Management
Andy Nichols
We may see a new revision to ISO 19011 in the coming year.
ISO 19011: Your Best Friend You Didn’t Know About

Did you know that the International Organization for Standardization has authored some 25803 standards (including other specifications) for organizations to use and that they undergo a regular cycle of review to ensure alignment with user needs? Many quality people know that ISO 9001:2015 is going through the process of being updated and is scheduled to be published sometime in 2026.
Fewer may be aware that ISO 19011 – the guidance for auditing management systems – is also under review and feedback is currently being solicited. [1] Originally numbered as ISO 10011, it was withdrawn and replaced by ISO 19011, which was intended for first- and second-party audit purposes, and by ISO/IEC 17021 for the specific needs of conformity assessment bodies – more commonly known as certification bodies or registrars – and their audits. ISO 10011 was published in part to answer the needs of organizations who were implementing ISO 9001, 9002 or 9003, which were published in 1987 and required internal audits to be performed – but no one really knew what that meant.
In typical organizations (often manufacturing industries) which were implementing ISO 9000 based quality management systems, or a predecessor such as BS 5750 or Mil-Q-9858, the audits which had been experienced were often performed by the customer, an agency on the customer’s behalf or a regulatory body. External audits like these are conducted for one or two specific purposes, none of which really suited the purpose of internal audits. Hence, ISO 19011 was authored in 2002 to provide a framework for implementing what is rarely an institutional function in an organization – unlike the core, value-adding or supporting functions of an organization: the “day-to-day” things which are done.
Caption: The standard provides a systematic approach to sampling without overtaxing resources.
The guidance is provided mainly in three key areas of the “how to” of (internal) auditing:
- Audit program management
- The audit process
- Auditor competence
It’s somewhat paradoxical that, in the thirty years that the guidance has been published, the available training for people wishing to implement internal audits has focused on only one part of ISO 19011 – the audit process – with some references to parts of the rest, such as audit principles. Rarely, if ever, are audit program management or auditor competencies actually covered in the training. This last facet of auditing is hardly given a thought, since many organizations begin the implementation of their audits by selecting candidates to be auditors without actually understanding the entry-level characteristics. Commonly, the first action taken by an organization is to send someone – anyone – to auditor training. But who should an organization select to perform these important checks of the health of the quality management system and report back to the leadership in a way that they’d understand and act on appropriately? Shouldn’t the horse (selecting the person) come before the wagon (training)?
Section 7 of ISO 19011 describes a good deal of the attributes to be found – or developed – in an auditor, including:
- Personal behaviors
- Generic knowledge and skills
- Industry specific knowledge and skills
It then goes on to describe additional attributes which may be suitable for larger organizations which demand an audit team to be managed – the so-called “lead auditor.”
Just as with any other job, competency isn’t a “one and done” event; the guidance goes on to ensure that auditors continue with their skills development, in part through periodic evaluation. Without mentioning specific tools, ISO 19011 does mention the ability to communicate with a wide range of stakeholders as a competency. Furthermore, decision making, problem solving and exercising judgement (critical thinking) are included. We can see that the candidates chosen to perform audits aren’t conjured from thin air. It’s well known that “soft skills” are important in the workplace. Add to this the often-overlooked aspect, which is that an auditor may be communicating something of significance or gravitas regarding the performance of the organization to the leadership. Shouldn’t the auditor have some credibility in their eyes?
Available training comes in a huge variety of formats, from on-line, self-paced offerings to hybrid, instructor-led and in-person instructor-led courses. These can range in duration from a few hours to the popular thirty-six-hour “lead auditor” training course. These tend to teach some of the technical skills, spending time on dissecting ISO 9001 requirements, or the third-party certification process, discussing grading of audit findings and similar arcane features. Clearly, the soft skills aspects are left to the organization to develop.
If the organization has managed to negotiate the difficult path to selecting an appropriate candidate to perform audits, then the first section of guidance – the audit program management aspects – becomes important. An audit program is defined [2] as “one or more audits”. Since ISO 19011 isn’t written exclusively for internal auditors, the authors are aware of its potential use by second-party (supplier) auditors who may be required to audit the supply chain annually. For internal audits, however, an audit program is likely to be a number greater than one. Although a common practice is to schedule audits to an annual calendar, this isn’t what’s actually required. No doubt, there will be some raised eyebrows, but what gets certified and what’s actually required can be at odds with each other. The timing of audits should be determined by the events within the organization and the frequency dictated by the results of those events. If a contract with a new customer has been won, it might be helpful to monitor its progress through the various processes until it is ready for shipment – to provide confidence that something’s not been overlooked.
ISO 9001 specifically alludes to influences which might indicate an internal audit is necessary or just plain useful; that is, because changes affecting the quality management system bring uncertainty (risk). The “importance” of a process should also be considered, which leaves it up to the organization to decide. Clearly, not all processes are equally important when it comes to satisfying customer, regulatory, or internal requirements. What makes them “important”? Ask management! They should be able to give clear insights into the impact of a process on the ability to satisfy these requirements.
Hence, when considering an audit program, consulting with management is a good place to start. This will align the performance of audits with something management is interested in.
We may see a new revision to ISO 19011 in the coming year. It’s already a comprehensive guide and unlikely to change significantly. Any organization looking to get beyond the “Groundhog Day” of doing the same types of internal quality system audits they have always done should buy the new version of ISO 19011 as soon as it is released for publication. Like a good friend, it can be very helpful.
References:
1. Contact the ASQ or a member of TC 302 for details
2. In ISO 19011 and ISO 9000