ISO/PC 302 N 36

ISO/PC 302 Guidelines for auditing management systems

Email of secretary: [email protected] Secretariat: ANSI (United States)

ISO CD 19011 2011(E) 20161214

Document type: CD ballot

Date of document: 2016-12-15

Expected action: VOTE

Action due date: 2017-03-15

Background: The ISO CD 19011 ballot is now open for vote and comment. This ballot will close on March 15, 2017. Please contact me at [email protected] with any questions.

Committee URL: http://isotc.iso.org/livelink/livelink/open/pc302


ISO/PC 302

ISO 19011:2011(E)

Secretariat: ANSI

Third edition 2016-12-15

Guidelines for auditing management systems


ISO 19011:2011(E)

© ISO 2011 – All rights reserved

Copyright notice

This ISO document is a Draft International Standard and is copyright-protected by ISO. Except as permitted under the applicable laws of the user's country, neither this ISO draft nor any extract from it may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, photocopying, recording or otherwise, without prior written permission being secured.

Requests for permission to reproduce should be addressed to either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
Case postale 56
CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail [email protected]
Web www.iso.org

Reproduction may be subject to royalty payments or a licensing agreement.

Violators may be prosecuted.


Contents

1 Scope ..... 1
2 Normative references ..... 1
3 Terms and definitions ..... 1
4 Principles of auditing ..... 4
5 Managing an audit programme ..... 5
5.1 General ..... 5
5.2 Determining and evaluating audit programme risks and opportunities ..... 7
5.3 Establishing the audit programme objectives ..... 7
5.4 Establishing the audit programme ..... 8
5.4.1 Roles and responsibilities of the person managing the audit programme ..... 8
5.4.2 Competence of the person managing the audit programme ..... 9
5.4.3 Establishing the extent of the audit programme ..... 9
5.4.4 Determining audit programme resources ..... 10
5.5 Implementing the audit programme ..... 10
5.5.1 General ..... 10
5.5.2 Defining the objectives, scope and criteria for an individual audit ..... 10
5.5.3 Selecting the audit methods ..... 11
5.5.4 Selecting the audit team members ..... 11
5.5.5 Assigning responsibility for an individual audit to the audit team leader ..... 12
5.5.6 Managing the audit programme outcome ..... 13
5.5.7 Managing and maintaining audit programme records ..... 13
5.6 Monitoring the audit programme ..... 14
5.7 Reviewing and improving the audit programme ..... 14
6 Performing an audit ..... 15
6.1 General ..... 15
6.2 Initiating the audit ..... 16
6.2.1 General ..... 16
6.2.2 Establishing contact with the auditee ..... 16
6.2.3 Determining the feasibility of the audit ..... 17
6.3 Preparing audit activities ..... 17
6.3.1 Performing review of documented information ..... 17
6.3.2 Audit planning ..... 18
6.3.3 Assigning work to the audit team ..... 19
6.3.4 Preparing work documents ..... 19
6.4 Conducting the audit activities ..... 20
6.4.1 General ..... 20
6.4.2 Conducting the opening meeting ..... 20
6.4.3 Reviewing documented information while conducting the audit ..... 21
6.4.4 Communicating during the audit ..... 21
6.4.5 Assigning roles and responsibilities of guides and observers ..... 22
6.4.6 Audit information availability and access ..... 22
6.4.7 Collecting and verifying information ..... 22
6.4.8 Generating audit findings ..... 23
6.4.9 Preparing audit conclusions ..... 24
6.4.10 Conducting the closing meeting ..... 24
6.5 Preparing and distributing the audit report ..... 25
6.5.1 Preparing the audit report ..... 25
6.5.2 Distributing the audit report ..... 26
6.6 Completing the audit ..... 26
6.7 Conducting audit follow-up ..... 26
7 Competence and evaluation of auditors ..... 26


7.1 General ..... 26
7.2 Determining auditor competence to fulfil the needs of the audit programme ..... 27
7.2.1 General ..... 27
7.2.2 Personal behaviour ..... 27
7.2.3 Knowledge and skills ..... 28
7.2.4 Achieving auditor competence ..... 31
7.2.5 Audit team leaders ..... 31
7.3 Establishing the auditor evaluation criteria ..... 31
7.4 Selecting the appropriate auditor evaluation method ..... 31
7.5 Conducting auditor evaluation ..... 32
7.6 Maintaining and improving auditor competence ..... 32
Annex A (informative) Additional guidance for auditors for planning and conducting audits ..... 33
A.1 Applying audit methods ..... 33
A.2 Verification of information ..... 34
A.3 Sampling ..... 34
A.3.1 General ..... 34
A.3.2 Judgement-based sampling ..... 35
A.3.3 Statistical sampling ..... 35
A.4 Preparing work documents ..... 36
A.5 Selecting sources of information ..... 36
A.6 Guidance on visiting the auditee’s location ..... 37
A.7 Conducting interviews ..... 38
A.8 Audit findings ..... 38
A.8.1 Determining audit findings ..... 38
A.8.2 Recording conformities ..... 39
A.8.3 Recording nonconformities ..... 39
A.8.4 Dealing with findings related to multiple criteria ..... 39


Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights.

ISO 19011 was prepared by Project Committee ISO/PC 302, Guidelines for auditing management systems.

This third edition cancels and replaces the second edition (ISO 19011:2011), which has been technically revised.

The main differences compared with the second edition are as follows:

- updated requirements relating to audit plans; now the output of the audit planning process.


Introduction

Since the second edition of this International Standard was published in 2011, a number of new management system standards have been published. As a result, there is now a need to consider a broader scope of management system auditing, as well as providing guidance that is more generic.

In 2015, the ISO committee for conformity assessment (CASCO) developed ISO/IEC 17021-1, which sets out requirements for third party certification of management systems and which was based in part on the guidelines contained in the second edition of this International Standard.

The second edition of ISO/IEC 17021-1, published in 2015, was extended to transform the guidance offered in this International Standard into requirements for management system certification audits. It is in this context that this third edition of this International Standard provides guidance for all users, including small and medium-sized organizations, and concentrates on what are commonly termed “internal audits” (first party) and “audits conducted by customers on their suppliers” (second party). While those involved in management system certification audits follow the requirements of ISO/IEC 17021-1:2015, they might also find the guidance in this International Standard useful.

The relationship between this third edition of this International Standard and ISO/IEC 17021-1:2015 is shown in Table 1.

Table 1 — Scope of this International Standard and its relationship with ISO/IEC 17021-1:2015

Internal auditing                   | External auditing
                                    | Supplier auditing                   | Third party auditing
Sometimes called first party audit  | Sometimes called second party audit | For legal, regulatory and similar purposes
                                    |                                     | For certification (see also the requirements in ISO/IEC 17021-1:2015)

This International Standard does not state requirements, but provides guidance on the management of an audit programme, on the planning and conducting of an audit of the management system, as well as on the competence and evaluation of an auditor and an audit team.

Organizations can operate more than one formal management system. To simplify the readability of this International Standard, the singular form of “management system” is preferred, but the reader can adapt the implementation of the guidance to their own particular situation. This also applies to the use of “person” and “persons”, “auditor” and “auditors”.

This International Standard is intended to apply to a broad range of potential users, including auditors, organizations implementing management systems, and organizations needing to conduct audits of management systems for contractual or regulatory reasons. Users of this International Standard can, however, apply this guidance in developing their own audit-related requirements.

The guidance in this International Standard can also be used for the purpose of self-declaration, and can be useful to organizations involved in auditor training or personnel certification.

The guidance in this International Standard is intended to be flexible. As indicated at various points in the text, the use of this guidance can differ depending on the size and level of maturity of an organization’s management system and on the nature and complexity of the organization to be audited, as well as on the objectives and scope of the audits to be conducted.

This International Standard adopts the approach that when two or more management systems of different disciplines are audited together, this is termed a “combined audit”. Where these systems are integrated into a single management system, the principles and processes of auditing are the same as for a combined audit.


Clause 3 sets out the key terms and definitions used in this International Standard. All efforts have been taken to ensure that these definitions do not conflict with definitions used in other standards.

Clause 4 describes the principles on which auditing is based. These principles help the user to understand the essential nature of auditing and are important in understanding the guidance set out in Clauses 5 to 7.

Clause 5 provides guidance on establishing and managing an audit programme, establishing the audit programme objectives, and coordinating auditing activities.

Clause 6 provides guidance on planning and conducting an audit of a management system.

Clause 7 provides guidance relating to the competence and evaluation of management system auditors and audit teams.

Annex A provides additional guidance for auditors on planning and conducting audits.


INTERNATIONAL STANDARD ISO 19011:2011(E)


Guidelines for auditing management systems

1 Scope

This International Standard provides guidance on auditing management systems, including the principles of auditing, managing an audit programme and conducting management system audits, as well as guidance on the evaluation of competence of individuals involved in the audit process. These people may include the person managing the audit programme, auditors and audit teams.

It is applicable to all organizations that need to conduct internal or external audits of management systems or manage an audit programme.

The application of this International Standard to other types of audits is possible, provided that special consideration is given to the specific competence needed.

2 Normative references

No normative references are cited. This clause is included in order to retain clause numbering identical with other ISO management system standards.

3 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

3.1
audit
systematic, independent and documented process for obtaining audit evidence (3.3) and evaluating it objectively to determine the extent to which the audit criteria (3.2) are fulfilled

NOTE 1 to entry: Internal audits, sometimes called first party audits, are conducted by the organization itself, or on its behalf, for management review and other internal purposes (e.g. to confirm the effectiveness of the management system or to obtain information for the improvement of the management system). Internal audits can form the basis for an organization’s self-declaration of conformity. In many cases, particularly in small organizations, independence can be demonstrated by the freedom from responsibility for the activity being audited or freedom from bias and conflict of interest.

NOTE 2 to entry: External audits include second and third party audits. Second party audits are conducted by parties having an interest in the organization, such as customers, or by other persons on their behalf. Third party audits are conducted by independent auditing organizations, such as regulators or those providing certification.

NOTE 3 to entry: When two or more management systems of different disciplines (e.g. quality, environmental, occupational health and safety) are audited together, this is termed a combined audit.

NOTE 4 to entry: When two or more auditing organizations cooperate to audit a single auditee (3.7), this is termed a joint audit.


[SOURCE: ISO 9000:2015, 3.13.1, modified — Notes 1 and 2 to entry deleted, Notes 3 and 4 to entry added]

3.2
audit criteria
set of policies, procedures or requirements used as a reference against which audit evidence (3.3) is compared

NOTE to entry: If the audit criteria are legal (including statutory or regulatory) requirements, the terms “compliant” or “non-compliant” are often used in an audit finding (3.4).

[SOURCE: ISO 9000:2015, 3.13.7, modified — Note 1 to entry added]

3.3
audit evidence
records, statements of fact or other information which are relevant to the audit criteria (3.2) and verifiable

NOTE to entry: Audit evidence can be qualitative or quantitative.

[SOURCE: ISO 9000:2015, 3.13.8, modified — Note to entry added]

3.4
audit findings
results of the evaluation of the collected audit evidence (3.3) against audit criteria (3.2)

NOTE 1 to entry: Audit findings indicate conformity (3.18) or nonconformity (3.19).

NOTE 2 to entry: Audit findings can lead to the identification of opportunities for improvement or recording good practices.

NOTE 3 to entry: If the audit criteria are selected from legal or other requirements, the audit finding is termed compliance or non-compliance.

[SOURCE: ISO 9000:2015, 3.13.9]

3.5
audit conclusion
outcome of an audit (3.1), after consideration of the audit objectives and all audit findings (3.4)

[SOURCE: ISO 9000:2015, 3.13.10]

3.6
audit client
organization or person requesting an audit (3.1)

NOTE to entry: In the case of internal audit, the audit client can also be the auditee (3.7) or the person managing the audit programme. Requests for external audit can come from sources such as regulators, contracting parties or potential clients.

[SOURCE: ISO 9000:2015, 3.13.11, modified — Note to entry added]

3.7
auditee
organization being audited

[SOURCE: ISO 9000:2015, 3.13.12]

3.8
auditor
person who conducts an audit (3.1)


[SOURCE: ISO 9000:2015, 3.13.15]

3.9
audit team
one or more persons conducting an audit (3.1), supported if needed by technical experts (3.10)

NOTE 1 to entry: One auditor of the audit team is appointed as the audit team leader.

NOTE 2 to entry: The audit team may include auditors-in-training.

[SOURCE: ISO 9000:2015, 3.13.14, modified]

3.10
technical expert
person who provides specific knowledge or expertise to the audit team (3.9)

NOTE 1 to entry: Specific knowledge or expertise is that which relates to the organization, the process or activity to be audited, or language or culture.

NOTE 2 to entry: A technical expert does not act as an auditor (3.8) in the audit team.

[SOURCE: ISO 9000:2015, 3.13.16]

3.11
audit programme
arrangements for a set of one or more audits (3.1) planned for a specific time frame and directed towards a specific purpose

[SOURCE: ISO 9000:2015, 3.13.4, modified]

3.12
audit scope
extent and boundaries of an audit (3.1)

NOTE 1 to entry: The audit scope generally includes a description of the location(s) (both physical and virtual), functions, activities and processes, as well as the time period covered.

NOTE 2 to entry: A virtual location is where an organization performs work or provides a service using an on-line environment allowing persons irrespective of physical locations to execute processes.

[SOURCE: ISO 9000:2015, 3.13.5, modified — Notes to entry added]

3.13
audit plan
description of the activities and arrangements for an audit (3.1)

[SOURCE: ISO 9000:2015, 3.13.6]

3.14
risk
effect of uncertainty

[SOURCE: ISO 9000:2015, 3.7.9, modified — Notes to entry have been deleted]

3.15
competence
ability to apply knowledge and skills to achieve intended results


[SOURCE: ISO 9000:2015, 3.10.4, modified — Note to entry has been deleted]

3.16
conformity
fulfilment of a requirement

[SOURCE: ISO 9000:2015, 3.6.11, modified — Note to entry has been deleted]

3.17
nonconformity
non-fulfilment of a requirement

[SOURCE: ISO 9000:2015, 3.6.9]

3.18
management system
set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives

NOTE 1 to entry: A management system can address a single discipline or several disciplines, e.g. quality management, financial management or environmental management.

NOTE 2 to entry: The management system elements establish the organization’s structure, roles and responsibilities, planning, operation, policies, practices, rules, beliefs, objectives and processes to achieve those objectives.

NOTE 3 to entry: The scope of a management system can include the whole of the organization, specific and identified functions of the organization, specific and identified sections of the organization, or one or more functions across a group of organizations.

[SOURCE: ISO 9000:2015, 3.5.3]

4 Principles of auditing

Auditing is characterized by reliance on a number of principles. These principles should help to make the audit an effective and reliable tool in support of management policies and controls, by providing information on which an organization can act in order to improve its performance. Adherence to these principles is a prerequisite for providing audit conclusions that are relevant and sufficient and for enabling auditors, working independently from one another, to reach similar conclusions in similar circumstances.

The guidance given in Clauses 5 to 7 is based on the six principles outlined below.

a) Integrity: the foundation of professionalism

Auditors and the person managing an audit programme should:

- perform their work with honesty, diligence, and responsibility;
- observe and comply with any applicable legal requirements;
- demonstrate their competence while performing their work;
- perform their work in an impartial manner, i.e. remain fair and unbiased in all their dealings;
- be sensitive to any influences that may be exerted on their judgement while carrying out an audit.

b) Fair presentation: the obligation to report truthfully and accurately


Audit findings, audit conclusions and audit reports should reflect truthfully and accurately the audit activities. Significant obstacles encountered during the audit and unresolved diverging opinions between the audit team and the auditee should be reported. The communication should be truthful, accurate, objective, timely, clear and complete.

c) Due professional care: the application of diligence and judgement in auditing

Auditors should exercise due care in accordance with the importance of the task they perform and the confidence placed in them by the audit client and other interested parties. An important factor in carrying out their work with due professional care is having the ability to make reasoned judgements in all audit situations.

d) Confidentiality: security of information

Auditors should exercise discretion in the use and protection of information acquired in the course of their duties. Audit information should not be used inappropriately for personal gain by the auditor or the audit client, or in a manner detrimental to the legitimate interests of the auditee. This concept includes the proper handling of sensitive or confidential information.

e) Independence: the basis for the impartiality of the audit and objectivity of the audit conclusions

Auditors should be independent of the activity being audited wherever practicable, and should in all cases act in a manner that is free from bias and conflict of interest. For internal audits, auditors should be independent from the operating managers of the function being audited. Auditors should maintain objectivity throughout the audit process to ensure that the audit findings and conclusions are based only on the audit evidence.

For small organizations, it may not be possible for internal auditors to be fully independent of the activity being audited, but every effort should be made to remove bias and encourage objectivity.

f) Evidence-based approach: the rational method for reaching reliable and reproducible audit conclusions in a systematic audit process

Audit evidence should be verifiable. It will in general be based on samples of the information available, since an audit is conducted during a finite period of time and with finite resources. An appropriate use of sampling should be applied, since this is closely related to the confidence that can be placed in the audit conclusions.

5 Managing an audit programme

5.1 General

An organization should establish an audit programme that can help determine the effectiveness of the auditee’s management system. The audit programme can include audits addressing one or more management system standards, conducted either separately or in combination.

The extent of an audit programme should be based on the size and nature of the organization being audited, as well as on the nature, functionality, complexity and the level of maturity of the management system(s) to be audited. Priority should be given to allocating resources to audit those matters of significance within a management system.

The audit client should ensure that audit programme objectives are established and assign one or more competent persons to manage the audit programme.

The audit programme should include information to organize and conduct its audits effectively and efficiently within the specified time frames, and determine the necessary resources. The information should include:


a) objectives for the audit programme;

b) extent/number/duration/locations/schedule of the audits;

c) audit types, such as internal or external;

d) audit criteria;

e) audit methods to be employed;

f) criteria for selection of audit teams;

Figure 1 illustrates the process flow for the management of an audit programme.

NOTE 1 This figure illustrates the application of the Plan-Do-Check-Act cycle in this International Standard.


NOTE 2 Clause/subclause numbering refers to the relevant clauses/subclauses of this International Standard.

Figure 1 — Process flow for the management of an audit programme

5.2 Determining and evaluating audit programme risks and opportunities

There are many different risks and opportunities associated with an audit programme that can affect the achievement of its objectives. The person managing the programme should consider these risks and opportunities when planning.

Risks can be associated with:

planning, e.g. failure to set relevant audit objectives and determine the extent of the audit programme;

resources, e.g. allowing insufficient time for developing the audit programme or conducting an audit;

selection of the audit team, e.g. the team does not have the collective competence to conduct audits effectively;

implementation, e.g. ineffective communication of the audit programme, or not considering information security and confidentiality;

control of documented information, e.g. failure to adequately protect audit records to demonstrate audit programme effectiveness;

monitoring, reviewing and improving the audit programme, e.g. ineffective monitoring of audit programme outcomes.

Opportunities can include:

improving processes;

using resources more efficiently;

increasing organizational knowledge and auditor competence;

improving awareness in the organization by improving communication.

5.3 Establishing the audit programme objectives

The audit client should ensure that the audit programme objectives are established to direct the planning and conduct of audits and should ensure the audit programme is implemented effectively. Audit programme objectives should be consistent with and support management system policy and objectives.

These objectives may be based on consideration of the following:

a) commercial or other business intentions;

b) management priorities and the strategic direction of the organization;

c) characteristics of processes, products, services and projects, and any changes to them;

d) management system requirements;

e) legal requirements and other requirements to which the organization subscribes;


f) need for supplier evaluation;

g) needs and expectations of relevant interested parties, including customers;

h) auditee’s level of performance, as reflected in the occurrence of failures or incidents or customer complaints;

i) determination of risks and opportunities;

j) results of previous audits;

k) level of maturity of the management system being audited.

Examples of audit programme objectives include the following:

to contribute to the improvement of a management system and its performance;

to address risk and realise opportunities;

to fulfil external requirements, e.g. certification to a management system standard;

to verify conformity with contractual requirements;

to obtain and maintain confidence in the capability of a supplier;

to determine the effectiveness of the management system;

to evaluate the alignment of the management system objectives with the strategic direction of the organization.

5.4 Establishing the audit programme

5.4.1 Roles and responsibilities of the person managing the audit programme

The person managing the audit programme should:

a) establish the extent of the audit programme;

b) evaluate and address the risks and opportunities that can affect the audit programme;

c) select audit teams and assign roles and responsibilities;

d) establish processes for audit programmes to include performing audits, performing audit follow-up if applicable, and reporting to the audit client;

e) determine necessary resources;

f) ensure the implementation of the audit programme, including the establishment of audit objectives, scope and criteria of the individual audits, determining audit methods and selecting the audit team and evaluating auditors;

g) ensure that appropriate documented information is maintained, including audit programme records;

h) monitor, review and improve the audit programme;

i) as appropriate, communicate the audit programme.


The person managing an audit programme should, where necessary, inform the audit client about the audit programme and request its approval.

5.4.2 Competence of the person managing the audit programme

The person managing the audit programme should have the necessary competence to manage the programme and its associated risks and opportunities effectively and efficiently, as well as knowledge and skills in the following areas:

a) audit principles, processes and methods;

b) management system standards and reference documents;

c) activities, products, services and processes of the auditee;

d) applicable legal and other requirements relevant to the activities and products of the auditee;

e) customers, suppliers and other relevant interested parties of the auditee, where applicable.

The person managing the audit programme should engage in appropriate continual professional development activities to maintain the necessary knowledge and skills to manage the audit programme.

5.4.3 Establishing the extent of the audit programme

The person managing the audit programme should determine the extent of the audit programme. This can vary depending on the size and nature of the auditee, as well as on the nature, functionality, complexity and the level of maturity of, and matters of significance to, the management system to be audited.

NOTE In certain cases, depending on the auditee's structure or its activities, the audit programme might only consist of a single audit (e.g. a small project activity).

Other factors impacting the extent of an audit programme include the following:

a) the objective, scope and duration of each audit and the number of audits to be conducted, including audit follow-up, if applicable;

b) the management system standards used and the disciplines covered;

c) the number, importance, complexity, similarity and locations of the activities to be audited;

d) those factors influencing the effectiveness of the management system;

e) applicable audit criteria, such as planned arrangements for the relevant management system standards, legal and other requirements to which the organization subscribes;

f) conclusions of previous internal or external audits;

g) results of a previous audit programme review;

h) language, cultural and social issues;

i) the concerns of interested parties, such as customer complaints, non-compliance with legal requirements, or supply chain issues;

j) significant changes to the auditee or its operations;


k) availability of information and communication technologies to support audit activities, in particular the use of remote audit methods (see Clause A.1);

l) the occurrence of internal and external events, such as product failures, information security leaks, health and safety incidents, criminal acts or environmental incidents;

m) business risks and opportunities;

n) risks and opportunities arising from the occurrence of internal and external events.

5.4.4 Determining audit programme resources

When determining resources for the audit programme, the person managing the audit programme should consider:

a) the financial resources necessary to develop, implement, manage and improve audit activities;

b) audit methods (see Clause A.1);

c) the availability of auditors and technical experts having competence appropriate to the particular audit programme objectives;

d) the extent of the audit programme and audit programme risks and opportunities;

e) travel time and cost, accommodation and other auditing needs;

f) the availability of information and communication technologies.

5.5 Implementing the audit programme

5.5.1 General

The person managing the audit programme should:

a) communicate the pertinent parts of the audit programme to relevant parties and inform them periodically of its progress;

b) define objectives, scope and criteria for each individual audit;

c) coordinate and schedule audits and other activities relevant to the audit programme;

d) ensure the selection of audit teams with the necessary competence;

e) provide necessary resources to the audit teams;

f) ensure the conduct of audits in accordance with the audit programme;

g) ensure that audit activities are documented and records are properly managed and maintained.

5.5.2 Defining the objectives, scope and criteria for an individual audit

Each individual audit should be based on defined audit objectives, scope and criteria. These should be consistent with the overall audit programme objectives.

The audit objectives define what is to be accomplished by the individual audit and may include the following:


a) determination of the extent of conformity of the management system to be audited, or parts of it, with audit criteria;

b) determination of conformity of activities, processes, products and services with the audit criteria;

c) evaluation of the capability of the management system to ensure compliance with legal requirements and other requirements to which the organization is committed;

d) evaluation of the effectiveness of the management system in meeting its specified objectives;

e) identification of areas for potential improvement of the management system.

The audit scope should be consistent with the audit programme and audit objectives. It includes such factors as locations, functions, activities and processes to be audited, as well as the time period covered by the audit.

The audit criteria are used as a reference against which conformity is determined. These may include one or more of the following: applicable policies, processes, procedures, standards, legal requirements, management system standard requirements, contractual requirements, sector codes of conduct or other planned arrangements.

In the event of any changes to the audit objectives, scope or criteria, the audit programme should be modified if necessary.

When more than one discipline is being audited at the same time, it is important that the audit objectives, scope and criteria are consistent with the relevant audit programmes.

5.5.3 Selecting the audit methods

The person managing the audit programme should select and determine the methods for effectively conducting an audit, depending on the defined audit objectives, scope and criteria.

NOTE Guidance on how to determine audit methods is given in Annex A.

Where two or more auditing organizations conduct a joint audit of the same auditee, the persons managing the different audit programmes should agree on the audit method and consider implications for resourcing and planning the audit. If an auditee operates two or more management systems of different disciplines, combined audits may be included in the audit programme.

5.5.4 Selecting the audit team members

The person managing the audit programme should appoint the members of the audit team, including the team leader and any technical experts needed for the specific audit.

An audit team should be selected, taking into account the competence needed to achieve the objectives of the individual audit within the defined scope. If there is only one auditor, the auditor should perform all applicable duties of an audit team leader.

NOTE Clause 7 contains guidance on determining the competence required for the audit team members and describes the processes for evaluating auditors.

In deciding the size and composition of the audit team for the specific audit, consideration should be given to the following:

a) the overall competence of the audit team needed to achieve audit objectives, taking into account audit scope and criteria;

b) complexity of the audit and if the audit is a combined or joint audit;


c) the selected audit methods;

d) legal requirements and other requirements to which the organization subscribes;

e) the need for impartiality and objectivity of the audit team members from the activities to be audited and to avoid any conflict of interest [see principle e) in Clause 4];

f) selecting the audit team and conducting audits to ensure objectivity and the impartiality of the audit process [see principle e) in Clause 4];

g) the ability of the audit team members to interact effectively with the representatives of the auditee and to work together;

h) the language of the audit, and the auditee’s social and cultural characteristics. These issues may be addressed either by the auditor's own skills or through the support of a technical expert.

To assure the overall competence of the audit team, the following steps should be performed:

identification of the knowledge and skills needed to achieve the objectives of the audit;

selection of the audit team members so that the necessary knowledge and skills are present in the audit team.

If the necessary competence is not covered by the auditors in the audit team, technical experts with additional competence should be included in the team. Technical experts should operate under the direction of an auditor, but should not act as auditors.

Auditors-in-training may be included in the audit team, but should participate under the direction and guidance of an auditor.

Adjustments to the size and composition of the audit team may be necessary during the audit, e.g. if a conflict of interest or competence issue arises. If such a situation arises, it should be discussed with the appropriate parties (e.g. audit team leader, the person managing the audit programme, audit client or auditee) before any adjustments are made.

5.5.5 Assigning responsibility for an individual audit to the audit team leader

The person managing the audit programme should assign the responsibility for conducting the individual audit to an audit team leader.

The assignment should be made in sufficient time before the scheduled date of the audit, in order to ensure the effective planning of the audit.

To ensure effective conduct of the individual audits, the following information should be provided to the audit team leader:

a) audit objectives;

b) audit criteria and any reference documented information;

c) audit scope, including identification of the organizational units, functions and processes to be audited;

d) audit methods and processes;

e) composition of the audit team;

f) contact details of the auditee, the locations, dates and duration of the audit activities to be conducted;


g) the resources necessary to conduct the audit;

h) information needed for evaluating and addressing identified risks to the achievement of the audit objectives.

The assignment information should also cover the following, as appropriate:

working and reporting language of the audit where this is different from the language of the auditor or the auditee, or both;

audit report contents and distribution required by the audit programme;

matters related to confidentiality and information security, if required by the audit programme;

any health and safety arrangements for the auditors;

any security and authorization requirements;

any follow-up actions, e.g. from a previous audit, if applicable;

coordination with other audit activities, in the case of a joint audit;

identifying opportunities where relevant.

Where a joint audit is conducted, it is important to reach agreement among the organizations conducting the audits, before the audit commences, on the specific responsibilities of each party, particularly with regard to the authority of the team leader appointed for the audit.

5.5.6 Managing the audit programme outcome

The person managing the audit programme should ensure that the following activities are performed:

a) review and approval of audit reports, including evaluating the suitability and adequacy of audit findings;

b) review of the effectiveness of actions taken to address audit findings;

c) distribution of audit reports to relevant interested parties;

d) determination of the necessity for any follow-up audit.

5.5.7 Managing and maintaining audit programme records

The person managing the audit programme should ensure that audit records are created, managed and maintained to demonstrate the implementation of the audit programme. Processes should be established to ensure that any confidentiality needs associated with the audit records are addressed.

Records should include the following:

a) records related to the audit programme, such as:

audit programme objectives and extent;

those addressing audit programme risks and opportunities;

reviews of the audit programme effectiveness.

b) records related to each individual audit, such as:


audit plans and audit reports;

nonconformity reports;

corrective action reports;

audit follow-up reports, if applicable.

c) records related to the audit team, covering topics such as:

competence and performance evaluation of the audit team members;

selection of audit teams and team members;

maintenance and improvement of competence.

The form and level of detail of the records should demonstrate that the objectives of the audit programme have been achieved.

5.6 Monitoring the audit programme

The person managing the audit programme should evaluate:

a) if schedules are being met and audit objectives are being achieved;

b) the performance of the audit team members;

c) the ability of the audit teams to implement the audit plan;

d) feedback from audit clients, auditees, auditors, technical experts and other interested parties.

Some factors may indicate the need to modify the audit programme. These may include:

audit findings;

demonstrated level of management system effectiveness;

changes to the auditee’s management system;

changes to the audit client’s management system or its context;

changes to standards, legal requirements and other requirements to which the organization subscribes;

change of supplier;

identified conflicts of interest.

5.7 Reviewing and improving the audit programme

The person managing the audit programme should review the audit programme to assess whether its objectives have been achieved. Lessons learned from the audit programme review should be used as inputs for the continual improvement of the programme (see Clause 6.6).

The audit programme review should consider the following:

a) results and trends from audit programme monitoring;


b) conformity with audit programme processes;

c) evolving needs and expectations of relevant interested parties;

d) audit programme records;

e) alternative or new auditing methods;

f) effectiveness of the measures to address the risks and opportunities associated with the audit programme;

g) confidentiality and information security issues relating to the audit programme.

The person managing the audit programme should:

review the overall implementation of the audit programme;

identify areas of improvement;

amend the programme if necessary;

review the continual professional development of auditors, in accordance with Clauses 7.4, 7.5 and 7.6;

report the results of the audit programme to the audit client.

6 Performing an audit

6.1 General

This clause contains guidance on preparing and conducting a specific audit as part of an audit programme. Figure 2 provides an overview of the steps performed in a typical audit. The extent to which the provisions of this clause are applicable depends on the objectives and scope of the specific audit.


NOTE Subclause numbering refers to the relevant subclauses of this International Standard.

Figure 2 — Typical audit steps

6.2 Initiating the audit

6.2.1 General

The responsibility for conducting the audit remains with the assigned audit team leader (see Clause 5.5.5) until the audit is completed (see Clause 6.6).

To initiate an audit, the steps in Figure 2 should be considered; however, the sequence can differ depending on the auditee, processes and specific circumstances of the audit.

6.2.2 Establishing contact with the auditee

The audit team leader should contact the auditee representative and address the following:


a) confirm communication channels with the auditee’s representatives;

b) confirm the authority to conduct the audit;

c) provide information on the audit objectives, scope, methods and audit team composition, including any technical experts;

d) request access to relevant information for planning purposes;

e) determine applicable legal requirements and other requirements relevant to the activities, products and services of the auditee;

f) confirm the agreement with the auditee regarding the extent of the disclosure and the treatment of confidential information;

g) make arrangements for the audit, including the schedule;

h) determine any location-specific arrangements for access, health and safety, security, confidentiality or other;

i) agree on the attendance of observers and the need for guides or translators for the audit team;

j) determine any areas of interest, concern or risks to the auditee in relation to the specific audit.

6.2.3 Determining the feasibility of the audit

The feasibility of the audit should be determined to provide reasonable confidence that the audit objectives can be achieved.

The determination of feasibility should take into consideration such factors as the availability of the following:

a) sufficient and appropriate information for planning and conducting the audit;

b) adequate cooperation from the auditee;

c) adequate time and resources for conducting the audit.

NOTE Resources include access to adequate and appropriate information and communication technology.

Where the audit is not feasible, an alternative should be proposed to the audit client, in agreement with the auditee.

6.3 Preparing audit activities

6.3.1 Performing review of documented information

The relevant management system documented information of the auditee should be reviewed in order to:

a) gather information to understand the auditee’s operations and to prepare audit activities and applicable work documents (see Clause 6.3.4), e.g. on processes, functions;

b) establish an overview of the extent of the system documented information to determine possible conformance and detect possible areas of concern, such as deficiencies, omissions or conflicts.

NOTE Guidance on how to verify information is provided in Clause A.2.


The documented information should include, but not be limited to, management system documents and records, as well as previous audit reports. The documented information review should take into account the size, nature and complexity of the auditee’s management system and organization, and the audit objectives and scope.

6.3.2 Audit planning

6.3.2.1 The audit team leader should plan an audit based on the information contained in the audit programme and in the documented information provided by the auditee.

NOTE The output of audit planning may be in the form of an audit plan.

Audit planning should consider the risks of the audit activities on the auditee’s processes and provide the basis for the agreement among the audit client, audit team and the auditee regarding the conduct of the audit. Planning should facilitate the efficient scheduling and coordination of the audit activities in order to achieve the objectives effectively.

The amount of detail provided in the audit planning output should reflect the scope and complexity of the audit, as well as the risk to achieving the audit objectives. In planning the audit, the audit team leader should consider the following:

a) the appropriate sampling techniques (see Clause A.3);

b) the composition of the audit team and its overall competence;

c) opportunities to improve the effectiveness and efficiency of the audit activities;

d) the risks to the organization and the achievement of the audit objectives created by ineffective audit planning;

e) the risks to the organization created by performing the audit.

Risks to the organization may result from the presence of the audit team members influencing health and safety, environment and quality, and their presence presenting threats to the auditee’s products, services, personnel or infrastructure (e.g. contamination in clean room facilities).

For combined audits, particular attention should be given to the interactions between operational processes and any competing objectives and priorities of the different management systems.

6.3.2.2 The scale and content of the audit planning may differ, for example, between initial and subsequent audits, as well as between internal and external audits. Audit planning should be sufficiently flexible to permit changes which can become necessary as the audit activities progress.

Audit planning should address or reference the following:

a) the audit objectives;

b) the audit scope, including identification of the organizational units, functions and processes to be audited;

c) the audit criteria and any reference documented information;

d) the locations, dates, expected time and duration of audit activities to be conducted, including meetings with the auditee’s management;


e) the need for the audit team to familiarise themselves with the auditee’s facilities and processes (e.g. by conducting a tour of physical location(s), or information and communication technology networks, protocols and features);

f) the audit methods to be used, including the extent to which audit sampling is needed to obtain sufficient audit evidence;

g) the roles and responsibilities of the audit team members, as well as guides and observers or translators;

h) the allocation of appropriate resources to critical areas of the audit.

Audit planning may also cover the following, as appropriate:

identification of the auditee’s representative for the audit;

the working and reporting language of the audit where this is different from the language of the auditor or the auditee or both;

the audit report topics;

logistics and communications arrangements, including specific arrangements for the locations to be audited;

any specific measures to be taken to address risk to achieving the audit objectives and opportunities arising;

matters related to confidentiality and information security;

any follow-up actions from a previous audit or other source(s), e.g. lessons learned, project reviews;

any follow-up activities to the planned audit;

coordination with other audit activities, in case of a joint audit.

Audit planning output may be reviewed and accepted by the audit client, and should be presented to the auditee. Any objections by the auditee to the audit planning output should be resolved between the audit team leader, the auditee and the audit client.

6.3.3 Assigning work to the audit team

The audit team leader, in consultation with the audit team, should assign to each team member responsibility for auditing specific processes, activities, functions or locations. Such assignments should take into account the impartiality, objectivity and competence of auditors and the effective use of resources, as well as the different roles and responsibilities of auditors, auditors-in-training and technical experts.

Audit team briefings should be held, as appropriate, by the audit team leader in order to allocate work assignments and decide possible changes. Changes to the work assignments can be made as the audit progresses in order to ensure the achievement of the audit objectives.

6.3.4 Preparing work documents

The audit team members should collect and review the information relevant to their audit assignments and prepare work documents, as necessary, for reference and for recording audit evidence. Such work documents may include the following:

a) checklists;


b) audit sampling plans;

c) forms for recording information, such as supporting evidence, audit findings and records.

The use of checklists and forms should not restrict the extent of audit activities, which can change as a result of information collected during the audit.

NOTE Guidance on preparing work documents is given in Clause A.4.

Work documents, including records resulting from their use, should be retained at least until audit completion, or as specified in the audit programme. Retention of documented information after audit completion is described in Clause 6.6. Documented information created during the audit process involving confidential or proprietary information should be suitably safeguarded at all times by the audit team members.

6.4 Conducting the audit activities

6.4.1 General

Audit activities are normally conducted in a defined sequence as indicated in Figure 2. This sequence may be varied to suit the circumstances of specific audits.

6.4.2 Conducting the opening meeting

The purpose of the opening meeting is to:

a) confirm the agreement of all parties (e.g. auditee, audit team) to the audit planning output;

b) introduce the audit team;

c) ensure that all planned audit activities can be performed.

An opening meeting should be held with the auditee’s management and, where appropriate, those responsible for the functions or processes to be audited. During the meeting, an opportunity to ask questions should be provided.

The degree of detail should be consistent with the familiarity of the auditee with the audit process. In many instances, e.g. internal audits in a small organization, the opening meeting may simply consist of communicating that an audit is being conducted and explaining the nature of the audit.

For other audit situations, the meeting may be formal and records of attendance should be retained. The meeting should be chaired by the audit team leader.

Introduction of the following items should be considered, as appropriate:

the participants, including observers and guides, translators, and an outline of their roles;

the audit methods to manage risks to the organization which may result from the presence of the audit team members.

Confirmation of the following items should be considered, as appropriate:

the audit objectives, scope and criteria;

the audit planning output and other relevant arrangements with the auditee, such as the date and time for the closing meeting, any interim meetings between the audit team and the auditee’s management, and any late changes;


formal communication channels between the audit team and the auditee;

the language to be used during the audit;

that, during the audit, the auditee will be kept informed of audit progress;

the availability of the resources and facilities needed by the audit team;

matters relating to confidentiality and information security;

relevant access, health and safety, security and emergency arrangements for the audit team.

The presentation of information on the following items should be considered, as appropriate:

the method of reporting audit findings including grading, if any;

conditions under which the audit may be terminated;

how to deal with possible findings during the audit;

any system for feedback from the auditee on the findings or conclusions of the audit, including complaints or appeals.

6.4.3 Reviewing documented information while conducting the audit

The auditee’s relevant documented information should be reviewed to:

a) determine the conformity of the system, as far as documented, with audit criteria;

b) gather information to support the audit activities.

NOTE Guidance on how to verify information is provided in Clause A.2.

The review may be combined with the other audit activities and may continue throughout the audit, providing this is not detrimental to the effectiveness of the conduct of the audit.

If adequate documented information cannot be provided within the time frame given in the audit planning output, the audit team leader should inform both the person managing the audit programme and the auditee. Depending on the audit objectives and scope, a decision should be made as to whether the audit should be continued or suspended until documented information concerns are resolved.

6.4.4 Communicating during the audit

During the audit, it may be necessary to make formal arrangements for communication within the audit team, as well as with the auditee, the audit client and potentially with external bodies (e.g. regulators), especially where legal requirements require the mandatory reporting of non-compliances.

The audit team should confer periodically to exchange information, assess audit progress, and reassign work between the audit team members, as needed.

During the audit, the audit team leader should periodically communicate the progress of the audit and any concerns to the auditee and audit client, as appropriate. Evidence collected during the audit that suggests an immediate and significant risk should be reported without delay to the auditee and, as appropriate, to the audit client. Any concern about an issue outside the audit scope should be noted and reported to the audit team leader, for possible communication to the audit client and auditee.


Where the available audit evidence indicates that the audit objectives are unattainable, the audit team leader should report the reasons to the audit client and the auditee to determine appropriate action. Such action may include changes to audit planning, the audit objectives or audit scope, or termination of the audit.

Any need for changes to the audit planning which may become apparent as auditing activities progress should be reviewed and accepted, as appropriate, by both the person managing the audit programme and the audit client.

6.4.5 Assigning roles and responsibilities of guides and observers

Guides and observers (e.g. regulator or other interested parties) may accompany the audit team with appropriate approvals, where required. They should not influence or interfere with the conduct of the audit.

For observers, any arrangements for access, health and safety, security and confidentiality should be managed between the audit client and the auditee.

Guides, appointed by the auditee, should assist the audit team and act on the request of the audit team leader. Their responsibilities should include the following:

a) assisting the auditors in identifying individuals to participate in interviews and confirming timings and locations;

b) arranging access to specific locations of the auditee;

c) ensuring that rules concerning location-specific arrangements for access, health and safety, security and confidentiality are known and respected by the audit team members and observers, and that any risks are addressed;

d) witnessing the audit on behalf of the auditee, when appropriate;

e) providing clarification or assisting in collecting information, when needed.

6.4.6 Audit information availability and access

The audit methods chosen for an audit depend on the defined audit objectives, scope and criteria, as well as duration and location. The location is where the information needed for the specific audit activity is available to the audit team. This may include physical and virtual locations.

Where, when and how the audit team gets access to information is crucial to the audit. This is independent of where the information is created, used or stored. The audit methods should be determined on the basis of these two aspects, the location of the information and the means of access to it (see Annex B.2, Table 1). The audit can use a mixture of methods. Also, audit circumstances may mean that the methods need to change during the audit.

6.4.7 Collecting and verifying information

During the audit, information relevant to the audit objectives, scope and criteria, including information relating to interfaces between functions, activities and processes, should be collected by means of appropriate sampling and should be verified.

NOTE 1 Guidance on how to verify information is provided in Clause A.2.

Only information that is verifiable should be accepted as audit evidence. Audit evidence leading to audit findings should be recorded. If, during the collection of evidence, the audit team becomes aware of any new or changed circumstances or risks, these should be addressed by the team accordingly.

NOTE 2 Guidance on sampling is given in Clause A.3.


Figure 3 provides an overview of the process, from collecting information to reaching audit conclusions.

[Figure 3: flowchart. Source of information → Collecting by means of appropriate sampling → Audit evidence → Evaluating against audit criteria → Audit findings → Reviewing → Audit conclusions]

Figure 3 — Overview of the process of collecting and verifying information

Methods of collecting information include the following:

interviews;

observations;

review of documented information.

NOTE 3 Guidance on sources of information is given in Clause A.5.

NOTE 4 Guidance on visiting the auditee’s location is given in Clause A.6.

NOTE 5 Guidance on how to conduct interviews is given in Clause A.8.

6.4.8 Generating audit findings

Audit evidence should be evaluated against the audit criteria in order to determine audit findings. Audit findings can indicate conformity or nonconformity with audit criteria. When specified by the audit planning output, individual audit findings should include conformity and good practices along with their supporting evidence, opportunities for improvement, and any recommendations to the auditee.

Nonconformities and their supporting audit evidence should be recorded. Nonconformities may be graded. They should be reviewed with the auditee in order to obtain acknowledgement that the audit evidence is accurate, and that the nonconformities are understood. Every attempt should be made to resolve any diverging opinions concerning the audit evidence or findings, and unresolved points should be recorded.


The audit team should meet as needed to review the audit findings at appropriate stages during the audit.

NOTE Additional guidance on the identification and evaluation of audit findings is given in Clause A.9.

6.4.9 Preparing audit conclusions

6.4.9.1 The audit team should confer prior to the closing meeting in order to:

a) review the audit findings, and any other appropriate information collected during the audit, against the audit objectives;

b) agree on the audit conclusions, taking into account the uncertainty inherent in the audit process;

c) prepare recommendations, if specified by the audit planning output;

d) discuss audit follow-up, as applicable.

6.4.9.2 Audit conclusions can address issues such as the following:

a) the extent of conformity with the audit criteria and robustness of the management system, including the effectiveness of the management system in meeting the stated objectives;

b) the effective implementation, maintenance and improvement of the management system;

c) achievement of audit objectives, coverage of audit scope, and fulfilment of audit criteria;

d) similar findings made in different areas that were audited or from a joint or previous audit, for the purpose of identifying trends.

If specified by the audit planning output, audit conclusions can lead to recommendations for improvement, or future auditing activities.

6.4.10 Conducting the closing meeting

A closing meeting, facilitated by the audit team leader, should be held to present the audit findings and conclusions. Participants in the closing meeting should include the management of the auditee and, where appropriate, those responsible for the functions or processes which have been audited, and may also include the audit client and other parties. If applicable, the audit team leader should advise the auditee of situations encountered during the audit that may decrease the confidence that can be placed in the audit conclusions. If defined in the management system or by agreement with the audit client, the participants should agree on the time frame for an action plan to address audit findings.

The degree of detail should be consistent with the familiarity of the auditee with the audit process. For some audit situations, the meeting may be formal and minutes, including records of attendance, should be kept. In other instances, e.g. internal audits, the closing meeting is less formal and may consist solely of communicating the audit findings and audit conclusions.

As appropriate, the following should be explained to the auditee in the closing meeting:

a) that the audit evidence collected was based on a sample of the information available;

b) the method of reporting;

c) the process of handling of audit findings and possible consequences;

d) the audit findings and conclusions, presented in such a manner that they are understood and acknowledged by the auditee’s management;


e) any related post-audit activities (e.g. implementation of corrective actions, audit complaint handling, appeal process).

Any diverging opinions regarding the audit findings or conclusions between the audit team and the auditee should be discussed and, if possible, resolved. If not resolved, this should be recorded.

If specified by the audit objectives, recommendations for opportunities for improvement may be presented. It should be emphasized that recommendations are not binding.

6.5 Preparing and distributing the audit report

6.5.1 Preparing the audit report

The audit team leader should report the audit results in accordance with the audit programme processes.

The audit report should provide a complete, accurate, concise and clear record of the audit, and should include or refer to the following:

a) the audit objectives;

b) the audit scope, particularly identification of the organizational and functional units or processes audited;

c) identification of the audit client;

d) identification of the audit team and the auditee’s participants in the audit;

e) the dates and locations where the audit activities were conducted;

f) the audit criteria;

g) the audit findings and related evidence;

h) the audit conclusions;

i) a statement on the degree to which the audit criteria have been fulfilled.

The audit report can also include or refer to the following, as appropriate:

the audit plan including time schedule;

a summary of the audit process, including any obstacles encountered that may decrease the reliability of the audit conclusions;

confirmation that the audit objectives have been achieved within the audit scope in accordance with the audit plan;

any areas within the audit scope not covered;

a summary covering the audit conclusions and the main audit findings that support them;

any unresolved diverging opinions between the audit team and the auditee;

good practices identified;

agreed follow-up action plans, if any;

a statement of the confidential nature of the contents;


any implications for the audit programme or subsequent audits;

the distribution list for the audit report.

6.5.2 Distributing the audit report

The audit report should be issued within an agreed period of time. If it is delayed, the reasons should be communicated to the auditee and the person managing the audit programme.

The audit report should be dated, reviewed and accepted, as appropriate, in accordance with audit programme processes.

The audit report should then be distributed to the recipients as defined in the audit processes or audit planning output.

6.6 Completing the audit

The audit is completed when all planned audit activities have been carried out, or as otherwise agreed with the audit client (e.g. there might be an unexpected situation that prevents the audit being completed according to the audit planning).

Documented information pertaining to the audit should be retained or destroyed by agreement between the participating parties and in accordance with audit programme processes and applicable requirements.

Unless required by law, the audit team and the person managing the audit programme should not disclose any information obtained during the audit, or the audit report, to any other party without the explicit approval of the audit client and, where appropriate, the approval of the auditee. If disclosure of the contents of an audit document is required, the audit client and auditee should be informed as soon as possible.

Lessons learned from the audit should identify risks to, and opportunities for improvement of, the management system of the auditing organization.

6.7 Conducting audit follow-up

The outcome of the audit can, depending on the audit objectives, indicate the need for corrections, or for corrective actions, or opportunities for improvement. Such actions are usually decided and undertaken by the auditee within an agreed timeframe. As appropriate, the auditee should keep the person managing the audit programme and the audit team informed of the status of these actions.

The completion and effectiveness of these actions should be verified. This verification may be part of a subsequent audit.

7 Competence and evaluation of auditors

7.1 General

Confidence in the audit process and the ability to achieve its objectives depends on the competence of those individuals who are involved in performing audits, including auditors and audit team leaders. Competence should be evaluated regularly through a process that considers personal behaviour and the ability to apply the knowledge and skills gained through education, work experience, auditor training and audit experience. This process should take into consideration the needs of the audit programme and its objectives. Some of the knowledge and skills described in Clause 7.2.3 are common to auditors of any management system discipline; others are specific to individual management system disciplines. It is not necessary for each auditor in the audit team to have the same competence; however, the overall competence of the audit team needs to be sufficient to achieve the audit objectives.


The evaluation of auditor competence should be planned, implemented and documented in accordance with the audit programme to provide an outcome that is objective, consistent, fair and reliable. The evaluation process should include four main steps, as follows:

a) determine the required competence to fulfil the needs of the audit programme;

b) establish the evaluation criteria;

c) select the appropriate evaluation method;

d) conduct the evaluation.

The outcome of the evaluation process should provide a basis for the following:

selection of audit team members as described in Clause 5.5.4;

determining the need for improved competence (e.g. additional training);

ongoing performance evaluation of auditors.

Auditors should develop, maintain and improve their competence through continual professional development and regular participation in audits (see Clause 7.6).

A process for evaluating auditors and audit team leaders is described in Clauses 7.4 and 7.5.

Auditors and audit team leaders should be evaluated against the criteria set out in Clauses 7.2.2 and 7.2.3.

The competence required of the person managing the audit programme is described in Clause 5.4.2.

7.2 Determining auditor competence to fulfil the needs of the audit programme

7.2.1 General

In deciding the appropriate knowledge and skills of the auditor, the following should be considered:

a) the size, nature and complexity of the organization to be audited;

b) the methods for auditing;

c) the management system disciplines to be audited;

d) the complexity of the management system to be audited;

e) the objectives and extent of the audit programme;

f) the uncertainty in achieving audit objectives;

g) other requirements, such as those imposed by the audit client or other external bodies, where appropriate.

This information should be matched against that listed in Clauses 7.2.3.2, 7.2.3.3 and 7.2.3.4.

7.2.2 Personal behaviour

Auditors should possess the necessary qualities to enable them to act in accordance with the principles of auditing as described in Clause 4. Auditors should exhibit professional behaviour during the performance of audit activities. Desired behaviours include being:


a) ethical, i.e. fair, truthful, sincere, honest and discreet;

b) open-minded, i.e. willing to consider alternative ideas or points of view;

c) diplomatic, i.e. tactful in dealing with people;

d) observant, i.e. actively observing physical surroundings and activities;

e) perceptive, i.e. aware of and able to understand situations;

f) versatile, i.e. able to readily adapt to different situations;

g) tenacious, i.e. persistent and focused on achieving objectives;

h) decisive, i.e. able to reach timely conclusions based on logical reasoning and analysis;

i) self-reliant, i.e. able to act and function independently whilst interacting effectively with others;

j) acting with fortitude, i.e. able to act responsibly and ethically, even though these actions may not always be popular and may sometimes result in disagreement or confrontation;

k) open to improvement, i.e. willing to learn from situations, and striving for better audit results;

l) culturally sensitive, i.e. observant and respectful to the culture of the auditee;

m) collaborative, i.e. effectively interacting with others, including audit team members and the auditee’s personnel.

7.2.3 Knowledge and skills

7.2.3.1 General

Auditors should possess the knowledge and skills necessary to achieve the intended results of the audits they are expected to perform. All auditors should possess generic knowledge and skills and should also be expected to possess some discipline and sector-specific knowledge and skills. Audit team leaders should have the additional knowledge and skills necessary to provide leadership to the audit team.

7.2.3.2 Generic knowledge and skills of management system auditors

Auditors should have knowledge and skills in the areas outlined below.

a) Audit principles, processes and methods: knowledge and skills in this area enable the auditor to ensure audits are performed in a consistent and systematic manner.

An auditor should be able to:

understand the types of risks and opportunities associated with auditing;

plan and organize the work effectively;

perform the audit within the agreed time schedule;

prioritize and focus on matters of significance;

communicate effectively, orally and in writing (either personally, or through the use of interpreters and translators);


collect information through effective interviewing, listening, observing and reviewing documented information, including records and data;

understand the appropriateness and consequences of using sampling techniques for auditing;

understand and consider experts’ opinions;

verify the relevance and accuracy of collected information;

confirm the sufficiency and appropriateness of audit evidence to support audit findings and conclusions;

assess those factors that may affect the reliability of the audit findings and conclusions;

document audit activities and audit findings, and prepare reports;

maintain the confidentiality and security of information.

b) Management system standards and other references: knowledge and skills in this area enable the auditor to understand the audit scope and apply audit criteria, and should cover the following:

management system standards or other references used as audit criteria;

the application of management system standards by the auditee and other organizations, as appropriate;

relationships and interactions between the components of the management system(s);

understanding the importance and priority of references;

application of the references to different audit situations.

c) The organization and its context: knowledge and skills in this area enable the auditor to understand the auditee’s structure, purpose and management practices and should cover the following:

needs and expectations of relevant interested parties that impact the audit;

type of organization, governance, size, structure, functions and relationships;

general business and management concepts, processes and related terminology, including planning, budgeting and management of people;

cultural and social aspects of the auditee.

d) Applicable legal requirements and other requirements: knowledge and skills in this area enable the auditor to be aware of, and work within, the organization’s requirements. Knowledge and skills specific to the jurisdiction or to the auditee’s activities, products and services should cover the following:

laws and regulations and their governing agencies;

basic legal terminology;

contracting and liability.


7.2.3.3 Discipline and sector-specific knowledge and skills of auditors

Audit teams should have the collective discipline and sector-specific knowledge and skills appropriate for auditing the particular types of management systems and sectors.

The discipline and sector-specific knowledge and skills of auditors include the following:

a) management system requirements and principles, and their application;

b) legal requirements relevant to the discipline and sector, such that the auditor is aware of the requirements specific to the jurisdiction and the auditee’s obligations, activities, products and services;

c) fundamentals of the discipline;

d) application of discipline and sector-specific methods, techniques, processes and practices to enable the audit team to assess conformity within the defined audit scope and generate appropriate audit findings and conclusions;

e) principles, methods and techniques relevant to the discipline and sector, such that the auditor can determine and evaluate the risks associated with the audit programme.

7.2.3.4 Generic knowledge and skills of an audit team leader

In order to facilitate the efficient and effective conduct of the audit, an audit team leader should have the knowledge and skills necessary to:

a) plan the audit and assign audit tasks according to the specific competence of individual audit team members;

b) develop a collaborative working relationship among the audit team members;

c) manage the audit process, including:

— making effective use of resources during the audit;

— managing the uncertainty of achieving audit objectives;

— protecting the health and safety of the audit team members during the audit, including ensuring compliance of the auditors with the relevant health and safety, and security arrangements;

— directing the audit team members;

— providing direction and guidance to auditors-in-training;

— preventing and resolving conflicts, as necessary.

d) represent the audit team in communications with the person managing the audit programme, the audit client and the auditee;

e) lead the audit team to reach the audit conclusions;

f) prepare and complete the audit report.

7.2.3.5 Knowledge and skills for auditing multiple disciplines

When auditing multiple discipline systems, the audit team member should have an understanding of the interactions and synergy between the different management systems.


Audit team leaders should understand the requirements of each of the management system standards being audited and recognize the limits of their knowledge and skills in each of the disciplines.

7.2.4 Achieving auditor competence

Auditor knowledge and skills can be acquired using a combination of the following:

a) training programmes that cover generic auditor knowledge and skills;

b) experience in a relevant technical, managerial or professional position involving the exercise of judgement, decision making, problem solving and communication with managers, professionals, peers, customers and other interested parties;

c) education/training and experience in a specific management system discipline and sector that contribute to the development of overall knowledge and skills;

d) audit experience acquired under the supervision of an auditor in the same discipline.

7.2.5 Audit team leaders

An audit team leader should have acquired additional audit experience to develop the knowledge and skills described in Clause 7.2.3. This additional experience should have been gained by working under the direction and guidance of a different audit team leader.

7.3 Establishing the auditor evaluation criteria

The criteria should be qualitative (such as having demonstrated desired behaviour, knowledge or the performance of the skills, in training or in the workplace) and quantitative (such as the years of work experience and education, number of audits conducted, hours of audit training).

7.4 Selecting the appropriate auditor evaluation method

The evaluation should be conducted using two or more of the methods such as those in Table 2. In using Table 2, the following should be noted:

a) the methods outlined represent a range of options and may not apply in all situations;

b) the various methods outlined may differ in their reliability;

c) a combination of methods should be used to ensure an outcome that is objective, consistent, fair and reliable.

Table 2 — Auditor evaluation methods

Evaluation method: Review of records. Objective: to verify the background of the auditor. Examples: analysis of records of education, training, employment, professional credentials and audit experience.

Evaluation method: Feedback. Objective: to provide information about how the performance of the auditor is perceived. Examples: surveys, questionnaires, personal references, testimonials, complaints, performance evaluation, peer review.

Evaluation method: Interview. Objective: to evaluate desired behaviour and communication skills, to verify information and test knowledge, and to acquire additional information. Examples: personal interviews.

Evaluation method: Observation. Objective: to evaluate desired behaviour and the ability to apply knowledge and skills. Examples: role playing, witnessed audits, on-the-job performance.

Evaluation method: Testing. Objective: to evaluate desired behaviour and knowledge and skills and their application. Examples: oral and written exams, psychometric testing.

Evaluation method: Post-audit review. Objective: to provide information on the auditor performance during the audit activities, and to identify strengths and opportunities for improvement. Examples: review of the audit report, interviews with the audit team leader, the audit team and, if appropriate, feedback from the auditee.


7.5 Conducting auditor evaluation

The information collected about the auditor under evaluation should be compared against the criteria set in Clause 7.2.3. When an auditor under evaluation who is expected to participate in the audit programme does not fulfil the criteria, then additional training, work or audit experience should be undertaken and a subsequent re-evaluation should be performed.

7.6 Maintaining and improving auditor competence

Auditors and audit team leaders should continually improve their competence. Auditors should maintain their auditing competence through regular participation in management system audits and continual professional development. This may be achieved through means such as additional work experience, training, private study, coaching, attendance at meetings, seminars and conferences or other relevant activities (see Clause 7.1.1).

The person managing the audit programme should establish suitable mechanisms for the continual evaluation of the performance of the auditors and audit team leaders.

The continual professional development activities should take into account the following:

a) changes in the needs of the individual and the organization responsible for the conduct of the audit;

b) developments in the practice of auditing, including information and communication technology;

c) relevant standards and other requirements;

d) changes in sector industries.


Annex A

(informative)

Additional guidance for auditors for planning and conducting audits

A.1 Applying audit methods

An audit can be performed using a range of audit methods. An explanation of commonly used audit methods can be found in this annex. The audit methods chosen for an audit depend on the defined audit objectives, scope and criteria, as well as duration and location. Available auditor competence and any uncertainty arising from the application of audit methods should also be considered. Applying a variety and combination of different audit methods can optimize the efficiency and effectiveness of the audit process and its outcome.

Performance of an audit involves an interaction among individuals with the management system being audited and the technology used to conduct the audit. Table A.1 provides examples of audit methods that can be used, singly or in combination, in order to achieve the audit objectives. If an audit involves the use of an audit team with multiple members, both on-site and remote methods may be used simultaneously.

NOTE Additional information about on-site visits is given in Clause A.6.

Table A.1 — Audit methods

(Rows: extent of involvement between the auditor and the auditee. Columns: location of the auditor, on-site or remote.)

Human interaction, on-site: conducting interviews; completing checklists and questionnaires with auditee participation; conducting document review with auditee participation; sampling.

Human interaction, remote (via interactive communication means): conducting interviews; observing work performed with remote guide (avatar); completing checklists and questionnaires; conducting document review with auditee participation.

No human interaction, on-site: conducting document review (e.g. records, data analysis); observation of work performed; conducting on-site visit; completing checklists; sampling (e.g. products).

No human interaction, remote: conducting document review (e.g. records, data analysis); observing work performed via surveillance means, considering social and legal requirements; analysing data.

On-site audit activities are performed at the location of the auditee. Remote audit activities are performed at any place other than the location of the auditee, regardless of the distance.

Interactive audit activities involve interaction between the auditee’s personnel and the audit team. Non-interactive audit activities involve no human interaction with persons representing the auditee but do involve interaction with equipment, facilities and documentation.


The responsibility for the effective application of audit methods for any given audit in the planning stage remains with either the person managing the audit programme or the audit team leader. The audit team leader has this responsibility for conducting the audit activities.

The feasibility of remote audit activities can depend on the level of confidence between the auditor and the auditee’s personnel.

At the level of the audit programme, it should be ensured that the use of remote and on-site application of audit methods is suitable and balanced, in order to ensure satisfactory achievement of audit programme objectives.

A.2 Verification of information

The auditors should consider if the information is:

a) complete (all expected content is contained in the documented information);

b) correct (the content conforms to other reliable sources such as standards and regulations);

c) consistent (the documented information is consistent in itself and with related documents);

d) current (the content is up to date).

It should also be considered if the information being verified provides sufficient evidence to support the validation against the relevant audit criteria.

When preparing work documents, the validation is made against the intended outcome.

If information is provided in a manner other than expected (e.g. by different persons, alternate media), the integrity of the evidence should be assessed.

The use of information and communication technologies, depending on the audit methods, promotes efficient conduct of the audit: specific care is needed for information security due to applicable regulations on protection of data (in particular for information which lies outside the audit scope, but which is also contained in the document).

NOTE Document review can give an indication of the effectiveness of document control within the auditee’s management system.

A.3 Sampling

A.3.1 General

Audit sampling takes place when it is not practical or cost effective to examine all available information during an audit, e.g. records are too numerous or too dispersed geographically to justify the examination of every item in the population. Audit sampling of a large population is the process of selecting less than 100 % of the items within the total available data set (population) to obtain and evaluate evidence about some characteristic of that population, in order to form a conclusion concerning the population.

The objective of audit sampling is to provide information for the auditor to have confidence that the audit objectives can or will be achieved.

The risk associated with sampling is that the samples may not be representative of the population from which they are selected. Thus the auditor's conclusion may be biased and be different from that which would be reached if the whole population was examined. There may be other risks depending on the variability within the population to be sampled and the method chosen.

Audit sampling typically involves the following steps:

a) establishing the objectives of sampling;

b) selecting the extent and composition of the population to be sampled;

c) selecting a sampling method;

d) determining the sample size to be taken;

e) conducting the sampling activity;

f) compiling, evaluating, reporting and documenting results.

When sampling, consideration should be given to the quality of the available data, as sampling insufficient and inaccurate data will not provide a useful result. The selection of an appropriate sample should be based on both the sampling method and the type of data required, e.g. to infer a particular behaviour pattern or draw inferences across a population.

Reporting on the sample selected could take into account the sample size, selection method and estimates made based on the sample and the confidence level.

Audits can use either judgement-based sampling (see A.3.2) or statistical sampling (see A.3.3).

A.3.2 Judgement-based sampling

Judgement-based sampling relies on the knowledge, skills and experience of the audit team (see Clause 7).

For judgement-based sampling, the following can be considered:

a) previous audit experience within the audit scope;

b) complexity of requirements (including legal requirements) to achieve the objectives of the audit;

c) complexity and interaction of the organization’s processes and management system elements;

d) degree of change in technology, human factor or management system;

e) previously identified key risk areas and areas of improvement;

f) output from monitoring of management systems.

A drawback to judgement-based sampling is that there can be no statistical estimate of the effect of uncertainty in the findings of the audit and the conclusions reached.

A.3.3 Statistical sampling

If the decision is made to use statistical sampling, the sampling plan should be based on the audit objectives and what is known about the characteristics of the overall population from which the samples are to be taken.

Statistical sampling design uses a sample selection process based on probability theory. Attribute-based sampling is used when there are only two possible sample outcomes for each sample (e.g. correct/incorrect or pass/fail). Variable-based sampling is used when the sample outcomes occur in a continuous range.


The sampling plan should take into account whether the outcomes being examined are likely to be attribute-based or variable-based. For example, when evaluating conformance of completed forms to the requirements set out in a procedure, an attribute-based approach could be used. When examining the occurrence of food safety incidents or the number of security breaches, a variable-based approach would likely be more appropriate.

The key elements that will affect the audit sampling plan are:

a) the size of the organization;

b) the number of competent auditors;

c) the frequency of audits during the year;

d) the time of the individual audit;

e) any externally required confidence level.

When a statistical sampling plan is developed, the level of sampling risk that the auditor is willing to accept is an important consideration. This is often referred to as the acceptable confidence level. For example, a sampling risk of 5 % corresponds to an acceptable confidence level of 95 %. A sampling risk of 5 % means the auditor is willing to accept the risk that 5 out of 100 (or 1 in 20) of the samples examined will not reflect the actual values that would be seen if the entire population was examined.

When statistical sampling is used, auditors should appropriately document the work performed. This should include a description of the population that was intended to be sampled, the sampling criteria used for the evaluation (e.g. what is an acceptable sample), the statistical parameters and methods that were utilized, the number of samples evaluated and the results obtained.
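The arithmetic behind an attribute-based sampling plan, carried through the steps of A.3.1 and the confidence level and documentation requirements of A.3.3, as an added example. This is editor-supplied code, not text or code from ISO 19011 or ISO/PC 302. It assumes a binomial model for large populations and an exact hypergeometric model for a finite population, together with an acceptance criterion of zero nonconformities in the sample; the population of 1 000 completed inspection forms, the nonconforming record identifiers, the 5 % tolerable nonconformity rate and all function and class names are constructed for illustration. It also goes a step beyond the text by computing the one-sided upper confidence bound on the population nonconformity rate when the sample does contain nonconforming items.

```python
"""Attribute-based audit sampling plan (added example; not part of ISO 19011).

Assumptions not stated in the standard: binomial model for large populations,
exact hypergeometric model for finite populations, acceptance criterion of
zero nonconformities in the sample.  All data below is constructed.
"""
import math
import random
from dataclasses import dataclass, field


def attribute_sample_size(tolerable_rate: float, confidence: float) -> int:
    """Smallest n such that a sample of n items with zero nonconformities
    supports, at the given confidence, the claim that the population
    nonconformity rate is below tolerable_rate.  Binomial approximation,
    valid when the sample is small relative to the population.
    A sampling risk of 5 % is confidence = 0.95."""
    if not 0 < tolerable_rate < 1 or not 0 < confidence < 1:
        raise ValueError("tolerable_rate and confidence must lie in (0, 1)")
    # Solve (1 - p)^n <= 1 - confidence for the smallest integer n.
    return math.ceil(math.log(1 - confidence) / math.log(1 - tolerable_rate))


def prob_zero_nonconforming(population: int, nonconforming: int, n: int) -> float:
    """Exact probability (hypergeometric, sampling without replacement) that a
    sample of n items from a population holding `nonconforming` bad items
    contains none of them."""
    if n > population - nonconforming:
        return 0.0
    return math.comb(population - nonconforming, n) / math.comb(population, n)


def finite_population_sample_size(population: int, tolerable_rate: float,
                                  confidence: float) -> int:
    """Smallest n such that, if the population held ceil(rate * N) bad items,
    a clean sample of n would occur with probability at most the sampling
    risk (1 - confidence).  Never larger than the binomial answer."""
    if not 0 < confidence < 1:
        raise ValueError("confidence must lie in (0, 1)")
    defectives = max(1, math.ceil(tolerable_rate * population - 1e-9))
    risk = 1 - confidence
    n = 1
    while prob_zero_nonconforming(population, defectives, n) > risk:
        n += 1
    return n


def upper_bound_rate(n: int, nonconforming: int, confidence: float) -> float:
    """One-sided upper confidence bound on the population nonconformity rate
    after observing `nonconforming` failures in n items (binomial model),
    found by bisection on the binomial CDF, which decreases in p."""
    def cdf(p: float) -> float:
        return sum(math.comb(n, k) * p ** k * (1 - p) ** (n - k)
                   for k in range(nonconforming + 1))
    lo, hi = 0.0, 1.0
    for _ in range(60):  # 60 halvings give precision far below 1e-9
        mid = (lo + hi) / 2
        if cdf(mid) > 1 - confidence:
            lo = mid
        else:
            hi = mid
    return hi


@dataclass
class SamplingRecord:
    """The documentation A.3.3 asks for: population, criterion, parameters,
    number of samples and results."""
    population_description: str
    acceptance_criterion: str
    confidence: float
    tolerable_rate: float
    sample_size: int
    sampled_ids: list = field(default_factory=list)
    nonconformities: list = field(default_factory=list)

    def conclusion(self) -> str:
        k = len(self.nonconformities)
        bound = upper_bound_rate(self.sample_size, k, self.confidence)
        verdict = "within tolerance" if bound <= self.tolerable_rate else "NOT within tolerance"
        return (f"{k} nonconforming of {self.sample_size} sampled; at {self.confidence:.0%} "
                f"confidence the population rate is below {bound:.1%} ({verdict})")


def build_population(size: int = 1000, nonconforming_ids=(17, 402, 913)) -> dict:
    """Constructed population: record id -> True if the form conforms."""
    return {f"FORM-{i:04d}": i not in nonconforming_ids for i in range(1, size + 1)}


def run_sampling(records: dict, tolerable_rate: float, confidence: float,
                 seed: int = 1) -> SamplingRecord:
    """Steps a) to f) of A.3.1 for an attribute audit of a record population."""
    n = finite_population_sample_size(len(records), tolerable_rate, confidence)
    # Seeded random selection: every record has the same chance of being drawn.
    chosen = sorted(random.Random(seed).sample(sorted(records), n))
    failed = [rid for rid in chosen if not records[rid]]
    return SamplingRecord(
        population_description=f"{len(records)} completed inspection forms (constructed data)",
        acceptance_criterion="form conforms to the procedure's required fields",
        confidence=confidence, tolerable_rate=tolerable_rate,
        sample_size=n, sampled_ids=chosen, nonconformities=failed)


if __name__ == "__main__":
    print(run_sampling(build_population(), 0.05, 0.95).conclusion())
```

With the 5 % sampling risk of the text (confidence 0.95) and a tolerable nonconformity rate of 5 %, the binomial rule gives 59 items, and the exact finite-population calculation for 1 000 records gives 57. The record returned by `run_sampling` carries exactly the elements the standard asks auditors to document, so the conclusion is only as good as the population description it names.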

A.4 Preparing work documents

When preparing work documents, the audit team should consider the questions below for each document.

a) Which audit record will be created by using this work document?

b) Which audit activity is linked to this particular work document?

c) Who will be the user of this work document?

d) What information is needed to prepare this work document?

For combined audits, work documents should be developed to avoid duplication of audit activities by:

— clustering of similar requirements from different criteria;

— coordinating the content of related checklists and questionnaires.

The work documents should be adequate to address all those elements of the management system within the audit scope and may be provided in any media.

A.5 Selecting sources of information

The sources of information selected may vary according to the scope and complexity of the audit and may include the following:


a) interviews with employees and other persons;

b) observations of activities and the surrounding work environment and conditions;

c) documented information, such as policies, objectives, plans, procedures, standards, instructions, licenses and permits, specifications, drawings, contracts and orders;

d) records, such as inspection records, minutes of meetings, audit reports, records of monitoring programme and the results of measurements;

e) data summaries, analyses and performance indicators;

f) information on the auditee’s sampling plans and on any procedures for the control of sampling and measurement processes;

g) reports from other sources, e.g. customer feedback, external surveys and measurements, other relevant information from external parties and supplier ratings;

h) databases and websites;

i) simulation and modelling.

A.6 Guidance on visiting the auditee’s location

To minimize interference between audit activities and the auditee’s work processes and to ensure the health and safety of the audit team during a visit, the following should be considered:

a) planning the visit:

— ensure permission and access to those parts of the auditee’s location to be visited in accordance with the audit scope;

— provide adequate information (e.g. briefing) to auditors on security, health (e.g. quarantine), occupational health and safety matters and cultural norms for the visit, including requested and recommended vaccination and clearances, if applicable;

— confirm with the auditee that any required personal protective equipment (PPE) will be available for the audit team, if applicable;

— except for unscheduled, ad hoc audits, ensure that personnel being visited will be informed about the audit objectives and scope.

b) on-site activities:

— avoid any unnecessary disturbance of the operational processes;

— ensure that the audit team is using PPE properly;

— ensure emergency procedures are communicated (e.g. emergency exits, assembly points);

— schedule communication to minimize disruption;

— adapt the size of the audit team and the number of guides and observers in accordance with the audit scope, in order to avoid interference with the operational processes as far as practicable;


— do not touch or manipulate any equipment, unless explicitly permitted, even when competent or licensed;

— if an incident occurs during the on-site visit, the audit team leader should review the situation with the auditee and, if necessary, with the audit client and reach agreement on whether the audit should be interrupted, rescheduled or continued;

— if taking photographs, voice or video material, ask for authorization from management in advance, consider security and confidentiality matters and avoid recording individuals without their permission;

— when taking notes, avoid collecting personal information unless required by the audit objectives or audit criteria;

— if taking copies of documents of any kind, ask for permission in advance and consider confidentiality and security matters.

A.7 Conducting interviews

Interviews are one of the important means of collecting information and should be carried out in a manner adapted to the situation and the person interviewed, either face to face or via other means of communication. The auditor should consider the following:

a) interviews should be held with persons from appropriate levels and functions performing activities or tasks within the audit scope;

b) interviews should normally be conducted during normal working hours and, where practical, at the normal workplace of the person being interviewed;

c) an attempt should be made to put the person being interviewed at ease prior to and during the interview;

d) the reason for the interview and any note taking should be explained;

e) interviews may be initiated by asking the persons to describe their work;

f) the type of question used should be selected carefully (e.g. open, closed, leading questions, appreciative inquiry);

g) in virtual settings, non-verbal communication is limited; the auditor should instead focus on the type of questions to use in finding objective evidence;

h) the results from the interview should be summarized and reviewed with the interviewed person;

i) the interviewed persons should be thanked for their participation and cooperation.

A.8 Audit findings

A.8.1 Determining audit findings

When determining audit findings, the following should be considered:

a) follow-up of previous audit records and conclusions;


b) requirements of the audit client;

c) findings exceeding normal practice, or opportunities for improvement;

d) sample size;

e) categorization (if any) of the audit findings.

A.8.2 Recording conformities

For records of conformity, the following should be considered:

a) identification of the audit criteria against which conformity is shown;

b) audit evidence to support conformity;

c) declaration of conformity, if applicable.

A.8.3 Recording nonconformities

For records of nonconformity, the following should be considered:

a) description of or reference to audit criteria;

b) nonconformity declaration;

c) audit evidence;

d) related audit findings, if applicable.

A.8.4 Dealing with findings related to multiple criteria

During an audit, it is possible to identify findings related to multiple criteria. Where an auditor identifies a finding linked to one criterion on a combined audit, the auditor should consider the possible impact on the corresponding or similar criteria of the other management systems.

Depending on the arrangements with the audit client, the auditor may raise either:

a) separate findings for each criterion; or

b) a single finding, combining the references to multiple criteria.

Depending on the arrangements with the audit client, the auditor may guide the auditee on how to respond to those findings.


Bibliography

[1] ISO 2859-4, Sampling procedures for inspection by attributes — Part 4: Procedures for assessment of declared quality levels

[2] ISO 9000:2015, Quality management systems — Fundamentals and vocabulary

[3] ISO 9001, Quality management systems — Requirements

[4] ISO 14001, Environmental management systems — Requirements with guidance for use

[5] ISO 14050, Environmental management — Vocabulary

[6] ISO/IEC 17021-1:2015, Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 1: Requirements

[7] ISO/IEC 20000-1, Information technology — Service management — Part 1: Service management system requirements

[8] ISO 22000, Food safety management systems — Requirements for any organization in the food chain

[9] ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary

[10] ISO/IEC 27001, Information technology — Security techniques — Information security management systems — Requirements

[11] ISO/IEC 27002, Information technology — Security techniques — Code of practice for information security management

[12] ISO/IEC 27003, Information technology — Security techniques — Information security management system implementation guidance

[13] ISO/IEC 27004, Information technology — Security techniques — Information security management — Measurement

[14] ISO/IEC 27005, Information technology — Security techniques — Information security risk management

[15] ISO 28000, Specification for security management systems for the supply chain

[16] ISO 30301, Information and documentation — Management system for records — Requirements

[17] ISO 31000, Risk management — Principles and guidelines

[18] ISO 39001, Road traffic safety (RTS) management systems — Requirements with guidance for use

[19] ISO 50001, Energy management systems — Requirements with guidance for use

[20] ISO Guide 73:2009, Risk management — Vocabulary

[21] ISO 45001:201x, Occupational health and safety management systems — Requirements

[22] ISO 9001 Auditing Practices Group papers, available at: www.iso.org/tc176/ISO9001AuditingPracticesGroup
