Published: 1 Nov 2016

Richard Green explains crucial changes to ISO 19011 and ISO/IEC 17021-1 and reveals what this will mean for the quality profession.

Two of the principal standards underpinning the world of management system audit are currently in the process of revision. The good news is that the CQI, as a Category A Liaison to the technical committees developing the new revisions, will be present at the negotiating table.  

ISO 19011:2011 – ‘Guidelines for auditing management systems’ is primarily aimed at those conducting first or second party audits – sometimes referred to respectively as ‘internal audits’ and ‘supplier audits’.

It starts by outlining the principles of auditing, which are essentially the value set on which management system audits must be based. These include integrity, fair presentation (of audit results), due professional care, confidentiality, independence and an evidence-based approach.

ISO 19011:2011 then provides guidelines for managing audit programmes, including programme creation, implementation, review and revision. Next it addresses how audits are performed. This encompasses how audits are planned, conducted, reported and followed up. Finally, it considers the competence and evaluation of auditors. If you have ever wondered where that list of desirable auditor personal behaviours comes from – acting ethically, diplomatically, tenaciously, decisively and so on – look no further than ISO 19011.   

On 7 November representatives of Project Committee 302 will meet for a week in Orlando, the US, to work on the next iteration of this standard. A design specification has already been produced which confirms that while the overall purpose of the standard is unlikely to change, the contents will be refreshed to consider developments such as increased integration of management systems, the evolving role of IT on audit practices, addressing complex business structures, managing audit risk and adding value to audit programmes. 

The second of the two standards currently under review is a member of the ISO/IEC 17021-X series which details requirements for bodies providing audit and certification of management systems – typically certification bodies carrying out third party (or external) assessments.

ISO/IEC 17021-1 is the foundation of this series. It covers audit principles, general requirements around contracts and liability, structural requirements relating to the certification body and top management, as well as resource requirements relating to auditor competency and outsourcing. It also includes information requirements relating to management of certification documents and protection of confidentiality, process requirements relating to planning, conducting and reporting of third party audits, and management system requirements relating to the certification body's own management system.

While ISO/IEC 17021-1 provides generic requirements, other members of the series include additional requirements specific to particular ‘flavours’ of management system. It is ISO/IEC TS 17021-3, which details additional competence requirements for auditing and certification of quality management systems, that the CQI is currently feeding into.

With more than 1.2 million ISO 9001 certificates issued worldwide, any change in the way certification bodies audit and certificate quality management systems will have a far-reaching impact, not just for the certification bodies but also for their clients.

The CQI recently ran a survey inviting our quality management system (QMS) auditors to comment on several of the proposed amendments. A total of 90 responses were received and the results appear below.

Among those who responded to the survey, there was general support for the direction ISO/IEC TS 17021-3 is taking. This was consistent with the result of the ISO vote on the Draft International Standard (DIS). This closed on 11 October and revealed 97% of participating members had voted to approve it.

Despite this overwhelming support, more than 200 comments were received on the draft and ISO procedures dictate that each of these is individually reviewed. A second meeting will be held in Geneva, Switzerland, later this month for this purpose.

So what are the implications of these changes for CQI members? Changes to ISO 19011 impact all IRCA auditors, irrespective of the schemes they are registered to or their current grade, because the standard provides the very foundation for management system audit. It underpins all IRCA training courses, shaping both their structure and contents. The behaviours it champions are also echoed in the CQI Code of Conduct. Everyone practising audit as a profession should therefore endeavour to keep abreast of how ISO 19011 evolves.

ISO 19011 is used by organisations to define, develop and manage their internal audit programmes as well as supplier/contractor audits. Those entrusted with managing these functions within their organisations similarly need to be mindful of any changes and how these may impact their current audit methodology.

The changes to ISO/IEC TS 17021-3 will primarily impact certification body QMS audit teams and, by association, their clients’ organisations.

The required skills and knowledge (competency) for QMS audit teams are set to change, reflecting the changes brought into ISO 9001:2015 resulting from the adoption of Annex SL. These revised competency requirements were anticipated by the CQI and incorporated into the design criteria for CQI’s approved ISO 9001:2015 transition training courses. As a result, those who have completed IRCA QMS Transition Training will be well positioned when the new version of ISO 17021-3 is published early next year. Those who have not yet transitioned should consider doing so in order to elevate their individual competence to the level demanded in the new requirements.

Richard Green, CQP MCQI, is the CQI representative for ISO 17021-3, ISO 19011 and ISO 45001 and managing director of Kingsford Consultancy Services.