Are Your Audits Clause-Based or Risk-Based?

In keeping with the requirements of ISO 19011:2018, risk-driven operations should be audited via a risk-based technique to determine whether the risk-derived controls over those operations were effective in meeting the organization’s strategic plan. Thus, risk-based audits add value. A trained risk-based auditor is a meaningful resource for the organization in verifying whether its planned performance objectives have been met. This is very different from conducting audits merely to retain a certificate: the focus is on the performance outputs, which are what matters.

The purpose of risk per ISO 9001, according to its introduction, is to determine or plan preventive controls to manage such risk so that the objectives of “the process, function or activity” are met or deemed effective. In audit speak, these controls, usually procedures or work instructions, are called “criteria” because the controls are the criteria to avoid the effects of nonconformances, incidents, or degradation.

Sections a–f of Clause 5.5.2 require an alternate audit format to generate the identified reports. Thus, the planning and conducting of the audit will differ from the traditional clause-based audit checklist. New auditor competence is necessary to fulfill this requirement because the 2011 version of ISO 19011 has been withdrawn.

The clause-based audit results are limited to counting the number of auditor nonconformances and corrective actions at the end of the audit. The count acts as a measure of conformity but doesn’t provide management with a report on the status of the organization’s performance.

A clause-based approach, as was the norm in ISO 19011:2011, is conducted as a checklist of the standard’s clauses. The auditor uses the clause checklist to establish whether a particular clause has been fulfilled. An organization is asked to show objective evidence, as indicated by its procedures and practices, that the clause is fulfilled. Auditors typically determine the extent to which the procedures and practices meet each clause requirement in order to decide whether there is conformity to the clause or not.

Top management should know that new skills are required to frame their management system so that the effectiveness of the risk-derived controls can be measured against the audit objectives. The language used for performance discussions should encourage the organization to approach activities from a risk perspective and to demonstrate that perspective in its control procedures. Appropriate objective evidence of performance is then provided through the respective reports. Training cannot be solely for auditors; top management must understand the significance of risk-based audits as a management tool for the organization.


Reporting on the audit, as per the standard’s Clause 5.5.2, enables management to verify whether the risk-driven controls are effective, based on the following:
• Determining the extent to which the audited procedures/work instructions conform to the ISO clause requirements
• Evaluating the capability of the management system to meet required statutory, regulatory, and other requirements pertaining to the organization
• Evaluating whether the management system effectively delivered the planned results, i.e., how many planned objectives were met over a predetermined period
• Identifying the number of corrective actions as a result of the audit
• Evaluating the suitability and adequacy of the management system in delivering the organization’s business objectives based on its strategy
• Evaluating any changes resulting from reassessing risk and opportunities to establish and achieve new objectives when implementing related actions


Even after ISO 19011:2018’s release, many auditors still perform clause-based auditing

In a sense, clause-based audits seek evidence that the prescribed clause is applied per the original ISO maxim of “say as you do, do as you say.” This goes back to the inception of ISO 9001 standards in 1987. However, meeting the clause’s meaning doesn’t necessarily ensure controls for a process. Fulfilling the clause requirements doesn’t enable the auditor to report on the organization’s operational performance and its context. 

ISO 19011:2018 states that a risk-based audit approach should be taken. It replaces the 2011 version that focused on a clause-based auditing technique. According to the standard, the risk-based principle means that “risk should substantively influence the planning, conducting and reporting of audits to ensure that audits are focused on matters that are significant for the audit client and for achieving the audit program objectives.” It is against this background that a comparison between clause-based and risk-based audits is necessary to show how the practices differ. 


The point is, in the clause-based approach corrective actions are written by the auditor when the clause requirements aren’t met, whereas the risk-based auditor is concerned with the extent to which the risk is managed and the improvement of the preventive controls. Thus, the risk-based audit meets the condition of influencing the risk-driven plans, the conduct of the audit, and reporting on performance outcomes, which is described in the risk audit principle.


Consequently, the risk-based audit is more meaningful when compared to clause-based auditing in an organization. As such, risk-based audits are important to the strategic management of an organization to determine whether its controls are enabling the intended objectives and outcomes.


Risk-based audits should assess the control/plan status and alert management about the organization’s performance, especially how it meets its strategic objectives. Each criterion is required to be addressed to provide a measure of the controls’ effectiveness.



Thus, Annex A.10 directs auditors not to perform stand-alone or clause-type audits to uncover risks and opportunities. So what is the alternative to clause-based auditing?

Risk-based audits

From ISO 19011:2018, auditor competence isn’t based on the ability to assess a management system using a clause-based approach. Rather, a risk-audit format replaces the traditional clause-audit template. The purpose is to determine the extent to which operational risks are managed and to provide a meaningful audit report. Auditor competence is based on the auditor’s capability to assess and verify that the risk-derived control criteria are effective and found to be implicit throughout the audit. As such, if your audit practices have remained unchanged since the inception of ISO 19011:2018, training is required to follow through on the planning, conducting, and reporting of the risk-based audits.

Consequently, if your audit practice has remained unchanged since 2018, this article is for you: it focuses on the audit practice that ISO 19011:2018 requires, which is the practice that should be applied to risk-driven management systems.

Are your current audit practices of planning, conducting, and reporting influenced by risk and focused on significant matters?

Risk-based audits, on the other hand, are focused on outcomes by determining whether a plan or control derived from a risk exercise is effective. According to ISO 19011:2018 Annex A.4, “Auditors should be focused on the intended result of the management system throughout the audit process. While processes and what they achieve are important, the result of the management system and its performance is what counts.” The excerpt from A.4 says it all: A different type of audit approach is required.


What are clause-based audits?

Like management standards such as ISO 9001:2015, regulations such as the Food Safety Modernization Act and the Sarbanes-Oxley Act define risk-driven management systems. They should adopt a risk-based audit approach to determine whether their operational risks are managed through the controls determined for their compliance. They also follow the same PDCA format as ISO management systems, which enables improvements when previously unidentified risks are found.

The 2018 version replaced the 2011 version of the standard and clearly has a more risk-based approach in keeping with ISO 9001:2015 and related management system standards. Some of the changes described in ISO 19011:2018’s introduction include:
• Taking a risk-based approach to auditing principles
• Including audit program risk when managing an audit program
• More guidance on conducting an audit, particularly audit planning
• Adjusting terminology to reflect the process rather than the object
• An expansion of Annex A to guide auditing concepts such as organization context, leadership and commitment, virtual audits, compliance, and supply chain

I’ve observed that ISO management system audits have remained largely unchanged, even after the advent of ISO 19011:2018, the auditing standard that superseded ISO 19011:2011. Auditors are still using clause-based auditing, despite ISO 19011:2018’s direction to take a risk-based approach.

According to ISO, ISO 19011 “provides guidance on auditing management systems, including the principles of auditing, managing an audit program, and conducting management system audits, as well as guidance on the evaluation of competence of individuals involved in the audit process.”

With its risk-based approach to auditing, ISO 19011:2018 Annex A.10 states that “an audit of an organization’s approach to determining risks and opportunities should not be performed as a stand-alone activity. It should be implicit during the entire audit of a management system.” (The emphasis is mine.)