What exactly is an “audit”?
The International Organization for Standardization defines it as:
“[the] systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.” – ISO, from ISO 19011:2018 – Guidelines for Auditing Management Systems
That’s another way of saying someone takes a look at what you’re doing, gathers some evidence, and compares that evidence to what you’re supposed to be doing (in other words, a set of clearly documented requirements).
Importantly, this understanding of audit implies that there are a few main things being considered by the auditor:
- What’s documented by the company (e.g. internal processes, policies, and SOPs)
- Evidence gathered to support how these policies, procedures, and SOPs are implemented in practice
- The requirements defined by the ISO standard being audited against (e.g. ISO 9001)
Audits performed by companies to assess and analyze their own management systems are known as internal audits. Many resources for guiding companies on how to perform internal audits exist, and foremost of these is the ISO 19011 standard.
For most management system standards, internal audits are an important requirement. Even guideline standards like ISO 26000 for social responsibility depend on reports to evidence the success of their implementations.
As such, ISO 19011 defines a set of guidelines: a framework for companies to plan, implement, and improve upon their audit programs for auditing the implementation of management systems.
Since the first edition of ISO 19011 was published in 2002, many new management system standards have been published.
These standards often share a common structure, including certain requirements, terms, and definitions. That means ISO 19011 can be used to devise highly economical audit programs, wherein knowledge and processes can be shared and applied across various management systems.
By considering how they might take a broader approach to management system auditing and integration, companies implementing ISO management systems stand to save time, money, and confusion when preparing for and implementing internal audits.
The goal of this post is to provide a springboard for understanding ISO 19011, and how to get started with internal ISO auditing. In this post, I’ll cover:
- What is ISO 19011
- 7 principles of ISO auditing
- Different types of ISO audit
- Key elements of an ISO audit
- 8 free ISO audit templates
If you just want the free ISO audit templates, then here they are:
- ISO 19011:2018 Checklist for Auditing Management Systems
- ISO 9001:2015 Audit Checklist for Quality Management Systems
- ISO 26000:2010 Social Responsibility Performance Assessment Checklist
- ISO 45001:2018 Occupational Health and Safety (OHS) Audit Checklist
- ISO 27001:2013 Information Security Management System (ISO 27K ISMS) Audit Checklist
- ISO 14001 Environmental Management Self Audit Checklist
- ISO 9004:2018 for Sustainable Success in QMS Self Audit Checklist
- ISO 9001 and ISO 14001 Integrated Management System (IMS) Checklist
So, let’s start by trying to understand a few things about the standard for auditing management systems: ISO 19011.
What is ISO 19011?
ISO 19011 is a set of guidelines for auditing management systems.
It is not a set of requirements. You can’t get “ISO 19011 certified”.
It’s sort of like a meta-standard designed to inform companies how to prepare audit programs for auditing their management systems (quality management systems, environmental management systems, risk management systems, et cetera).
As of writing, the most recent revision, ISO 19011:2018 (Guidelines for auditing management systems), was published in July 2018 in response to demand for guidance on combined management system audits.
ISO 19011 has three important sections concerning auditing management systems:
- How to manage an audit program
- The 7 principles of auditing
- Approaches for evaluating the competence of auditors
There’s also a big focus on applying principles of continuous improvement to an audit program.
One of the main tenets of such an approach is making sure that the objectives of the audit program are well-aligned with the main business objectives of the organization, and that the needs and best-interests of customers and other stakeholders are prioritized.
An area of increasing importance in the auditing of management systems is the principle of risk management.
Management System Standard (MSS)
The management system standard (MSS) refers to the shared structure that ISO management systems use to make it easier for organizations to integrate multiple management systems by re-using knowledge and steps required for implementation.
An example of this type of standard is Annex L (previously known as Annex SL).
Annex L is a high-level structure (HLS) designed to streamline the creation, maintenance, and improvement of management systems.
Based on a core structure of ten clauses, Annex L is shared by many ISO management system standards, such as ISO 9001:2015, ISO 14001:2015, and ISO 45001:2018.
It replaces ISO’s previous Guide 83 standard, which provided base structure and format for management system standards.
7 principles of ISO auditing
ISO 19011 defines 7 key principles that help to ensure audits are effective and reliable tools, supporting the management systems they are auditing by providing actionable information that organizations can use to improve performance.
These principles are designed to enable auditors working independently from one another to reach similar conclusions in similar circumstances.
They also form the basis for the guidance outlined in the three key elements of an ISO audit that appear later on in this article (and in ISO 19011, clauses 5 to 7).
Integrity: The foundation of professionalism
Auditors and audit programme managers should perform their work ethically, in an honest and responsible manner, and, using their best judgement, should:
- Undertake audit activities only if competent to do so
- Perform work in a fair and unbiased manner
- Remain sensitive to influences exerted upon their judgement while carrying out audits
Fair presentation: The obligation to report truthfully and accurately
All audit findings, including documented evidence, conclusions, and written reports, should truthfully and accurately reflect the activities of the audit.
This includes any obstacles, disagreements with other auditors, or difficulties faced during the audit. Everything must be adequately documented.
It goes without saying that all communication, not just documented and reported information, should be truthful, timely, rational, clear, and complete.
Due professional care: Diligence and judgement in auditing
Auditors should exercise due professional care in all tasks performed during the audit, in accordance with the confidence placed in them by the auditee and in recognition of the importance of the task they are performing.
One of the most important requirements of this principle is that auditors have the ability to make reasoned judgements in all situations during the audit.
Confidentiality: Security of information
Auditors should respect the confidentiality of all information they’re dealing with throughout the audit.
This means exercising due diligence in making sure all information acquired during the course of their duties as auditors is respected and adequately protected.
Making sure information is secure includes taking special precautions where necessary, such as when handling sensitive or confidential information.
Independence: Audit impartiality and objectivity
Audits, by nature, should be independent of the activity being audited, to the furthest extent possible. They should not interfere with the activity, nor should they hold any bias or conflict of interest.
Wherever possible, internal audits should be independent from the function being audited.
Key to all audits is the pursuit of objectivity via rational process, to make sure all findings and results from the audit are based only on audit evidence.
Smaller organizations may find it difficult to enlist truly independent auditors; as such every effort should be made to eliminate bias and encourage the pursuit of rational objectivity.
Evidence-based approach: Rational, reliable, reproducible results
Evidence is one of the pillars of a successful audit, and the foundation of rational, reliable, reproducible results.
Audit evidence should be based on samples of available information, in acknowledgement of the fact that audits are conducted within limited periods of time, with limited resources.
Collection of audit evidence is based on a formalized process known as audit sampling.
Audit sampling typically involves the following steps:
- Setting clear sampling objectives
- Determining what will be sampled, and how much of it
- Selecting a sampling method
- Deciding on a sample size
- Carrying out the sampling
- Documenting and reporting all results
Further details of various audit sampling processes are given in Annex A.6 of ISO 19011:2018.
Risk-based approach: Considering risks and opportunities
Risk management is a substantial factor when planning for, conducting, and documenting an audit.
The goal of a risk-based approach is simply to orient the audits more clearly towards matters that are important for audit clients and the achievement of audit objectives.
Different types of ISO audit
ISO 19011 is a standard designed to help companies perform audits.
When it comes to ISO standards, there are two main different types of audit:
- Internal audits (first-party)
- External audits (second-party and third-party)
ISO 19011 specializes in first- and second-party audits, and is designed for use by audit teams of all types and sizes, from single auditors to larger teams suited to full-scale enterprise audits.
Remember that ISO 19011 is a set of guidelines; it’s not a complete set of requirements that needs to be followed step-by-step. The guidance offered by ISO 19011 should be adopted as appropriate to suit the specific needs and requirements of the audit programme in question.
ISO 19011 can also be used as additional guidance for third-party audits, but the specific requirements for auditing management systems are set out in ISO/IEC 17021-1; these requirements are for use by certified lead auditors or registered bodies when carrying out certification audits.
Below you can find a quick breakdown of each type of audit.
First-party audits
This is simply an internal audit.
Internal audits are conducted by (or on behalf of) the organization itself. These audits are typically in the context of assessing conformity, evaluating effectiveness, identifying areas that could be improved, or as requirements for certain ISO standards specifying that internal audits need to be carried out.
First-party audits may also be done as preparation for a third-party audit; however, first-party audits can never result in an ISO certification.
Second- and third-party audits
External audits encompass both second- and third-party audits.
Second-party audits are conducted by, or at the request of, relevant interested parties outside of the organization, like customers or organizations contracted on behalf of a customer.
For example, a client and vendor have a contract, and goods or services are being exchanged. Typically, second-party audits will be more formal than first-party, because they will influence the relations with customers or other relevant interested parties.
Third-party audits are done by independent organizations that have no vested interest in, or conflict of interest with, the organization being audited, like those that provide certification, or government agencies.
Independence of the audit organization is one of the defining factors of a third-party audit.
Customers can also request third-party audits, and this will usually be in order to verify you conform to some specific requirements.
Only third-party audits can be used to get ISO certified. Third-party audits may also result in other types of registration, recognition, or licensing.
Equally, failing a third-party audit might also result in a fine or citation.
Key elements of an ISO audit
Generally speaking, an ISO audit will consist of the following key elements, or stages:
- Audit management
- Audit preparation
- Audit process
- Gathering evidence
- Evaluation of audit evidence against audit criteria
- Closing the audit
- Following up
- Competence and evaluation of auditors
Each of these stages will involve various sub-tasks and requirements, depending on the specific standard being audited to.
Since ISO 19011 is a standard providing guidelines for auditing management systems, it is structured in a way that deals with preparing for and conducting the audit, but also covers how organizations might evaluate the competence and selection of the actual auditors.
It’s worth noting that ISO 19011 cannot be “audited” against; rather it is a standard that defines guidelines for organizations to structure their audits.
So basically, ISO 19011 is a set of guidelines for auditing other ISO management systems against their respective management system standards.
Nonetheless, ISO 19011 offers invaluable information on how to approach an audit of any ISO management system standard.
Remember that an audit implies comparison against a set of requirements. For ISO audits, the set of requirements is whatever standard is being audited to.
Let’s take the example of a quality management system. In this case, the requirements would be a standard of the ISO 9000 family; say, ISO 9001:2015.
So, how would an organization’s QMS be audited to the requirements of ISO 9001:2015?
In simple terms, the auditor would have to look at two things:
- How the QMS is documented
- How the evidence gathered compares with the requirements of ISO 9001:2015
Based on this information, the auditor will then be able to determine conformities and nonconformities, and offer suggestions to the auditee about how they can improve their QMS.
Below, I’ll outline the three core elements set out in ISO 19011 for approaching an ISO audit.
Audit management
Audit management starts with the establishment of an audit programme. The purpose of the audit programme is to oversee the whole audit process, including planning and scoping: determining which management system (or systems) will be audited, and against which specific requirements.
The full scope of the audit system will also depend on the size of the auditee (company being audited), as well as the nature and complexity of the management system being audited.
During this stage, audit planning and preparations are made, including review of all available documented information for the management system being audited, and establishment of clear audit objectives and criteria.
Work done under the banner of “audit management” goes on to inform and direct the actions of the auditors during the main audit process.
An important part of audit management is making sure the entire audit party has adequately reviewed all documented information for the management system being audited.
Audit process
“Audit process” might sound a bit vague, but it basically means everything that goes into actually conducting the audit, starting from making contact with the auditee to prepare or request any documented information, and ending with conducting closing meetings and distributing the completed audit report.
One of the first things to be done is to determine audit feasibility.
Working from the audit objectives established during the planning stage of audit management, this basically asks “can we (the auditor) achieve the audit objectives, based on time, resources, information, and cooperation with the auditee?”.
The audit process also involves preparing a complete audit plan, preparing additional documented information for the audit (like reference standards and documents to bring with you during on-site evidence collection), preparing for and conducting opening meetings, collecting audit evidence, evaluating evidence against audit criteria, and preparing the final audit report.
There’s a lot that goes into the main audit process; the above points are just a brief summary of key steps. The complete process, start-to-finish, is outlined in the free ISO 19011:2018 template that appears later on in the article.
Competence and evaluation of auditors
The final component of the ISO 19011 standard is aimed at providing general guidelines for making sure the auditors are competent to do their job.
Ideally, competence should be evaluated on a regular basis using a process that takes into account the behaviour and knowledge of each auditor.
Such a process should also consider the specific needs, objectives, and considerations of the audit program in question.
As with all ISO standards, requirements and guidelines alike, the whole process of evaluating auditor competence should be adequately documented, in order to maintain consistency, and ensure fair and reliable results.
The process for evaluating auditor competence has four main steps:
- Determine the level of competence required for the job
- Establish some criteria for evaluating competence
- Choose a method for evaluating competence
- Conduct the evaluation
Following the evaluation, the results will contribute to the ongoing performance evaluation of the auditors, and can be used to inform the following decisions:
- Selecting the audit team
- Determining whether there is a need for improved competence (e.g. more training)
Competence and evaluation of auditors also feeds back into and supports the principle of continuous improvement, allowing an audit team to maintain and improve competence via recurring participation in audits.
For a specific process for evaluating auditors and audit team leaders, see clauses 7.3, 7.4, and 7.5 of ISO 19011:2018; for individuals responsible for managing the audit programme (not necessarily themselves auditors), see clause 5.4.2.
8 free ISO audit templates
What better way to get started with internal ISO audits than with a pre-made template to guide you through the process?
Below you’ll find 8 custom-built templates for performing ISO audits (or reviews, where the standard doesn’t specify requirements).
ISO 19011:2018 Checklist for Auditing Management Systems
To begin with the namesake of this article: ISO 19011 doesn’t specify requirements, but rather a set of guidelines for approaching ISO audits of management systems.
This checklist can however be used to guide you through the internal audit process for any ISO management system. That includes, but isn’t limited to:
- ISO 9001:2015 for quality management systems
- ISO 14001:2015 for environmental management systems
- ISO 45001:2018 for occupational health and safety management systems
- ISO 27001:2013 for information security management systems
ISO 9001:2015 Internal Audit Checklist for Quality Management Systems
Perhaps one of ISO’s most popular standards, ISO 9001 defines the requirements for implementing, maintaining, and optimizing a quality management system.
Organizations value ISO 9001 because it allows them to demonstrate to their stakeholders that they can consistently deliver products and services that meet specific customer and regulatory requirements.
ISO 26000:2010 Social Responsibility Performance Assessment Checklist
ISO 26000 is a standard that outlines a set of guiding principles for corporate social responsibility.
Just like ISO 19011, ISO 26000 is a set of guidelines, as opposed to requirements. ISO 26000 is voluntary and as such cannot be certified to.
Rather, organizations seeking to implement ISO 26000 will benefit from (and sometimes require) performance assessments to determine their success in understanding and clearly defining what social responsibility means to them.
This checklist provides guidelines to assist with the deployment of best practice principles and actionable solutions for organizations that are trying to implement ISO 26000:2010.
ISO 45001:2018 Occupational Health and Safety (OHS) Audit Checklist
ISO 45001 is designed to help organizations to improve employee safety, reduce workplace risks and create better, safer working conditions.
Sharing the core structure of other management system standards like ISO 14001 and ISO 9001, it also takes into account other International Standards in this area such as:
- OHSAS 18001
- International Labour Organization’s ILO-OSH Guidelines
- ILO’s international labour standards and conventions
- Various other (inter)national standards
This checklist will simplify the audit process for you, saving you time and effort by eliminating manual tasks and utilizing Process Street features like conditional logic and role assignments to automate recurring tasks and make your life easier.
ISO 27001:2013 Information Security Management System (ISO 27K ISMS) Audit Checklist
Internal audits are crucial requirements for information security management systems (ISMS) following the ISO/IEC 27001:2013 (ISO 27001) standard.
They are also some of the most challenging requirements to successfully meet, especially for smaller organizations.
As such, the importance of a solid, reliable process is paramount. This checklist will guide you through the internal audit process from start to finish.
ISO 14001:2015 Environmental Management Self Audit Checklist
Similar in scope to the ISO 9001 internal audit checklist for quality management systems, this template is designed for companies wanting to perform self-audits to ensure compliance of their EMS with the ISO 14001 standard.
If you’re already familiar with ISO 9001 or any similar ISO management system standards, this one should look very familiar, and this checklist will help guide you through the process.
ISO 9004:2018 Guidelines for Sustainable Success (Quality Management) Self Audit Checklist
This internal audit checklist will run you through the entire process of examining your organization against the guidelines defined in the standard.
ISO 9001:2015 and ISO 14001:2015 Integrated Management System (IMS) Checklist
Integrating multiple management system standards that share the same or similar structure can save you time and effort in the long run.
For example, perhaps you already have a quality management system based on ISO 9001, and you want to integrate it together with a new environmental management system based on the ISO 14001 requirements.
Or perhaps it’s the other way around, and you’re looking to integrate the principles of a QMS alongside an existing environmental management system.
Either way, this checklist will guide you through the whole process, and save you tons of effort in the long run.
More ISO resources
We’ve done a lot of writing on ISO standards; check out these other Process Street articles if you’d like to look further:
- What is Quality Management? The Definitive QMS Guide (Free ISO 9001 Template)
- What is ISO 9001 Certification? How to Get Certified (For Beginners)
- Agile ISO: How to Combine Compliance with Rapid Process Improvement
- Processes, Policies and Procedures: Important Distinctions to Systemize Your Business
- What is an ISO Audit? Free ISO 9000 Self-Audit Checklist (ISO 9004:2018)
- How to Write an Actionable Policy and Procedure Template (ISO Compliant!)
- 20 Free SOP Templates to Make Recording Processes Quick and Painless
- ISO 26000 for Corporate Social Responsibility: How to Get Started
Confused about ISO management system audits? Maybe there’s a specific standard you’d like to know more about – let us know in the comments and we’ll do our best to help you out.