ISO 19011:2011 provides guidance on auditing management systems, including the principles of auditing, managing an audit program and conducting management system audits, as well as guidance on the evaluation of competence of individuals involved in the audit process, including the person managing the audit program, auditors and audit teams.
ISO 19011:2011 is applicable to all organizations that need to conduct internal or external audits of management systems or manage an audit program.
The application of ISO 19011:2011 to other types of audits is possible, provided that special consideration is given to the specific competence needed.
Since the first edition of this International Standard was published in 2002, a number of new management system standards have been published. As a result, there is now a need to consider a broader scope of management system auditing, as well as providing guidance that is more generic.
In 2006, the ISO committee for conformity assessment (CASCO) developed ISO/IEC 17021, which sets out requirements for third party certification of management systems and which was based in part on the guidelines contained in the first edition of this International Standard.
The second edition of ISO/IEC 17021, published in 2011, was extended to transform the guidance offered in this International Standard into requirements for management system certification audits. It is in this context that this second edition of this International Standard provides guidance for all users, including small and medium-sized organizations, and concentrates on what are commonly termed “internal audits” (first party) and “audits conducted by customers on their suppliers” (second party). While those involved in management system certification audits follow the requirements of ISO/IEC 17021:2011, they might also find the guidance in this International Standard useful.
The audit activities of ISO 19011 detail the management of the activities for the audits themselves. This formalized approach can help to ensure your internal audits are effective and consistent, and builds the integrity of the internal audit system. These steps are not mandatory (e.g., smaller companies might skip some of them), but they are a best practice for conducting an audit. Below is a flowchart of the process of conducting an individual audit:
- Initiate the Audit: To start, the auditor must initiate the audit by contacting the process owner to be audited and ensuring the audit will be feasible. It is just a good idea to make sure someone is available to present evidence when you want to audit, rather than try to surprise them.
- Review the Documents: You then need to review the documents for the process. This will help you to know how big of an audit it will be, whether it might take a whole day or only an hour. This knowledge is critical for the next step.
- Develop Audit Plan: The purpose of the document review is to develop your audit plan of what will be audited, who will do the auditing, when it will happen and who will be audited. Here you decide how the audit will be split up if more than one auditor will be used, and how much time will be dedicated to each process in the audit.
- Assign Work to Auditors per Plan: Larger audits may assign work amongst several auditors, with each taking more than one process to audit. In this way you can shorten the amount of time that an audit disrupts the processes, such as having three auditors working for one day rather than one auditor working for three days.
- Prepare Working Papers: The assigned auditor then prepares the audit working papers that will identify what the auditor wants to verify, what questions to ask, and what they expect as evidence. This will be drawn from the QMS documentation and the ISO 9001
- Determine the Audit Sequence: The next step is to determine the sequence of audit from the opening meeting through presenting audit findings. If done right, the sequence of process audits can help to make the audit flow easier. Some examples are starting a large audit with a review of internal audits and corrective actions, which will give you an idea of what weaknesses have already been identified; or ending the audit with a review of documentation records and training records, because the process audits will have identified records to review, making this easier.
- Conduct Opening Meeting: The audit begins with an opening meeting. This is to reiterate to the auditees that this is not a surprise audit, and is there to verify conformance rather than to find fault. Some fine tuning of the audit times can be done at the opening meeting, as well as making sure that everyone understands the scope and extent of this particular audit.
- Review Documents and Communicate: After the meeting, any documents immediately presented by the auditee should be reviewed to gather relevant information that might not have been available before (an example would be a process improvement that is being used on a trial basis, but is not yet in the documentation). A general rule is that communication should be maintained throughout the audit (sometimes an audit guide is used, especially with external auditors).
- Carry out the Audit: This step is often thought of as the actual audit. The auditor asks the questions, and collects the records and observations that will demonstrate if the processes meet the QMS requirements. Again, it is important to remember that an auditor is there to try to verify that a process conforms to the requirements set out, not to dig until fault is found.
- Generate Audit Findings: After the auditor finishes the verification, they must generate the audit findings and prepare any audit conclusions to be presented. If all is found to be conforming, then there will be no corrective actions presented; but if not, then the corrective actions need to be properly prepared. It is equally important to highlight best practices in a process as it is to identify any shortcomings. Some companies also use a process of having internal audits identify opportunities for improvement (OFIs), which the process owner can review and accept if they wish.
- Present Findings and Conclusions: The findings and conclusions are then presented, normally at a closing meeting, in order for the process owners to understand and ask questions as well as present clarification if something was misunderstood in the audit.
- Formally Distribute Audit Report: The final findings are formally written and distributed in an audit report. This gives everyone an easy reference on actions needed, as well as providing a record of the outcome of the audit.
- Follow Up on Actions / Corrective Actions: Probably the most important part of an audit is for the auditor to follow up on any actions, as a way of ensuring remedial action is taken and completing the audit. Without follow up of corrections and corrective actions, the same problems could be found continually during subsequent audits, which defeats the purpose of the audit being done. For more information, see Seven Steps for Corrective and Preventive Actions to support Continual Improvement.