Rolling Out ISO 19011:2018 – Guidelines for Auditing Management Systems

ISO 19011:2018 was released in July, and the new revisions have truly transformed the contents of the standard. The most significant change is a new risk-based auditing approach, which recognizes the importance of managing risk in any management system, as well as in the marketplace.

ISO 19011 provides guidelines for auditing management systems, enabling effective auditing across multiple systems at the same time. The document offers guidance regarding:

  • The principles of auditing
  • Managing an audit program
  • Conducting management system audits
  • Guidance on evaluating the competence of those involved in the audit process, including the managers, auditors and audit teams

It can be used by any organization that needs to conduct internal or external audits of management systems, including 2nd party and supplier audits.

The new revision puts an increased focus on risk: a new Principle of Auditing has been added to Clause 4, and a series of new sub-clauses emphasizes the standard’s risk-based approach, including calls to consider risks and opportunities both when performing an audit and when managing the audit program.

Auditors are now advised to employ a Risk-Based Approach, an audit approach that considers risks and opportunities. According to the new language, this approach should “substantively influence the planning, conducting and reporting of audits in order to ensure that audits are focused on matters that are significant for the auditee and for achieving the audit program objectives.”

This Risk-Based Approach joins Integrity, Fair Presentation, Due Professional Care, Confidentiality, Independence and Evidence-Based Approach as ISO 19011’s principles of auditing. Your certification body will want to see your knowledge of the new standard, along with your implementation plans and the timing for your company to adopt this new approach in your internal audits.

Other revisions to the standard include:

  • Additional guidance on managing an audit program
  • Expanded guidance on conducting an audit
  • An expansion of the generic competence requirements for auditors
  • Adjusted terminology to reflect the process and not the object
  • Removal of the annex providing competence requirements for auditing specific management system disciplines
  • An expansion of Annex A to provide guidance on auditing new concepts such as organizational context, leadership and commitment, virtual audits, compliance and supply chain

SimpleQuE’s auditors have extensive training and experience and follow ISO 19011’s guidelines for conducting audits. Can you say the same for your auditors? Contact us for more information about training your internal auditors or outsourcing your audits.

Look Fors – Part 3: Planning for Risk and Change

Would you like to know what 3rd party auditors are looking for when auditing how your company complies with quality system standards like ISO 9001:2015?

What are 3rd party auditors looking for? This is the third of a three-part series by Jim Lee, President of simpleQuE.

Clause 6 of ISO 9001:2015 – Planning for Risk and Change

In parts one and two of this series, Context of the Organization and Leadership were covered. Next is the topic of Planning for Risk, which brings risk-based thinking to the forefront. Once the organization has identified its risks and opportunities under Clause 4, it needs to stipulate how it will address them. The planning phase examines who, what, how and when risks must be addressed. It is a proactive approach that replaces preventive action and, ideally, reduces the need for corrective actions later on.

Particular focus is also placed on the objectives of the management system. These should be consistent with the quality policy and be measurable, monitored, communicated and updated when needed. Changes to the QMS should also be planned, and their consequences understood, so that risk can be assessed and potential negative impact minimized.

Third-party auditors may use the following as evidence of risk-based thinking and its integration into the quality management system:

  • Design reviews
  • Competitive analysis, benchmarking, recall analysis, competitive testing
  • Process control plan, internally tighter tolerances and controls than customer specs
  • Management reviews
  • Process and design FMEA (Failure Mode and Effects Analysis)
  • Corrective Actions, and replicating actions across similar products and processes
  • Metrics related to objectives in management review
  • Customer scorecards, dissatisfaction, trends and performance
  • Operational meeting minutes with action items for higher risks
  • Change in leadership or new programs
  • Processes to deal with new technology, new materials, new processes, new products, new suppliers, new packaging, moving production, changing equipment
  • Program plan describing and monitoring change
  • Equipment maintenance plans and programs
  • Calibration frequencies
  • Internal audit frequencies, and the need to audit some areas more than others
  • Contingency plans
  • Strategic or business planning, SWOT (Strengths, Weaknesses, Opportunities, Threats) analysis, PEST (Political, Economic, Social and Technological) analysis, etc.
  • Approval for capital, along with the justification and risks to invest now or delay to later
  • Supply chain risk management with supplier performance, financial stability, sole sourcing, geography with lead times and inventory in transit, leverage, long term agreements, etc.

Not all of the elements listed above will be needed, but organizations may run into issues if:

  • Risks and opportunities are not identified when there is clear evidence of problems or need for action
  • Risk-based thinking is not driven by leadership
  • Actions to address risks and opportunities are not taken or not effective
  • Risk evaluation is not applied throughout the QMS (supplier selection and evaluation, new product or service, short lead time, capacity constraints, etc.)
  • Measurable objectives are not established
  • Objectives are not monitored or changed as the context of the organization changes
  • Action is not taken when objectives are not met, or trends are going the wrong direction
  • The impact of change is not identified or magnitude of change not understood
  • Costs/schedule are not included in defining change

Also, read more about Context of the Organization in Part 1 and Leadership in Part 2.

Source: NQA’s Teaming Conference – August 2017