ISO 19011 - 2018
MANAGEMENT SYSTEM AUDITING: WHAT'S NEW AND WORTH KNOWING?
Understanding changes to the 2018 edition of the ISO Guidelines for Auditing Management Systems
Evan Baker, Assurance Practice Lead, SPAN

The ISO 19011 Guidelines for auditing management systems have become the widely accepted standard for auditing not only management systems, but operational auditing in general. The newest edition of the standard, released in July 2018, has some important changes based on the experience gained from implementation of past editions. This SPAN update explores a few of those changes, and also highlights some important considerations that have not changed from previous editions of the standard.

What's new

The main differences compared to the previous edition of ISO 19011 are:
- addition of the risk-based approach to the principles of auditing;
- expansion of the guidance on managing an audit program;
- expansion of requirements for auditor competence and evaluation;
- expansion of Annex A to provide additional guidance on auditing new concepts such as organization context, leadership and commitment, virtual audits, compliance and supply chain;
- removal of the annex containing competence requirements for auditing specific management system disciplines, as it is not practical to provide for every management system standard and discipline; and
- other minor changes to terminology and structure to support the new guidance document and processes.

Contact us to learn more about this white paper: [email protected]

Risk Based Approach for Audit Program Management

In this era of heightened awareness of risks and risk management around all activities, it should be no surprise that an organization's audit program should be focused not only on operational risks, but also on risks associated with the audit program itself.

The risk-based approach should substantively influence the planning, conducting and reporting of audits in order to ensure that audits are focused on matters that are significant for the audit client, and for achieving the audit program objectives.

The updated ISO 19011 doesn't spend as much time explaining how to accomplish a risk-based approach, but it is a central theme and expectation. However, a lot of the risk-based auditing discussion is focused more on risks of the audit to the organization, which we might not consider when developing an audit program.

Key changes to ISO 19011:

Section 5.3 - Audit program risks and opportunities. These are the sub-sections of particular interest in the new guideline:
a) Planning - failure to set relevant audit objectives and determine the extent, number, duration, locations and schedule.
b) Resources - allowing insufficient time, equipment and/or training for developing the audit program or conducting an audit.
c) Audit team - insufficient overall competence to conduct audits effectively.
e) Implementation - ineffective coordination of the audits within the audit program, or not considering information security and confidentiality.
g) Monitoring, reviewing and improving the audit program - ineffective monitoring of audit program outcomes.

Important aspects to consider: Plan well, make sure you have the right resources to carry out the plan, check how well you are doing, make corrections.

Key changes to ISO 19011:

Section - Risk-based approach to planning: consider the risks of the audit activities on the auditee's processes and provide the basis for the agreement among the audit client, audit team and the auditee regarding the conduct of the audit.
a) the composition of the audit team and its overall competence;
b) the appropriate sampling techniques;
d) the risks to achieving the audit objectives created by ineffective audit planning;
e) the risks to the auditee created by performing the audit.

Important aspects to consider: What are the potential risks of the audit program to the audit client or auditee? How is the audit to be conducted to minimize those risks? Is there agreement? How does your organization consider operational risks when deciding where and how to conduct audits?

Risk Focus in Audit Execution

Now that we've considered the risks to address in audit planning and program management, how do we adequately audit risks related to the management system and organizational processes?

Key changes to ISO 19011:

Appendix Section A.10 - Auditing risks and opportunities. As part of the assignment of an individual audit, the determination and management of the organization's risks and opportunities can be included. The core objectives for such an audit assignment are to:
— give assurance on the credibility of the risk and opportunity identification process(es);
— give assurance that risks and opportunities are correctly determined and managed;
— review how the organization addresses its determined risks and opportunities.
An audit of an organization's approach to the determination of risks and opportunities should not be performed as a stand-alone activity. It should be implicit during the entire audit of a management system, including when interviewing top management.

Important aspects to consider: This is a new section that focuses on evaluating how an organization uses risk management generally for its management system, regardless of whether risk management is a specific element of the management system. This is a critical component of both the management system and the audit of the management system, but not always an easy one to include in the audit scope. It is worthwhile spending time during audit planning to consider this in the audit scope and how it can be accomplished.

Managing an Audit Program

Companies often relegate audit program management to a sidebar responsibility of another group, such as safety or environment, without assigning proper authority for the audit program within the governance structure of the organization.

Audit, and assurance programs overall, need to be given the proper authority to carry out their mandate and provide value to the organization. A well-designed audit program also has an annual (and often longer) audit plan that is implemented and reviewed regularly.

Key changes to ISO 19011:

Section 5.4 - Establishing the audit program.

Important aspects to consider: This whole section of the standard is a good checklist to run through when designing an audit program. Key considerations at the top are the responsibilities and the competence of the audit program manager. This takes some thought in an organization. Audit knowledge and skills are important to have in a program manager.

Key changes to ISO 19011:

Section 5.4.4 - Determining audit program resources. Consider:
a) the financial and time resources necessary to develop, implement, manage and improve audit activities;
g) the availability of information and communication technologies (e.g. technical resources required to set up a remote audit using technologies that support remote collaboration);
h) the availability of any tools, technology and equipment required.

Important aspects to consider: Is the audit program still rooted in spreadsheets and word documents, or does it take advantage of auditing technologies that enable much better use of audit information, development of effective action plans, and integration with other company functions? Whose tools, i.e. computers, are to be used? Are they secure to use in the company environment? Coordination is needed when audit results have to be merged (practical and often problematic topics). Also see "Spotlight on Virtual Auditing" below.

Key changes to ISO 19011:

Section 5.6 - Monitoring the audit program. Ensure the evaluation of:
a) whether schedules are being met and audit program objectives are being achieved;
b) the performance of the audit team members, including the audit team leader and the technical experts;
d) feedback from audit clients, auditees, auditors, technical experts and other relevant parties.

Important aspects to consider: It is important to establish measures for the audit program, and to consider carefully how you are going to evaluate against those measures, qualitatively and quantitatively. Does your audit program have a formal feedback mechanism?

Auditor Competence and Evaluation

The evaluation of auditor competence should be planned, implemented and documented to provide an outcome that is objective, consistent, fair and reliable.

Section 7 of the standard provides a good list of the qualities and professional behaviours that are desirable in an auditor, such as being open-minded, diplomatic, tenacious, decisive, self-reliant and collaborative, and the abilities to act with fortitude and to prioritize and focus on matters of significance.

Technical competence is great, but these are soft skills that are often hard to come by in a person. How do you balance decisiveness with open-mindedness? Fortitude with diplomacy? How do you test for these attributes in an auditor beforehand, and how do you evaluate after the fact?

Can your auditors prioritize? It is very easy to get lost in the weeds of detail, or to focus on those topics we know best and are comfortable with. As an auditor you must constantly prioritize and evaluate your progress on meeting your own objectives as an auditor. What is significant to the auditee, the client and the success of the audit?

Auditing New Concepts

Additional guidance has been provided on the following three concepts to further aid and enhance the completeness and quality of auditing.

Key changes to ISO 19011:

Appendix Section A.9 - Auditing Leadership and Commitment. Many management systems standards have increased requirements for top management. These requirements include demonstrating commitment and leadership by taking accountability for the effectiveness of the management system and fulfilling a number of responsibilities. These include tasks that top management should undertake itself and others that can be delegated. Auditors should obtain objective evidence of:
- the degree to which top management is involved in decision-making related to the management system, and
- how it demonstrates commitment to ensuring its effectiveness.

Important aspects to consider: The audit team needs access to management at all levels of the organization to properly fulfill its mandate.

Appendix Section A.10 - Virtual Auditing

Virtual auditing is to some extent already fairly common in things like document review, but is likely to be considered for greater application, considering the need for audit efficiency and cost management. There is nothing wrong with this, but the effectiveness and practicality of expanding virtual auditing practices must be carefully considered. The following items need to be reviewed for virtual auditing:
- Audits are performed using remote access technology.
- Standard audit processes still apply.
- Technical checks of equipment capabilities and security clearances may be needed in advance.
- Ensure confidentiality and privacy during audit breaks, e.g. by muting microphones and pausing cameras.
- What are the remote access protocols?
- Are there contingencies in the event of interrupted access?

Appendix Section A.12 - Audit of Supply Chain

Key changes to ISO 19011: The audit of the supply chain to specific requirements can be required. The supplier audit program should be developed with applicable audit criteria for the type of suppliers and external providers.

Important aspects to consider: This is a new section that doesn't provide much detail, but at least gets supply chain audits into the conversation. Supply chain audits often result in recovered costs well in excess of the cost of the audit and improve overall contract management.

Octane for Audits and Assessments

Octane is our software tool for managing the data generated from audits and self-assessments of management systems and programs. SPAN partnered with our clients in the development of this product to create a robust tool suitable for complex organizations.

A proper data management tool that supports audits, assessments and the management of gaps and implementation of actions is necessary to maintain the security and integrity of your operations and management system information. Email and spreadsheets are insecure.

For more information about Octane and how we and our clients use it to manage audit and assessment information, please visit us.

About SPAN

SPAN is a consulting company that focuses on assisting companies to implement management systems, design programs and incorporate assurance practices into their day-to-day activities. Our knowledgeable and trained team has extensive experience in management systems, audits and assessments, process improvement, project & change management and business performance management, among others. We pride ourselves on our fresh and strong culture focused on delivering services using the right approach and methods to suit your company's way of operating.

Our Assurance Program services include assurance current state assessments, assurance program design and implementation, and regulatory and management system audits.

Evan Baker, Assurance Practice Lead

Evan Baker leads SPAN's Assurance Practice, focused on developing and implementing top-to-bottom assurance programs. He has 30 years' experience with regulatory and management system audits and has developed audit programs, procedures and protocols.

Evan has led numerous environment, health and safety, regulatory and related technical program audits for pipelines, upstream oil and gas, thermal and wind power generation, water and wastewater, waste management and other industries.