The ISO 19011:2018 revision: How will it impact auditing practices


The latest update to the ISO 19011:2018 – Guidelines for auditing management systems was published in July 2018. In this article, we explore the impact this new update will have on all kinds of auditing practices.

Introducing ISO 19011:2018

ISO 19011:2018 is a standard that provides guidelines for auditing management systems. The standard was first introduced in 2002, with the last revision in 2011. It is applicable to all organizations that need to conduct audits on management systems or manage an audit program. Audits may be internal (first party), external by interested parties (second party) or by certification or regulatory bodies (third party).

Currently, ISO has over 60 management system standards, developed using global expertise and best practices and touching various aspects of business and industry. These standards have helped organizations worldwide align their systems better, improve quality, increase performance and reduce costs among many other benefits.

However, for organizations to get the maximum benefit from their management systems and ensure continual improvement, there needs to be regular auditing done on their systems. This becomes complex when an organization has several management systems in place.

The ISO 19011:2018 – Guidelines for auditing management systems provides organizations with a streamlined and uniform approach to audit all their management systems effectively.

Why the recent update in 2018?

Over the last several years, many changes have been made to the various ISO management system standards. Beginning with the publication of ISO 9001:2015, many of the modifications made to these standards have focused on a shared High-Level Structure, similar core guidelines and common definitions and terms. The emphasis of these revisions has also been increasingly on risk management and top management involvement.

Denise Robitaille, Chair of the ISO project committee that revised the standard, said that it was necessary to update the standard to ensure it continued providing effective guidance that addressed changes in the marketplace, evolving technologies and the many new management system standards recently published or revised.

The key changes

ISO 19011:2018 was revised to take a broader approach to management systems auditing, in response to the updates being made to the various ISO management system standards. The changes are:

  • Addition of seventh principle – Risk-based approach – to the principles of auditing
  • Guidance on managing an audit program has been expanded, with a focus on audit program risk
  • Guidance on conducting audits has been expanded (especially the section on audit planning)
  • Generic competence requirements of auditors have been expanded
  • Terminology adjusted to reflect the process and not the object
  • Annex A (Guidance and illustrative examples of discipline-specific knowledge and skills of auditors) has been removed. With so many individual management system standards out there, it is not feasible to include the competence requirements for all disciplines.
  • The new Annex A, “Additional guidance for auditors planning and conducting audits” (earlier Annex B in ISO 19011:2011), has been expanded to provide guidance on auditing concepts such as organization context, leadership and commitment, virtual audits, compliance and supply chain.

Equipped with these changes, ISO 19011:2018 outlines the overall principles of conducting management systems audits and managing an audit program along with details on evaluating the individuals and teams involved in the audit program.

Impact on auditing practices

Some of the impacts on auditing practices made by the new ISO 19011:2018 standard include:

Risk-based approach: With the new revision, the broader approach to organizational risk and opportunities, a risk-based approach, will significantly influence the planning, conducting and reporting of audits in order to ensure that the audit program stays relevant and the objectives of the organization are met. Also, experienced auditors and top management will understand what to expect during and after an audit. Moreover, entry-level auditors and trainers will find the revised standard more practical, with clear guidance on the concepts of risk and opportunities.

Auditor competence: ISO 19011:2018 addresses the topic of auditor competence more directly, with more knowledge and skills required of auditors. The standard also outlines the expectation that auditors achieve competence through ongoing experience and audit delivery, and it outlines ways to measure and demonstrate an auditor’s competence. These include audit experience, versatility, certifications, report accuracy, report timeliness and client feedback.

Audit planning & process: ISO 19011:2018 puts a special focus on audit planning, with an emphasis on a risk-based approach. Planning helps mitigate risk, and one needs to consider the risks that could hinder the completion of the audit program. The standard encourages you to think ahead about these risks and add elements to your audit plan to mitigate or eliminate them.

Focus on business risk and opportunities

In the context of business, we have to consider the inherent risks and opportunities to help achieve the objectives of the quality management system implementation.

Risk is the effect of uncertainty on expected results or objectives. This effect may be a positive or negative deviation from what is expected. Risk is about what could happen and what the effect of this happening might be.

The objectives are conformity and compliance of products or services with the QMS requirements and enhanced customer satisfaction. Within these there are opportunities for progress or advancement of the objectives of the QMS.

Risks and opportunities that can affect conformity of products and services with requirements and the ability to increase customer satisfaction are determined and addressed. This gives assurance that the QMS has achieved its intended results, mitigates or prevents undesired effects and achieves continual improvement.


Overall, ISO 19011:2018 aims to consolidate and improve existing guidelines for auditing practices to help organizations conduct and manage a successful audit program with the focus on risk and opportunities.