ISO 19011:2018 – Risk based Auditing
The only ANSI Accredited Internal Auditor Training for Adults. ISO 19011:2018 is an audit standard to support the risk driven organization. The requirement is a more detailed audit which dovetails into six individual mandatory reports, to inform on the status of the organization’s performance scoresheet.
19011:2018 Requirements
19011:2018 has a requirement for an Audit Program Manager with separate responsibilities for the Auditor.
A single-discipline report cannot inform on all the disciplines related to the organization’s performance, as it relates to internal and external issues. It is incumbent upon management to utilize the internal and external auditor results. The number of corrective actions, used as the sole measure of performance, does not measure achievement of the strategic plan, which is what matters to an organization.
The need is to determine whether the operations management was effective in meeting the strategic goals and if improvements are needed. It is critical that Internal Auditors conduct internal audits according to 19011:2018 to deliver the required reports from both Top Management and the Operations.
The Standard itself states that it ‘adopts the combined audit approach when two or more management systems of different disciplines are audited together. Where these systems are integrated into a single management system, the principles and processes of auditing are the same as for a combined audit’. The point is that, although the principles and audit processes are the same for individual Standard audits, the risk associated with each discipline cannot be considered independently; there is an expectation of an integrated discipline audit for the operations. In other words, a single management system construct is required prior to executing a risk-based audit per 19011:2018. It is a true assessment of the strategic plan / Operations conundrum.
Components & Requirements
The components & requirements associated with the training course for the Audit Program Manager and the Internal Auditor are as follows:
- The Single Management System construct to include top management and Operations and scorecard
- The Conduct of a Risk Based Audit
19011:2018 requires an audit to be conducted for qualifying as an auditor. Consequently, a full audit process is conducted internally at the trainee’s organization. Competence is determined by:
- The trainee demonstrated the audit principles
- A completed risk based audit with completed mandatory reports