Auditing Standards ISO 19011 v. ISO/IEC 17021-2

When ISO 17021-2 is published, will ISO 19011 be needed? This blog article explains the differences between the two auditing standards and an update on the current revision of ISO 19011.
ISO is an organization that develops, produces and provide technical standards to encourage standardisation. You might well ask yourself how there can be two working groups developing separate standards relating to auditing competency:

• ISO 19011
  
• ISO/IEC 17021-2
  

The simple answer is that ISO/IEC 17021-2 is a requirements standard intended for use by accreditation bodies to assess management systems certification bodies while ISO 19011 provides guidelines for first-, second- and third-party auditors for auditing management systems. Thus ISO 19011 identifies best practice and provides information on what should be done in carrying out an audit without specifying how it must be done.
How then are the two standards going to be used, whether separately or together? The third-party certification industry will use ISO 17021-2 to define requirements for audits and audit arrangements and accreditation bodies will determine whether a certification body’s auditing arrangements and activities comply with those requirements. Those developing ISO 19011 hope that enlightened people involved in third-party certification will also use the guidance standard to continue to develop their auditors, programmes and the audit process.
The ‘New’ ISO 19011
At the same time as ISO 17021-2 is being developed, the working group charged with reviewing ISO 19011 has been revising the standard. The main changes from the 2002 edition include an extension of the standard’s scope of application from quality and environmental management systems to all types of management systems auditing.
Continuing the development of management systems standards for health and safety, food and information security, for example, means that ISO 19011 must be able to accommodate differing requirements while still providing useful guidance. One phrase that has been used many times in the development process is: ‘An audit is an audit, is an audit.’
The revision will include an enhanced section 7 of the main standard which deals with auditor competence. The section covers:

• Behavioural aspects, such as generic knowledge and skills
  
• Discipline or sector-specific skills
  
• Evaluation and maintenance of competence.
  

An additional annex will provide standard specific guidance for auditor competence for quality, environment, occupational health and safety, security, preparedness and continuity, transportation safety and records management. For each standard the competence requirements are broken down into:

• Systems and principles
  
• Legal requirements
  
• Techniques used within the discipline
  
• Terminology and technology
  
• Sector- or organization-specific knowledge
  

A further annex provides examples of a process for evaluating auditor competence for combinations of management system standards in various sectors. The ISO working group developing ISO 19011 is encouraging more management systems standards committees within ISO to produce their own sector-specific guidance on competence before the next scheduled working group meeting in December 2010.
Risk-based auditing will be acknowledged for the first time in the revision. While the topic is not dealt with as a separate issue, the standard emphasizes the need to assess what an organization does and, by extension the significant risks associated with its activities in developing an audit programme, audit plans and in selecting competent auditors.
Integrated audits are also covered in sections five and seven, but without any specific guidance as to how an integrated audit differs from an audit of a system designed to meet one management system standard.
Annex C now includes further guidance on the use of alternative audit methods such as remote audits as part of a programme, more on the audit process and help in the use of audit sampling. The section on judgemental sampling even includes an attempt to capture the ‘auditor’s nose’ that many have seen in action where an experienced auditor uses their knowledge and skills and chooses the single record that contains a nonconformity from the hundreds available to select.
The revised ISO 19011 has been updated and restructured throughout to reflect changes to the auditing profession over the last eight years, but there is still extensive duplication between sections. For example, guidance for audit methods is mentioned in nine separate sections and has a whole annex of its own. It depends on your point of view as to whether having all the information available in one section at the expense of this duplication works well.
At the working group’s last meeting in Mexico, it dealt with more than 200 pages of comments from national standards bodies and produced the draft international standard that is currently being reviewed and commented on. From this point on it becomes more difficult to make substantive changes to the standard but the working group can still refine the text.
Publication of the revised standard is planned for late 2011.