General guidance for auditing management systems revised

Third edition of BS EN ISO 19011 published in July 2018

The third edition of BS EN ISO 19011, Guidelines for auditing management systems, replaces the previous edition that was published in 2011. While BS EN ISO/IEC 17021-1 provides requirements for auditing management systems for third-party certification, BS EN ISO 19011 concentrates on:

  • internal audits (called ‘first party audits’); and
  • audits conducted by organizations on their external parties (called ‘second party’ or supplier audits).

BS EN ISO 19011 presents a broad approach to management system auditing that can be applied across a range of management systems, such as quality, environment, health and safety, and information security. It is intended to apply to a broad range of potential users, such as auditors and organizations either implementing management systems or needing to conduct management system audits of their suppliers. BS EN ISO 19011 provides guidance on the management of an audit programme, on the planning and conducting of management system audits, as well as on the competence and evaluation of an auditor and an audit team.

Auditing relies on a number of principles that are set out in the guidance. The principles laid down in BS EN ISO 19011 are:

  1. Integrity;
  2. Fair presentation in reporting truthfully and accurately;
  3. Due professional care applying diligence and judgement;
  4. Confidentiality;
  5. Independence;
  6. Evidence-based approach to reach reliable and reproducible conclusions;
  7. Risk-based approach that considers risks and opportunities.

These principles are intended to:

  • make the audit effective and reliable;
  • support an organization’s policies and controls;
  • provide audit information that can be used to improve performance;
  • provide relevant audit conclusions; and
  • enable auditors to reach similar conclusions in similar circumstances even when working independently.

The main differences compared to the previous edition are:

  • adding the risk-based approach to the principles of auditing;
  • expanding guidance on managing an audit programme, including audit programme risk;
  • expanding guidance on conducting an audit, particularly the section on audit planning;
  • expanding the generic competence requirements for auditors;
  • removing the competence requirements for auditing specific management system disciplines because it would not be practical to include competence requirements for all disciplines given the number of individual management system standards;
  • updating terminology;
  • expanding the additional guidance for auditors planning and conducting audits in Annex A of the standard to provide guidance on auditing concepts such as organization context, leadership and commitment, virtual audits, compliance and supply chain.

BS EN ISO 19011:2018 presents best practice in auditing management systems including practical experience gained across many different management systems. The guidance can help you improve your internal and supplier audit processes. Resources available from the Medical Devices Single Audit Program (MDSAP) and new European Regulations can supplement this guidance on aspects of regulatory audits of a quality management system. There are further resources on the BSI website that can help develop your knowledge and skills in auditing.

 

Author: Eamonn Hoxey, of E V Hoxey Ltd, UK, is a writer, trainer and consultant on a range of life science areas including regulatory compliance, quality management, sterility assurance and standards development

The Compliance Navigator blog is issued for information only. It does not constitute an official or agreed position of BSI Standards Ltd or of the BSI Notified Body.  The views expressed are entirely those of the authors.