SHAPING A WORLD OF TRUST

A GLOBAL LEADER IN TESTING,

INSPECTION & CERTIFICATION SERVICES
BVC Auditor transition to ISO 19011:2018
Standard

What has changed in ISO 19011:2018.?

Main Changes
 The main differences in the 3 rd edition as compared to the second edition:-
 Revision in definition of terms, addition of new terms & their definitions
 Addition of the risk-based approach to the principles of auditing (7 th principle)
 Expansion of the guidance on managing an audit programme, including audit
programme risk,
 Expansion of the guidance on conducting an audit, particularly the section on
audit planning
 Expansion for the generic competence requirements for the auditors
 Removal of the annex containing competency requirements for auditing specific
management system disciplines
 Expansion of annex A to provide guidance on auditing(new) concept such as
Organization context,, leadership and commitment, virtual audits, compliance
and supply chain

More details will be covered in each clause wise discussions ….

Instructions To The Learners
Dear All
This course is intended to give you an overview of the key
changes made in the ISO 19011:2018 Standard
This Learning Session should take approx. 4 - 6 hours of class
room learning (depending on the size of the class) and
equivalent hours of E learning for the qualified BVC Auditors
who have undergone one or more Lead Auditor training and
subsequent auditing experience
It is required that you possess a copy of the standard (both the
2011 and 2018 version) and keep it handy while undergoing
the learning process.
Annexures given in either of the versions of the standard are
not covered in this session and you are required to go through
them separately.
Wish you happy learning…!!!
CLAUSE 1. SCOPE

&

CLAUSE 2. NORMATIVE REFERENCE

Scope And Normative Reference
Revision in Scope & Normative Reference

ISO 19011:2018 ISO 19011:2011

 1 Scope ► 1 Scope

 This document provides guidance on auditing management ► This international standard provides guidance on auditing
systems, including the principles of auditing, managing an management systems, including the principles of auditing,
audit programme and conducting management system audits, conducting management system audits, as well as guidance on
as well as guidance on the evaluation of competence of the evaluation of competence of individuals involved in the audit
individuals involved in the audit process. These activities process, including the persons managing the audit programme,
include the individual(s) managing the audit programme, auditors and audit teams.
auditors and audit teams.
► It is applicable to all organizations that need to conduct internal or
 It is applicable to all organizations that need to plan and external audits of management systems or manage an audit
conduct internal or external audits of management systems or programme.
manage an audit programme.
► The application of this International Standard to other types of
 The application of this document to other types of audits is audits is possible, provided that special consideration is given to
possible, provided that special consideration is given to the the specific competence needed.
specific competence needed. ► 2 Normative references
 2 Normative references
► There are no normative references in this document.
 There are no normative references in this document.
CLAUSE 3

TERMS AND DEFINITIONS

 Revision In The Definition Of Terms
Main Changes
ISO 19011:2018 (Total 26 definitions) ISO 19011:2011 (Total 20 definitions)
requirement: mandatory need established.  Not provided
 process: is the set of related activities to achieve an established  Not provided
objective.
 Not provided
 efficacy: indicator used to measure whether the activities that have
been carried out have been useful or not
 combined audit: is the audit that occurs when more than one
 Not provided
management system is audited at the same time, but to only one  Not provided
organization.
 joint audit: occurs when two or more audit organizations work to
audit a single organization.
Revision In The Definition Of Terms

Main Changes

ISO 19011:2018 ISO 19011:2011

performance: measureable result. ► Not provided

objective evidence: data supporting the existence or verity of ► audit evidence: records, statement of facts, or other information
something. which are relevant to the audit criteria (3.2).
audit: systematic, independent and documented process for ► audit: systematic, independent and documented process for
obtaining objective evidence (3.8) and evaluating it objectively to obtaining audit evidence (3.3) and evaluating it objectively to
determine the extent to which the audit criteria (3.7) are fulfilled determine the extent to which the audit criteria (3.2) are fulfilled
audit criteria: set of requirements (3.23) used as a reference against
which objective evidence (3.8) is compared ► audit criteria: set of requirements (3.23) used as a reference
“audit evidence” replaced with “objective evidence” against which audit evidence (3.3) is compared
CLAUSE 4
PRINCIPLES OF
MANAGEMENT SYSTEM
AUDITING
 PRINCIPLES OF AUDITING
Main Changes
ISO 19011:2018 (7 principles) ISO 19011:2011 (6 principles)
 integrity . ► integrity .

 fair presentation ► fair presentation

 Due professional care ► Due professional care

 Confidentiality ► Confidentiality

 Independence ► Independence

 Evidence based approach ► Evidence based approach

 Risk based approach

Principles Of Auditing Risk Based Approach
Risk Based Approach
 Risk based approach requires the auditing organization and audit team to
determine and consider the risks and opportunities in the context of planning,
execution and reporting the audit results
 Focus on matters that are important to the organization and the audit
outcome
 Identify any associated risks that might have a negative impact on the audit
outcome and the organization.
 For example: operations is generally the most significant process for any organization as compared to
other processes. The audit team must focus proportionately more on this area in terms of time
allocation and specific sector competence of audit team
 Risk in this context can be broadly understood in 2 different ways:
 risk to the organization and
 risk to the outcome of the audit
7 Principles Of Auditing
These principles are intended to:-
 make the audit effective and reliable
 support an organization’s policies and controls;
 provide audit information that can be used to
improve performance;
 provide audit relevant conclusion; and
 enable auditors to reach similar conclusions under
similar circumstances even while working
independently
Guiding Principles Of Auditing

►Integrity
►Fair presentation
►Diligence and judgment
►Confidentiality
►Independence
►Evidence-based approach
►Risk-based approach
CLAUSE 5

MANAGING AN AUDIT
PROGRAMME
 5. MANAGING AN AUDIT PROGRAMME-KEY CHANGES
Figure 1
5.2 Establishing audit 5.7 Reviewing and Improving
programme objective. audit programme.

5.3 Determining and

evaluating audit programme
risks and opportunities

5.4 Establishing audit 5.5 Implementing audit 5.6 Monitoring audit

programme programme. programme. Clause 5

Clause 6

6.2 Initiating Audit

6.7 Conducting audit follow-

up
6.4 Conducting audit
6.3 Preparing audit activities
activities

6.5 preparing and

6.6 Completing audit
distributing audit report
5. Managing An Audit Programme – Key Changes
5.1 General
The approval authority for the audit programme is not by Top Management, but by
the audit client
Risk based auditing has become a prominent requirement in the standard now, which
earlier was a note without more explanation
More emphasis on the audit planning where activities of the audit client are
outsourced
Covering external providers as part of internal audit planning is specific should
requirement
 Recognize the extensive changes to overall process flow for the management of
an audit programme through the figure above
 Recognize that In this edition at many places, internal audits are explicitly
addressed and special provisions given w.r.t Internal audits

5.2 Establishing audit programme objectives

• Audit programme objectives now determined by the audit client and not Top Management
• Alignment of audit programme objectives with those of client’s strategic direction, policy and objectives
• Some additional considerations added while establishing audit programme objectives :-
 identified opportunities to the auditee & maturity of client’s management system based on their KPIs
 Some considerations deleted are :
 management priorities & commercial and other business intentions
5. Managing An Audit Programme – Key Changes
5.3 Determining and evaluating audit programme risks and
opportunities (new clause)
•An audit programme can have its own risks and opportunities. Typical risks
can be:
 planning, e.g. failure to set relevant audit objectives and determine the extent,
number, duration, locations and schedule of the audits;
 resources, e.g. allowing insufficient time, equipment and/or training for developing
the audit programme or conducting an audit;
 selection of the audit team, e.g. insufficient overall competence to conduct audits
effectively;
 communication, e.g. ineffective external/internal communication processes/channels;
 implementation, e.g. ineffective coordination of the audits within the audit programme, or not considering information security and confidentiality;
 control of documented information, e.g. ineffective determination of the necessary documented information required by auditors and relevant
interested parties, failure to adequately protect audit records to demonstrate audit programme effectiveness;
 monitoring, reviewing and improving the audit programme, e.g. ineffective monitoring of audit programme outcomes;
 availability and cooperation of auditee and availability of evidence to be sampled.
5. Managing An Audit Programme – Key Changes
5.3 Determining and evaluating audit programme risks and opportunities (New clause)
•An audit programme can have its own risks and opportunities.
•Opportunities for improving the audit programme can include:
 allowing multiple audits to be conducted in a single visit;
 minimizing time and distances travelling to site;
 matching the level of competence of the audit team to the level of competence needed to achieve the
audit objectives;
 aligning audit dates with the availability of auditee’s key staff.
Recognize the respective role risks and opportunities play in the development of audit programme
5.4 Establishing the audit programme
Individuals managing the audit programme should:
Determine the risks and opportunities related to the audit programme
Establish all relevant processes needed for the audit programme management
Request for approval of the audit programme by audit client
Recognize the changes to the roles, responsibilities and the competence of the individuals managing the
audit programme, including their ability to manage risk and deal with the internal and external issues, and
to understand the auditee’s context and business activities
Recognize the changes to those factors which influence the extent of audit programme
5. Managing An Audit Programme – Key Changes
5.5 Implementing audit programme
Individuals managing the audit programme should:
Communicate to audit client among other elements, the risks and opportunities related to the programme
ensure the conduct of audits in accordance with the audit programme, managing all operational risks, opportunities and
issues (i.e. unexpected events), as they arise during the deployment of the programme;
define and implement the operational controls necessary for audit programme monitoring;
review the audit programme in order to identify opportunities for its improvement.
 Each individual audit should be based on defined audit objectives, scope and criteria. These should be
consistent with the overall audit programme objectives.

 The audit objectives define what is to be accomplished by the individual audit and may include the following:

 evaluation of the capability of the management system to assist the organization in meeting relevant statutory and
regulatory requirements and other requirements to which the organization is committed;

 evaluation of the effectiveness of the management system in meeting its intended results;

 evaluation of the suitability and adequacy of the management system with respect to the context and strategic
direction of the auditee;

 evaluation of the capability of the management system to establish and achieve objectives and effectively address
risks and opportunities, in a changing context, including the implementation of the related actions.

 Audits can be performed on-site, remotely or as a combination. The use of these methods should be suitably
balanced, based on, among others, consideration of associated risks and opportunities.

 Where two or more auditing organizations conduct a joint audit of the same auditee, the individuals managing
the different audit programmes should agree on the audit methods and consider implications for resourcing
and planning the audit. If an auditee operates two or more management systems of different disciplines,
combined audits may be included in the audit programme.
5. Managing An Audit Programme – Key Changes
5.5 Implementing audit programme
The individual(s) managing the audit programme should appoint
the members of the audit team, including the team leader and any
technical experts needed for the specific audit.
An audit team should be selected, taking into account the
competence needed to achieve the objectives of the individual audit
within the defined scope. If there is only one auditor, the auditor
should perform all applicable duties of an audit team leader.
To assure the overall competence of the audit team, the following
steps should be performed
In deciding the size and composition of the audit team for the
specific audit, consideration should be given to the following: (In
addition to the earlier requirements):
whether the audit is a combined or joint audit;
the selected audit methods;
 the relevant external/internal issues, such as the language of the audit, and the auditee’s social and cultural characteristics. These
issues may be addressed either by the auditor's own skills or through the support of a technical expert, also considering the need
for interpreters;
 Changes to the composition of the audit team may be necessary during the audit, e.g. if a conflict of interest or competence
issue arises. If such a situation arises, it should be resolved with the appropriate parties (e.g. audit team leader, the individual(s)
managing the audit programme, audit client or auditee) before any changes are made.
Recognize that when considering the composition of the audit team for a specific audit, the need to ‘ensure independence from the
activities being audited ‘ has been replaced with the need to ‘ensure objectivity and impartiality’
Recognize that although the composition of the audit team is still determined by the individual managing the audit programme, it is
now strongly recommended that they consult with the audit team leader
5. Managing An Audit Programme – Key Changes
5.5 Implementing audit programme
 The individual(s) managing the audit programe should ensure that the
following additional activities are performed as part of audit outcome:
evaluation of the achievement of the objectives for each audit within the
audit programme;
review of the effectiveness of actions taken to address audit findings;
Consider communicating audit results and best practices to other areas
of the organization, and — the implications for other processes
 The individual(s) managing the audit programe should maintain the
following additional records :
 schedule of audits;
5.6 Monitoring audit programme
 The individual(s) managing the audit programme should ensure the evaluation of:
 the performance of the audit team members including the audit team leader and the technical experts;
 sufficiency and adequacy of documented information in the whole audit process.
 Some factors can indicate the need to modify the audit programme. These can include changes to:
 effectiveness of the audit programme; identified conflicts of interest; the audit client’s requirements.
5. Managing An Audit Programme – Key Changes
5.7 Reviewing and improving audit programme
The individual(s) managing the audit programme and the audit client should
review the audit programme to assess whether its objectives have been achieved.
Lessons learned from the audit programme review should be used as inputs for
the improvement of the programme.
The individual(s) managing the audit programme should ensure the following:
 review of the overall implementation of the audit programme;
 identification of areas and opportunities for improvement; application of changes to the
audit programme if necessary;
 review of the continual professional development of auditors, in accordance with 7.6;
 reporting of the results of the audit programme and review with the audit client and
relevant interested parties, as appropriate.
Recognize reference is now made to audit planning output and audit reporting output, the
outcomes of which could be (but do not have to be) an audit plan and an audit report.
Recognize the changes to the audit programme records that are recommended to be managed
and maintained.
Recognize the changes to the monitoring arrangements for audit programmes and those factors
that may necessitate revision of the audit programme.
Recognize the involvement the audit client now has in reviewing and improving the audit
programme and in the reporting of review findings to relevant interested parties (previously top
management).
5. Managing An Audit Programme – Key Changes
Summary of Changes:
Recognize the extensive changes to figure 1 – ‘process flow for the
management of an audit programme’
Recognize changes to the audit programme in terms of its focus, content
and the monitoring of its delivery
Recognize audit programme objectives are now determined by the audit
client, not top management. Similarly, approval of the audit programme
is by the audit client, not top management
Recognize the changes to what should be considered when formulating
audit programme objectives
Recognize the respective roles risks and opportunities play in the
development of audit programme
Recognize the changes to the role, responsibilities and the competence
of the individual managing the audit programme, including those relating
to their ability to manage risk and deal with internal and external issues,
and to understand the auditee’s context and business activities.
Recognize the changes to those factors which influence the extent of
audit programmes.
Recognize that the selection of audit methods is now based on the
effectiveness and efficiency of the method as well as consideration of the
risks associated with the method.
5. Managing An Audit Programme – Key Changes
Summary of Changes:
Recognize that when considering the composition of the audit team for a
specific audit, the need to ‘ensure independence from the activities being
audited’ has been replaced with the need to ‘ensure objectivity and
impartiality’. i.e. the ‘requirement’ for auditor independence has gone.
Recognize technical experts are no longer audit team members and they
now operate under the direction of the audit team leader, not individual
auditors.
Recognize that although the composition of the audit team is still
determined by the individual managing the audit programme, it is now
strongly recommended that they consult with the audit team leader.
Recognize reference is now made to audit planning output and audit
reporting output, the outcomes of which could be (but do not have to be)
an audit plan and an audit report.
Recognize the changes to the audit programme records that are
recommended to be managed and maintained.
Recognize the changes to the monitoring arrangements for audit
programmes and those factors that may necessitate revision of the audit
programme.
Recognize the involvement the audit client now has in reviewing and
improving the audit programme and in the reporting of review findings to
relevant interested parties (previously top management).
CLAUSE 6

CONDUCTING AN AUDIT
6. Conducting An Audit – Key Changes
6.1 General
Nothing new
6.2 Initiating audit
 The responsibility for conducting the audit should remain with the assigned audit team
leader until the audit is completed.
 To initiate an audit, the steps in Figure 1 should be considered; however, the sequence
can differ depending on the auditee, processes and specific circumstances of the audit.
 The audit team leader should ensure that contact is made with the auditee to:
 resolve issues regarding composition of the audit team with the auditee or audit client.
6.3 Preparing audit activities
 The relevant management system documented information of the auditee should be
reviewed in order to:
 to the audit criteria and detect possible areas of concern, such as deficiencies,
omissions or conflicts.

 The audit team leader should adopt a risk-based approach to planning the audit based on the information in the audit programme and the
documented information provided by the auditee.
 Audit planning should consider the risks of the audit activities on the auditee’s processes and provide the basis for the agreement among the
audit client, audit team and the auditee regarding the conduct of the audit. Planning should facilitate the efficient scheduling and coordination of
the audit activities in order to achieve the objectives effectively.
 The amount of detail provided in the audit plan should reflect the scope and complexity of the audit, as well as the risk of not achieving the audit
objectives.
 In planning the audit, the audit team leader should consider the following additional aspects:
 opportunities to improve the effectiveness and efficiency of the audit activities;
 the risks to achieving the audit objectives created by ineffective audit planning;
Preparing Audit Activities – Barriers & Challenges
Complexity

Time Safety

Shifts Health

Absence Business
Technical
Levels
6. Conducting An Audit – Key Changes
 Audit planning should address or reference the following (additional):
the need for the audit team to familiarize themselves with auditee’s facilities and processes
(e.g. by conducting a tour of physical location(s), or reviewing information and
communication technology);
the allocation of appropriate resources based upon consideration of the risks and
opportunities related to the activities that are to be audited.
 Audit plans should be presented to the auditee. Any issues with the audit plans
should be resolved between the audit team leader, the auditee and, if necessary,
the individual(s) managing the audit programme.
 The audit team members should collect and review the information relevant to
their audit assignments and prepare documented information for the audit, using
any appropriate media. The documented information for the audit can include but
is not limited to:
physical or digital checklists;
audio visual information.
 The use of these media should not restrict the extent of audit activities, which can change as a result of information collected
during the audit.
 Documented information prepared for, and resulting from, the audit should be retained at least until audit completion, or as
specified in the audit programme.
 Documented information created during the audit process involving confidential or proprietary information should be suitably
safeguarded at all times by the audit team members.
6.Conducting An Audit - Key Changes
6.4 Conducting audit activities (additional/changes)
Audit activities are normally conducted in a defined sequence as indicated in Figure 1. This sequence may be varied to suit the
circumstances of specific audits.
Guides and observers may accompany the audit team with approvals from the audit team leader, audit client and/or auditee, if
required. They should not influence or interfere with the conduct of the audit. If this cannot be assured, the audit team leader
should have the right to deny observers from being present during certain audit activities.
For observers, any arrangements for access, health and safety, environmental, security and confidentiality should be managed
between the audit client and the auditee.
Guides, appointed by the auditee, should assist the audit team and act on the request of the audit team leader or the auditor
to which they have been assigned. Their responsibilities should include the following:
assisting the auditors in identifying individuals to participate in interviews and confirming timings and locations;
arranging access to specific locations of the auditee;
ensuring that rules concerning location-specific arrangements for access, health and safety, environmental, security,
confidentiality and other issues are known and respected by the audit team members and observers and any risks are
addressed;
witnessing the audit on behalf of the auditee, when appropriate;
providing clarification or assisting in collecting information, when needed.
selection of audit methods is now based on the effectiveness and efficiency of the method as well as consideration of the risks
associated with the method.
changes to the monitoring arrangements for audit programmes and those factors that may necessitate revision of the audit
programme.
involvement the audit client now has in reviewing and improving the audit programme and in the reporting of review findings to
relevant interested parties (previously top management).
6. Conducting An Audit - Key Changes
Conducting opening meeting (additional/changes)
 Introduction of the following should be considered, as appropriate:
 other participants, including observers and guides, interpreters and an outline of their roles;
 the audit methods to manage risks to the organization which may result from the presence of the audit
team members.
 Confirmation of the following items should be considered, as appropriate:
 the audit objectives, scope and criteria;
 the audit plan and other relevant arrangements with the auditee, such as the date and time for the
closing meeting, any interim meetings between the audit team and the auditee’s management, and any
change(s) needed;
 matters relating to confidentiality and information security;
 relevant access, health and safety, security, emergency and other arrangements for the audit team;
 activities on site that can impact the conduct of the audit.
 The presentation of information on the following items should be considered, as appropriate:
 the method of reporting audit findings including criteria for grading, if any;
 how to deal with possible findings during the audit;

The audit information availability and access (additional/changes)

 The audit methods chosen for an audit depend on the defined audit objectives, scope and criteria, as well as duration and location. The
location is where the information needed for the specific audit activity is available to the audit team. This may include physical and virtual
locations.
 Where, when and how to access audit information is crucial to the audit. This is independent of where the information is created, used and/or
stored. Based on these issues, the audit methods need to be determined (see Table given in next slide). The audit can use a mixture of
methods. Also, audit circumstances may mean that the methods need to change during the audit.
6. Conducting An Audit-Key Changes
Table 1 - Audit Methods
Location of the auditor
Extent of involvement between the auditor
and the auditee On-site Remote

 Conducting interviews Via interactive communication means:

 Completing checklists and questionnaires  conducting interviews;
with auditee participation  observing work performed with remote
Human interaction  Conducting document review with
guide;
 completing checklists and questionnaires;
auditee participation  conducting document review with auditee
 Sampling participation.

 Conducting document review (e.g. re-  Conducting document review (e.g. re­
cords, data analysis) cords, data analysis)
No Human Interaction  Observing work performed  Observing work performed via surveil­
 Conducting on-site visit lance means, considering social and
 Completing checklists statutory and regulatory requirements
 Sampling (e.g. products)  Analyzing data
On-site audit activities are performed at the location of the auditee. Remote audit activities are performed at any place other than the location of
the auditee, regardless of the distance.
Interactive audit activities involve interaction between the auditee’s personnel and the audit team. Non-interactive audit activities involve no
human interaction with individuals representing the auditee but do involve interaction with equipment, facilities and documentation.
6. Conducting An Audit – Key Changes
Collecting and verifying information (Additional
/Changes) Source of
Information
Only information that can be subject to some degree Figure 2
of verification should be accepted as audit evidence.
Where the degree of verification is low the auditor
Collecting by means of
should use their professional judgement to determine appropriate sampling.
the degree of reliance that can be placed on it as
evidence. Audit evidence leading to audit findings
should be recorded. If, during the collection of
objective evidence, the audit team becomes aware of Audit Relevance
any new or changed circumstances, or risks or
opportunities, these should be addressed by the team
accordingly.
Evaluating against audit criteria

Figure 2 provides an overview of a typical process,

from collecting information to reaching audit
conclusions.
Reviewing
NOTE 1 For verifying information see A.5.
NOTE 2 Guidance on sampling is given in A.6.

Audit Conclusions
6. Conducting An Audit - Key Changes
Conducting closing meeting (additional/changes)
 The closing meeting should be chaired by the audit team leader and attended by the
management of the auditee and include, as applicable:
 the audit client; other members of the audit team; other relevant interested parties as
determined by the audit client and/or auditee.
 Preparing and distributing audit report (additional/changes)
 The audit team leader should report the audit conclusions in accordance with the audit
programme. The audit report should provide a complete, accurate, concise and clear record
of the audit, and should include or refer to the following:
 audits by nature are a sampling exercise; as such there is a risk that the audit
evidence examined is not representative.
 The audit report can also include or refer to the following, as appropriate:
 any issues of availability of evidence, resources or confidentiality, with related
justifications;
 Distributing audit report (additional/changes)
 When distributing the audit report, appropriate measures to ensure confidentiality
should be considered.
6.6 Completing audit (additional/changes)
 No additions /changes in the contents of this clause
6.7 Conducting audit follow-up (additional/changes)
 Outcomes should be reported to the individual managing the audit programme and
reported to the audit client for management review.
6. Conducting An Audit - Key Changes: Summary
 Reflect the extensive changes to the titles and ordering of Clause 6 (now Conducting an Audit,
previously Performing an Audit) and its sub clauses. Also, recognize the additional of a new sub
clause (6.4.5)
 Recognize the deletion of the old (2011 edition) figure 2 – typical audit activities. The old figure
3 – ‘overview of a process for collecting and verifying information’ now becomes the new figure
2
 Recognize the additional information an audit team leader should now seek when establishing
initial contact with the auditee
 Recognize the additional considerations to be taken into account when reviewing an auditee’s
documented information
 Recognize that ‘preparing the audit plan’ (a document) now becomes ‘audit planning’ (a
process). Also recognize that the considerations to be taken into account when undertaking
audit planning have been expanded.
 Recognize that the audit team leader now allocates decision making authority to each audit
team member as well as responsibility for auditing specific processes, activities, functions or
locations
 Recognize ISO 19011:2018 no longer refers to preparing stage 1 ‘work documents’ (e.g.
checklists, audit plans). 2018 instead refers to ‘preparing documented information for audit’ and
recognizes that this may be physical or electronic.
 Recognize that the sub clause relating to the appointment of guides and observers has been
moved forward three sub clauses in the standard. The standard now also recognizes the role of
interpreters in audits.
6. Conducting An Audit - Key Changes: Summary
 Recognize the additional 2018 edition communication responsibilities of the audit team leader whilst
conducting audit activities, particularly following the identification of ‘immediate and significant’ risk or
upon realisation that the audit objectives will not be met.
 Recognize the addition of the new Information availability and access clause (6.4.5) and its contents.
 Recognize the change from ‘only information that has been verified can be accepted as audit evidence’
to ‘audit evidence is information that can be subject to some degree of verification’. This fundamental
change recognises it may not always be possible to verify information 100%, and that as a result of this
auditors must now use their professional judgement to determine the level of reliance that should be
placed on the information. This is a major departure from previous audit teaching where audit evidence
had to be verifiable. Now it must be verifiable to a degree.
 Recognize that the 2011 edition clause 6.4.8 has been divided into 2 new sub-sub clauses – 6.4.9.1 and
6.4.9.2 (though the contents of these are largely unchanged).
 Recognize that the closing meeting is now chaired (not facilitated) by the audit team leader. There are
changes in respect of the desired attendees at this meeting and the recommended agenda items to be
covered have been expanded.
 Recognize the changes to the suggested content and distribution of audit reports
 Recognize changes to the way lessons learned from audits are dealt with in the 2018 edition, and the
dropping of the recommendation that they are entered into the continual improvement process of the
auditee’s management system.
 Recognize that the ‘conclusion of the audit’ is now referred to as the ‘outcome of the audit’. Also
references to preventive action have been dropped.
CLAUSE 7

COMPETENCE AND
EVALUATION OF
AUDITORS
7. Competence And Evaluation Of Auditors- Key Changes
7.1 General (additional/changes)
No additions/Changes in the contents of this clause
7.2 Determining auditor competence
In deciding the necessary competence for an audit, an auditor’s knowledge and skills
related to the following should be considered (additional/changes) :
the methods for auditing;
the types and levels of risks and opportunities addressed by the management system;
the objectives and extent of the audit programme;
other requirements, such as those imposed by the audit client or other relevant interested parties,
where appropriate.
This information should be matched against that listed in 7.2.3. (knowledge and skills)
Personal behavior (7.2.2) (additional/changes)
No additions/Changes in the contents of this clause
Knowledge and skills (7.2.3) (additional/changes)
 Auditors should have knowledge and skills in the areas outlined below.
 understand the types of risks and opportunities associated with auditing and the principles of the risk-based approach to
auditing;
 audit a process from start to finish, including the interrelations with other processes and different functions, where
appropriate;
 management system standards or other normative or guidance/supporting documents used to establish audit criteria or
methods;
 understanding the importance and priority of multiple standards or references;
7. Competence And Evaluation Of Auditors – Key Changes
 Auditors should have knowledge and skills in the areas outlined below.
 The organization and its context: knowledge and skills in this area enable the auditor to
understand the auditee’s structure, purpose and management practices and should cover the
following:
 needs and expectations of relevant interested parties that impact the management system; —
type of organization, governance, size, structure, functions and relationships;
 management system audit should not be treated as a legal compliance audit.
Discipline and sector-specific competence of auditors (additional/changes)
 Audit teams should have the collective discipline and sector-specific competence appropriate
for auditing the particular types of management systems and sectors.
 The discipline and sector-specific competence of auditors include the following:
 management system requirements and principles, and their application;
 application of discipline and sector-specific methods, techniques, processes and practices to
enable the audit team to assess conformity within the defined audit scope and generate
appropriate audit findings and conclusions;
Generic competence of audit team leader (additional/changes)
 In order to facilitate the efficient and effective conduct of the audit an audit team leader
should have the competence to:
 plan the audit and assign audit tasks according to the specific competence of individual audit
team members;
 discuss strategic issues with top management of the auditee to determine whether they have
considered these issues when evaluating their risks and opportunities;
 develop and maintain a collaborative working relationship among the audit team members;
7. Competence And Evaluation Of Auditors – Key Changes
Knowledge and skills for auditing multiple disciplines (additional/changes)
 No additions/Changes in the contents of this clause
Achieving auditor competence (additional/changes)
 Auditor competence can be acquired using a combination of the following:
 successfully completing training programmes that cover generic auditor knowledge and
skills;
 experience in a relevant technical, managerial or professional position involving the exercise
of judgement, decision making, problem solving and communication with managers,
professionals, peers, customers and other relevant interested parties;
 education/training and experience in a specific management system discipline and sector
that contribute to the development of overall competence;
NOTE: Successful completion of a training course will depend on the type of course. For courses with an examination
component it can mean successfully passing the examination. For other courses, it can mean participating in and
completing the course.
Achieving audit team leader competence
 An audit team leader should have acquired additional audit experience to develop the
competence described in 7.2.3.4. This additional experience should have been gained by
working under the direction and guidance of a different audit team leader.

 7.3 Establishing auditor evaluation criteria

 No addition /Changes in the contents of this clause
 7.4 Selecting appropriate auditor evaluation method
 The evaluation should be conducted using two or more of the methods given in Table 2. In using Table 2, the following should be noted:
 the methods outlined represent a range of options and may not apply in all situations;
 the various methods outlined may differ in their reliability;
 a combination of methods should be used to ensure an outcome that is objective, consistent, fair and reliable.
7. Competence And Evaluation Of Auditors – Key Changes
Table 2-Auditor evaluation methods
Evaluation method Objectives Examples

Analysis of records of education, training, employment,

Review of records To verify the background of the auditor
professional credentials and auditing experience

Surveys, questionnaires, personal references,

To provide information about how the performance
Feedback testimonials, complaints, perfor­mance evaluation, peer
of the auditor is perceived
review
To evaluate desired professional behaviour and
Interview communication skills, to verify information and test Personal interviews
knowledge and to acquire additional information

To evaluate desired professional behaviour and the

Observation Role playing, witnessed audits, on-the-job performance
ability to apply knowledge and skills

To evaluate desired behaviour and knowledge and

Testing Oral and written exams, psychometric testing
skills and their application

To provide information on the auditor performance Review of the audit report, interviews with the audit
Post-audit review during the audit activities, identify strengths and team leader, the audit team and, if appropriate,
opportunities for improvement feedback from the auditee
7. Competence And Evaluation Of Auditors – Key Changes

7.5 Conducting auditor evaluation

No additions/Changes in the contents of this clause

7.6 Maintaining and improving auditor competence

The continual professional development activities should take into

account the following:

changes in the needs of the individual and the organization

responsible for the conduct of the audit;

 developments in the practice of auditing including the

use of technology;
 relevant standards including guidance/supporting
documents and other requirements;
 changes in sector or disciplines.
7. Competence And Evaluation Of Auditors
Summary of Changes:-
 Recognize that the 2018 edition now calls for regular evaluation of auditor competence.
 Recognize that the list of professional behaviours an auditor should exhibit becomes ‘desired’
professional behaviours, reflecting the fact not all auditors possess all of these attributes.
 Recognize that auditors should understand the risks and opportunities involved in auditing (as a
process) as well as the meaning of a risk based approach. They should also be able to process audit
and should understand the organization and its context, the needs and expectations of relevant
interested parties that impact the management system and have knowledge of the auditee’s
processes and products and services.
 Recognize that it is now audit teams that should collectively have the discipline and sector specific
competence necessary to carry out the audit, not each individual auditor.
 Recognize the replacement throughout ISO 19011:2018 of the term ‘knowledge and skills’ by
‘competence’. Competence = knowledge and skills and the ability to apply these.
 Recognize audit team leaders should now possess the necessary competence to discuss strategic
matters with the auditee’s top management and the necessary competence to develop a
collaborative working relationship between team members
 Recognize the deletion of the old annex A - GUIDANCE AND ILLUSTRATIVE EXAMPLES OF
DISCIPLINE-SPECIFIC KNOWLEDGE AND SKILLS OF AUDITORS
 Recognize that the old annex B – ‘additional guidance for auditors planning and conducting audits’
becomes new annex A. This has been considerable expanded and contains new guidance for auditors
in respect of the application of the process approach, professional judgement, performance results,
auditing compliance, context, leadership and commitment, risks and opportunities, life cycles, supply
chains, virtual locations and activities etc. Note several of the 2011 edition clauses have been retitled.
• Recognize that the bibliography to 19011 has been significantly reduced.
SHAPING
A WORLD
OF TRUST
WWW.BUREAUVERITAS.COM