These principles, when implemented effectively, provide the guidance needed to successfully manage and conduct audits of ISO management systems.

Here are 5 top tips you should implement to conduct value-added audits:

When audits detect problematic issues (often referred to as non-conformances), it is very important that management response includes the effective;

1. Align the audit program with the business’s objectives

Clause 5 of the ISO 19011:2018 Standard concerns managing an audit program, recognising there is more involved than creating an audit schedule. The audit program should consider a management systems functionality, complexity, maturity and the type of risks and opportunities associated with it.

2. Adopt a risk-based approach to audit planning 

Clause 6.3.2 of the ISO 19011:2018 Standard provides guidance on audit planning. By adopting a risk-based approach to planning, auditors can consider the risks of the audit activities and not achieving the audit objectives. A common problem is allocating sufficient time and resources. Many leaders do not understand the time required; they see auditors interviewing team members and believe this, plus some time to compile a report, is all that auditing involves.

3. Use the right people for the job

For the audit program to be effective in achieving its objectives, you need to have competent and qualified auditors to conduct the audit activities. Clause 7 in ISO 19011: 2018 discusses the evaluation of auditor competence and performance. If the audit team lacks knowledge or expertise, a technical expert should be used to close the knowledge gap. Auditors do not have to be experts in every single process, but they should understand the organisations;

  • Key organisational goals and issues
  • Management systems and requirements (and how they might interact)
  • Core business processes and how they impact each other
  • Risk-based approach to management at all levels
  • Regulatory frameworks

4. Audit the audit program

The audit process itself must be audited, and like all other processes, opportunities to improve it should be identified and implemented. The audit process ideally then becomes an opportunity to confirm the capability of the processes under audit, and to identify and share best practices within the business.

5. Don’t just treat the symptom

When audits detect problematic issues (often referred to as non-conformances), it is very important that management response includes the effective;

  • Containment and Correction of the problem
  • Corrective Action
  • Mitigation of any emerging risks related to actions taken

All of the above actions are important but conducting an effective corrective action process, including thorough root cause analysis, is absolutely vital to drive continual improvement. Businesses are often quick to react to the issue by treating the symptoms and are therefore likely to experience the issue again. Instead, the business should take a step back and understand the broader issue, working to resolve the root cause and eliminating the issue from reoccurring.