ISO 19011: A design for auditing life

16th January 2012


Related Topics

Related tags

  • Business & Industry ,
  • Employee engagement ,
  • Certification ,
  • EMS ,
  • Auditing



Nigel Leehane asks whether the new auditing guidance standard will improve environment management system audits

In 2007, the International Organisation for Standardisation (ISO) balloted members on revising ISO 19011:2002, its guidelines for how to perform effective audits of quality and environment management systems.

As well as acknowledging that auditing practices had evolved since 2002, ISO needed to address the relationship between 19011 and ISO 17021, a newer standard aimed at ensuring the competency of third-party certification audits. ISO also recognised the benefits of expanding the scope of 19011 to include the increasing proliferation of new management system standards for disciplines such as health and safety, information security, food safety, and energy management.

The positive responses for revising 19011 from members included recommendations for addressing new concepts in auditing, including risk-based and integrated systems auditing, and the use of information technology in audits. Members also expressed a desire for the revised standard to be more accessible to small and medium-sized enterprises (SMEs) and for the focus to shift to internal auditing. It was acknowledged, however, that the guidance in the 2002 version specific to quality and environment management needed to be preserved in some form, potentially as annexes to the new standard.

The revised standard was published in November 2011, but has the revision met expectations?

Internal focus

The declared aim of the new standard is to be applicable to all organisations that need to conduct internal or external audits of management systems. Its role in the ISO management systems library is to provide the definitive source of guidance on auditing principles and practice. That said, the primary focus of the revised 19011 is internal auditing.

The standard starts by explaining the relationship between certification and other forms of management systems auditing and recognises that 17021 should be viewed as the primary standard for certification auditing. While the guidance contained in 19011:2011 is also applicable to external auditing, including certification, ISO notes that in applying 19011 to such audits, special consideration must be given to the additional competencies needed.

One criticism of the 2002 standard was that it was written primarily to provide guidance for external, third-party auditing, with extensive explanations of the duties of auditors to their clients and the need for confidentiality, for example. This was seen as reducing its helpfulness for non-specialist internal auditors, especially in SMEs.

The terminology and style of the standard has not changed. Indeed, one feature in the 2002 version seen as providing clarification and simplification, the “help boxes”, has been moved into an annex.

Admittedly, the new annex provides more extensive guidance, but much of this is additional, rather than supportive or explanatory. In addition, a dedicated website is planned to provide a broader range of less formal guidance. Perhaps all of this supplementary guidance would not be needed if 19011 were a more accessible document, providing simpler guidance to non-professional auditors.

Another much anticipated inclusion was the guidance for auditing integrated management systems. This has been addressed, but only through a statement in the introduction to the effect that an audit of an integrated system does not differ from a combined audit of one or more separate systems. This is based on the premise that, provided the audit team has the necessary understanding of the relevant disciplines and of auditing principles and practices, there are no special competence requirements for auditing combined or integrated systems. Experienced auditors of complex integrated management systems may disagree!

Managing risk

One of the objectives of the revision was to address the emerging concept of risk-based auditing, which has become established as a fundamental element of financial auditing.

In that arena, the focus is on the potential problems arising from a lack of control over areas of financial risk (the equivalent of failing to control an environmental risk). The financial auditing discipline is also concerned with audit risk, which relates to the potential for misstatement by the auditor, in other words the risk of reaching an erroneous audit conclusion.

The 2011 version of 19011 does not provide a definition of risk-based auditing, but provides the following explanation of its approach to risk: “This international standard introduces the concept of risk to management systems auditing. The approach adopted relates both to the risk of the audit process not achieving its objectives and to the potential of the audit to interfere with the auditee’s activities and processes. It does not provide specific guidance on the organisation’s risk management process, but recognises that organisations can focus audit effort on matters of significance to the management system.”

It is introducing three risk concepts:

  • Audit risk – the potential for the audit process not to achieve its objectives.
  • Risk to the auditee as a result of the audit – for example, introducing contamination into a food-manufacturing process or disclosing confidential business information.
  • Risk-based auditing – or focusing audit effort on matters of significance to the management system.

It is unfortunate that the standard shies away from an explicit explanation of risk-based auditing. In environmental auditing practice, it has become accepted that the planning of audits and audit programmes should focus on the key issues for the auditee and its management system.

These may be inherently high-risk activities undertaken by the organisation or areas of poor control, leading to high residual risks. Such risks may not simply be related to activities with the potential to cause significant environmental impacts, but could involve key organisational objectives, where failure could result in reputational damage.

A risk-based approach to auditing provides a greater opportunity to focus audit effort and deliver value from the auditing process. The failure of the revised 19011 to explain this explicitly is regrettable.

Instead, the standard deals implicitly with risk-based auditing, particularly in the clauses that relate to developing the audit programme. For example, it states that: “The extent of an audit programme should be based on the size and nature of the organisation being audited, as well as on the nature, functionality, complexity and the level of maturity of the management system to be audited. Priority should be given to allocating the audit programme resources to audit those matters of significance within the management system. These may include the key characteristics of product quality or hazards related to health and safety, or significant environmental aspects and their control.”

It also advises that the audit programme should take account of:

  • management priorities;
  • characteristics of processes, products and projects;
  • legal and contractual requirements;
  • auditee’s level of performance, as reflected in the occurrence of failures or incidents;
  • significant changes to activities; and
  • results of previous audits.

So, the new standard provides the guidance for focusing audit programme effort on matters of significance, but fails to emphasise the benefits of risk-based auditing any more than it did in the 2002 version. The revised standard does, however, address audit risk explicitly, as indeed it should. It includes the ISO definition of risk as being “the effect of uncertainty on objectives”, and focuses attention on ensuring that audits achieve their objectives.

Auditor competence

The 2011 version of 19011 defines competence as the “ability to apply knowledge and skills to achieve intended results”, and sets out a process for evaluating auditor competence, based on:

  • determining the competence requirements needed for the audit programme;
  • establishing the evaluation criteria;
  • selecting the appropriate evaluation method; and
  • conducting the evaluation.

The revised standard expands on the personal behaviours (rather than attributes) of auditors, and the generic and discipline-specific knowledge and skills that may be needed by auditors and by audit team leaders. Where the audit team needs skills and knowledge in more than one discipline in order to carry out audits of “management systems addressing multiple disciplines” (integrated or combined systems), 19011 expects the team as a whole to have the necessary competence.

Individual auditors need only be able to audit a single discipline, for example environment or health and safety. However, audit team leaders must be able to understand the requirements of each of the management system standards being audited against and auditors must understand the “interaction and synergy” between the different systems. A new annex is provided, detailing the skills and knowledge that may be required for an audit, depending on circumstances. These expand on the list in the 2002 standard and now include:

Clearly, the level of skill and extent of knowledge required will be entirely different for audits of small organisations with simple processes than for audits of multinational organisations with wide-ranging or complex activities spread over numerous sites. The standard recognises this dilemma. Instead of providing competence criteria guidelines in the form of educational qualifications, the number of years of experience or the amount of training an individual has, it is more flexible and leaves the organisation to determine the appropriate evaluation criteria.

Forward thinking

The revised standard has updated the guidance available to management systems auditors to reflect many new or evolving audit practices, and is now applicable to all of the ISO management system standards. The lack of guidance, however justified, for risk-based auditing and the auditing of integrated management systems may be a disappointment to some. Nonetheless, 19011:2011 is a comprehensive source of structured guidance, which will continue to provide the basis for mentoring and training in the field of management systems auditing.

A future article in the environmentalist will explain the strengthened guidance in the revised 19011 standard for managing audits.


Subscribe to IEMA's newsletters to receive timely articles, expert opinions, event announcements, and much more, directly in your inbox.

Transform articles

Four in five shoppers willing to pay ‘sustainability premium’

Despite cost-of-living concerns, four-fifths of shoppers are willing to pay more for sustainably produced or sourced goods, a global survey has found.

16th May 2024

Read more

One in five UK food businesses are not prepared for EU Deforestation Regulation (EUDR) coming into force in December, a new survey has uncovered.

16th May 2024

Read more

Each person in the UK throws a shocking 35 items of unwanted clothes and textiles into general waste every year on average, according to a new report from WRAP.

2nd May 2024

Read more

The largest-ever research initiative of its kind has been launched this week to establish a benchmark for the private sector’s contribution to the UK’s 2050 net-zero target.

2nd May 2024

Read more

Weather-related damage to homes and businesses saw insurance claims hit a record high in the UK last year following a succession of storms.

18th April 2024

Read more

The Science Based Targets initiative (SBTi) has issued a statement clarifying that no changes have been made to its stance on offsetting scope 3 emissions following a backlash.

16th April 2024

Read more

One of the world’s most influential management thinkers, Andrew Winston sees many reasons for hope as pessimism looms large in sustainability. Huw Morris reports

4th April 2024

Read more

Vanessa Champion reveals how biophilic design can help you meet your environmental, social and governance goals

4th April 2024

Read more

Media enquires

Looking for an expert to speak at an event or comment on an item in the news?

Find an expert

IEMA Cookie Notice

Clicking the ‘Accept all’ button means you are accepting analytics and third-party cookies. Our website uses necessary cookies which are required in order to make our website work. In addition to these, we use analytics and third-party cookies to optimise site functionality and give you the best possible experience. To control which cookies are set, click ‘Settings’. To learn more about cookies, how we use them on our website and how to change your cookie settings please view our cookie policy.

Manage cookie settings

Our use of cookies

You can learn more detailed information in our cookie policy.

Some cookies are essential, but non-essential cookies help us to improve the experience on our site by providing insights into how the site is being used. To maintain privacy management, this relies on cookie identifiers. Resetting or deleting your browser cookies will reset these preferences.

Essential cookies

These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website.

Analytics cookies

These cookies allow us to recognise and count the number of visitors to our website and to see how visitors move around our website when they are using it. This helps us to improve the way our website works.

Advertising cookies

These cookies allow us to tailor advertising to you based on your interests. If you do not accept these cookies, you will still see adverts, but these will be more generic.

Save and close