Game, Set, Match
A behind-the-scenes look at the ISO 19011 revision playbook
by Lance B. Coleman Sr.
Every International Organization for Standardization (ISO) standard is reviewed periodically to stay abreast of changing industry norms, expectations and technology. I recently concluded a fantastic two-year term as chair of U.S. technical advisory group (TAG) 302 to project committee (PC) 302, which was created to revise ISO 19011:2011—Guidelines for auditing management systems.
In 2015, the United States submitted a proposal to the ISO Technical Management Board (TMB) to create a PC to revise ISO 19011:2011. The TMB is the governance body responsible for the general management of the technical committee structure within ISO. The structure of the committee and length of time allowed for revision were determined by the TMB.
So, what exactly is the revision process? For a committee that develops or revises a single standard, first an international PC is formed. In this case, it was PC 302—Guidelines for auditing management systems, under the leadership of chair Denise Robitaille.
PC 302 is made up of 42 voting countries and 12 observing countries. Countries determine whether they are voting or observing based on whether they wish to vote and advocate for their positions on revisions to the standard, or simply observe and offer comments and advice.
There also are liaisons, both internal and external to ISO, that are important contributors to this process. They make technical contributions and participate actively in the working group.
For PC 302, the external liaisons were ASQ, the International Aerospace Quality Group, the Independent International Organization for Certification, the Latinoamerican Institute for Quality Assurance, IQNet, QuEST Forum and the Chartered Quality Institute.
Internal liaisons included ISO’s Committee on Conformity Assessment, IT security, archives and records, quality, environment, environmental auditing, medical devices, road traffic safety, asset management, governance, Occupational Health and Safety, and food safety.
Next, each participating member country—voting and contributing—forms a mirror committee (called a TAG in the United States) in its own country to present its consensus opinion on what aspects of the standard should be revised or eliminated, and what should be kept. The U.S. mirror committee was TAG 302, which had more than 50 voting members engaged throughout the two-year process.
During this standard revision cycle, PC 302 international meetings were held in Orlando, FL, Milan and Mexico City. The subject matter experts (SMEs) who presented the United States’ position during the international meetings were Richard Litts and Shauna Wilson.
Revision in action
The revision process plays out something like a tennis match:
Serve. In the first round, the voting members of the mirror committee review the standard and provide their recommended changes in the form of comments, which are submitted prior to the meeting. These comments are discussed and dispositioned by the mirror committee members. Each participating country and liaison brings its approved changes to the international meeting.
Return. After all the positions are presented at the international meeting, each comment is discussed and accepted, partially accepted, rejected or noted. The number of recommended changes can be extensive—a revision proposal can contain anywhere from one to more than 200 pages of comments. After the approved changes are agreed on, a committee draft (CD) is created.
Volley. Next, the CD goes back to the individual countries for their review and comment. Sometimes, changes are proposed to certain clauses without recommendation as to how to make the changes. With so many proposed revisions to review, these suggestions typically are rejected during the PC meetings. However, most comments are thoroughly discussed and, if approved, incorporated into the next draft.
Return volley. After the second review is complete and a new consensus from each country is reached on the changes, the revisions are sent back to the PC. A second international meeting is convened and the process repeats.
Out of the second international meeting comes the draft international standard (DIS). The DIS is sent to all member countries and liaisons for review. After a consensus is reached on the DIS, a third international meeting is held, at which each country submits its position on the DIS. Out of this final international meeting comes the final DIS.
Game, set, match. At this stage, only stylistic changes, small wording changes and correction of typos are made—technical changes are not allowed. Next, the scheduled release of the new standard is announced. In this case, ISO 19011:2018 is scheduled to be released early this month.
ISO 19011:2018 overview
Let’s look at the changes that were made to ISO 19011. ISO 19011:2018—Guidelines for auditing management systems provides the foundation for best auditing practices worldwide. Several hundred auditors from multiple sectors—many with decades of auditing and quality management experience—came together from around the globe during the course of two years to contribute to the latest version of this standard.
ISO 19011 is important because it forms the basis of auditing techniques for many certifications, such as ASQ’s certified quality auditor and Exemplar Global’s (as well as other certifying bodies’) lead quality management system (QMS) auditor certifications.
Most auditor certifications are a combination of bodies of knowledge (BoK)—auditing tools and methods, for example. For industry-specific certifications, additional requirements (whether regulatory, ISO or both) are combined with auditing tools and techniques.
For the ASQ-certified quality auditor designation—meant to allow auditors to audit successfully across multiple industries—auditing tools and techniques are combined with an in-depth study of quality tools, risk management, lean and Six Sigma, and basic statistics, for example. In these cases, the method for employing auditing tools and techniques comes from ISO 19011.
ISO 19011:2018 begins with the scope, normative references, and terms and definitions, similar to the related management system standards this standard explains how to audit. Next, the clause topics diverge to address the specifics of auditing as follows:
- Clause 4—Principles of auditing.
- Clause 5—Managing an audit program.
- Clause 6—Conducting an audit.
- Clause 7—Competence and evaluation of auditors.
- Annex A—Additional guidance for auditors planning and conducting audits.
The standard is well thought out and provides its own shortened version for auditors who just want to use it as a quick reference guide. The content of ISO 19011:2018 is summarized in a process flow diagram, as shown in Figure 1.
The top half of Figure 1 represents clause 5 and shows how an organization goes about establishing audit program guidelines. The bottom half of the figure represents clause 6 and shows how to conduct an audit. The figure references the paragraphs in the standard so you can find more information. Figure 2 is an overview of the audit information collection and verification process.
One significant change to the 2018 revision is a more in-depth discussion about addressing risks and opportunities for the audit program and the QMS it’s meant to monitor. This discussion ties into the emphasis on risk-based thinking in ISO 9001:2015 as well as the increased emphasis on risk in the industry-specific QMS requirements—IATF 16949, ISO 13485, AS 9100 and API-Q1. As expected, a risk-based approach was added to the principles of auditing. Also, guidance on managing an audit program, including audit program risk, has been expanded. New technologies are addressed in the discussion about virtual auditing in the annexes, which provide additional guidance for auditors around key topics.
There is expanded guidance on conducting an audit—particularly around planning it—as well as the generic auditor competence requirements. The updated requirements also require audit plans to be addressed as the output of the audit planning process.
The annex containing competence requirements for auditing specific management system disciplines was removed during the revision process. Currently, there are more than 70 management system standards (and more proposed), so it’s impossible to capture each discipline in an annex.
Annex A was expanded to provide guidance on new and revised auditing concepts in the ISO management system diaspora, such as organizational context, leadership commitment, virtual audits, compliance and supply chain.
ISO 19011:2018 provides a guideline for best auditing practices worldwide and is the foundation of most internationally recognized certified quality auditor BoKs. It can be used as a standalone auditor training manual or as a quick reference guide for experienced auditors, and is a worthwhile document for anyone interested in auditing.
I encourage you to participate in a TAG if given the opportunity.[1] Participation provides useful information about possible changes to a standard that is important to your business, as well as fascinating insights into the behind-the-scenes process of creating and revising a standard. It also provides you with an opportunity to work and network with amazing SMEs from around the world.
[1] For more information about how to join a technical advisory group, contact email@example.com.
Lance B. Coleman Sr. is principal consultant at Full Moon Consulting in Kent, WA, and the 2018 ASQ Lean Enterprise Division Chair. He earned an associate degree in electrical engineering technology from Southern Polytechnical University in Marietta, GA. A senior member of ASQ, Coleman holds the following ASQ certifications: quality auditor, biomedical auditor, quality engineer and Six Sigma Green Belt, along with the Exemplar Global quality management systems principal QMS auditor certification. He is the author of Managing Organizational Risk Using the Supplier Audit Program (Quality Press, 2018).