The recently updated ISO 19011:2018 provides excellent guidelines for the risk-based management of internal and external audit programs and auditors.
One of the primary drivers for the creation of ISO 19011:2018 was to synchronise the audit process with the philosophy and intent behind the recent revisions to the management system Standards.
The ISO 19011:2018 Standard includes seven auditing principles:
- Integrity
- Fair presentation
- Due professional care
- Confidentiality
- Independence
- Evidence-based approach
- Risk-based approach
These principles, when implemented effectively, provide the guidance needed to successfully manage and conduct audits of ISO management systems.
5 tips for conducting value-added audits with ISO 19011:2018:
1. Align the audit program with the business’s objectives
Clause 5 of the ISO 19011:2018 Standard concerns managing an audit program, recognising there is more involved than creating an audit schedule. The audit program should consider a management system's functionality, complexity, maturity and the type of risks and opportunities associated with it.
2. Adopt a risk-based approach to audit planning
Clause 6.3.2 of the ISO 19011:2018 Standard provides guidance on audit planning. By adopting a risk-based approach to planning, auditors can consider the risks of the audit activities and of not achieving the audit objectives. A common problem is allocating sufficient time and resources. Many leaders do not understand the time required; they see auditors interviewing team members and believe this, plus some time to compile a report, is all that auditing involves.
3. Use the right people for the job
For the audit program to be effective in achieving its objectives, you need to have competent and qualified auditors to conduct the audit activities. Clause 7 in ISO 19011:2018 discusses the evaluation of auditor competence and performance. If the audit team lacks knowledge or expertise, a technical expert should be used to close the knowledge gap. Auditors do not have to be experts in every single process, but they should understand the organisation's:
- Key organisational goals and issues
- Management systems and requirements (and how they might interact)
- Core business processes and how they impact each other
- Risk-based approach to management at all levels
- Regulatory frameworks
4. Audit the audit program
The audit process itself must be audited, and like all other processes, opportunities to improve it should be identified and implemented. The audit process ideally then becomes an opportunity to confirm the capability of the processes under audit, and to identify and share best practices within the business.
5. Don’t just treat the symptom
When audits detect problematic issues (often referred to as non-conformances), it is very important that the management response includes effective:
- Containment and Correction of the problem
- Corrective Action
- Mitigation of any emerging risks related to actions taken
All of the above actions are important, but conducting an effective corrective action process, including thorough root cause analysis, is absolutely vital to drive continual improvement. Businesses are often quick to react to the issue by treating the symptoms and are therefore likely to experience the issue again. Instead, the business should take a step back and understand the broader issue, working to resolve the root cause and prevent the issue from recurring.
Audits are not simply a process to ensure your business management functions and processes are operational and effective. They also allow your organisation to assess the condition of other management programs and risk management processes, as well as assist in compliance with applicable regulations, standards and other key requirements.
Similar to how an internal audit reviews the condition of your organisation, the audit program itself must be assessed and treated as an opportunity for enhancement and optimisation.
ISO 19011:2018 is a catalyst for these objectives and also identifies and distinguishes the potential impact that advancements in technology can have on the audit process, such as virtual or remote technology-enabled audits.