Are Your Audits Clause-Based or Risk-Based?
Even after ISO 19011:2018’s release, many auditors still perform clause-based auditing

The 2018 version replaced the 2011 version of the standard and clearly has a more risk-based approach in keeping with ISO 9001:2015 and related management system standards. Some of the changes described in ISO 19011:2018’s introduction include:
• Taking a risk-based approach to auditing principles
• Including audit program risk when managing an audit program
• More guidance on conducting an audit, particularly audit planning
• Adjusting terminology to reflect the process rather than the object
• An expansion of Annex A to guide auditing concepts such as organization context, leadership and commitment, virtual audits, compliance, and supply chain

Are your current audit practices of planning, conducting, and reporting influenced by risk and focused on significant matters?

A clause-based approach, as was the norm in ISO 19011:2011, is conducted as a checklist of the standard’s clauses. The auditor uses the clause checklist to establish whether a particular clause has been fulfilled. An organization is asked to show objective evidence, as indicated by its procedures and practices, that the clause is fulfilled. Auditors typically determine the extent to which the procedures and practices meet each clause requirement in order to decide whether there is conformity to the clause or not.

In a sense, clause-based audits seek evidence that the prescribed clause is applied per the original ISO maxim of “say as you do, do as you say.” This goes back to the inception of the ISO 9001 standards in 1987. However, meeting the clause’s meaning doesn’t necessarily ensure controls for a process. Fulfilling the clause requirements doesn’t enable the auditor to report on the organization’s operational performance and its context.

The clause-based audit results are limited to counting the number of auditor nonconformances and corrective actions at the end of the audit. The count acts as a measure of conformity but doesn’t provide management with a report on the status of the organization’s performance.

Reporting on the audit, as per the standard’s Clause 5.5.2, enables management to verify whether the risk-driven controls are effective, based on the following:
• Determining the extent to which the audited procedures/work instructions conform to the ISO clause requirements
• Evaluating the capability of the management system to meet required statutory, regulatory, and other requirements pertaining to the organization
• Evaluating whether the management system effectively delivered the planned results, i.e., how many planned objectives were met over a predetermined period
• Identifying the number of corrective actions resulting from the audit
• Evaluating the suitability and adequacy of the management system in delivering the organization’s business objectives based on its strategy
• Evaluating any changes resulting from reassessing risks and opportunities to establish and achieve new objectives when implementing related actions

The preventive controls are the “plan” part of the plan, do, check, act (PDCA) cycle. Determining the plan’s effectiveness facilitates an improvement to the plan. Therefore, it’s the system that is being audited, not a checklist of clauses.

In addition to management standards such as ISO 9001:2015, regulations such as the Food Safety Modernization Act and the Sarbanes-Oxley Act are also risk-driven management systems. They should adopt a risk-based audit approach to determine whether their operational risks are managed through the controls determined for their compliance. They also follow the same PDCA format as the ISO management systems, which enables improvements when previously unidentified risks are found.

The point is, in the clause-based approach corrective actions are written by the auditor when the clause requirements aren’t met, whereas the risk-based auditor is concerned with the extent to which the risk is managed and with the improvement of the preventive controls. Thus, the risk-based audit meets the condition of influencing the risk-driven plans, the conduct of the audit, and the reporting on performance outcomes, as described in the risk-based auditing principle.

From ISO 19011:2018, auditor competence isn’t based on the ability to assess a management system using a clause-based approach. Rather, a risk-audit format replaces the traditional clause-audit template. The purpose is to determine the extent to which operational risks are managed and to provide a meaningful audit report. Auditor competence is based on the auditor’s capability to assess and verify that the risk-derived control criteria are effective and implemented throughout the audited system. As such, if your audit practices have remained unchanged since the release of ISO 19011:2018, training is required to follow through on the planning, conducting, and reporting of risk-based audits.