ISO 19011 is a set of guidelines for auditing management systems. It is an international standard to help organizations perform these audits. 

ISO 19011 is designed to advise organizations on how to prepare audit programs for auditing their management systems, such as their environmental management systems, quality management systems, and risk management systems.

However, ISO 19011 is not a set of requirements that a company has to follow step by step, as an organization can’t become ISO 19011 certified. Rather, an organization should adopt ISO 19011 guidance as appropriate to suit the specific needs and requirements of the particular audit program. 

ISO 19011 differs from ISO 9001, the international standard that specifies requirements for quality management systems: ISO 9001 is the only standard in the ISO 9000 series to which organizations can certify.

What is the latest version of ISO 19011?

In its ISO 19011:2018 – Guidelines for Auditing Management Systems, the International Organization for Standardization (ISO) defines an audit as “[the] systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.”

That means that an auditor or audit team looks at what a company is doing, collects evidence, and compares that evidence to the controls the organization is supposed to be carrying out.

In terms of ISO standards, there are two main types of ISO audits:

  • Internal audits (first-party audits)
  • External audits (second-party and third-party audits)

ISO 19011, which specializes in first-party and second-party audits, is targeted to individual auditors as well as larger audit teams that conduct comprehensive enterprise audits.

Internal audits are conducted by the company itself. These internal audits generally focus on evaluating effectiveness, determining conformity, and identifying areas that could be improved. Although a company may do a first-party audit to prepare for a third-party audit, a first-party audit never results in an ISO certification.

External audits include second-party and third-party audits. A second-party audit is usually performed at the request of a customer (or a company contracted to act on the customer’s behalf) on a supplier of products or services. 

A third-party audit is conducted by an independent organization that has no vested interest or conflict of interest in the company being audited, such as those organizations that provide certification.

ISO 19011 contains three important sections pertaining to auditing management systems:

  • How to manage an audit program
  • The seven principles of auditing
  • Approaches for evaluating the competence of auditors

ISO 19011 also focuses on applying the principles of continuous improvement to an audit program. These include ensuring that the audit program’s objectives align with the main objectives of the business and that the needs and best interests of customers and other stakeholders are prioritized.