In response to the demand for guidance on combined management system audits, ISO 19011:2018 (Guidelines for Auditing Management Systems) was released in July 2018.
It is a meta-standard that demonstrates how entities may design audit programs for their management systems, including risk management systems, environmental management systems, and quality management systems.
One of the primary aspects of this guidance is to ensure that the audit program’s objectives are well-aligned with the entity’s core business objectives and that the requirements and best interests of the clients and other stakeholders are taken care of.
The principles are essential for an audit to be an efficient and reliable way of supporting management systems and providing entities with opportunities for continual development.
There are seven principles laid out in ISO 19011, as follows:
Integrity: The Foundation of Professionalism
Auditors and any person in charge of an audit program should perform the audit diligently, honestly, and responsibly. They must be mindful of any factors that may impact their objectivity and stay away from conflict.
Besides ensuring that they have the competence to perform the audit, they should remain unprejudiced while doing so, that is, maintain their objectivity and fairness in all dealings.
Auditors must ensure that they observe and comply with all applicable legal obligations and be aware of any influences that may be exerted on their judgment when conducting an audit.
Fair Presentation: The Obligation to Report Truthfully and Accurately
All audit findings, audit conclusions, and audit reports presented by the auditors must accurately and truthfully reflect the audit procedures performed.
Any unresolved disagreement between the audit team and the entity being audited should be sufficiently documented and disclosed together with all significant difficulties faced during the audit.
This covers any challenges, arguments with other auditors, or barriers encountered throughout the audit.
The communication should be objective, accurate, honest, clear, comprehensive, and carried out in a timely manner. This covers communicating the audit results and submitting the audit report to the client on time.
In short, all communications the auditors have made during the course of an audit have to be documented, and all the reported information should be truthful, timely, reasonable, clear, and complete.
Due Professional Care: The Application of Diligence and Judgement in Auditing
Auditors must show due professional care in light of the importance of the audit tasks they are undertaking. They should also consider the confidence put in them by the audit client and other interested parties.
An essential aspect of this principle is that an auditor must make sound judgments in all circumstances when carrying out their tasks and perform these tasks with adequate due professional care.
Confidentiality: Security of Information
Auditors should utilize and protect the information obtained in the course of an audit with caution.
This idea encompasses the safe handling of confidential and sensitive information by taking any extra safeguards necessary, such as disposing of confidential paper documents properly once they are no longer needed and informing the client immediately if any leakage of confidential information is detected.
Throughout the audit, auditors must maintain the confidentiality of all information they come into contact with. They must exercise due diligence to ensure that any information obtained is respected and appropriately secured.
Such information should not be misappropriated for personal advantage by the auditor or the audit client or in any way that is harmful to the audit client’s legitimate interests.
Independence: The Basis for the Impartiality of the Audit and Objectivity of the Audit Conclusions
By nature, audits should be unbiased and objective, to the greatest extent feasible, whenever the auditor carries out audit activities.
Auditors should never interfere with the activity, and they should never act in a manner that may lead others to perceive that they are biased or have a conflict of interest.
Internal auditors should, if feasible, be independent of the person in control of the function being audited. Auditors must retain their objectivity throughout the audit process to ensure that audit findings and conclusions are based only on facts derived from audit evidence.
In smaller entities, auditors may not be completely independent of the activity being audited. In such cases, the auditor and the entity should collaborate to explore all possible options for eliminating bias and encouraging impartiality.
Evidence-Based Approach: The Rational Method for Reaching Reliable and Reproducible Audit Results
Evidence is a necessary component of a successful audit and the foundation of reasonable, trustworthy, and reproducible audit results.
That being said, it is imperative that all audit evidence gathered by the auditors be easily verifiable.
Because an audit is undertaken over a fixed period of time as agreed with the audit client and with limited resources, evidence typically relies on a sample of the information available.
That is to say, audit evidence is gathered through a formalized process called audit sampling. An appropriate amount of sampling should be applied in an audit as it is closely connected to the level of confidence that can be put in the audit findings presented by the auditors.
An auditor dedicated to producing accurate and dependable audit findings must establish audit conclusions on facts rather than views or judgments.
Audit sampling typically consists of the following steps:
- Clearly defining sampling goals
- Determining how much and what will be sampled
- Choosing a sampling method
- Defining the sample size
- Performing the sampling
- Documenting and reporting all findings and exceptions
Risk-Based Approach: The Consideration of Risks and Opportunities
Risk management is an important consideration while planning for, performing, and documenting an audit. A risk-based approach helps drive the audits more clearly toward topics of high importance to the audit clients and the attainment of audit goals.
Based on the information available, the auditor should decide which matters pose a significant risk to the audit objectives. This will allow the audit to be conducted more effectively and efficiently.