ISO published the 3rd edition of ISO19011 in July 2018, after a long drafting and consultation period. This is the internationally recognised guidelines for auditing management systems. With this publication previous version (2011) is now superseded. As expected with the increased emphasis on Risk Management in ISO9001, ISO14001 and ISO45001, many of the changes in ISO19011 relate to understanding and auditing risk using the process approach to auditing. We will be exposing the key changes in this latest edition.

Risk Based Thinking Auditing Technique

Auditors should be focused on the intended result of the management system throughout the audit process. While processes and what they achieve are important, the result of the management system and its performance are what counts. This means that when preparing and undertaking an audit, the auditor should focus not only on compliance to the relevant management system documentation, but the process objectives (KPI’s), whether the objectives are being met, and if not, what action is being taken to address the issue(s).

Audit planning should address or reference: the processes to be audited, the locations (physical and virtual), the need to familiarise themselves with the auditee’s facilities and processes. This may include, before the start of the audit, the auditor going to visit the area where the process is performed, which will help in ensuring the effective planning for the audit.

When auditing the Management processes, auditors should interview top management to cofirm that they have an adequate understanding of the management system, the context their organization operates within and the strategic direction, so that they can ensure that the management system achieves its intended results. Auditors should not only focus on leadership at the Top Management level but should also audit leadership and commitment at other levels of management, as appropriate.

When preparing the audit

report, this should include

issues such as the identi

cation of risks and

effectiveness of actions taken

by the auditee to address risks

An audit of an organization’s approach to the determination of risks and opportunities should not be performed as a stand-alone activity. It should be implicit during the entire audit of all processes in the management system, including when interviewing Top Management. The organization’s treatment of its risks and opportunities, including the level of risk it wishes to accept and how it is controlled, will require the application of professional judgement by the auditor, as this is not de ned in any standard.

Auditors should have relevant sector-speci c knowledge and understanding of the management tools that organizations can use to make a judgement regarding the effectiveness of the processes. This is in line with the IATF requirement 7.2.3 which requires audits to have a technical understanding of the process to be audited. For example, if the auditor is going to undertake an audit of a plating process, they need to understand some of the critical things that need to be controlled to ensure the process meets the defined requirements.