ISO 19011 is an internationally recognized standard for auditing management systems, for example quality management systems according to ISO 9001 or information security management systems according to ISO 27001. It is applicable to all organizations and companies that perform internal and/or external audits of management systems or are responsible for managing an audit program.


ISO 19011 - What is the essential content?

With the ISO 9001:2015 quality standard, a number of new management aspects have found their way into the strategy of companies - terms such as "process orientation" or "risk-based approach" are now part of everyday work. Of course, this also called for ISO 19011, the world's definitive guide to auditing management systems, to be adapted to this development.

In the sense of a continuous improvement process, the planning, execution and follow-up of audits are to be evaluated regularly. The standard provides guidance on auditing a management system, audit principles, managing and conducting an audit program, and assessing the competencies of those who are part of the audit process. Also worth reading are the small guides in the appendix of the standard that address these areas:

  • Process Approach to Auditing
  • Auditing leadership and commitment
  • Auditing risks and opportunities
  • Life cycle
  • Professional judgment
  • Performance results
  • Auditing compliance within a management system

ISO 19011:2018-10 | Guidance on auditing management systems. The standard is available from the ISO website.

ISO 19011 - Universal instrument for the implementation of audit competence

The international guideline DIN EN ISO 19011:2018 contains advice and guidance on auditing any type of management system. Among other things, the guidelines refer to the management of audit programs, the implementation of internal audits and supplier audits, and the qualification and assessment of auditors.

The guidelines can be applied by organizations of all types and sizes, with a focus on first- and second-party audits (internal audits and supplier audits). However, the guide is also extremely useful for external auditors in the certification industry, although it is not mandatory. It can be used for all management systems such as ISO 9001, ISO 14001, ISO 27001, ISO 45001 and ISO 50001 as well as their processes - also for integrated management systems.



The core topics of ISO 19011


The risk-based approach

The risk-based approach considers risks and opportunities and significantly influences audit planning, execution and reporting. Risks include, for example, not providing enough qualified auditors to meet audit objectives. Opportunities also play a role, for example auditing current management issues with a view to implementing restructuring in the organization or dealing with the GDPR.

The idea behind this is to focus the audits more on the topics that are relevant for the client and for achieving the goals of the audit program.

ISO 19011 - Managing the audit program

This chapter of the standard focuses on what ultimately matters when conducting audits:

"Audits serve not only to confirm conformity, but also, and more importantly, to further develop the organization and its processes."

The reference is therefore strongly to the strategic direction of the organization: its context, its objectives, and the identified risks and opportunities. The application of a process approach is a prerequisite for all management system standards, so all relevant processes and their interactions must be audited. Those commissioning the audits (for example, top management) in particular should be aware of this so that clear assignments can be made.

Appropriate audit planning should take into account, among other things, the following:

  • Complexity of the company and processes
  • Locations, with special features if applicable
  • Spin-offs
  • Information security and confidentiality requirements

In practice, it is already common today to make the planning for the audit program more flexible rather than fixing it, for example over 3 years. Processes with higher risks or lower performance levels should be selected, and current company issues should be accompanied by audits.

ISO 19011 - Conduct an audit

The risk-based approach should significantly influence the planning, execution and reporting of audits, especially with regard to the efficiency of audit activities, the achievement of audit objectives and the evaluation of findings related to risks and opportunities. Audit objectives are nothing new in the standard. In practice, however, they are often not used sufficiently, although they provide the common thread for the audit in addition to the audit criteria.

Audit objectives should focus on

  • the maturity of the management system, the processes and other audit criteria
  • the effectiveness of the management system and its intended results, for example with reference to the process objectives
  • the identification of opportunities for potential improvement, for example with regard to efficiency and digitalization
  • the suitability, appropriateness and capability of the management system in relation to the (changing) context and strategic direction.

ISO 19011 - planning and conducting internal audits differently

Internal audits are not always appealing from the point of view of those involved. However, there are numerous approaches in ISO 19011 to carry out internal audits differently. With different approaches to audit planning, new audit objectives and alternative methods, internal auditors can achieve amazing results - and create a positive expectation of the audit.

ISO 19011 - Remote audits

The ISO 19011:2018 guide also takes a look at digitalization. On the one hand, this concerns the audit itself, in which a tablet or notebook is increasingly used. However, these devices must be checked carefully to see whether they are efficient for the audit process, for example in terms of writing and voice recognition, photos or videos (with consent).

The use of remote audits must always be carefully considered, as not every situation can be adequately assessed at a distance. For example, relevant documents may not be viewed appropriately. And often it is the small things, the environment of a workplace or individual work steps in production, that are necessary for an adequate assessment.

ISO 19011 - Competence of auditors

The standard specifies that the competence of those involved in the audit process be assessed in audits according to ISO 19011, for example with regard to sufficient (overall) competence in the audit team or the accompaniment of experts. This competence also covers skills such as the use of audit methods, the understanding and application of the process- and risk-oriented approach in the audit, or the type and degree of risks and opportunities, i.e., not just pure knowledge and skills.

Communication skills are also required, for example effective collaboration, self-confidence, confident behavior in the event of disagreements, questioning techniques, for example with open and closed questions, and of course the confident use of information and communication technology.

Audit team leaders must also be able to delegate, i.e., assign audit tasks according to the specific competence of individual auditors. They must be able to audit management, i.e., discuss strategic issues, including risks and opportunities, with top management. And they must be able to lead, i.e. guide and direct the members of the audit team, including auditors in training - in short, they must be a role model.

How to manage audits competently with ISO 19011 - Conclusion

The ISO 19011 guide is an excellent fit with current management system standards. Due to the strategic reference, clear audit objectives are formulated in order to further increase the audit benefit. Findings refer not only to conformity, but also to the potential for improvement and best practices.

In practice, this is not always self-evident. Therefore, use the guide as a source of impetus for your audit process, for methods and for the required audit competence.

Expertise and Trust

Since its foundation in 1985 as the first German certifier of management systems, DQS has been committed to the sustainable success of its customers. With value-adding audits and customer-oriented concepts, we accompany organizations all the way to business excellence.

In addition to the assessment according to individual management system standards, the combined, simultaneous auditing of fully integrated management systems offers you numerous opportunities. The cross-thematic assessment makes use of synergies and at the same time identifies interactions as well as contradictions between the different subject areas.

In connection with ISO 19011, we also offer second-party audits as a service, for example as supplier audits.

In order to increase the benefits for our customers, we focus on their multiple qualifications in the selection and further training of our auditors: DQS auditors cover at least three sets of rules on average. Take us at our word. We look forward to talking to you. Contact us.

Christian Ziebe

Expert for Service Excellence, DIN SPEC 77224 and ISO 9001 with extensive experience in the financial services sector, including project and complaint management, EFQM assessor and regional head for Frankfurt of the German Society for Quality (DGQ).