify the audit criteria they were
conducting their audit against. They should record details of anything they have seen or heard which
indicates that these criteria are not being met i.e. the objective evidence. They should identify their
finding as a nonconformity and should consider any related findings that substantiate the nonconformity.

A.18.4 Dealing with findings related to multiple criteria


There may be occasions when a single finding identifies that several audit criteria are not being met.
If this occurs during a combined audit, then the auditor needs to consider the possible impact of the
finding for all the management systems under review, not just for the system the finding was originally
identified in.

In the case of multiple criteria, the auditor can either raise a separate finding for each nonconforming
situation or a single finding which references all nonconforming situations, taking into account the
audit client preferences. If the audit client agrees, the auditor may also provide guidance to the audit
client in respect of how they should respond to the auditor’s findings. This is more common in
second party audits.

Bibliography

ISO 19011:2011 referenced 23 documents and/or websites in its bibliography, including many of ISO's
principal management system standards.

For ISO 19011:2018, this number has been significantly reduced. There are now only 4 entries in
the bibliography:

• ISO 9000:2015 – Quality management systems – Fundamentals and vocabulary
• ISO/IEC 17021-1:2015 – Conformity assessment – Requirements for bodies providing audit and
  certification of management systems – Part 1: Requirements
• ISO Guide 73:2009 – Risk management – Vocabulary
• ISO 9001 Auditing Practices Group papers, available at:
  www.iso.org/tc176/ISO9001AuditingPracticesGroup

7. Implications

General
ISO 19011 is a guidance standard and, as a result, organizations are not required to make any changes
to their existing audit arrangements as a result of the publication of ISO 19011:2018.

However, the CQI and IRCA recommend that organizations review their existing approach to audit in
light of ISO 19011:2018's publication.

The purpose of revising ISO 19011 was to set a higher standard for the effectiveness of both internal
and (where applicable) external audit. The voluntary adoption of the revised guidance contained within
ISO 19011:2018 should result in the implementation of more efficient and effective audit processes and
the development of more competent audit personnel.

Implications For Specific Audit Roles


Individuals Managing the Audit Programme
There have been significant changes to the role of the individual managing the audit programme. These
are detailed in sub-clause 5.4.1. Also, the competence requirements for this individual have been
substantively amended (see 5.4.2).

The individual managing the audit programme must now consider the context of the auditee's
organization when designing audit programmes. This requires an understanding of the auditee's internal and
external issues and the relevant requirements of its stakeholders. They must ensure that the audit
programme is focussed on areas of high risk or where there are recognised performance issues.

The information to be included in the audit programme has increased (see 5.1) and greater emphasis
has been placed on the ongoing monitoring and maintenance of the programme and on the
achievement of the audit programme objectives.

The individual managing the audit programme is expected to use information arising from the
monitoring of the audit programme to drive the programme's improvement. This is to take place on an
ongoing basis. The individual managing the audit programme is also required to revise the programme if
there are changes to audit objectives, scopes or criteria. They are also expected to notify the audit client
in respect of the risks, opportunities and resource requirements identified during the development of
the audit programme.

In order to undertake these duties, the individual managing the audit programme requires the necessary
competence to deal with any risks and opportunities, or internal or external issues, affecting the delivery of
the audit programme. Knowledge of the auditee's context and business activities plus statutory and
regulatory requirements relating to the auditee's business is considered essential, as is an awareness of
risk, project and process management.

It is the individual managing the audit programme who selects the audit methods to be used based
on their evaluation of the method’s effectiveness and efficiency. Once they have completed the
identification of methods, they should communicate these to the audit client.

The individual managing the audit programme still appoints the audit team leader, audit team members
and technical experts, ensuring their collective competence to conduct the assessment. In doing so
there is an expectation that they will consult on team composition with the audit team leader.

The scope of communication for the individual managing the audit programme has been extended. They
are now expected to interact not just with the auditee but other relevant interested parties, as required.

Once an audit has been completed the individual managing the audit programme must ensure that the
objectives for each single audit have been met. They should review the performance of the entire audit team
and any technical experts and should distribute the audit report to relevant interested parties.

Auditors
It is now accepted that auditors no longer have to be independent of the activity being audited in
order to be able to demonstrate impartiality and objectivity. This is because the demonstration of these
characteristics has more to do with the mind-set of the auditor than with their assigned role or
duties. Notwithstanding this, there is an expectation that auditors will be independent 'where practical', so
if it is possible to structure an audit team in such a way that no auditor audits their own work then the
individual managing the audit programme should do so.

Auditors can now expect to receive additional information prior to the audit, including information
relating to environmental arrangements as well as any requirements for travel to or access to
remote sites. They should also expect to be advised of their decision-making authority by the
audit team leader.

When conducting desktop reviews auditors will now need to additionally consider the auditee’s
context, risks and opportunities and the audit criteria that are to be applied. They will then be required
to prepare documented information for audit (previously work documents) e.g. checklists which could
be virtual (e.g. online).

One of the most significant changes brought into ISO 19011:2018 is the guidance that audit evidence
is no longer 'information that can be verified' but information that can be 'subject to a degree of
verification'. Auditors increasingly need to recognise that there will be instances, especially when assessing
elements of Annex SL based standards, where the evidence only suggests conformity and professional
judgement will need to be used to determine the degree of reliance the auditor should place on it.
Not everything in the world of audit is black or white; there are shades of grey, and auditors must be
comfortable dealing with such uncertainty.

Auditors should expect greater monitoring of their performance during audits and more regular
evaluations of their competence between audits. The inclusion of new topics in Annex A indicates an
expectation that auditors should be competent in these topics where they are applicable to their own
scope of audit.

It is now recognised that a competent auditor requires more than the technical knowledge and skill
required to conduct an audit. They require a greater understanding of the auditee’s business sector,
processes, products and services than previously.

Auditors should understand risks and opportunities and risk-based auditing, and should be competent in
audit principles, methods and techniques relevant to the disciplines and sectors they assess.

All auditors are expected to undertake regular continuing professional development (CPD) and it
is no longer sufficient for an auditor to attend an auditor training course – in order to demonstrate
competence, they are expected to satisfactorily complete it.

Audit Team Leaders (Lead Auditors)


In addition to those implications for auditors set out above, there are additional implications for those
responsible for leading audit teams.

While still responsible for agreeing audit arrangements with the auditee, the audit team leader must
now act to resolve any issues in respect of the composition of the team (including any potential conflicts
of interest) with the auditee and/or audit client prior to the audit.

New considerations have been introduced in respect of audit planning and the audit team leader should
ensure that there is a focus on the entire audit planning activity as opposed to just the end product,
‘the audit plan’.

The audit team leader now assigns responsibilities to team members for decision making following
consultation with the team. They direct the use of technical experts and approve (where necessary with
the auditee and/or the audit client) any guides, observers and/or interpreters.

In the 2011 edition of ISO 19011 the audit team leader facilitated the closing meeting; they are now
expected to chair the closing meeting.

Audit team leaders must possess the necessary competence to facilitate the efficient and effective
conduct of the audit (previously the knowledge and skills to manage the audit) and the competence
to discuss strategic matters with the auditee's top management. They must also display the necessary
leadership to achieve a collaborative working relationship within the team and address any issues
within the team.

As is the case for single auditors, audit team leaders are expected to undertake regular continuing
professional development including improving their understanding and application of audit
practice and ICT.

Audit Client
The audit client is the individual or organization that is responsible for commissioning the audit. The
audit client may or may not be the auditee.

ISO 19011:2018 transfers responsibility for establishing the audit programme objectives to the audit
client. There are now specific considerations the audit client must take into account when they
are formulating these objectives. It is essential that the audit programme objectives align with the
strategic objectives of the auditee’s organization. Once agreed, the audit programme objectives should
be documented.

The audit client is also responsible for ensuring that the audit programme is being effectively
implemented, previously a responsibility of the auditee’s top management. They are required to approve
any changes to the programme (also previously an auditee’s role) and should be present at the closing
meeting, as appropriate, with any other interested parties.

Auditees
Auditees should expect to see a more business focussed auditor, aware of their organization’s risks and
opportunities, internal and external issues and the relevant requirements of their stakeholders. They
should expect an auditor with up-to-date skills and knowledge whose performance is being regularly
assessed in order to ensure they remain competent to audit. The auditor should be skilled in a range
of audit methods, tools and techniques and not focussed solely on reviewing documents or sticking
religiously to predefined checklists. They should witness auditors adopting a process approach to audit,
understanding the operation of the auditee’s business holistically as opposed to assessing each individual
element in isolation.

As auditors are increasingly being asked to demonstrate professional judgement, the potential for
disagreement between the auditee and the auditor in respect of audit findings is increased. As is the
case at present, auditees should be prepared to challenge the auditor where they feel that the auditor’s
decision is incorrect.

8. Conclusion

ISO 19011:2018 is not without its flaws.

In common with most ISO standards, it is written in language which makes it easy to translate but
sometimes difficult to understand. The 2011 edition Annex A, which provided examples of discipline
and sector specific audit topics, has been deleted despite its popularity, as no one could be identified to
maintain it. The new Annex A, which provides advice on specific audit topics, is underdeveloped and could
have been of so much more practical use for those starting out in the profession. And of course, the
standard remains guidance: there is no obligation for anyone to adopt its contents.

Nonetheless, ISO 19011:2018 underpins all CQI and IRCA auditor training courses and auditor certification
schemes for good reason: it provides a robust, tried-and-tested framework for the effective audit of any
management system.

9. Clause Comparison - ISO 19011:2018 and ISO 19011:2011

The following table highlights the respective structures of the 2018 and 2011 editions of ISO 19011. As
ISO 19011 is not an annex SL based management system standard, the ISO/PC302 committee was not
required to adopt the high-level structure prescribed within annex SL appendix 2.

Whilst the 2018 and 2011 editions’ structures are broadly similar, there are some important differences
as detailed in this table. These centre around the retitling and reordering of a number of the 2011
clauses in the 2018 edition, the introduction of a new sub-clause 6.4.5 - ‘Audit information availability
and access’, the deletion of the 2011 edition’s annex A and the expansion of the 2011 edition’s annex B
which now becomes the 2018 edition’s annex A.

ISO 19011:2018 ISO 19011:2011


Foreword Foreword
Contents Contents
Introduction Introduction
1 Scope 1 Scope
2 Normative references 2 Normative references
3 Terms and Definitions 3 Terms and Definitions
4 Principles of auditing 4 Principles of auditing
5 Managing an audit programme 5 Managing an audit programme
5.1 General 5.1 General
Establishing the audit
5.2 Establishing audit programme objectives 5.2
programme objectives
Determining and evaluating audit
5.3 (see 5.3.4 below)
programme risks and opportunities
5.4 Establishing audit programme 5.3 Establishing the audit programme
Roles and responsibilities of individual(s) Roles and responsibilities of the person
5.4.1 5.3.1
managing the audit programme managing the audit programme

www.quality.org | 67
ISO 19011:2018 ISO 19011:2011
Competence of individual(s) managing Competence of the person managing the
5.4.2 5.3.2
the audit programme audit programme
Establishing the extent of the
5.4.3 Establishing extent of audit programme 5.3.3
audit programme
5.4.4 Determining audit programme resources (see 5.3.6 below)
Identifying and evaluating audit
5.3.4
programme risks
Establishing procedures for the
5.3.5
audit programme
5.3.6 Identifying audit programme resources
5.5 Implementing audit programme 5.4 Implementing the audit programme
5.5.1 General 5.4.1 General
Defining the objectives, scope and Defining the objectives, scope and
5.5.2 5.4.2
criteria for a single audit criteria for a single audit
5.5.3 Selecting and determining audit methods 5.4.3 Selecting the audit methods
5.5.4 Selecting audit team members 5.4.4 Selecting the audit team members
Assigning responsibility for a single audit Assigning responsibility for a single audit
5.5.5 5.4.5
to the audit team leader to the audit team leader
5.5.6 Managing audit programme results 5.4.6 Managing the audit programme outcome
Managing and maintaining audit Managing and maintaining audit
5.5.7 5.4.7
programme records programme records
5.6 Monitoring audit programme 5.5 Monitoring the audit programme
Reviewing and improving Reviewing and improving the
5.7 5.6
audit programme audit programme
6 Conducting an audit 6 Performing an audit
6.1 General 6.1 General
6.2 Initiating audit 6.2 Initiating the audit
6.2.1 General 6.2.1 General
Establishing initial contact
6.2.2 Establishing contact with auditee 6.2.2
with the auditee
6.2.3 Determining feasibility of audit 6.2.3 Determining the feasibility of the audit

68 | ISO 19011:2018 | Understanding the International Standard


ISO 19011:2018 ISO 19011:2011
6.3 Preparing audit activities | 6.3 Preparing audit activities
6.3.1 Performing review of documented information | 6.3.1 Performing document review in preparation for the audit
6.3.2 Audit planning | 6.3.2 Preparing the audit plan
6.3.3 Assigning work to audit team | 6.3.3 Assigning work to the audit team
6.3.4 Preparing documented information for audit | 6.3.4 Preparing work documents
6.4 Conducting audit activities | 6.4 Conducting the audit activities
6.4.1 General | 6.4.1 General
6.4.2 Assigning roles and responsibilities of guides and observers | (see 6.4.5 below)
6.4.3 Conducting opening meeting | 6.4.2 Conducting the opening meeting
6.4.4 Communicating during audit | (see 6.4.4 below)
6.4.5 Audit information availability and access | -
6.4.6 Reviewing documented information while conducting audit | 6.4.3 Performing document review while conducting audit
- | 6.4.4 Communicating during the audit
- | 6.4.5 Assigning roles and responsibilities of guides and observers
6.4.7 Collecting and verifying information | 6.4.6 Collecting and verifying information
6.4.8 Generating audit findings | 6.4.7 Generating audit findings
6.4.9 Determining audit conclusions | 6.4.8 Preparing audit conclusions
6.4.10 Conducting closing meetings | 6.4.9 Conducting the closing meeting
6.5 Preparing and distributing audit report | 6.5 Preparing and distributing the audit report
6.5.1 Preparing audit report | 6.5.1 Preparing the audit report
6.5.2 Distributing audit report | 6.5.2 Distributing the audit report
6.6 Completing audit | 6.6 Completing the audit
6.7 Conducting audit follow up | 6.7 Conducting audit follow-up
7 Competence and evaluation of auditors | 7 Competence and evaluation of auditors
7.1 General | 7.1 General
7.2 Determining auditor competence | 7.2 Determining auditor competence to fulfil the needs of the audit programme
7.2.1 General | 7.2.1 General
7.2.2 Personal behaviour | 7.2.2 Personal behaviour
7.2.3 Knowledge and skills | 7.2.3 Knowledge and skills
7.2.3.1 General | 7.2.3.1 General
7.2.3.2 Generic knowledge and skills of management system auditors | 7.2.3.2 Generic knowledge and skills of management system auditors
7.2.3.3 Discipline and sector-specific competence of auditors | 7.2.3.3 Discipline and sector specific knowledge and skills of management system auditors
7.2.3.4 Generic competence of audit team leader | 7.2.3.4 Generic knowledge and skills of an audit team leader
7.2.3.5 Knowledge and skills for auditing multiple disciplines | 7.2.3.5 Knowledge and skills for auditing management systems addressing multiple disciplines
7.2.4 Achieving auditor competence | 7.2.4 Achieving auditor competence
7.2.5 Achieving audit team leader competence | 7.2.5 Audit team leaders
7.3 Establishing auditor evaluation criteria | 7.3 Establishing the auditor evaluation criteria
7.4 Selecting appropriate auditor evaluation criteria | 7.4 Selecting the appropriate auditor evaluation method
7.5 Conducting auditor evaluation | 7.5 Conducting auditor evaluation
7.6 Maintaining and improving auditor competence | 7.6 Maintaining and improving auditor competence
- | Annex A Guidance and illustrative examples of discipline-specific knowledge and skills of auditors
Annex A Additional guidance for auditors planning and conducting audits | Annex B Additional guidance for auditors for planning and conducting audits
A.1 Applying audit methods | B.1 Applying audit methods
A.2 Process approach to auditing | -
A.3 Professional judgement | -
A.4 Performance results | -
A.5 Verifying information | B.2 Conducting document review
A.6 Sampling | B.3 Sampling
A.6.1 General | B.3.1 General
A.6.2 Judgement-based sampling | B.3.2 Judgement-based sampling
A.6.3 Statistical sampling | B.3.3 Statistical sampling
A.7 Auditing compliance within a management system (new for 2018) | -
A.8 Auditing Context | -
A.9 Auditing Leadership and Commitment | -
A.10 Auditing risks and opportunities | -
A.11 Life cycle | -
A.12 Audit of supply chain | -
A.13 Preparing audit work documents | B.4 Preparing work documents
A.14 Selecting sources of information | B.5 Selecting sources of information
A.15 Visiting the auditee’s location | B.6 Guidance on visiting the auditees location
A.16 Auditing virtual activities and locations | -
A.17 Conducting interviews | B.7 Conducting interviews
A.18 Audit findings | B.8 Audit findings
A.18.1 Determining audit findings | B.8.1 Determining audit findings
A.18.2 Recording conformities | B.8.2 Recording conformities
A.18.3 Recording nonconformities | B.8.3 Recording nonconformities
A.18.4 Dealing with findings relating to multiple criteria | B.8.4 Dealing with findings relating to multiple criteria
Bibliography | Bibliography
10. Acknowledgements

The CQI and IRCA would like to thank the authors, reviewers and contributors for their work
on this report.
Richard Green: (principal author)
Ian Dunlop: BSc FCQI CQP, CQI and IRCA Technical Assessor (author)
Denise Robitaille: Chair, ISO PC 302
Alexander Woods: Policy Manager, CQI

The CQI and IRCA would also like to thank Ideagen PLC for their sponsorship and support
of this report.

The Chartered Quality Institute (CQI) and The International Register of Certificated Auditors (IRCA)
The CQI is the chartered body for quality management professionals.

It exists to benefit the public by advancing education in, knowledge of and the practice of quality in
industry, commerce, the public sector and the voluntary sectors.

IRCA is a division of the CQI and is the leading professional body of management system auditors.

www.quality.org

Ideagen Plc
Ideagen provides software and expertise to help the world’s leading brands to improve efficiency,
prevent undesirable events and ensure compliance by managing quality, safety, audit and every aspect
of operational risk.

With over 4,000 customers in more than 90 countries, Ideagen’s products and services are at
the forefront of quality, safety, risk, operational performance and compliance management for
some of the world’s best-known organizations including PwC, Heineken, NHS, Emirates and
Harvard University.

Ideagen is dedicated to promoting enterprise-wide quality management through compliance with
standards such as ISO 9001 and many more.

www.ideagen.com
Report published (September 2018) by:
The Chartered Quality Institute (CQI)
2nd Floor North, Chancery Exchange
10 Furnival Street
London EC4A 1AB

T: +44 (0) 207 245 6722

www.quality.org
Incorporated by Royal Charter and registered
as a charity. Number 259678

© 2018 Chartered Quality Institute. All Rights Reserved

This report is available for private use only and is not permitted to be copied, duplicated, or
distributed unless authorized by the Chartered Quality Institute.