Auditing ISO

ISO Management Systems – December 2001 39

p to now, ISO had developedseparate guidelines for auditing

quality and environmental manage-ment systems (Figure 1). The threeparts of ISO 10011 providing guid-ance on the auditing of quality man-agement systems were issued in 1991.The three separate guidelines for theauditing of environmental manage-ment systems – ISO 14010, ISO 14011and ISO 14012, were published in1996.

During the development of theISO 14010 series, due attention waspaid to ISO 10011 and, therefore, thetwo sets of standards do not differfundamentally from each other. Inparticular, ISO 10011-1 and ISO 14011on audit procedures, and ISO 10011-2and ISO 14012 on auditor qualifica-tions, show great similarities. Ofcourse, ISO 14012 requires that envi-

ronmental auditors have knowledgeof environmental management, envi-ronmental science and technology,and environmental legislation that isdifferent from the knowledge require-ments in ISO 10011-2. Nevertheless,the framework of qualification crite-ria in terms of education, training,and work and audit experience isbasically the same.

I N T E R N A T I O N A L

ISO develops unique standardfor auditing ISO 9000 and ISO 14000 systemsAs part of ISO’s response to ISO 9000 and ISO 14000 users’ requirement for maximum compatibility between the two families of standards, the organization is developing aunique guideline for the auditing of both quality and environmental management systems.The draft International Standard ISO/DIS 19011, Guidelines for quality and/or environmen-tal management systems auditing, was published on 31 May 2001 and has been distributedto ISO’s members for a five-month ballot, closing on 31 October 2001. Its publication as anInternational Standard is expected in the second half of 2002. ISO 19011 will complete theISO 9000 “core series” also comprising the revised ISO 9000, ISO 9001 and ISO 9004, published in December 2000. It is being developed by a joint working group set up by sub-committees of two of the most well known ISO technical committees: ISO/TC 176, Qualitymanagement and quality assurance, and ISO/TC 207, Environmental management. Thedevelopment of ISO 19011 is a unique project for ISO as is it the first document to bridgethe gap between the famous ISO 9000 and ISO 14000 families of standards. This articledescribes the background to this project and highlights the major features of the futurestandard.

UDick Hortensius is SeniorStandardization Consultantwith the NetherlandsStandardization Institute(NEN). Closely involved with the development of the ISO 14000 series onenvironmental management,he serves as Secretary of the Joint Working Group on Auditing set bySubcommittees 3 and 2,respectively, of ISO TechnicalCommittee ISO/TC 176 (ISO 9000)and ISO/TC 207 (ISO 14000).

Dick Hortensius, NEN, P.O. Box 5059, NL-2600 GB Delft,Netherlands.

Tel. + 31 15 2 69 03 90.Fax + 31 15 2 69 01 90.E-mail [email protected] www.nen.nl

BY DICK HORTENSIUS

40 ISO Management Systems – December 2001

More recent was the develop-ment of a guideline describing thegeneral principles of environmentalauditing, ISO 14010. However, it wasnot considered necessary to developa document on managing environ-mental auditing programmes and,therefore, the ISO 14010 series doesnot include a counterpart to ISO10011-3.

Focus on compatibility and alignment

At the beginning of 1997, ISO/TC176 and ISO/TC 207 paid renewedattention to their cooperation and theway in which they managed the devel-opment of compati-ble standards, i.e.standards that areeasy to use in a com-bined or integratedmanner. The reasonfor this revival of the“ c o m p a t i b i l i t ydebate” was thefinalization of thefirst important set ofISO 14000 standardsin the second half of1996 and, at the same time, the startof the revision process of both theISO 9000 series and ISO 10011.

It was clear that both revisionswould lead to fundamental changesin the standards, for example, ISO9001 and ISO 9004 were to be basedon the process model and ISO 10011would incorporate a new approach to

the qualification of auditors. There-fore, the establishment of new mech-anisms to ensure compatibility wasconsidered important. The Joint Co-ordination Group of ISO/TC 176and ISO/TC 207 initiated variousliaison groups, amongst which theCommon Study Group on Auditingbetween the subcommittees (SC’s)ISO/TC 176/SC 3 and ISO/TC 207/SC 2.

This Common Study Group hadthe task of investigating options tofurther align the ISO standards onauditing up to full integration and toassess the market need, support for,and the feasibility of these options.The group met for twice in 1997 and

1998. Its mostimportant recom-mendation to therespective parentcommittees was toconsider the devel-opment of one com-mon ISO documenton environmentaland quality auditing,if necessary withadd-ons for specificquality and environ-

mental aspects.In March 1998, this recommenda-

tion was followed-up by the issuingof a joint new work item proposal forthe development of a common ISOstandard on quality and environmen-tal auditing. This proposal wasaccepted by both ISO subcommitteesand a joint working group (JWG)


Figure 1Current ISO guidelines for auditing

At the beginning of 1997,

ISO/TC 176 and ISO/TC 207

paid renewed attention

to the way in which they

managed the development

of compatible standards


ronmental) regulatory complianceaudits, product audits and processaudits are not covered by ISO19011. Of course, performance, regu-latory compliance, prod-uct and processes are ele-ments of system audits,for example, where thecapability of a manage-ment system to assist thecompany in complyingwith applicable legisla-tion, or in achieving per-formance objectives, isassessed. However, it wasdecided to focus ISO19011 on those qualityand environment relatedaudits that are closest toeach other and can most readily becombined in a standard, as well asactual practice. At the same time,this provides a good opportunity touse ISO 19011 as a basis for othermanagement system audits, such asthose for occupational health andsafety.

Figure 3 (overleaf) indicates howthe various elements of the currentauditing standards are merged inISO 19011.

This does not mean that ISO19011 is simply a combination of thecurrent documents.

was established that met for the firsttime in November 1998 to developthe single auditing standard.

This JWG (Figure 2) is chaired bytwo co-conveners: Alistair Dalrymple,from the French certification body,AFAQ, on behalf of ISO/TC 176/SC 3 and Andrew Griffiths, fromDegussa Metals Catalysts Cerdec,Germany, on behalf of ISO/TC207/SC 2. During the entire process,the Netherlands StandardizationInstitute (NEN) played a key role asit is responsible for the secretariats of both the ISO subcommitteesinvolved, as well as of the CommonStudy Group and the Joint WorkingGroup.

Breaking new ground with ISO 19011

ISO/DIS 19011, Guidelines forquality and/or environmental man-agement systems auditing, is theproduct of seven meetings of theJoint Working Group and threeinternal Committee Drafts. The num-ber 19011 – the first XX011 numberavailable – was specially granted tothis project by ISO. The idea behindthis choice of number was to avoidlinking the standard exclusively toeither the ISO 9000 or the ISO 14000family of standards, but on the otherhand to maintain the relationshipwith the current auditing standards(ISO 10011 and 14011). The number19011 can also be looked upon as asymbol that this project goes beyondthe current gap between quality andenvironmental management.

From a first look at ISO 19011, itbecomes immediately clear that:

– an explicit choice has been madeto limit the scope of the standardto management system audits;

– all elements of the current ISO10011 and the ISO 14010 series areembodied in the new standard.

The first point means that vari-ous types of audits, such as environ-mental performance audits, (envi-


Figure 2 – Position of theJWG on Auditing

Proof that quality and environmental ‘cultures’ cansit down at the same table:co-conveners of the JointWorking Group on Auditingwhich is developing ISO 19011 – Left, AndrewGriffiths, from DegussaMetals Catalysts Cerdec,Germany, on behalf of ISO/TC 207/SC 2 (ISO 14000),and right, Alistair Dalrymplefrom the French certificationbody, AFAQ, on behalf ofISO/TC 176/SC 3 (ISO 9000).


Key improvements are:

– the clear set of definitions cover-ing the relevant concepts of man-agement system auditing;

– the concise des-cription of theessential charac-teristics and prin-ciples of auditingand the auditingprofession;

– the provision ofthe key aspectsof managing anaudit programmeincluding clearlinkages with the conduct of indi-vidual audits and the process ofevaluation of auditor compe-tence;

– the clear description of all ele-ments of an audit process, and

– the competence approach to audi-tor qualification.

In addition to these, various prac-tical help boxes are included in thetext to provide additional detail andto assist, for example, small andmedium sized enterprises, along witha number of figures presenting thekey concepts of ISO 19011 visually.

Potential users of the standard

ISO 19011 is intended to be appli-cable to internal as well as externalmanagement system audits. There-fore, the main target group areorganizations having implemented aquality and/or environmental man-agement system and thus having aneed to conduct internal systemaudits. Another important targetgroup are certification/registrationbodies that conduct external systemaudits as a basis for the decisionwhether or not to issue a certificateof conformity to a management sys-tem standard.

Other potential users of the stan-dard include organizations involvedin auditor training or registration,organizations that provide consul-tancy in management systems, andaccreditation bodies.

The guidance in ISO 19011 can beused to conductaudits on either anenvironmental man-agement system or aquality managementsystem separately, orto conduct combinedaudits on both sys-tems (whether in-tegrated or not) atthe same time. Thischoice is at the dis-cretion of the user

and is not at all imposed by ISO19011 itself. However, ISO 19011reflects the market development thatmany organizations implement bothquality and environmental manage-ment systems and want to optimizetheir auditing efforts.

The concept of auditing

According to the definition in ISO19011 an audit is a systematic, inde-pendent and documented process forobtaining audit evidence and evaluat-ing it objectively to determine theextent to which audit criteria are ful-filled. Audit evidence is based onrecords, statements of fact or other


Figure 3 – Merging of the ISO 10011 and the ISO 14010 series

The number 19011

can be looked upon as a

symbol that this project

goes beyond the current

gap between quality and

environmental management


information that the auditor gathersand that can be verified. The auditcriteria may be, for example, therequirements of a management sys-tem standard such as ISO 9001 orISO 14001. The evaluation of theaudit evidence against the audit crite-ria leads to findings of conformity ornonconformity with the criteria, i.e.something does or does not conformto the applicable requirements.

After consideration of all the find-ings, the auditor can draw conclu-sions such as whether the manage-ment system of an organization doesor does not conform to a manage-ment system standard.

These basic steps of gathering andselecting information and logical rea-soning are shown in Figure 4 below.

! Ethical conduct – the foundation ofprofessionalism

! Fair presentation – the obligationto report truthfully and accurately

! Due professional care – the appli-cation of diligence and judgment toauditing.

Two further principles relate tothe audit process:

! Independence – the basis for theimpartiality and objectivity of theaudit conclusions

! Evidence – the rational basis forreaching reliable and reproducibleaudit conclusions in a systematicaudit process.

Adherence to these principles is aprerequisite for providing a reliableand relevant audit outcome and theremainder of the guidance given inISO 19011 is therefore based onthem.

Management of audit programmes

According to ISO 19011, an auditprogramme is a set of one or moreaudits planned for a specific timeframe and directed towards a specificpurpose. For many organizations,the audit programme will consist ofthe set of individual audits whichare carried out to cover all elementsof the management system in allparts of the organization during anaudit cycle. The programme mayalso consist of the set of initial andsurveillance audits carried out by athird party during the contractualperiod of a management system cer-tificate of conformity. Managementof an audit programme includes allrelevant activities that are necessaryto facilitate the conduct of individ-ual audits, such as appropriate plan-ning, providing resources (financial,human) and establishing proce-dures.

Figure 5 (overleaf) shows the various elements of an audit pro-gramme and the application of thePlan-Do-Check-Act cycle to it.


Figure 4 – Basic steps in an audit process

Principles of auditing

ISO 19011 describes the principlesof auditing that make audits differentfrom other types of assessment, andthat make them a reliable tool in sup-port of management policies and con-trols, and in the provision of informa-tion to interested parties.

Three of these principles relate tothe auditors themselves:



Conduct of audits

The guidance that ISO 19011 pro-vides for the conduct of individualaudits does not differ fundamentallyfrom the guidance given in the cur-rent auditing standards.

Figure 6 below shows the partiesinvolved in the conduct of an audit.In the ISO 10011 and ISO 14010series the roles and responsibilities of

each actor were described in detail.In ISO 19011, these roles and respon-sibilities are included in the descrip-tion of the audit process.

The various stages in this auditprocess are given in Figure 7 on thenext page and, for each element, ISO19011 provides the necessary guidance.

Auditor competence

The most innovative part of ISO19011 is the clause which addressesthe competence of auditors. In ISO10011-2, as well as in ISO 14012, thequalification criteria for auditors aredefined in terms of minimum level ofeducation and number of years ofwork experience and hours of auditortraining and experience. In ISO19011, the focus is on auditor compe-tence: to be a competent auditor aperson should demonstrate the pos-session of a number of personalattributes and the ability to apply theknowledge and skills that are neces-sary to conduct a successful audit andachieve the audit objectives.Knowledge and skills can be acquiredby an appropriate combination ofeducation, work experience and audittraining and experience. This concept

Figure 5 – Management ofan audit programme

Figure 6 – Parties involvedin an audit



of auditor competence is portrayed inFigure 8 opposite.

The knowledge and skills speci-fied in ISO 19011 are subdivided intothose that apply to all managementsystem auditors, those that only applyto auditors of quality or environmen-tal management systems and thosethat apply to audit team leaders.

The generic knowledge and skillsinclude those related to:

– audit principles, procedures andtechniques;

– management systems and refer-ence documents;

– organizational situations, and

– applicable laws, regulations andother relevant requirements.

Figure 7 – Overview ofaudit activities Figure 8 – Auditor

competence

ISO 19011 can be used

to conduct audits on

either an environmental

management system or

a quality management

system separately, or to

conduct combined audits

on both systems


Knowledge and skills specific toquality management system auditorsare those related to:

– quality-related methods and tech-niques, and

– products, including services andoperational processes.

Specific to environmental manage-ment system auditors are:

– environmental management meth-ods and techniques;

– environmental science and tech-nology, and

– technical and environmentalaspects of ope-rations.

As far as auditteam leaders areconcerned, ISO19011 states thatthey should havethe knowledgeand leadershipskills necessaryto enable theteam to conductthe audit efficiently and effectively.

In addition to the above, the audi-tor should posses a number of per-sonal attributes that contribute to the

successful performance of audits.According to ISO 19011, an auditorshould be ethical, open minded,diplomatic, observant, perceptive,versatile, tenacious, decisive and self-reliant.

The necessary knowledge andskills and the personal attributes toapply them effectively can beacquired by an appropriate combina-tion of education, work experience,auditor training and audit experi-ence. In ISO 10011-2 and ISO 14012,these “building blocks” are quanti-fied by, for example, specifying theminimum level of education, the nec-essary number of years’ work experi-

ence and the min-imum amount ofaudit experience.

The authors ofISO 19011, how-ever, consideredit not appropriateto set generic r e c o m m e n d e dlevels that shouldapply to all audi-tors in all auditsituations. It was

acknowledged that the appropriatelevels will vary according to such fac-tors as the size, nature and complexi-ty of the organization to be auditedand the objectives and extent of theaudit programme.

It is up to the organization todefine the appropriate levels.Therefore, ISO 19011 clearlydescribes an auditor evaluationprocess that includes the setting oflevels of knowledge and skills thatare needed and the education, audi-tor training and work and audit expe-rience necessary to acquire them.

Auditor evaluation

The evaluation of auditors occursat different stages:

– an initial evaluation of personswho wish to become auditors with-in the framework of an audit pro-gramme (for example, the internalaudit programme of a company, or

ISO 19011 represents a first

collaborative effort between

two ISO ‘communities’ –

quality and the environment –

with their own history, culture

and ways of interacting


Figure 9 – Stages of auditorevaluation


the external audit programmes of aregistration/certification organiza-tion);

– the evaluation of auditors as partof the selection of an audit team toconduct a specific audit within theaudit programme, or

– the on-going evaluation of auditorperformance in the audit pro-gramme to identify, for example,training needs to maintain andimprove the necessary knowledgeand skills.

These stages are represented inFigure 9 on the preceding page.

In each case, the evaluationprocess involves the following steps:

1. identification of the types and lev-els of knowledge and skills neces-sary to meet the needs;

2. setting of indicators of education,work experience, auditor trainingand audit experience to acquire thelevels identified in step 1;

3. selection of the appropriatemethod to evaluate whether theindicators identified in step 2 aresatisfied, and

4. completion of the evaluation bycomparing the results for a per-son/auditor (by application of theselected method) against the indi-cators identi-fied in step 2.

On comple-tion of this pro-cess, persons/auditors identi-fied as notmeeting the cri-teria may needfurther educa-tion, training and/or experience.

The necessary knowledge andskills can vary for each stage. Forexample, a person may qualify as anauditor in the internal audit pro-gramme of a chemical company, butnot qualify as member of a team to

conduct a specific audit in a businessunit with special hi-tech processes,unless supported by appropriate

technical expert-ise.

As mention-ed above, therequired knowl-edge and skillswill vary foreach organiza-tion having theneed to conductaudits and, as ac o n s e q u e n c e ,the necessary

education, auditor training and workand audit experience to acquire thecompetence will vary as well.However, ISO 19011 includes a tableillustrating indicators of these“building blocks of competence”


ISO 19011 includes a table

illustrating indicators of the

‘building blocks of competence’

which are typical for auditors

conducting certification audits

Figure 10 – Auditor evaluation process

Example of internal audit programme


which are typical for auditors con-ducting certification audits, or auditsof similar complexity. ISO 19011 alsoincludes a table with examples of theapplication of the auditor evaluationprocess in an internal audit pro-gramme.

Figure 10 on thepreceding page rep-resents the auditorevaluation process,as well as givingsome examples of itsapplication in aninternal audit pro-gramme.

Conclusion

After three Committee Drafts,ISO/DIS 19011 has clearly emergedas close to the final version of theISO standard on management systemauditing. The project is runningsmoothly and swiftly: from start tofinish, it will take less than four years.On the one hand, it can be arguedthat good starting material was avail-able, but, on the other hand, ISO

19011 represents a first collaborativeeffort between two ISO “communi-ties” – quality and the environment –with their own history, culture andways of interacting.

Regarding this last point, thespirit of cooperationand teamwork in theJoint Working Groupis remarkable and,after seven meet-ings, it is hard to tellwhich member origi-nates from the qual-ity or environmentalside. At the lastmeeting in Sydney,the JWG members

were compared with the Australianplatypus – a perfect combination oftwo rather distinct animals!

Quality and the environment aregood partners and ISO 19011 is per-haps only the first project in a newseries of ISO standards. The cata-logue number ISO 19001 is stillavailable for an ambitious newproject...

Quality

and the environment are

good partners and

ISO 19011 is perhaps only

the first project in a new

series of ISO standards


The Joint Working Group of TC 176 and TC 207 experts which developed ISO 19011 has been compared with the Australian platypus –

a perfect combination of two rather distinct animals!

Auditing ISO

Documents

Transcript of Auditing ISO