ISO 19011 revision - Your thoughts


Sidney Vianna

Post Responsibly
Staff member
Admin
#42
Re: ISO 19011 revision - Cairo TC 207 meeting - Your thoughts - June 2009

It looks like Paul Simpson is the author - one of our Cove friends... :bigwave:
Indeed.

The following excerpt of the article caught my attention:
Risk-based auditing will be acknowledged for the first time in the revision. While the topic is not dealt with as a separate issue the standard emphasizes the need to assess what an organization does and, by extension the significant risks associated with its activities in developing an audit programme, audit plans and in selecting competent auditors.
In the Aerospace ICOP Scheme, the new AS9101 D standard also drives the need for "risk-based" audits. Apparently, the ISO TC's are catching up with the business world and awakening to the fact that audits, just like everything else a business does, must add value. "Risk based" auditing is definitely something not comprehensible by auditorsaurus-rex.
 
#43
Re: ISO 19011 revision - Cairo TC 207 meeting - Your thoughts - June 2009

Indeed.

The following excerpt of the article caught my attention:
In the Aerospace ICOP Scheme, the new AS9101 D standard also drives the need for "risk-based" audits. Apparently, the ISO TC's are catching up with the business world and awakening to the fact that audits, just like everything else a business does, must add value. "Risk based" auditing is definitely something not comprehensible by auditorsaurus-rex.
Agreed, Sidney. This surely points to a void in the ISO 19011 requirements for audit program management? The current version is really too aligned with external audit process, which happens to a fairly fixed calendar of events. An internal audit program needs to be very much more dynamic in nature and, for example, forces organizations to get away from the 'element a month' or 'we audit twice a year' approach which may have some CBs fooled, but doesn't do anything for customer, management and the bottom line...
 

Sidney Vianna

Post Responsibly
Staff member
Admin
#44
Re: ISO 19011 revision - Cairo TC 207 meeting - Your thoughts - June 2009

Agreed, Sidney. This surely points to a void in the ISO 19011 requirements for audit program management? The current version is really too aligned with external audit process, which happens to a fairly fixed calendar of events. An internal audit program needs to be very much more dynamic in nature and, for example, forces organizations to get away from the 'element a month' or 'we audit twice a year' approach which may have some CBs fooled, but doesn't do anything for customer, management and the bottom line...
Yes, Andy. Let's remember that the US version of ISO 19011 is customized to address the specifics of 1st and 2nd party auditing as well. But two things I would like to point out:

When ISO 9001 requires (not a suggestion; not a guidance) that internal audits are scheduled based on status and importance of the processes and areas to be audited, it basically says, without using the word risk, audits should be scheduled based on a (informal) risk assessment. The vast majority of organizations out there fail to comply with that requirement and most (internal and external) auditors fail to point that out.

Nothing prohibits/prevents progressive registrants and registrars to develop a surveillance and re-certification process that also allows risk assessment to be part of the planning/execution/reporting audit activities. Actually, some already offer that. Not always an easy sell; after all, not too many registrants are comfortable enough with discussing areas of higher risk with external auditors, but for those enlightened organizations that are mature enough to understand the potential benefits of identifying process weaknesses and gaps in high risk areas, they welcome healthy scrutiny by outside parties. After all, the goal should be a robust system. Only when you identify weaknesses, you can correct them. Flying blind is not a bliss.
 

Paul Simpson

Trusted Information Resource
#45
Re: ISO 19011 revision - Cairo TC 207 meeting - Your thoughts - June 2009

Yes, Andy. Let's remember that the US version of ISO 19011 is customized to address the specifics of 1st and 2nd party auditing as well. But two things I would like to point out:
Now I would have thought that any standard offering to provide guidance for auditing should provide general guidance that applies for any type of audit. Don't you think? From what I understand even some 3rd party auditors get some benefit from 19011. :D

When ISO 9001 requires (not a suggestion; not a guidance) that internal audits are scheduled based on status and importance of the processes and areas to be audited, it basically says, without using the word risk, audits should be scheduled based on a (informal) risk assessment. The vast majority of organizations out there fail to comply with that requirement and most (internal and external) auditors fail to point that out.
You are exactly right, Sidney. It is both a requirement of any management system standard worth its salt and intuitive that you would ensure your audits focus on areas of importance (risk) to the business. Hence all the revised version of 19011 has to do is simply refer to this concept.

Nothing prohibits/prevents progressive registrants and registrars to develop a surveillance and re-certification process that also allows risk assessment to be part of the planning/execution/reporting audit activities. Actually, some already offer that. Not always an easy sell; after all, not too many registrants are comfortable enough with discussing areas of higher risk with external auditors, but for those enlightened organizations that are mature enough to understand the potential benefits of identifying process weaknesses and gaps in high risk areas, they welcome healthy scrutiny by outside parties. After all, the goal should be a robust system. Only when you identify weaknesses, you can correct them. Flying blind is not a bliss.
Very true again, Sidney. In fact I remember seeing on the Cove examples where certification body representatives took every opportunity to latch onto posts and promote this as being the approach of their registrar. It could never happen here! :notme:
 
#46
Re: ISO 19011 revision - Cairo TC 207 meeting - Your thoughts - June 2009

I am going to a little off-topic issue. Sorry for this and my sincere thanks to friends as many useful thoughts are posted so far.

:topic:
Is the TC considering anything on the amount of audit notes to be generated during an audit? Over a period of time it has become a practice with many auditors and some CBs too to create more audit notes. Sometimes these auditors take more than 70% of on-site audit time for making audit notes. In the process their handwriting improves but the amount of verification gets affected. There are reasons for this. These CBs use administrators to review the audit report package and these reviewers consider the quality of the audit report package by volume. So if the auditor can generate a big volume of audit notes, the auditor feels confident to pass through the review process.
TC should consider this issue and make it clear for third party auditors about the extent of audit notes requirements.

Also request TC 207 to consider carbon footprint for each extra page used for audit notes. Let us contribute in saving the earth. :tg:
 

Sidney Vianna

Post Responsibly
Staff member
Admin
#49
A couple of interesting aspects from the new ISO 19011 document:

The second edition of ISO/IEC 17021, published in 2011, was extended to transform the guidance offered in this International Standard into requirements for management system certification audits. It is in this context that this second edition of this International Standard provides guidance for all users, including small and medium-sized organizations, and concentrates on what are commonly termed “internal audits” (first party) and “audits conducted by customers on their suppliers” (second party). While those involved in management system certification audits follow the requirements of ISO/IEC 17021:2011, they might also find the guidance in this International Standard useful.
This International Standard introduces the concept of risk to management systems auditing. The approach adopted relates both to the risk of the audit process not achieving its objectives and to the potential of the audit to interfere with the auditee’s activities and processes. It does not provide specific guidance on the organization’s risk management process, but recognizes that organizations can focus audit effort on matters of significance to the management system.
 

Sidney Vianna

Post Responsibly
Staff member
Admin
#50
http://www.iso.org/iso/pressrelease.htm?refid=Ref1492

ISO has just published an updated edition of the ISO 19011 auditing standard which will save money, time and resources by providing a uniform approach to multiple management system audits.

In today’s business environment, many organizations incorporate a number of management systems, such as quality, environmental, IT services and information security. As a result, these organizations want to harmonize and, where possible, combine the auditing of these systems.

Compared to the first edition of the standard published in 2002 which applied only to ISO 9001 (quality) and ISO 14001 (environment), the scope of ISO 19011:2011, Guidelines for auditing management systems, has been expanded to reflect current thinking and the complexities of auditing multiple management system standards (MSS).

It will help user organizations to optimize and facilitate the integration of their management systems and, in facilitating a single audit of its systems, will streamline the audit processes, reduce duplication of effort and decrease disruption of work units being audited.

Specific attention is given to the implementation of the audit programme. By fully applying these guidelines, the prerequisites are provided to make auditing a crucial tool for top management to achieve the objectives of the organization.

ISO 19011:2011 provides guidance on the conduct of internal or external management system audits, as well as on the management of audit programmes. Intended users of this International Standard include auditors, audit team leaders, audit programme managers, organizations implementing management systems, and organizations needing to conduct audits of management systems for contractual or regulatory reasons.

Alister Dalrymple, Convenor of the team that updated the guidelines, described the benefits which the new standard is expected to bring to users and the improvements made compared to the 2002 edition it replaces:

“ISO 19011:2011 has been revised to provide auditors, organizations implementing management systems and organizations needing to conduct audits of management systems an opportunity to re-assess their own practices and identify improvement opportunities.

“Compared to the 2002 version, the standard adds the concept of risk and recognizes more explicitly the competence of the audit team and individual auditors. Also, the use of technology in remote auditing is acknowledged, for example, conducting remote interviews and reviewing records remotely.”

Another improvement is the clarification of the relationship between ISO 19011:2011 and ISO/IEC 17021:2011, Conformity assessment – Requirements for bodies providing audit and certification of management systems. While those involved in management system certification audits follow the requirements of ISO/IEC 17021:2011, they might also find the guidance in this International Standard useful.

ISO 19011:2011, Guidelines for auditing management systems, was developed by ISO technical committee ISO/TC 176, Quality management and quality assurance, subcommittee SC 3, Supporting technologies. It is available from ISO national member institutes (see the complete list with contact details). It may also be obtained directly from the ISO Central Secretariat, price 142 Swiss francs, through the ISO Store or by contacting the Marketing, Communication & Information department
 