ISO 19011 - 2018 Basics (8 Free Management System Audit Checklists) - Process Street - Checklist, Workflow and SOP Software

6/22/23, 9:23 AM ISO 19011:2018 Basics (8 Free Management System Audit Checklists) | Process Street | Checklist, Workflow and
flow and SOP Softw…
ISO 19011:2018 Basics (8 Free

Management System Audit
Checklists)
Oliver Peterson Business Processes, Checklists, ISO,
July 12, 2019 Processes, Quality Control
What exactly is an “audit“?
The International Organization for Standardization defines it as:
“[the] systematic, independent and documented process for obtaining

objective evidence and evaluating it objectively to determine the extent to
which the audit criteria are fulfilled.” – ISO, from ISO 19011:2018 – Guidelines
for Auditing Management Systems
https://www.process.st/iso-19011/ 1/34
6/22/23, 9:23 AM ISO 19011:2018 Basics (8 Free Management System Audit Checklists) | Process Street | Checklist, Workflow and SOP Softw…
That’s another way of saying someone takes a look at what you’re doing, gathers
some evidence, and compares that evidence to what you’re supposed to be
doing (in other words, a set of clearly documented requirements).
In the case of ISO, these requirements are known as standards. ISO 9001 is a
standard. ISO 14001 is a standard.
Importantly, this understanding of audit implies that there are a few main things
being considered by the auditor:
What’s documented by the company (e.g. internal processes, policies, and

SOPs)
Evidence gathered to support how these policies, procedures, and SOPs are
implemented in practice
The requirements defined by the ISO standard being audited against (e.g. ISO
9001)
Audits performed by companies to assess and analyze their own management

systems are known as internal audits. Many resources for guiding companies on
how to perform internal audits exist, and foremost of these is the ISO 19011
standard.
For most management system standards, internal audits are an important

requirement. Even guideline standards like ISO 26000 for social responsibility
depend on reports to evidence the success of their implementations.
As such, ISO 19011 defines a set of guidelines; a framework for companies to

plan, implement, and improve upon their audit programs, for auditing the
implementation of management systems.
Since the first edition of ISO 19011 was published in 2002, many new
management system standards have been published.
These standards often share a common structure, including certain requirements,

terms, and definitions being used. That means ISO 19011 can be used to devise
highly economic audit programs, wherein knowledge and processes can be

shared and applied across various management systems.
By considering how they might take a broader approach to management system

auditing and integration, companies implementing ISO management systems
stand to save time, money, and confusion when preparing for and implementing
internal audits.
The goal of this post is to provide a spring-board for understanding ISO 19011,
and how to get started with internal ISO auditing. In this post, I’ll cover:
What is ISO 19011

7 principles of ISO auditing
Different types of ISO audit
Key elements of an ISO audit
8 free ISO audit templates
If you just want the free ISO audit templates, then here they are:
ISO 19011:2018 Checklist for Auditing Management Systems

ISO 9001:2015 Audit Checklist for Quality Management Systems
ISO 26000:2010 Social Responsibility Performance Assessment Checklist
ISO 45001:2018 Occupational Health and Safety (OHS) Audit Checklist
ISO 27001:2013 Information Security Management System (ISO 27K ISMS)
Audit Checklist
ISO 14001 Environmental Management Self Audit Checklist
ISO 9004:2018 for Sustainable Success in QMS Self Audit Checklist
ISO 9001 and ISO 14001 Integrated Management System (IMS) Checklist
So, let’s start by trying to understand a few things about the standard for auditing
management systems: ISO 19011.
What is ISO 19011?
ISO 19011 is a set of guidelines for auditing management systems.
It is not a set of requirements. You can’t get “ISO 19011 certified”.
It’s sort of like a meta-standard designed to inform companies how to prepare

audit programs for auditing their management systems (quality management
systems, environmental management systems, risk management systems, et
cetera).
As of writing, the most recent revision, ISO 19011:2018 (Guidelines for auditing
management systems), was published in July 2018 in response to demand for
guidance on combined management system audits.
ISO 19011 has three important sections concerning auditing management
systems:
How to manage an audit program

The 7 principles of auditing
Approaches for evaluating the competence of auditors
There’s also a big focus on applying principles of continuous improvement to an

audit program.
One of the main tenets of such an approach is making sure that the objectives of
the audit program are well-aligned with the main business objectives of the
organization, and that the needs and best-interests of customers and other
stakeholders are prioritized.
An area of increasing importance in the auditing of management systems is the

principle of risk management.
Management System Standard (MSS)
The management system standard (MSS) refers to the shared structure that ISO
management systems use to make it easier for organizations to integrate
multiple management systems by re-using knowledge and steps required for
implementation.
An example of this type of standard is Annex L (previously known as Annex SL).
Annex L
Annex L is a high-level structure (HLS) designed to streamline the creation,

maintenance, and improvement of management systems.
Based on a core structure of ten clauses, Annex L is shared by many ISO

management system standards, such as ISO 9001:2015, ISO 14001:2015, and
ISO 45001:2018.
It replaces ISO’s previous Guide 83 standard, which provided base structure and
format for management system standards.
7 principles of ISO auditing
ISO 19011 defines 7 key principles that help to ensure audits are effective and
reliable tools, supporting the management systems they are auditing by
providing actionable information that organizations can use to improve
performance.
These principles are designed to enable auditors working independently from

one another to reach similar conclusions in similar circumstances.
They also form the basis for the guidance outlined in the three key elements of
an ISO audit that appear later on in this article (and in ISO 19011, clauses 5 to 7).
Integrity: The foundation of professionalism
Auditors and audit programme managers should perform their work ethically, in
an honest and responsible manner, and using their best judgement should:
Undertake audit activities only if competent to do so

Perform work in a fair and unbiased manner
Remain sensitive to influences exerted upon their judgement while carrying
out audits
Fair presentation: the obligation to report truthfully and accurately
All audit findings, including documented evidence, conclusions and written

reports should reflect truthfully and accurately the activities of the audit.
This includes any obstacles, disagreements with other auditors, or difficulties

faced during the audit. Everything must be adequately documented.
It goes without saying that all communication, not just documented and
reported information, should be truthful, timely, rational, clear, and complete.
Due professional care: Diligence and judgement in auditing
Auditors should exercise due professional care in all tasks performed during the
audit, in accordance with the confidence placed in them by the auditee and in
recognition of the importance of the task they are performing.
One of the most important requirements of this principle is that auditors have
the ability to make reasoned judgements in all situations during the audit.
Confidentiality: Security of information
Auditors should respect the confidentiality of all information they’re dealing with
throughout the audit.
This means exercising due diligence in making sure all information acquired
during the course of their duties as auditors is respected and adequately
protected.
Making sure information is secure includes taking special precautions where

necessary, such as handling sensitive or confidential information.
Independence: Audit impartiality and objectivity
Audits, by nature, should be independent of the activity being audited, to the

furthest extent possible. They should not interfere with the activity, nor should
they hold any bias or conflict of interest.
If possible, internal audits should preferably be independent from the function

being audited.
Key to all audits is the pursuit of objectivity via rational process, to make sure all
findings and results from the audit are based only on audit evidence.
Smaller organizations may find it difficult to enlist truly independent auditors; as

such every effort should be made to eliminate bias and encourage the pursuit of
rational objectivity.
Evidence-based approach: Rational, reliable, reproducible results
Evidence is one of the pillars of a successful audit, and the foundation of rational,
reliable, reproducible results.
Audit evidence should be based on samples of available information, in

acknowledgement of the fact that audits are conducted within limited periods of
time, with limited resources.
Collection of audit evidence is based on a formalized process known as audit

sampling.
Audit sampling typically involves the following steps:
Setting clear sampling objectives

Determining how much of, and what will be sampled
Selecting a sampling method
Deciding on a sample size

Carrying out the sampling
Documenting and reporting all results
Further details of various audit sampling processes are expanded in annex A.6 of
ISO 19011:2018.
Risk-based approach: Considering risks and opportunities
Risk management is a substantial factor when planning for, conducting, and

documenting an audit.
The goal of a risk-based approach is simply to orient the audits more clearly
towards matters that are important for audit clients and the achievement of
audit objectives.
Different types of ISO audit
ISO 19011 is a standard designed to help companies perform audits.
When it comes to ISO standards, there are two main different types of audit:
Internal audits (first-party)

External audits (second-party and third-party)
ISO 19011 specializes in first and second-party audits, and is designed for use by
audit teams of all types and sizes, from single auditors to larger teams suited for
full-scale enterprise audits.
Remember that ISO 19011 is a set of guidelines; it’s not a complete set of
requirements that needs to be followed step-by-step. The guidance offered by
ISO 19011 should be adopted as appropriate to suit the specific needs and
requirements of the audit programme in question.
ISO 19011 can also be used as additional guidance for third-party audits, but the
specific requirements for auditing management systems are set out in ISO/IEC
17021-1; these requirements are for use by certified lead auditors or registered
bodies when carrying out certification audits.
Below you can find a quick breakdown of each type of audit.
First-party
This is simply an internal audit.
Internal audits are conducted by (or on behalf of) the organization itself. These
audits are typically in the context of assessing conformity, evaluating
effectiveness, identifying areas that could be improved, or as requirements for
certain ISO standards specifying that internal audits need to be carried out.
First-party audits may also be done as a preparation for a 3rd party audit;
however, first party audits can never result in an ISO certification.
Second-party
External audits encompass both second and third-party audits.
Second-party audits are conducted by, or at the request of relevant interested

parties outside of the organization, like customers or contracted organizations on
behalf of a customer.
For example, a client and vendor have a contract, and goods or services are being
exchanged. Typically, second-party audits will be more formal than first-party,
because they will influence the relations with customers or other relevant
interested parties.
Third-party
Third party audits are done by independent organizations that have no vested or
conflict of interest in the organization being audited, like those that provide
certification, or government agencies.
Independence of the audit organization is one of the defining factors of a third-

party audit.
Customers can also request third-party audits, and this will usually be in order to
verify you conform to some specific requirements.
Only third-party audits can be used to get ISO certified. Third-party audits may
also result in other types of registration, recognition, or licensing.
Equally, failing a third-party audit might also result in a fine or citation.
Key elements of an ISO audit
Generally speaking, an ISO audit will consist of the following key elements, or
stages:
Audit management
Audit preparation
Audit process
Gathering evidence
Evaluation of audit evidence against audit criteria
Closing the audit
Following up
Competence and evaluation of auditors
Each of these stages will involve various sub-tasks and requirements, depending
on the specific standard being audited to.
Since ISO 19011 is a standard providing guidelines for auditing management

systems, it is structured in a way that deals with preparing for and conducting the
audit, but also covers how organizations might evaluate the competence and
selection of the actual auditors.
It’s worth noting that ISO 19011 cannot be “audited” against; rather it is a standard
that defines guidelines for organizations to structure their audits.
So basically, ISO 19011 is a set of guidelines for auditing other ISO management
systems against their respective management system standards.
Nonetheless, ISO 19011 offers invaluable information on how to approach an

audit of any ISO management system standard.
Remember that an audit implies comparison against a set of requirements. For

ISO audits, the set of requirements is whatever standard is being audited to.
Let’s take the example of a quality management system. In this case, the
requirements would be a standard of the ISO 9000 family; say, ISO 9001:2015.
So, how would an organization’s QMS be audited to the requirements of ISO

9001:2015?
In simple terms, the auditor would have to look at two things:
How the QMS is documented

How the evidence gathered compares with the requirements of ISO
9001:2015
Based on this information, the auditor will then be able to determine

conformities and nonconformities, and offer suggestions to the auditee about
how they can improve their QMS.
Below, I’ll outline the three core elements set out in ISO 19011 for approaching an
ISO audit.
Audit management
Audit management starts with the establishment of an audit programme. The

purpose of the audit programme is to oversee the whole audit process, including
planning and scope, which includes determining which management system (or
systems) will be audited, and the specific requirements.
The full scope of the audit system will also depend on the size of the auditee
(company being audited), as well as the nature and complexity of the
management system being audited.
During this stage, audit planning and preparations are made, including review of
all available documented information for the management system being
audited, and establishment of clear audit objectives and criteria.
Work done under the banner of “audit management” goes on to inform and
direct the actions of the auditors during the main audit process.
An important part of audit management is making sure the entire audit party has
adequately reviewed all documented information for the management system
being audited.
Audit process
“Audit process” might be a bit vague, but it basically means everything that goes
into actually conducting the audit, starting from making contact with the auditee
to prepare or request any documented information, and ending with conducting
closing meetings and distributing the completed audit report.
One of the first things to be done is to determine audit feasibility.
Working from the audit objectives established during the planning stage of audit
management, this basically asks “can we (the auditor) achieve the audit
objectives, based on time, resources, information, and cooperation with the
auditee?”.
The audit process also involves preparing a complete audit plan, preparing
additional documented information for the audit (like reference standards and
documents to bring with you during on-site evidence collection), preparing for
and conducting opening meetings, collecting audit evidence, evaluating evidence
against audit criteria, and preparing the final audit report.
There’s a lot that goes into the main audit process; the above points are just a
brief summary of key steps. The complete process, start-to-finish, is outlined in
the free ISO 19011:2018 template that appears later on in the article.
Competence and evaluation of auditors
The final component of the ISO 19011 standard is aimed at providing general
guidelines for making sure the auditors are competent to do their job.
Ideally, competence should be evaluated on a regular basis using a process that

takes into account the behaviour and knowledge of each auditor.
Such a process should also consider the specific needs, objectives, and
considerations of the audit program in question.
As with all ISO standards, requirements and guidelines alike, the whole process
of evaluating auditor competence should be adequately documented, in order to
maintain consistency, and ensure fair and reliable results.
The process for evaluating auditor competence has four main steps:
Determine the level of competence required for the job

Establish some criteria for evaluating competence
Choose a method for evaluating competence
Conduct the evaluation
Following the evaluation, the results will contribute to the ongoing performance
evaluation of the auditors, and can be used to inform the following decisions:
Selecting the audit team
Determining whether there is a need for improved competence (e.g. more

training)
Competence and evaluation of auditors also feeds back into and supports the
principle of continuous improvement, allowing an audit team to maintain and
improve competence via recurring participation in audits.
For a specific process for evaluating auditors and audit team leaders, see clauses
7.3, 7.4, and 7.5 of ISO 19011:2018; for individuals responsible for managing the
audit programme (not necessarily themselves auditors), see clause 5.4.2.
8 free ISO audit templates

What better way to get started with internal ISO audits than with a pre-made
template to guide you through the process?
Below you’ll find 8 custom-built templates for performing ISO audits (or reviews,
where the standard doesn’t specify requirements).
To use these templates, you’ll need a Process Street account. It’s free, and takes
about 2 minutes to sign up. You can do that here.
ISO 19011:2018 Checklist for Auditing Management Systems
To begin with the namesake of this article, ISO 19011 doesn’t specify
requirements, but a set of guidelines for approaching ISO audits of management
systems.
This checklist can however be used to guide you through the internal audit
process for any ISO management system. That includes, but isn’t limited to:
ISO 9001:2015 for quality management systems

ISO 14001:2015 for environmental management systems
ISO 45001:2018 for occupational health and safety management systems
ISO 27001:2013 for information security management systems
Click here to get the ISO 19011:2018 Checklist for Auditing Management
Systems.
Share   Edit
 Back to templates
ISO 19011 Management Systems Audit Checklist

Run this checklist to prepare for and run an audit programme against any management
system, using the guidelines set out in ISO 19011:2018 for auditing management systems.
1 Introduction:
2 Enter basic details
3 Managing the audit (programme preparation):
4 Establish competence of audit programme managers
5 Establish context of the audit programme
6 Establish objectives of the audit programme
7 Determine risks and opportunities of the audit programme
ISO 9001:2015 Internal Audit Checklist for Quality Management Systems
Perhaps one of ISO’s most popular standards, ISO 9001 defines the
requirements for implementing, maintaining, and optimizing a quality
management system.
Organizations value ISO 9001 because it allows them to demonstrate to their

stakeholders that they can consistently deliver products and services that meet
specific customer and regulatory requirements.
Click here to get the ISO 9001:2015 Audit Checklist for Quality Management
Systems.
Share   Edit
ISO 9001 Internal Audit Checklist for Quality Management

Systems
Run this checklist to perform an internal audit on a quality management system (QMS) against
the ISO 9001:2015 requirements.
1 Introduction:
3 Preparing for the audit:
4 Establish context of the audit
5 Establish objectives of the audit
6 Establish scope of the audit
E t bli h it i f th dit
ISO 26000:2010 Social Responsibility Performance Assessment Checklist
ISO 26000 is a standard that outlines a set of guiding principles for corporate
social responsibility.
Just like ISO 19011, ISO 26000 is a set of guidelines, as opposed to

requirements. ISO 26000 is voluntary and as such can not be certified to.
Rather, organizations seeking to implement ISO 26000 will benefit from (and
sometimes require) performance assessments to determine their success in
understanding and clearly defining what social responsibility means to them.
This checklist provides guidelines to assist with the deployment of best practice
principles and actionable solutions for organizations that are trying to implement
ISO 26000:2010.
Click here to get the ISO 26000:2010 Social Responsibility Performance

Assessment Checklist.
Share   Edit
ISO 26000 Social Responsibility Performance Assessment

Checklist
Run this checklist to assess your organization's performance according to the social
responsibility guidelines set out by ISO 26000:2010.
1 Introduction:
3 Preparation:
4 Determine context of the assessment
5 Determine assessment objectives
6 Determine scope of the assessment
M k t ith li t
ISO 45001:2018 Occupational Health and Safety (OHS) Audit Checklist
ISO 45001 is designed to help organizations to improve employee safety, reduce

workplace risks and create better, safer working conditions.
Sharing the core structure of other management system standards like ISO
14001 and ISO 9001, it also takes into account other International Standards in
this area such as:
OHSAS 18001
International Labour Organization’s ILO-OSH Guidelines
ILO’s international labour standards and conventions
Various other (inter)national standards
This checklist will simplify the audit process for you, saving you time and effort
by eliminating manual tasks and utilizing Process Street features like conditional
logic and role assignments to automate recurring tasks and make your life easier.
Click here to get the ISO 45001:2018 Occupational Health and Safety (OHS)
Audit Checklist.
Share   Edit
ISO 45001 Occupational Health and Safety (OHS) Audit

Checklist
Run this checklist to perform an internal audit on an organization's occupational health and
safety (OHS) management system against the ISO 45001:2018 requirements.
1 Introduction:
4 Establish context of the OHSMS audit
5 Establish objectives of the OHSMS audit
6 Establish scope of the OHSMS audit
E t bli h it i f th OHSMS dit
ISO 27001:2013 Information Security Management System (ISO 27K ISMS)

Audit Checklist
Internal audits are crucial requirements for information security management

systems (ISMS) following the ISO IEC 27001:2013 (ISO 27001) standard.
They are also some of the most challenging requirements to successfully meet,
especially for smaller organizations.
As such, the importance of a solid, reliable process is paramount. This checklist

will guide you through the internal audit process from start to finish.
Click here to get the ISO 27001:2013 Information Security Management System
(ISO 27K ISMS) Audit Checklist.
Share   Edit
ISO 27001 Information Security Management System (ISO27K

ISMS) Audit Checklist
Run this checklist to perform an internal audit on an organization's information security
management system (ISMS) against the ISO 27001:2013 requirements.
1 Introduction:
4 Establish context of the ISMS audit
5 Establish objectives of the ISMS audit
6 Determine ISMS audit scope
E t bli h it i f th ISMS dit
ISO 14001:2015 Environmental Management Self Audit Checklist
Similar in scope to the ISO 9001 internal audit checklist for quality management
systems, this template is designed for companies wanting to perform a self-
audits to ensure compliance with ISO 14001 standards for their EMS.
If you’re already familiar with ISO 9001 or any similar ISO management system
standards, this one should look very familiar, and this checklist will help guide
you through the process.
Click here to get the ISO 14001:2015 Environmental Management Self Audit
Checklist.
Share   Edit
ISO 14001 Environmental Management Self Audit Checklist

Run this checklist to perform an internal audit on an environmental management system (EMS)
against the requirements set out in ISO 14001:2015.
1 Introduction:
2 Enter checklist details
3 Scope:
4 Assess EMS scope
5 Environmental policy:
6 Assess if environmental policy is adequately defined
7 Plan:
ISO 9004:2018 Guidelines for Sustainable Success (Quality Management)

Self Audit Checklist
ISO 9004 is a set of guidelines designed to help organizations achieve sustained

success, consistent with the principles and requirements for a quality
management system outlined in ISO 9001:2015.
This internal audit checklist will run you through the entire process of examining
your organization against the guidelines defined in the standard.
Click here to get the ISO 9004:2018 for Sustainable Success in QMS Self Audit
Checklist.
Share   Edit
ISO 9004:2018 Self-Audit Checklist

Run this checklist to perform an internal audit using guidelines set out in the ISO 9004:2018
standard for achieving sustained success, consistent with principles of quality management
outlined in ISO 9001:2015.
1 Introduction:
2 Enter checklist details
3 Run the Self-Audit:
4 Relevant interested parties
5 External and internal issues
6 Mission, vision, values and culture
L d hi G l
ISO 9001:2015 and ISO 14001:2015 Integrated Management System (IMS)

Checklist
Integrating multiple management system standards that share the same or

similar structure can save you time and effort in the long run.
For example, perhaps you already have a quality management system based on
ISO 9001, and you want to integrate it together with a new environmental
management system based on the ISO 14001 requirements.
Or perhaps it’s the other way around, and you’re looking to integrate the
principles of a QMS alongside an existing environmental management system.
Either way, this checklist will guide you through the whole process, and save you
tons of effort in the long run.
Click here to get the ISO 9001 and ISO 14001 Integrated Management System
(IMS) Checklist.
Share   Edit
ISO 9001 and ISO 14001 Integrated Management System

(IMS) Checklist
Run this checklist to integrate your ISO 9001 QMS with your ISO 14001 EMS.
1 Introduction:
2 Gather basic details
3 Plan:
4 Develop a project plan
5 Define the scope of the IMS
6 Determine common ground
7 Approval:
More ISO resources

We’ve done a lot of writing on ISO standards; check out these other Process
Street articles if you’d like to look further:
What is Quality Management? The Definitive QMS Guide (Free ISO 9001
Template)
What is ISO 9001 Certification? How to Get Certified (For Beginners)
Agile ISO: How to Combine Compliance with Rapid Process Improvement
Processes, Policies and Procedures: Important Distinctions to Systemize Your
Business
What is an ISO Audit? Free ISO 9000 Self-Audit Checklist (ISO 9004:2018)
How to Write an Actionable Policy and Procedure Template (ISO Compliant!)
20 Free SOP Templates to Make Recording Processes Quick and Painless

ISO 26000 for Corporate Social Responsibility: How to Get Started
Confused about ISO management system audits? Maybe there’s a specific

standard you’d like to know more about – let us know in the comments and we’ll
do our best to help you out.
Get our posts & product updates earlier by simply subscribing
Work email address
Subscribe
Oliver Peterson
Oliver Peterson is a content writer for Process Street with an
interest in systems and processes, attempting to use them as tools
for taking apart problems and gaining insight into building robust,
lasting solutions.
4 Comments
Zohaib Kazmi
June 22, 2020 at 4:20 am
Reply Very helpful content, I appreciate this efforts.
Adam Henshall
June 22, 2020 at 9:07 am
Reply Thanks Zohaib. Glad to hear you enjoyed it.
Patricia Sarah Vandy
July 9, 2020 at 12:57 pm
Reply needed for my studies
Adam Henshall
July 9, 2020 at 1:15 pm
Reply Glad to hear you’ve found this helpful, Patricia. If there’s anything else you think
would be useful, let us know and I’ll see whether we have any materials on it.
Cheers,
Adam
Leave a Reply
Your email address will not be published. Required fields are marked *
Comment *
Name *
Email *
Website
Save my name, email, and website in this browser for the next time I comment.
Post Comment
Take control of your workflows today
Get started
Contact Sales
PROCESS.ST USE CASES
Features Workflow software

Process AI BPM software
Pricing Onboarding software
Template library SOP software
Blog Approval software
Careers
TEAMS FOR CUSTOMERS
Customer success Enterprise solution
HR software Partners
Compliance software Help & API docs
IT workflow software Security & GDPR
Sales software Terms & Privacy
Sitemap
        

ISO 19011 - 2018 Basics (8 Free Management System Audit Checklists) - Process Street - Checklist, Workflow and SOP Software

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

ISO 19011 - 2018 Basics (8 Free Management System Audit Checklists) - Process Street - Checklist, Workflow and SOP Software

Uploaded by

Copyright:

Available Formats

6/22/23, 9:23 AM ISO 19011:2018 Basics (8 Free Management System Audit Checklists) | Process Street | Checklist, Workflow and

flow and SOP Softw…

ISO 19011:2018 Basics (8 Free

What exactly is an “audit“?

The International Organization for Standardization defines it as:

“[the] systematic, independent and documented process for obtaining

What’s documented by the company (e.g. internal processes, policies, and

Audits performed by companies to assess and analyze their own management

For most management system standards, internal audits are an important

As such, ISO 19011 defines a set of guidelines; a framework for companies to

These standards often share a common structure, including certain requirements,

highly economic audit programs, wherein knowledge and processes can be

By considering how they might take a broader approach to management system

What is ISO 19011

ISO 19011:2018 Checklist for Auditing Management Systems

What is ISO 19011?

ISO 19011 is a set of guidelines for auditing management systems.

It is not a set of requirements. You can’t get “ISO 19011 certified”.

It’s sort of like a meta-standard designed to inform companies how to prepare

How to manage an audit program

There’s also a big focus on applying principles of continuous improvement to an

An area of increasing importance in the auditing of management systems is the

Management System Standard (MSS)

An example of this type of standard is Annex L (previously known as Annex SL).

Annex L is a high-level structure (HLS) designed to streamline the creation,

Based on a core structure of ten clauses, Annex L is shared by many ISO

7 principles of ISO auditing

These principles are designed to enable auditors working independently from

Integrity: The foundation of professionalism

Undertake audit activities only if competent to do so

Fair presentation: the obligation to report truthfully and accurately

All audit findings, including documented evidence, conclusions and written

This includes any obstacles, disagreements with other auditors, or difficulties

Due professional care: Diligence and judgement in auditing

Confidentiality: Security of information

Making sure information is secure includes taking special precautions where

Independence: Audit impartiality and objectivity

Audits, by nature, should be independent of the activity being audited, to the

If possible, internal audits should preferably be independent from the function

Smaller organizations may find it difficult to enlist truly independent auditors; as

Evidence-based approach: Rational, reliable, reproducible results

Audit evidence should be based on samples of available information, in

Collection of audit evidence is based on a formalized process known as audit

Audit sampling typically involves the following steps:

Setting clear sampling objectives

Deciding on a sample size

Risk-based approach: Considering risks and opportunities

Risk management is a substantial factor when planning for, conducting, and

Different types of ISO audit

ISO 19011 is a standard designed to help companies perform audits.

Internal audits (first-party)

External audits (second-party and third-party)

Below you can find a quick breakdown of each type of audit.

This is simply an internal audit.

External audits encompass both second and third-party audits.

Second-party audits are conducted by, or at the request of relevant interested

Independence of the audit organization is one of the defining factors of a third-

Equally, failing a third-party audit might also result in a fine or citation.

Key elements of an ISO audit

Since ISO 19011 is a standard providing guidelines for auditing management

Nonetheless, ISO 19011 offers invaluable information on how to approach an

Remember that an audit implies comparison against a set of requirements. For

So, how would an organization’s QMS be audited to the requirements of ISO