Thursday, June 15, 2023

How would YOU change auditing?

Over the last two weeks (here and here) I've talked about some proposed changes that might be coming sometime in the future for ISO 9001 and ISO 9000. I promised one more in this series, about ISO 19011, Guidelines for auditing management systems. This one will be a little shorter than the other two, because I haven't talked about it with as many people or heard as much feedback. Still, it matters. Any change to requirements will drive changes to how to audit those requirements. Even changes to the underlying concepts might change the approach that auditors take. One way or another, auditing is directly involved.

As before, I have to clarify that I don't know whether there is any schedule for updating ISO 19011. In fact, this standard is not written by TC176 at all, but by a different committee. I don't sit on that committee, so I have no access to their schedule. Maybe something is in the works, and maybe not. Still, as always, people have opinions. What follows are some of the opinions I've heard about how to update ISO 19011.

And as always, I want you to think while you read this: What are your opinions? How would YOU update ISO 19011, if it were up to you? Then I hope you'll leave a comment to let us know.

When I first asked my colleagues what they would like to see changed in ISO 19011, they started by talking about how much had changed in the world since the most recent edition was published, in 2018. Naturally the COVID-19 pandemic had a prominent place on this list. So did ISO's London Declaration.

But there were other issues as well. They pointed out that there are many organizations with integrated management systems that address multiple standards at once. Does it really make sense to audit these piecemeal? they asked. Or should a single auditor be required to have the competence to check for quality topics and environmental topics and information security and energy management? 

Others pointed out that the topic of risk was added to the latest edition of ISO 9001 (in the form of "risk-based thinking") without a lot of guidance to auditors. How are we supposed to check that the organization is practicing risk-based thinking? Is it good enough if the CEO says "Sure, I think about risks every morning while I'm driving to work"?

Still others talked about the advances in technology that obsoleted some assumptions behind the earlier standard, or about the challenges they faced auditing Context of the organization or Interested parties.

And then out of these thoughts came some suggestions for concrete changes:

  • The experience of the COVID-19 pandemic led some people to hope for clear guidance on how to conduct remote audits.
  • The fact of the London Declaration (that all ISO standards must consider climate topics) led others to hope for clear guidance on how to audit for climate awareness. We all know that a hamburger stand has a different climate footprint from a chemical plant: so what should auditors look for?
  • The proliferation of integrated management systems inclined some people to ask for more clarification on auditor competence requirements.
  • The discussion of risk meant that others looked for the standard to address the nature of disruptive events, and what evidence auditors can accept to prove that an organization has met the challenge of these events adequately.
  • Advances in technology drove some people to want guidance on cybersecurity topics, or on data science.
  • Perplexity over Context of the organization and Interested parties led others to hope for guidance on, for example, auditing ESG (Environmental, social, and governance) topics.

There were also a couple of specific technical suggestions to make this diagram or that annex clearer than they are today.


These are the suggestions I've heard people make over the last few months. Now it's your turn. What updates do YOU want to see?

Please leave a comment and let me know.

          
