Nigel Leehane asks whether the new auditing guidance standard will improve environment management system audits
In 2007, the International Organisation for Standardisation (ISO) balloted members on revising ISO 19011:2002, its guidelines for how to perform effective audits of quality and environment management systems.
As well as acknowledging that auditing practices had evolved since 2002, ISO needed to address the relationship between 19011 and ISO 17021, a newer standard aimed at ensuring the competency of third-party certification audits. ISO also recognised the benefits of expanding the scope of 19011 to include the increasing proliferation of new management system standards for disciplines such as health and safety, information security, food safety, and energy management.
The positive responses for revising 19011 from members included recommendations for addressing new concepts in auditing, including risk-based and integrated systems auditing, and the use of information technology in audits. Members also expressed a desire for the revised standard to be more accessible to small and medium-sized enterprises (SMEs) and for the focus to shift to internal auditing. It was acknowledged, however, that the guidance in the 2002 version specific to quality and environment management needed to be preserved in some form, potentially as annexes to the new standard.
The revised standard was published in November 2011, but has the revision met expectations?
The declared aim of the new standard is to be applicable to all organisations that need to conduct internal or external audits of management systems. Its role in the ISO management systems library is to provide the definitive source of guidance on auditing principles and practice. That said, the primary focus of the revised 19011 is internal auditing.
The standard starts by explaining the relationship between certification and other forms of management systems auditing and recognises that 17021 should be viewed as the primary standard for certification auditing. While the guidance contained in 19011:2011 is also applicable to external auditing, including certification, ISO notes that in applying 19011 to such audits, special consideration must be given to the additional competencies needed.
One criticism of the 2002 standard was that it was written primarily to provide guidance for external, third-party auditing, with extensive explanations of the duties of auditors to their clients and the need for confidentiality, for example. This was seen as reducing its helpfulness for non-specialist internal auditors, especially in SMEs.
The terminology and style of the standard has not changed. Indeed, one feature in the 2002 version seen as providing clarification and simplification, the “help boxes”, has been moved into an annex.
Admittedly, the new annex provides more extensive guidance, but much of this is additional, rather than supportive or explanatory. In addition, a dedicated website is planned to provide a broader range of less formal guidance. Perhaps all of this supplementary guidance would not be needed if 19011 were a more accessible document, providing simpler guidance to non-professional auditors.
Another much anticipated inclusion was the guidance for auditing integrated management systems. This has been addressed, but only through a statement in the introduction to the effect that an audit of an integrated system does not differ from a combined audit of one or more separate systems. This is based on the premise that, provided the audit team has the necessary understanding of the relevant disciplines and of auditing principles and practices, there are no special competence requirements for auditing combined or integrated systems. Experienced auditors of complex integrated management systems may disagree!
One of the objectives of the revision was to address the emerging concept of risk-based auditing, which has become established as a fundamental element of financial auditing.
In that arena, the focus is on the potential problems arising from a lack of control over areas of financial risk (the equivalent of failing to control an environmental risk). The financial auditing discipline is also concerned with audit risk, which relates to the potential for misstatement by the auditor, in other words the risk of reaching an erroneous audit conclusion.
The 2011 version of 19011 does not provide a definition of risk-based auditing, but provides the following explanation of its approach to risk: “This international standard introduces the concept of risk to management systems auditing. The approach adopted relates both to the risk of the audit process not achieving its objectives and to the potential of the audit to interfere with the auditee’s activities and processes. It does not provide specific guidance on the organisation’s risk management process, but recognises that organisations can focus audit effort on matters of significance to the management system.”
It is introducing three risk concepts:
- Audit risk – the potential for the audit process not to achieve its objectives.
- Risk to the auditee as a result of the audit – for example, introducing contamination into a food-manufacturing process or disclosing confidential business information.
- Risk-based auditing – or focusing audit effort on matters of significance to the management system.
It is unfortunate that the standard shies away from an explicit explanation of risk-based auditing. In environmental auditing practice, it has become accepted that the planning of audits and audit programmes should focus on the key issues for the auditee and its management system.
These may be inherently high-risk activities undertaken by the organisation or areas of poor control, leading to high residual risks. Such risks may not simply be related to activities with the potential to cause significant environmental impacts, but could involve key organisational objectives, where failure could result in reputational damage.
A risk-based approach to auditing provides a greater opportunity to focus audit effort and deliver value from the auditing process. The failure of the revised 19011 to explain this explicitly is regrettable.
Instead, the standard deals implicitly with risk-based auditing, particularly in the clauses that relate to developing the audit programme. For example, it states that: “The extent of an audit programme should be based on the size and nature of the organisation being audited, as well as on the nature, functionality, complexity and the level of maturity of the management system to be audited. Priority should be given to allocating the audit programme resources to audit those matters of significance within the management system. These may include the key characteristics of product quality or hazards related to health and safety, or significant environmental aspects and their control.”
It also advises that the audit programme should take account of:
- management priorities;
- characteristics of processes, products and projects;
- legal and contractual requirements;
- auditee’s level of performance, as reflected in the occurrence of failures or incidents;
- significant changes to activities; and
- results of previous audits.
So, the new standard provides the guidance for focusing audit programme effort on matters of significance, but fails to emphasise the benefits of risk-based auditing any more than it did in the 2002 version. The revised standard does, however, address audit risk explicitly, as indeed it should. It includes the ISO definition of risk as being “the effect of uncertainty on objectives”, and focuses attention on ensuring that audits achieve their objectives.
The 2011 version of 19011 defines competence as the “ability to apply knowledge and skills to achieve intended results”, and sets out a process for evaluating auditor competence, based on:
- determining the competence requirements needed for the audit programme;
- establishing the evaluation criteria;
- selecting the appropriate evaluation method; and
- conducting the evaluation.
The revised standard expands on the personal behaviours (rather than attributes) of auditors, and the generic and discipline-specific knowledge and skills that may be needed by auditors and by audit team leaders. Where the audit team needs skills and knowledge in more than one discipline in order to carry out audits of “management systems addressing multiple disciplines” (integrated or combined systems), 19011 expects the team as a whole to have the necessary competence.
Individual auditors need only be able to audit a single discipline, for example environment or health and safety. However, audit team leaders must be able to understand the requirements of each of the management system standards being audited against and auditors must understand the “interaction and synergy” between the different systems. A new annex is provided, detailing the skills and knowledge that may be required for an audit, depending on circumstances. These expand on the list in the 2002 standard and now include:
- best available techniques;
- the waste hierarchy;
- use of hazardous substances;
- greenhouse-gas emissions and management;
- environmental design;
- environmental reporting and disclosure;
- product stewardship; and
- renewable and low-carbon technologies.
Clearly, the level of skill and extent of knowledge required will be entirely different for audits of small organisations with simple processes than for audits of multinational organisations with wide-ranging or complex activities spread over numerous sites. The standard recognises this dilemma. Instead of providing competence criteria guidelines in the form of educational qualifications, the number of years of experience or the amount of training an individual has, it is more flexible and leaves the organisation to determine the appropriate evaluation criteria.
The revised standard has updated the guidance available to management systems auditors to reflect many new or evolving audit practices, and is now applicable to all of the ISO management system standards. The lack of guidance, however justified, for risk-based auditing and the auditing of integrated management systems may be a disappointment to some. Nonetheless, 19011:2011 is a comprehensive source of structured guidance, which will continue to provide the basis for mentoring and training in the field of management systems auditing.
A future article in the environmentalist will explain the strengthened guidance in the revised 19011 standard for managing audits.