ISO 19011: Auditing Management Systems (Guidelines)


An audit process is required before a certification body can certify the organisation. The definition of an audit is stated under ISO 19011:2018 – Guidelines for Auditing Management Systems as:

“The systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.”

To simplify, it means that the organisation will need to go through an internal audit (first-party audit) and external audits (second-party and third-party audits).

The individuals involved carry out these audit activities according to guiding principles, so that the organisation can demonstrate that it meets the competence requirements of the international standard.

Therefore, a guideline for auditing management systems, such as ISO 19011, is created to guide audit teams on an audit management program, principles of auditing, and the evaluation of individuals responsible for audit management systems.

ISO 19011 prepares audit programs by providing a high-level structure for organisations to plan, carry out, and enhance their audit programs. This article will explain the purpose of ISO 19011 and its seven principles.

What is the purpose of ISO 19011?

The purpose of ISO 19011 is to provide guidelines for auditing management systems. It is one of the international standards used to help organisations with their audit program.

Organisations are given guidance from ISO 19011 on creating audit programs for auditing their management systems, including risk management systems, quality management systems, and environmental management systems.

ISO 19011 consists of three sections, namely:

  1. Managing an audit programme
  2. Seven principles of auditing approach for evaluating the competence of auditors
  3. Competence requirements and evaluation of auditors

ISO 19011 focuses on applying continuous improvement ideas to an audit program.

The audit teams adopt this to prepare audit programs that ensure audit objectives are well-aligned with the main business objectives of the organisation and ensure that consumers’ demands and other stakeholders’ interests are put first.

What are the seven principles of auditing?

ISO 19011:2018 defines seven guiding principles of auditing, forming the fundamentals of the audit programme and process. These principles help to ensure that your audits are trustworthy and efficient in supporting the organisation’s ISO management systems.

The seven principles of auditing are:

1. Integrity

Adherence to ISO 19011’s integrity principle is the foundation of professionalism. Auditors and individuals responsible for managing internal or external audits have to ensure the following:

  • Perform work ethically, with honesty and responsibility;
  • Ensure competence before undertaking audit activities (e.g. do not claim competence in auditing specific ISO management system standards if the competence requirements have not been met);
  • Be impartial by removing any form of bias from their dealings;
  • Be aware of and alert to external influences that may cloud their judgement during the audit process.

2. Fair presentation

The second principle of ISO 19011, fair presentation, is to truthfully and accurately report and reflect all audit findings, conclusions and reports during your audit program. Any unresolved disputes between the audit team and the auditee throughout the audit program must also be reported.

3. Due professional care

The third principle of ISO 19011 is to exercise due professional care. This is the ability to ensure that due diligence and correct judgement are applied during the audit process regardless of the type of management system standards being audited.

Any form of judgment made shall be reasonable in all audit programs.

4. Confidentiality

The fourth principle of ISO 19011 is confidentiality: all information used during the audit program must be kept secure and confidential, and must not be used for personal gain or in any way that is harmful to the legitimate interests of the auditee.

Confidentiality is also one of the objectives of the ISO 27001 Information Security Management System that can be built into your organisational processes!

Handling sensitive and confidential information is also becoming increasingly important for organisations. Auditing firms that certify management systems are therefore usually compliant with ISO 27001 themselves.

5. Independence

The fifth principle of ISO 19011 is independence. This principle is the basis for impartiality, where bias is removed from your audit program.

For example, a small organisation that wishes to conduct an internal audit of its quality management system will likely face a situation where internal auditors are not independent of the function they are responsible for, leading to the “ownself check ownself” issue.

6. Evidence-based approach

The sixth principle of ISO 19011, the evidence-based approach, is one of the auditing approaches that should be applied in your management system audit program. This is done by evaluating whether the audit samples provide sufficient audit evidence during an audit program.

If audit samples are justified to be sufficient, your audit program conclusion will result in assurance to the auditee with high confidence.

7. Risk-based approach

The final principle of ISO 19011 is to ensure that your audit approach considers the risks and opportunities, focusing on matters significant to the auditee to achieve the audit program objectives.

For example, the audit findings or conclusions in an internal audit or third-party audit program on a quality management system should be based on the identified risks that may compromise the audit objectives, such as risks to the quality of the auditee’s processes, rather than on non-relevant findings that are insignificant.

What is the latest version of ISO 19011?

The current revision is ISO 19011:2018, published in July 2018 to cater to a rising demand for guidelines on combined management system audits. The current version of ISO 19011 places increasing importance on the risk-based approach among the principles of auditing.

Is ISO 19011 certifiable?

ISO 19011:2018 is not a set of requirements an organisation needs to follow. Therefore, ISO 19011 is not certifiable. However, your organisation should instead implement ISO 19011 guidelines as necessary to meet the unique demands and specifications of the specific audit program.

What is the difference between ISO 9001 and ISO 19011?

Both ISO 9001:2015 – Quality Management Systems — Requirements and ISO 19011:2018 – Guidelines for Auditing Management Systems aspire to create an efficient ISO management system that assists firms in maintaining high-quality services and goods.

The purpose of these ISO standards differs accordingly. The ISO 9001:2015 quality management system aims to establish benchmarks for developing quality measures and criteria for organisational processes to adhere to management system standards.

At the same time, ISO 19011:2018 helps firms adhere to auditing principles, manage their audit program and identify opportunities for continuous improvement by precisely identifying areas and evaluating the effectiveness of their management systems.

Additionally, each ISO standard varies in terms of certifiability. ISO 9001:2015 is certifiable, while ISO 19011:2018 is not certifiable.

What are the different types of ISO audit processes?

ISO 19011:2018 provides a framework for an audit team to carry out the audit process regardless of the size and type of the audit team.

Auditors should demonstrate professional care in carrying out the audit process by stating the audit objectives, generating the audit findings in line with the trust placed in them by the auditee, and acknowledging the significance of their work.

According to the international standard, there are two main types of audit: internal and external.

Internal audits

Internal audits are also known as first-party audits or self-audits. An internal audit checklist is provided to the organisation so that it can conduct an audit program to assess the efficiency of its quality management system.

These internal audits also enable organisations to identify flaws in their internal processes and maintain continual management system improvement, which aligns with the ISO requirements.

Post-internal audit: an internal audit report should be issued as part of the audit program for auditors to report on the audit findings and conclusion, remembering the auditing principles highlighted as part of the ISO 19011 requirements!

External audits

External audits consist of both second-party audits and third-party audits. The individuals involved in these audits are parties external to the organisations.

Second-party audits

Second-party audits comprise the audit of an organisation’s customers, clients or contracted stakeholders working with the organisation.

This is also frequently known as a supplier or vendor audit, where the organisation itself audits its customers, clients or vendors.

Hence, auditing principles by ISO 19011 are required for organisations to create an audit program suited for the respective auditees.

Third-party audits

Third-party audits are conducted by independent organisations, such as government agencies or certification-granting bodies, which have no competing interest with the auditing organisation.

This is the only audit allowing the organisation to receive the certification of ISO standards.

As these independent organisations frequently conduct auditing activities, third-party auditors usually comply with ISO 19011 and meet its competence requirements.

The ISO 19011:2018 standard provides a general guideline for auditing management systems so that the individuals responsible for supervising the audit programs can systematically ensure that the audit program objectives are aligned with the management system standards.

ISO 19011:2018 also allows any non-conformity to be handled appropriately, thus boosting the continuous improvement of an audit program.

These include ensuring that the audit objectives align with the organisation’s primary goals and prioritising the demands and interests of customers and other stakeholders.

Feel free to approach our consultant in Stendard to learn more about applying ISO 19011:2018 to your organisation’s management system.
