


ISO 19011 is one of those standards that can be thought of as existing in the overall ISO 9000 family (it is also part of another family but that still fits the image – two standards were married together to create this one and we usually accept that marriage results in membership of more than one family). The standard is entitled ‘Guidelines for quality and/or environmental systems auditing’. It is intended to provide a general description of how audits of all types – first, second and third party – should be carried out when auditing quality or environmental management systems. It is based on the understanding that the basic approach to both quality and environmental audits is essentially the same. Certainly the framework and underlying rules for how to audit are similar. Each involves selection and qualification of auditors, planning, preparation, introduction, execution, analysis, reporting and corrective/improvement action. The specific things that are being looked for in an audit are quite different, so I have reservations about combining the actual audits, but to have a common central approach to the two seems very sensible and can make planning and scheduling, for example, much more efficient.

It should be noted that ISO 19011 is not a mandatory or systems certification standard. Assessors examining organizations for ISO 9001 compliance may have ISO 19011 in the back of their mind when looking at good audit practice but cannot raise non-compliances specifically against its contents. There are some auditor and training registration schemes that are founded on ISO 19011, but it is the requirements of their own arrangements that are typically used as bases on which to make judgements, not the contents of the standard itself. In fact the introduction to the standard itself states that its guidance is intended to be flexible; the extent to and manner in which the guidelines are adopted will depend upon the size, nature and complexity of the organization carrying out the audits. In this sense it might be thought of in the same way that we would often use a management text book or seminar – we would consider what we have learnt and then decide what lessons we will decide to apply, where and in what manner.


ISO 19011 is a brand new standard; issued in 2002 as ISO 19011:2002, it represents the first version. Prior to this, quality auditing was described in ISO 10011, which was issued in three parts describing different aspects of managing and conducting audits, and was released in 1990–91.

The general history of the quality audit standard is similar to that of the quality management systems standard, with new issues usually lagging those of the management standard and without any necessary direct link between a version of one and a version of the other (i.e. just because the management systems standard is changed does not mean the associated audit standard is no longer valid). There was much talk when ISO 9001:2000 was first released (and even before, when drafts were available) that quality auditing would have a heavy process flavour, yet this emphasis does not particularly stand out in ISO 19011. Many quality professionals and third party auditors still take this stance, but it must be emphasized that there is no specific guidance in ISO 19011 stating that audits must be planned or carried out in relation to boundary-crossing processes.

ISO 19011 also replaces the previous environmental audit standards which were issued in 1996 to coincide with the release of ISO 14001:1996 (the standard for environmental management systems). Again, the environmental audit standards were in three parts, but in this case were available as three separate standards: ISO 14010, ISO 14011 and ISO 14012. Many of the good points from these standards (such as the concept of the audit ‘client’) have been brought forward into the combined standard.


ISO 19011 is, as already mentioned, intended only to provide guidance on how to audit and does not represent a set of auditable requirements when an organization is seeking certification to ISO 9001 (or the environmental standard ISO 14001, for that matter). Thus, its main purpose is for general information and reference. In this capacity, it is unlikely to be referred to or even acquired by many of those responsible for running a quality management system.

Since it is generally accepted that all quality auditors should have been appropriately trained, then a good training course or qualification regime will presumably have sufficiently covered the requirements of the standard to ensure that auditors know what they are doing. The principal area of application of ISO 19011 then is undoubtedly for those who are seeking to provide training in how to conduct quality audits, either as specialist trainers or as someone who has experience of auditing and wishes to design and run a training event to pass their experience on to a potential internal audit team. Any course intended to pass on the skills of quality auditing should cover all applicable elements of the standard, as related to the aims of the audit programme (for example, some of the elements of management and planning may be reduced if the target audience will only be conducting audits and not involved in managing them).

Other potential users of the standard might be managers of audit programmes. Those who run formal programmes on behalf of others, such as accredited third party certification bodies, will want to ensure that they are conforming to best practice (and in fact will often be required to do so by the appropriate authorities). Managers of less formal programmes might also wish to examine the contents of the standard to see where new ideas could be gained, or if there are features of their existing systems that could be updated or improved. Audit managers in simple, small organizations should not however feel obliged to do this if they are content with the effectiveness of their existing arrangements.

If you are new to auditing or running an audit programme, do not rely on reading ISO 19011 to tell you how to do it. You already have access to this book which should provide the basic reading matter that you need – beyond that, attending a good course will do you much more good than buying a copy of ISO 19011.


Just as ISO 9001 has ISO 9000 to provide a reference for the definitions of terms used within its text (and ISO 14001 has ISO 14050 to do the same thing), ISO 19011 also relies on ISO 9000 and ISO 14050 to define the key words and phrases encountered within the document. Even for those highly interested in the detail of how audit standards operate and what they require, there is no need to acquire a further standard to define the terminology since this is already available in the general terminology standards that they probably already possess.

For readers of this book, however, there are a few interesting terms that are worth mentioning before we go any further:

Audit criteria The standard defines this as a set of policies, procedures or requirements. What is meant by this is the set of things that the results of the audit will be judged against. This should be clearly understood by the auditor and the audit team before the audit commences so that everybody is working from the same set of rules. Note that the requirements can be very specific (for example every stores request must be made on a form 37B and signed by a divisional director) or could be broader (for example allocation of responsibilities between areas should be well understood).

Audit conclusion This is the output of the audit. This is defined in the report and includes identification of areas needing attention, recommendations, decisions, next steps and so on.

Audit client Defined as the organization or person requesting the audit. Although this idea has not been traditionally widely used in quality auditing, it is a valuable concept. The client is the person who wants the audit to happen and who has the most interest in its results. Sometimes this might be the head of the area being audited themselves, or it could even be somebody outside the audit team and group of auditees, such as a procurement director commissioning a consultancy to audit a supplier on their behalf.



The standard commences, as do all such standards, with a contents list, an introductory note and sections defining the scope, other references and terminology. Some of the information has been summarized earlier in this chapter. Although these are important elements to set the background for any formal document, they are also the sections that are most often skipped or only lightly attended to. We shall do the same here and move swiftly to the ‘meat’ of the standard. This is divided into four sections:

  • Section 4 – Principles of auditing
  • Section 5 – Managing an audit programme
  • Section 6 – Audit activities
  • Section 7 – Competence and evaluation of auditors.

These sections are discussed in turn below.

Principles of auditing
The requirements of the standard open with a statement explaining that auditing is based upon a set of underlying principles, adherence to which should ensure that the audit is relevant, sufficient and independent. It is also suggested that these principles would provide an element of calibration (my word, not the standard’s) that helps to make results between auditors and audit teams consistent. Three principles for auditors are given, plus two more for the audit itself. It is suggested that all the more detailed guidance given in the rest of the standard is based on these five principles, described below.

Ethical conduct

An ethical approach, it is stated, is the foundation of professionalism. It is then implied that ethical conduct consists of displaying trust, integrity, confidentiality and discretion. A good way of testing for ethical conduct is to understand that ethical actions are those that would not lead to scandal, betrayal, shame or disgrace. Integrity is my favourite word here since it implies honesty, fairness, selflessness, impartiality and many of those other good things that make for an ethical approach to auditing, or indeed to any other business activity. Although we would hope for ethical conduct from anyone with whom we make contact, it is especially important for auditors who are required to make judgements on the effectiveness and acceptability of an activity or area.

Fair presentation

Fair presentation is defined as the obligation to report truthfully and accurately. In my view this is also part of ethical conduct; an ethical approach is an honest and truthful one.

This does include the obligation to report proportionately and in context. If a system is generally functional but a small number of errors were found, then it is appropriate to say so and not to report that the system is dysfunctional. I was once working on the development of a team of auditors that tended to over-report things. A lost training record or a human error would be reported as incompetent staff, while failure to mention a low probability ‘what if’ would be reported as a lack of a documented system. These auditors gave in to the temptation of reporting in a way that they felt would have impact (mainly with the audit client or audit programme manager) rather than reporting fairly. In fact, the problem here was not only that the reports were unfair, but also that the area manager did not know what to act upon since instead of having to deal with one instance of weak training records, he was told that he had a chronic staff competence shortage.

The standard specifically states that reports should also mention any obstacles or difficulties that affected the conduct or output of the audit and should record any differences of opinion between the people involved in the audit, in all roles (for example if the auditee disagrees with the auditor’s interpretation of criteria).

Due professional care

The requirement here is to apply diligence and judgement in auditing. Auditors are expected to do a reasonable job of the audit, not to wash over issues but not to be rigid in their approach either, applying judgement appropriate to the nature and requirements of the audit. Although it might seem obvious that a person should always aim to do their job with care and diligence, as an auditor it must be remembered that every audit involves a review of somebody else’s work and so the results are very important for that person or group of people. An auditor cannot afford to have a bad day and not try very hard that day, since there may well be a lot riding on the recommendations that arise from the audit conclusions.

Independence

This is the first of the principles applied to auditing in general rather than specifically to the auditor. The standard states that independence is the basis for impartiality and objectivity. Independence is discussed with the aim of ensuring that the audit team is free from bias and conflict of interest. This still allows room for the manager of the audit programme to determine what constitutes a conflict of interest. For example it is quite normal to permit a team to audit an organization of which they are all personal customers in the normal sense (such as utility companies) as long as there is no strong personal involvement.

Evidence-based approach

The last principle is applied to audits rather than auditors and requires that an approach based on evidence is adopted. This means that conclusions should be based on facts and data rather than feelings and opinions. The essence of the principle is that anything in the final report should be underpinned by verifiable evidence. It is acknowledged that the evidence may be based on a sample, rather than the whole population, depending upon the practicalities of the individual audit including size, scope and so on.


Managing an audit programme
This section is about overall management of audits. It is divided into many subsections but the division is, in my opinion, somewhat long-winded and much of it can be distilled to a few simple concepts. In general, it is anticipated that a programme is established that incorporates a number of audits over a period of time. The programme is used to plan timescales and resources, as well as to ensure that all objectives are adequately covered, reported and dealt with. The audits may have a number of overall objectives (for instance quality and environmental) and there may be more than one programme (separate quality and environmental). The idea is also mentioned that two auditing organizations may elect to conduct joint audits. A good example of this might be where two organizations agree to conduct joint audits of sub-contractors. The overall approach to managing audit programmes is shown in Figure 5.1.

Objectives and extent

Certainly it is a good idea to decide why the organization is running an audit programme, rather than simply doing it because it seems the right thing to do (ISO 19011 talks about the ‘why’ as being the objectives for the programme, but here it means broad aims rather than the specific, quantifiable objectives implied by ISO 9001). The audit programme could be run for something ambitious such as to maximize efficiency, for something contractual such as supplier audits, or could just be to satisfy a certification requirement such as exists for third party audits or minimal internal audit programmes.

Once it is understood what the aims of an audit programme are, the standard also suggests that a conscious effort to fix its extent should be made. This includes what areas or units to cover, how often to audit them, how to group or separate them, what criteria need to be applied (e.g. does the corporate technical standard need to be applied to all sub-contractors) and what activities each audit will cover. This seems obvious perhaps and is inherent in all audit programmes. ISO 19011 suggests that this should be a conscious exercise though rather than just allowing the audit areas to fall into place for convenience.

Responsibilities, resources and procedures

The responsibility for planning and running the audit programme should be allocated to an individual or group. It is common for there to be an audit programme coordinator within an organization; this is commonly the Quality Manager in many internal ISO 9001 systems (or the Environmental Manager for ISO 14001 systems), but it could be somebody else. For third party audits it is the management team of the certification body. This person need not necessarily carry out any audits themselves although they will need a good understanding of what audits are all about. ISO 19011 lists their responsibilities as including setting the objectives and extent, defining procedures and obtaining resources, delegating responsibilities (e.g. to carry out an audit), making it happen and ensuring that audits are recorded, and monitoring and reviewing things to maintain and improve the programme. In most systems this person is also the one that takes the process further when an individual auditor or audit team finds that they reach obstacles in terms of cooperation, agreement, resources and so on. They also may take responsibility for ensuring that findings are addressed and followed up where arrangements mean that it is impractical for the auditor to do so.

This section of the standard also briefly mentions the type of resources that may be necessary when running an audit programme. These include funding, audit techniques, auditor training and development, the auditors themselves and any supporting expertise, the audit programme, and general support resources such as travelling time, transport, accommodation and so on.

The lengthy section covering responsibilities and resources also deals with procedures. This provides for written procedures defining the whole range of activities that are embodied in the audit programme. This specifically includes:

  • planning and scheduling
  • team leader and auditor competence
  • team composition
  • how to carry out the audit
  • how to carry out follow-up audits
  • keeping records
  • how to monitor performance
  • reports to senior management on how well the audit programme is working.

There is a statement that all of the above may be embodied in a single document for smaller organizations. This is probably an unnecessary statement since organizations will naturally decide how much each of these elements applies to them and tailor their documentation accordingly, applying the guidelines across as many documents as necessary. Indeed, some very small operations may even elect to include audit procedures within another document, such as a monitoring and review procedure.

Implementation
The standard then goes on to discuss implementation. It seems obvious that the programme needs to be implemented; the standard aims to specifically state the areas that must be addressed as part of implementation, but in fact just repeats the main areas that are addressed throughout the rest of the standard. As a result, this section merely states that not only must an organization plan and document its audit system but must also put it into operation.

Records

Suitably kept and safeguarded records are a requirement. Suitable safeguarding means doing one’s best to preserve them, such as not leaving paper files in a damp, mouse-infested cellar (mice love to shred important paper – I know from painful personal experience) or providing backup, security and virus protection for electronic data. Records to suit the size and complexity of the audit programme are required to cover audit planning, conduct, resource management and actions arising.

Monitoring and reviewing

The last management section is about understanding how well the audit programme is serving the needs of the organization by means other than just asking for gut feelings around a table (although holding review meetings is of course a valid monitoring technique). Objectives might include, for example, good use of audit resources for a third party certification body or could include early identification of risks in an internal audit programme.

The section suggests that measurements or other data should be collected and formally reviewed. The measurements would cover how well the plan worked, how well the target timescales were met, plus other factors such as how far it shows that procedures were followed, results and trends, the consistency of the audit process itself and so on. Naturally, any interesting points revealed by such monitoring should lead to action to prevent or cure problems.


Audit activities
Now we come to the part of the standard that describes how the audit itself should be carried out, including the planning. The steps involved are summarized in Figure 5.2.

An especially interesting point in this introduction to the actual audit process is that the standard recognizes that not all elements will be applicable in every case. This allows, for example, that audit features such as opening meetings and preliminary document reviews are not applicable in every case.

Initiating the audit

  • appointing the team leader
  • defining audit objectives
  • determining the feasibility of the audit
  • selecting the audit team
  • establishing initial contact with the auditee

Conducting document review

  • reviewing relevant management system documents, including records, and determining their adequacy with respect to audit criteria

Preparing for the on-site audit activities

  • preparing the audit plan
  • assigning work to the audit team
  • preparing work documents

Conducting on-site audit activities

  • conducting opening meeting
  • communication during the audit
  • roles and responsibilities of guides and observers
  • collecting and verifying information
  • generating audit findings
  • preparing audit conclusions
  • conducting closing meeting

Preparing, approving and distributing the audit report

  • preparing the audit report
  • approving and distributing the audit report

FIGURE 5.2 Audit steps

Initiating the audit

ISO 19011 defines a fairly involved set of possible actions for initiating the audit. These are:

  • appointing the team leader
  • defining audit objectives, scope and criteria
  • determining the feasibility of the audit
  • selecting the audit team
  • establishing initial contact with the auditee.

The appointment of the team leader is a useful first step in making the audit happen, since the team leader can then take over many of the preparation duties. The team leader will need to be somebody with the organizational skills to be able to coordinate effectively between the auditee and the rest of the audit team. Note that where the audit team consists of just one person, the team leader role and appointment should not be ignored, but the sole auditor effectively takes on the duties of the team leader. If the audit is being conducted as a joint affair between two or more parties (for example two bodies conducting a joint audit as part of a contract award process), the appointment of a single audit team leader must be jointly agreed before the audit can proceed.

Once the team leader is appointed, they need to be informed of the objectives, scope and criteria for the audit (in many cases the team leader may play an active part in defining these). These describe what this particular audit is all about and provide guidance for the audit leader and the team as to what they should be looking for and at. The objectives set out what the audit is trying to achieve, such as determining eligibility for a certificate award, determining suitability to appear on a contract shortlist, demonstrating improvements in a previously identified weak area, confirming adherence to policy, identifying areas for potential improvement or perhaps a combination of two or more of these. The scope gives the audit team their breadth and boundaries: which sites, areas, activities and so on they are to cover. For example an internal audit team may have a limited area to audit in order to keep the audit to a manageable size, whereas a second party audit team may have a limited scope for reasons of confidentiality. The scope may also serve to point out activities that are specifically included to ensure that the audit team does not leave them out of their investigations. The criteria for the audit represent those rules and requirements against which the audited organization will be assessed. These might include standards, policies, legislation, procedures and so on, and could even, for the purposes of improvement, include the experience and judgement of the auditor, although this should never be the only criterion.

At some point during the initial planning, it is also important to check that the audit is feasible. It could be that, after considering all the factors, the audit cannot be carried out as defined for reasons such as auditor availability, incompatibility of scope and time allowed, accessibility of activities (e.g. rare events which will not happen at the planned time), availability of information, failure of agreement (such as payment terms between the parties involved) or a variety of other factors. Detailed planning and arrangements should only proceed once it is known that the audit can go ahead.

Once the nature, requirements, leadership and feasibility of the audit have been determined, the remainder of the team membership (if the team is larger than one) can be decided upon. The team leader often plays a part in this but there may well also be input from the audit planners. Auditors should be selected for their ability to play a suitable part in the audit. Selection should be based on:

  • the number of auditors required
  • competence in the activities being audited
  • any specific expertise or knowledge needed by the team
  • the need for impartiality
  • auditor availability and workload
  • the language of the audit.

The standard recognizes that auditors may not always possess the special ‘technical’ knowledge necessary to understand every situation and that occasionally experts may need to be called in to assist the team, under the guidance of a competent auditor.

The final part of establishing the audit is for the audit team leader to make initial contact with the auditee. This is to provide for:

  • general introductions
  • agreement that the audit is authorized to proceed
  • confirmation of specific timings
  • determination of necessary precautions and arrangements, including health, safety and security
  • agreement of attendance of team members and any accompanying personnel such as trainees and observers.

Conducting a document review

Many audits include a review of the documentation presented by the auditee to see whether or not it meets the audit criteria. This can be a useful exercise to determine general compliance (for example has the organization adequately documented and defined its key processes for ISO 9001 purposes) and also to give the audit team an understanding of whether the overall system is likely to be in good shape; if the documentation is poor then it may not be worth proceeding with the on-site investigation. It also provides the audit team with some understanding of the system in place before carrying out the detailed investigation.

In many audits, the document review is not a formal, separate affair. It is carried out as part of preparation during the general investigation. In such cases, however, it is usually still the audit team’s job to look at the adequacy of documentation.

Preparing for the on-site audit activities

Whereas initiating the audit is about ensuring that everything is in place to make the audit happen, preparation is actually part of the audit itself, where the audit team start to understand exactly what it is they will investigate. ISO 19011 suggests that the first part of this phase is the creation of a comprehensive audit plan. This is envisaged as not just a simple schedule, but an all-encompassing plan such as might be found in large projects and almost serves as the terms of agreement between the audit team and the auditee.

The plan should detail what will happen and when and also lists key personnel and their responsibilities; objectives, criteria and scope; reporting arrangements; confidentiality and security; any limitations and reservations; the manner in which any decisions will be made; and the procedures for follow-up. Although this seems rather daunting, remember that ISO 19011 is giving the most complete picture; in many cases this approach is unnecessarily cumbersome since much of the detail is already accepted as standard practice or is detailed in general arrangements between the parties involved. For most internal and third party quality audits, the audit plan consists of little more than a timetable, and even that may be done verbally if the circumstances permit. Such a plan may be appropriate, however, if the audit is a second party affair and there is a lot at stake, or there are significant confidentiality issues and so on.

Once the plan is prepared, the standard describes the allocation of work to individual audit team members. Assignment is made taking into account availability, skills, experience, impartiality and so on. In reality, this may be better undertaken before the plan is prepared to allow both the audit team and the auditee to clearly see who is doing what and when.

The final element is the preparation of audit documents. This includes items such as checklists and aide-memoires (although the standard does not say much about what should be in them) as well as forms that will be used to record data during the audit. A specific point is made that any documents containing confidential information should be suitably safeguarded by the auditors.

Conducting on-site audit activities


As has been discussed throughout the rest of this book, actually carrying out the investigation is the heart of the audit. ISO 19011 recognizes this and devotes a large proportion of its requirements to this section. In recognition of this, I have added the third-level headings in this section to make it easier to follow.

Conducting the opening meeting

The investigation should start with an opening meeting, whose purpose is to confirm the plan, provide a summary of how the audit will be carried out, confirm communication channels, and answer any questions that the auditee may have. The meeting is typically held with the management of the organization or area being audited and the entire audit team.

The standard states that the opening meeting may be a simple affair in some circumstances, such as internal audits, whereas in others it may be a formal, minuted meeting. There is then a table offering practical help, which largely comprises a list of 14 topics that could be addressed at the meeting. There is nothing surprising or new in this list and since I discuss opening meetings in some detail in Chapter 10, the list is not repeated here.

Communication during the audit

The standard emphasizes the importance of communication between members of the audit team, and between the audit team and the auditee. Certainly there should be opportunities for the audit team to meet (or at least speak, if they are working remotely from each other), to exchange ideas and findings and to keep the team leader up to date, where the team is more than one person.

In turn, the team leader needs to ensure that someone from the auditee organization is regularly informed of what is going on. If there is a guide, one of their responsibilities is often to act as the key communication point. In particular, it is the job of the team leader to let the auditee know immediately if one or more findings reveal a problem that has major significance; this could be an immediate risk of some nature or could be a situation that will result in a failure of some sort, such as a major non-compliance being issued during a third party audit. Similarly, the audit team should make it clear as soon as there seems to be any barrier that might make it difficult to complete the audit objectives or properly cover the scope. This may mean adjusting the plan, scope and so on in agreement with the auditee and the audit client.

If the audit is large, complex or highly formal, then it may be necessary to establish a suitably formal communications procedure as part of the audit plan.

Roles and responsibilities of guides and observers

Guides are people appointed by the auditee to help the auditors manage the logistics of the audit and to provide a point of contact who is present throughout. It is emphasized that guides should not interfere with the audit, but are there to help arrange times, and so on, for interviews; arrange visits to locations; ensure that auditors follow health, safety and security rules; act as a witness to the audit; and assist in collecting or clarifying information. Note that in many audits guides are not provided; even some third party audits in small organizations rely on the proximity of people who can help rather than the provision of a dedicated guide.

Observers are usually, although not necessarily, from the auditing organization. They are there to watch how the audit goes and to learn from it, often because they are auditors-in-training. Such visitors usually require the permission of the auditee to attend and, although they may comment, they do not directly interfere and should not take time or effort away from the audit itself.

Collecting and verifying information

This is an activity very much based on personal skill, so while there is a lot to cover, the standard is able to offer little in the way of specific requirements. Much of this element is described in the standard by tables and simple diagrams. The steps given are:

  1. Identify the sources of information (including information on interfaces between functions).
  2. Collect data by sampling and verify it (the standard gives interviewing, observation and document review as methods of data collection).
  3. Evaluate the information against the audit criteria.
  4. Review the analysis.
  5. Reach conclusions.

The standard emphasizes that audits can only be based on a sample, that sampling introduces an element of uncertainty and that this uncertainty must be understood by everybody involved.
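The uncertainty the standard refers to can be put in numbers, which helps when agreeing sample sizes with the audit client. The following Python snippet is an added illustration, not part of ISO 19011 or of the original text. It assumes the auditor draws a simple random sample of records (change records, access approvals, inspection records, or similar) without replacement from a population of known size, and asks how likely the sample is to contain at least one non-conforming record. All population and defect figures in it are constructed for illustration.

```python
"""Audit sampling uncertainty: what confidence does a sample of records give?

Added example, not part of ISO 19011. Model: N records in the population,
K of them non-conforming (unknown to the auditor), n drawn at random without
replacement. The chance that the sample contains none of the K records is
hypergeometric:  P(miss) = C(N-K, n) / C(N, n).
"""
from math import comb


def p_detect(population: int, nonconforming: int, sample: int) -> float:
    """Probability that a random sample of `sample` records contains at
    least one of the `nonconforming` records (1 - P(miss))."""
    if sample > population or nonconforming > population:
        raise ValueError("sample and nonconforming must not exceed population")
    if nonconforming == 0:
        return 0.0
    if sample > population - nonconforming:
        return 1.0  # sample larger than the conforming pool: must hit one
    p_miss = comb(population - nonconforming, sample) / comb(population, sample)
    return 1.0 - p_miss


def min_sample_for_confidence(population: int, nonconforming: int,
                              confidence: float) -> int:
    """Smallest sample size that finds at least one non-conforming record
    with probability >= `confidence`, if `nonconforming` of them exist."""
    for n in range(1, population + 1):
        if p_detect(population, nonconforming, n) >= confidence:
            return n
    return population


if __name__ == "__main__":
    # Constructed figures: 1000 records, auditor suspects a 5% defect rate.
    N, K = 1000, 50
    print(f"population={N}, assumed non-conforming={K}")
    for n in (10, 20, 40, 60):
        print(f"  sample of {n:3d}: P(detect at least one) = {p_detect(N, K, n):.3f}")
    for conf in (0.90, 0.95, 0.99):
        print(f"  {conf:.0%} confidence needs a sample of "
              f"{min_sample_for_confidence(N, K, conf)}")
```

The point for the auditee and the audit client is the one the standard makes: a sample of twenty records out of a thousand, with a 5% non-conformity rate, has roughly a one in three chance of finding nothing at all, so "no non-conformities found" is a statement about the sample, not a proof that the population is clean. Tightening the confidence target raises the sample size quickly, which is the trade-off that planning and scheduling must absorb.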

ISO 19011 offers the advice that sources of information will vary from one audit to another. As guidance, the following possible sources are suggested:

  • interviews with employees and others
  • observations of activities and the surrounding environment and conditions
  • documents, such as policy, objectives, plans, procedures, standards, instructions, licences and permits, specifications, drawings, contracts and orders
  • records, such as inspection records, minutes of meetings, audit reports, records of monitoring programmes and the results of measurements
  • data summaries, analyses and performance indicators
  • information on the auditee’s sampling programmes and on procedures for the control of sampling and measurement processes
  • reports from other sources, for example, customer feedback, other relevant information from external parties and supplier ratings
  • computer databases and web sites.

The standard states that interviewing is one of the key data gathering tools and needs to be tailored to the person being interviewed. In recognition of the personal and sensitive nature of interviews, the following tips are offered:

  • Interviews should be held with people from appropriate levels and functions performing activities or tasks within the scope of the audit.
  • Interviews should be conducted during normal working hours and, where practical, at the normal workplace of the person being interviewed.
  • Every attempt should be made to put the person being interviewed at ease prior to and during the interview.
  • The reason for the interview and any note-taking should be explained.
  • Interviews can be initiated by asking people to describe their work.
  • Questions that bias the answers (leading questions) should be avoided.
  • The results from the interview should be summarized and reviewed with the interviewed person.
  • The interviewed people should be thanked for their participation and cooperation.

Generating audit findings

The standard then discusses audit findings. These could include areas of verified conformity (especially if the objectives of the audit specifically include verification that the organization or area being audited is conforming to certain requirements), areas of non-conformity and, if appropriate to the audit, areas representing opportunities for improvement. Where conformity is recorded, this should include reference to the locations, functions and processes audited. Where non-conformity is recorded, this should include supporting evidence. The standard also says that all findings should be reviewed with the auditee to ensure that the evidence is accurate and to resolve or note any divergent opinions. Categorization of findings is allowed for, if appropriate to the audit.

Preparing audit conclusions

At the end of the investigation, the audit team should review their findings to determine the conclusions that will be presented. Even where the audit team comprises only one person, there still needs to be a period of quiet reflection prior to the feedback session (see ‘Conducting the closing meeting’ below). The purpose of this is to finally agree upon findings, to agree any conclusions or recommendations (if such are called for) and to determine what follow-up may be needed.

Conducting the closing meeting

The closing meeting is chaired by the audit team leader and is attended by the audit team and suitable auditee representatives. The purpose of the meeting is to explain the findings, conclusions and recommendations. In simple audits there may be nothing more than a verbal explanation of the findings, whereas others may be full, formal minuted affairs. Again, the standard suggests that any differences of opinion should be resolved; where this is not possible, the differences should be recorded as part of the meeting notes.

Preparing, approving and distributing the audit report

The standard starts by explaining that the audit team leader is responsible for preparing the report. Suggested contents and/or references are:

  • what was audited, including the organization/area and scope
  • details of the audit client
  • audit team details
  • dates and locations of the audit investigation
  • audit criteria
  • audit findings (which may be summarized in the body of the report if they are reported separately elsewhere)
  • conclusions
  • audit plan
  • people contacted within the auditee organization
  • audit process
  • problems encountered that may have an impact on the reliability of the results
  • achievement of the audit objectives
  • areas within the scope but not covered
  • improvement recommendations
  • follow-up plans and arrangements
  • a confidentiality statement
  • distribution list for the audit report.

The audit report should be prepared, reviewed, approved and distributed within a defined time from the end of the investigation. ISO 19011 states that the report is the property of the audit client (note that it is not, unless they are one and the same, the property of the auditee). The report should, of course, remain confidential.

Completing the audit

The audit is complete when all auditing activities are done and the report is distributed. At this stage unwanted working documents are destroyed and the remainder of the audit records are suitably stored so as to respect their confidentiality.

The standard points out that audit documents should not be disclosed to any other parties without suitable agreement and approval or where it is a formal requirement (e.g. a legal requirement to hand over evidence or an audit of a third party certification body by an accreditation agency).

Conducting audit follow-up

Follow-up is not necessarily an integral part of the audit. The audit client does need to ensure that the auditee has taken any agreed actions within an appropriate timescale, but this can be verified by a variety of means. One of these may be by a follow-up audit, or it could be that they will be verified as part of a subsequent full audit.

The standard offers the advice that using the original audit team to verify completion of actions can be a good idea since they have suitable experience and expertise. However, maintaining independence and impartiality needs to be taken into account in such cases.

Competence and evaluation of auditors

The final main section of the standard gives details of the key resource needed for good auditing – the auditors themselves. The success of the audit depends upon the competence of the auditors; competence in turn is demonstrated through personal attributes and the ability to apply knowledge and skills, all of which are discussed in further paragraphs. A diagram is given showing that skills are acquired through a mixture of education, work experience, audit experience and audit training. It is suggested that methods of evaluating auditors should be employed; this is also discussed later in the standard.

Personal attributes

Auditors should possess key personal attributes, in that they should be:

  • ethical – fair, truthful, sincere, honest and discreet
  • open-minded – willing to consider alternative ideas or points of view
  • diplomatic – tactful in dealing with people
  • observant – actively aware of physical surroundings and activities
  • perceptive – instinctively aware of and able to understand situations
  • versatile – adjusts readily to different situations
  • tenacious – persistently focused on achieving objectives
  • decisive – reaches timely conclusions based on logical reasoning and analysis
  • self-reliant – acts and functions independently while interacting effectively with others.

Knowledge and skills

This is an extensive section effectively listing a wide range of required knowledge and skills in four areas. Since the list is fairly self-explanatory, here it is:

Audit principles
  • application of audit principles, procedures and techniques
  • planning and organizing work effectively
  • conducting the audit within the agreed timescale
  • prioritizing and focussing on matters of significance
  • collecting information through effective interviewing, listening, observing and reviewing documents, records and data
  • understanding the appropriateness and consequences of using sampling techniques for auditing
  • verifying the accuracy of collected information
  • confirming the sufficiency and appropriateness of audit evidence to support audit findings and conclusions
  • assessing those factors that can affect the reliability of the audit findings and conclusions
  • using work documents to record audit activities
  • preparing audit reports
  • maintaining the confidentiality and security of information
  • communicating effectively, either through personal linguistic skills or through an interpreter.

Management system and references
  • applying management systems to different organizations
  • understanding the interaction between the components of the management system
  • familiarity with quality (and/or environmental) standards, procedures and other management system documents
  • recognizing differences between and priority of the reference documents
  • applying the reference documents to different audit situations
  • knowledge of the use of information systems and technology for authorization, security, distribution and control of documents, data and records.

Organizational situations
  • organizational size, structure, functions and relationships
  • general business processes and related terminology
  • cultural and social customs of the auditee.

Laws and regulatory requirements
  • local, regional and national codes, laws and regulations
  • contracts and agreements
  • international treaties and conventions
  • other requirements to which the organization subscribes.

General knowledge and skills of audit team leaders

In addition to the knowledge and skills required of auditors, those leading the audit (again, this applies even if the audit team comprises just one person) will need additional skills to enable them to manage the audit effectively. These are:

  • planning the audit and making effective use of resources during the audit
  • representing the audit team in communications with the audit client and auditee
  • organizing and directing audit team members (in teams of more than one)
  • providing direction and guidance to auditors in training
  • leading the audit team to reach the audit conclusions
  • preventing and resolving conflicts
  • preparing and completing the audit report.

Specific knowledge and skills of systems auditors

The standard describes sets of skills needed specifically by those auditing quality and environmental systems. The standard aims to cover both types of audit but here differentiates the technical skills needed. Since we are concentrating on quality audits here, I have only listed the requirements for quality auditors (although in Chapter 7 I describe the requirements for auditors who cover both).

Quality system auditors are required to have:

  • knowledge of quality related methods and techniques, including terminology, quality management principles and their application, common quality tools and their application;
  • knowledge of processes and products in the audited organization, including sector-specific terminology, technical characteristics and sector-specific processes and practices.

Education, work experience, auditor training and audit experience

ISO 19011 states, quite rightly, that an auditor should have appropriate levels of education, work experience, auditor training and audit experience. These should be in the areas of:

  • the required knowledge and skills described earlier;
  • work experience in a position that involves the exercise of judgement, problem solving and communication with other managerial or professional personnel, peers, customers and/or other interested parties;
  • work experience in the quality management field (or the environmental field for environmental auditors);
  • suitable auditor training;
  • experience in carrying out audits, gained under the guidance of a qualified audit team leader.

The levels of each of these are not specified, although the standard does address this in two ways. First, it states that the levels should be judged as part of the auditor evaluation process described later. Second, it offers a table of example levels for each element. For a quality auditor these are:

  • completed secondary education (i.e. up to the stage of university or similar entrance but not necessarily at graduate level);
  • total work experience of five years, at least two of which should be in quality management;
  • a minimum of forty hours of audit training;
  • four complete audits, covering the entire audit cycle and occupying at least twenty days.

This is approximately what is applied to most third party auditors, although the majority of second party and internal auditors would not have had the required forty hours of audit training (and if they had, it would have meant that they had probably attended the five-day lead third party assessor course and I would argue that they had been inappropriately trained). The standard does, however, say that these levels will vary according to the needs and nature of the audit programme.

Audit team leaders should have gained further experience, acting as a team leader of a team of more than one, possibly under the guidance of a suitably experienced, qualified team leader. The example given for this is a further three audits as leader, occupying at least fifteen days.

Maintenance and improvement of competence

Auditors are expected to ensure that they pursue continual professional development. What this is and how much is done will depend upon the nature of the audit programme. It can include:

  • additional work experience
  • further training
  • private study
  • coaching
  • further educational study
  • attendance at meetings, conferences and seminars.

To keep their skills up to date, ISO 19011 also suggests that auditors should regularly participate in audits. Again, there is no specification of how many this should be.

Auditor evaluation

Auditors should be evaluated to ensure that they are competent and to identify any needed training and skill enhancement. Evaluation should take place to determine their initial suitability to be auditors, their suitability to participate in a particular audit (for example do they have adequate understanding of the processes that they will audit) and on an ongoing basis to identify needs to maintain and update their skills and knowledge.

A number of steps are suggested in the evaluation process:

  1. Think about what is needed to audit within the context of the audit programme.
  2. Translate this into a set of criteria for auditors and team leaders.
  3. Choose the methods of evaluation, such as records review, examining feedback on their audit work, interview, observation, testing and post-audit review, bearing in mind that the most appropriate combination of methods should be chosen and that the various methods differ in their reliability.
  4. Conduct the evaluation. Where the criteria are not met, further development and training should take place, after which a re-evaluation should take place.

Summary

  • ISO 19011 is a distant member of the ISO 9000 family in that it defines quality system audit guidelines.
  • It also covers environmental audit.
  • It is intended to cover all types of audit, including first, second and third party.
  • Much of its content is most appropriate to third party, certification audits.
  • Its contents include principles, management, general audit requirements, audit activities and auditor competence.