Are Your Audits Clause-Based or Risk-Based?

The clause-based audit results are limited to counting the number of auditor nonconformances and corrective actions at the end of the audit. The count acts as a measure of conformity but doesn’t provide management with a report on the status of the organization’s performance.

The preventive controls are the “plan” part of the plan, do, check, and act (PDCA) cycle. Determining the plan’s effectiveness facilitates an improvement to the plan. Therefore, it’s the system being audited and not a checklist of clauses.

The 2018 version of ISO 19011 replaced the 2011 version of the standard and clearly takes a more risk-based approach, in keeping with ISO 9001:2015 and related management system standards. Some of the changes described in ISO 19011:2018’s introduction include:
• Taking a risk-based approach to auditing principles
• Including audit program risk when managing an audit program
• More guidance on conducting an audit, particularly audit planning
• Adjusting terminology to reflect the process rather than the object
• An expansion of Annex A to guide auditing concepts such as organization context, leadership and commitment, virtual audits, compliance, and supply chain

Are your current audit practices of planning, conducting, and reporting influenced by risk and focused on significant matters?


Even after ISO 19011:2018’s release, many auditors still perform clause-based auditing


Reporting on the audit, as per the standard’s Clause 5.5.2, enables management to verify whether the risk-driven controls are effective, based on the following:
• Determining the extent to which the audited procedures/work instructions conform to the ISO clause requirements
• Evaluating the capability of the management system to meet required statutory, regulatory, and other requirements pertaining to the organization
• Evaluating whether the management system effectively delivered the planned results, i.e., how many planned objectives were met over a predetermined period
• Identifying the number of corrective actions as a result of the audit
• Evaluating the suitability and adequacy of the management system in delivering the organization’s business objectives based on its strategy
• Evaluating any changes resulting from reassessing risk and opportunities to establish and achieve new objectives when implementing related actions

From ISO 19011:2018, auditor competence isn’t based on the ability to assess a management system using a clause-based approach. Rather, a risk-audit format replaces the traditional clause-audit template. The purpose is to determine the extent to which operational risks are managed and to provide a meaningful audit report. Auditor competence is based on the auditor’s capability to assess and verify that the risk-derived control criteria are effective and found to be implicit throughout the audit. As such, if your audit practices have remained unchanged since the inception of ISO 19011:2018, training is required to follow through on the planning, conducting, and reporting of the risk-based audits.


In a sense, clause-based audits seek evidence that the prescribed clause is applied per the original ISO maxim of “say as you do, do as you say.” This goes back to the inception of the ISO 9001 standards in 1987. However, meeting the clause’s meaning doesn’t necessarily ensure that controls exist for a process. Fulfilling the clause requirements doesn’t enable the auditor to report on the organization’s operational performance and its context.

A clause-based approach, as was the norm in ISO 19011:2011, is conducted as a checklist of the standard’s clauses. The auditor uses the clause checklist to establish whether a particular clause has been fulfilled. An organization is asked to show objective evidence, as indicated by its procedures and practices, that the clause is fulfilled. Auditors typically determine the extent to which the procedures and practices meet each clause requirement in order to decide whether there is conformity to the clause or not.

In addition to management standards such as ISO 9001:2015, regulations such as the Food Safety Modernization Act and the Sarbanes-Oxley Act call for risk-driven management systems. They should adopt a risk-based audit approach to determine whether their operational risks are managed through the controls determined for their compliance. They also follow the same PDCA format as ISO management systems, which enables improvements when previously unidentified risks are found.

The point is, in the clause-based approach corrective actions are written by the auditor when the clause requirements aren’t met, whereas the risk-based auditor is concerned with the extent to which the risk is managed and the improvement of the preventive controls. Thus, the risk-based audit meets the condition of influencing the risk-driven plans, the conduct of the audit, and reporting on performance outcomes, which is described in the risk audit principle.


Quality Digest


Published: Thursday, August 24, 2023 – 12:03


The purpose of identifying risk is to determine or plan preventive controls to manage that risk so that the objectives of “the process, function or activity” are met or deemed effective.

What are clause-based audits?

Consequently, the risk-based audit is more meaningful when compared to clause-based auditing in an organization. As such, risk-based audits are important to the strategic management of an organization to determine whether its controls are enabling the intended objectives and outcomes.

Sections a–f of Clause 5.5.2 require an alternate audit format to generate the identified reports. Thus, the planning and conducting of the audit will differ from the traditional clause-based audit checklist. New auditor competence is necessary to fulfill this requirement because the 2011 version of ISO 19011 has been canceled.

If your audit practice has remained unchanged since 2018, note that this article focuses on the audit practice required by ISO 19011:2018. It’s the audit practice that should be applied to risk-driven management systems.

Risk-based audits should assess the control/plan status and alert management about the organization’s performance, especially how it meets its strategic objectives. Each criterion is required to be addressed to provide a measure of the controls’ effectiveness.

With its risk-based approach to auditing, ISO 19011:2018 Annex A.10 states that “an audit of an organization’s approach to determining risks and opportunities should not be performed as a stand-alone activity. It should be implicit during the entire audit of a management system.” (The emphasis is mine.)

According to ISO, ISO 19011 “provides guidance on auditing management systems, including the principles of auditing, managing an audit program, and conducting management system audits, as well as guidance on the evaluation of competence of individuals involved in the audit process.”

In keeping with the requirements of ISO 19011:2018, risk-driven operations should be audited via a risk-based technique to determine if the risk-derived controls over the operations were effective for meeting the organization’s strategic plan. Thus, risk-based audits add value. A trained risk-based auditor will be a meaningful resource for the organization to verify whether its planned performance objectives are met. This is very different from conducting the type of audits to retain a certificate. The focus is on the performance outputs, which are significant.