ISO 19011: Auditing strength
Nigel Leehane looks at whether the revised guidance in ISO 19011 will help to improve EMS audits
The publication at the end of last year of the revised ISO 19011 guidance standard on auditing management systems modified existing auditing approaches and introduced new ones. An article in the January issue of the environmentalist examined the revised standard’s treatment of risk-based auditing and auditor competence.
Other significant developments include the greater emphasis given to audit programme management and the introduction of guidance for selecting audit methods, including remote auditing.
This second part of our review of the updated 19011 considers the practical implications of the revisions, specifically for environment auditors, although it could equally apply to the auditing of a management system for health and safety or quality, for example.
Improvements to audit programmes
External auditors often raise the issue of nonconformity or make other criticisms of internal audit programmes, on the basis that they:
- simply do not exist;
- have not been implemented;
- are only partially completed;
- are under-resourced; or
- fail to focus on significant aspects.
These failings are often indicative of weaknesses in the organisation’s procedures for planning and implementing the audit programme. However, they may also result from ineffective allocation of responsibility for managing all elements of the audit programme. The revised 19011 attempts to address these potential deficiencies.
Although the original version provided substantial guidance for audit programme management, much of it retained in the revision, it placed more emphasis on the role of the auditor, potentially to the detriment of effective programme management.
There was only one reference, for example, to the allocation of responsibility for audit programme management to an individual. In large part this was due to the desire not to create an explicit post of audit programme manager, and an additional cost burden to organisations.
The 2011 revision also avoids creating a new post, with the clumsy phrase “the person responsible for managing the audit programme” being used repeatedly. However, this is an important development, emphasising the need for an individual to take responsibility for all aspects of audit programme development, delivery and improvement. This is a positive step, and should be helpful to users of 19011.
The revised standard also defines more clearly some of the responsibilities for audit programme management, which in the 2002 version were set out in the “audit activities” rather than the “managing an audit programme” section.
The 2011 version establishes a far clearer distinction between the responsibilities for “managing an audit programme” and “performing an audit”, which is the remit of the auditor.
Managing the programme now includes responsibility for determining the feasibility of individual audits, selecting the audit team and distributing the audit report. It also contains responsibility for:
- defining the objectives, scope and criteria for individual audits;
- selecting the audit methods;
- assigning responsibility for individual audits, and briefing the audit team leader; and
- ensuring audit reports are reviewed and approved, and that corrective and preventive actions and reports are communicated to senior management.
This clear allocation of responsibility to a single point should ensure that the audit programme reflects organisational objectives and risks, and is better planned, and that individual audits are more effective, with auditors understanding their objectives and having adequate resources.
Selecting audit methods
The revised standard advises that appropriate audit methods should be selected, taking account of the audit objectives, scope and criteria.
A new Annex B of additional guidance includes a classification of four categories of audit method, based on location and degree of interactivity between the auditor and auditee. These are:
- on-site, interactive – involves the traditional face-to-face interaction of the auditor and auditee;
- on-site, non-interactive – could involve document review or observation of activities;
- remote, interactive – comprises telephone or video conference; and
- remote, non-interactive – involves viewing video or inspecting web-based records.
The appropriate audit type should be selected for a given situation. In many cases, the traditional on-site approach will be favoured, as this method is applicable for a broad range of audit objectives, scopes and criteria. Both interactive and non-interactive methods may be included in a single site-based audit.
Remote methods (see below) have limitations and may impose constraints. Increasingly reliable and sophisticated information and communication systems provide a range of tools that can be applied in remote audit situations, including web-hosting of data, real-time transmission and reception of video footage, and telephone and video conferencing.
However, basic technological limitations, such as low bandwidth, may restrict the transmission of data, making access to documentation slow and preventing the use of video streaming. Even where there are no technological failures, the mere use of the technology can restrict the ability of the auditor to develop reliable findings.
Difficulties posed for auditors include the following:
- Establishing a relationship with auditees in interviews by telephone or video conferencing. It may be harder to gain the trust of auditees and therefore elicit useful and reliable audit evidence.
- Ensuring that the auditee clearly understands the auditor’s aims and questions, and equally that the auditor understands the responses. Nuances can be lost in remote situations.
- Finding documents and records in remote systems when there is no auditee to provide direction.
- Ensuring that remote video footage captures all relevant activities and views.
- Being unable to deviate from the remote audit plan, making it hard to follow up new trails and find corroborative evidence.
Many of these difficulties can be overcome or minimised by developing remote audit protocols, training auditors in the application and pitfalls of remote audit methods, and providing guidance and support to auditees.
Although remote audits can be effective in reducing auditor time on-site, time spent travelling and the associated CO2 emissions and costs, the potential risks must not be overlooked.
Before selecting remote methods, consideration should be given to the resultant risks to achieving the objectives of both individual audits and the audit programme itself. This is the responsibility of the person managing the audit programme.
Effective audits?
The improved and practical guidance in the revised 19011 standard should help organisations develop audit programmes better focused on risk, and with greater emphasis on planning the delivery of audits.
In combination with the use of new audit methods, organisations should enjoy the benefits of a more efficient and effective audit programme that genuinely adds value.
Using remote audits
Remote methods can be applied in the context of risk-based auditing, where a particular activity with significant aspects warrants additional audit effort. An example is fuel storage at sites across a multinational organisation.
Rather than incur the cost of a substantial number of audit visits, it may be feasible to undertake more frequent remote audits by using video footage of the storage facilities; interviewing fuel-storage staff by telephone or video conferencing; and reviewing facility fuel-handling procedures, staff training records, and inspection and maintenance records via the internet.
The findings of these remote audits could be confirmed by less frequent comprehensive site audits.