How the ISO 19011 Guidelines Shape Modern Audit Practice

Dilawar Laghari

Lead Auditor and Trainer · 19 min read

ISO 19011 stands apart from other ISO management system standards because it does not create compliance obligations. Instead, it provides guidance that shapes how audits are planned, conducted, and reported across every ISO standard worth auditing. For quality managers, internal auditors, and certification bodies, understanding how ISO 19011 actually influences audit practice is essential to performing credible audits that drive genuine improvement rather than surface level checkbox exercises.

The standard has evolved significantly since its first edition in 2002, with the 2018 version introducing principles based auditing as a core framework. Yet many organisations still audit as if they were checking conformity to a procedure manual. This gap between what ISO 19011 recommends and what actually happens in practice creates risk. Audits become perfunctory. Nonconformities get missed. Root causes remain buried beneath superficial observations. Understanding how ISO 19011 shapes modern audit practice means recognising that audit competence is no longer just about knowing a standard; it is about developing auditors who can think critically, ask the right questions, and gather evidence that reveals the actual state of your management system.

What ISO 19011 Actually Does

ISO 19011:2018 provides guidelines for auditing management systems. It covers the principles that underpin all credible audits, the competence required of auditors, the planning and conduct of audits, and the reporting of results. The standard applies to first party audits (internal audits), second party audits (supplier or customer audits), and third party audits (certification body audits). It is not a standard you certify against. No certification body will issue a certificate saying your organisation audits in accordance with ISO 19011. Instead, ISO 19011 is a reference framework that informs how management system standards require audits to be performed.

The 2018 revision introduced a fundamental shift. Rather than prescribing a step by step audit methodology, ISO 19011 now emphasises seven core principles that must guide all auditing activity. These principles are impartiality, confidentiality, professional conduct, due diligence, independence, evidence based approach, and confidentiality. This shift created a problem for many organisations: checklists were suddenly less useful. A checklist can tell you whether a procedure exists, but it cannot assess whether the procedure actually works or whether it is being followed in practice. ISO 19011 pushed auditors toward more sophisticated thinking about what constitutes audit evidence and what makes an audit result meaningful.

The Seven Principles That Drive Modern Audit Practice

The principles in ISO 19011 are not aspirational. They directly influence how audits are designed and executed in practice. Understanding each principle and how it translates into day to day audit decisions is where competent auditing begins.

Impartiality and Independence

Impartiality means the auditor conducts the audit without bias or conflict of interest. Independence means the auditor is free from pressure to reach predetermined conclusions. In practice, this is far more complex than it sounds. An internal auditor reporting to the quality manager has inherent pressures. An auditor who also performs consulting work in the same area is vulnerable to conflicts of interest. The principle requires that auditors maintain professional distance and that audit results are reported truthfully, not softened to protect relationships or careers.

Many organisations fail this test. An internal auditor who knows their role depends on not finding too many nonconformities will unconsciously look less deeply. A certification auditor under commercial pressure to complete audits quickly may accept weak evidence. ISO 19011 places the responsibility squarely on the organisation to establish systems and expectations that protect auditor impartiality. This includes clear reporting lines, protection for auditors who identify serious nonconformities, and explicit policies that audit findings cannot be overruled for commercial convenience.

Confidentiality

Audit findings are often sensitive. They reveal where processes fail, where compliance is weak, where risks exist. ISO 19011 requires that audit information be protected and used only for legitimate purposes. This principle protects the auditee's interests and also protects the audit's credibility. If people fear that audit findings will be used against them personally, they will be less forthcoming. If people believe audit results will be kept confidential within appropriate boundaries, they are more likely to engage honestly with the audit process.

In practice, confidentiality means knowing who has access to draft audit reports, who sees the final report, and what happens to the evidence gathered during the audit. It also means not discussing audit findings in casual conversation or in forums where they might be misunderstood or distorted. A nonconformity discussed in the wrong context can become gossip that damages morale. The same finding documented properly and shared through appropriate channels becomes the basis for improvement.

Professional Conduct

Auditors must conduct themselves with integrity, discretion, and truthfulness. They must not accept gifts or favours. They must admit the limits of their knowledge. They must not allow personal opinions or values to drive audit judgements. In a practical sense, this means an auditor does not socialise extensively with the people being audited, does not accept hospitality beyond basic provision of facilities, and does not allow personal dislike of a process owner to colour their assessment of whether a process is actually effective.

Professional conduct also requires auditors to be culturally aware and respectful. An auditor working across multiple facilities in different countries must recognise that communication styles, attitudes to authority, and approaches to documentation vary. The principle is not to impose a single cultural model but to assess whether the management system operates effectively within its cultural context.

Due Diligence

Auditors must perform their work with care and diligence. This means preparing thoroughly, gathering sufficient evidence before reaching conclusions, following through on identified issues, and resisting the urge to shortcut the audit process to save time or money. Due diligence requires auditors to ask follow up questions when answers do not quite make sense, to trace processes from documentation through to actual execution, and to test whether controls are operating as described.

In organisations rushing to complete audits, due diligence is often the first casualty. An auditor might accept that a procedure exists and assume it is followed, rather than taking the time to observe actual performance. An auditor might document that interviews were conducted without recording what people actually said or identifying inconsistencies between different accounts. Due diligence requires that auditors slow down enough to do their work properly.

Evidence Based Approach

This principle directly challenges the assumption that conformity to documentation equals effective management. An evidence based approach requires auditors to gather objective information and base conclusions on that information rather than assumptions, hearsay, or what seems reasonable. An auditor must not conclude that a process is ineffective because they personally would do it differently. An auditor must conclude that a process is ineffective only when evidence demonstrates that it is not producing intended outcomes.

The evidence based approach in ISO 19011 has shaped modern understanding of what constitutes valid audit evidence. Auditors must distinguish between direct evidence (observation of actual work), indirect evidence (documents showing what was intended or what should have happened), and testimonial evidence (what people say about how work is done). A strong audit conclusion rests on multiple forms of evidence that all point in the same direction, not on a single account or document.

Confidentiality as a Distinct Principle

ISO 19011 lists confidentiality twice in its principles, reflecting its importance. Beyond the basic principle of protecting information, confidentiality is also about understanding what information the auditor has a right to access, what information is privileged, and how to handle sensitive data. In organisations with unions, for example, auditors may not have access to individual performance records. In regulated industries, some information may be subject to legal holds or regulatory confidentiality requirements.

How ISO 19011 Shapes Internal Audit Programme Design

The principles of ISO 19011 do not just guide the conduct of individual audits. They fundamentally shape how an effective internal audit programme is designed. Understanding how to plan an internal audit programme requires knowing that the programme itself must reflect these principles from the outset.

An effective internal audit programme establishes clear audit objectives that define what the auditor is assessing. Rather than "audit the quality system," a proper audit objective states "assess whether the design and implementation of process controls in the sales function are adequate to meet ISO 9001 requirements and organisational quality objectives." This clarity allows the auditor to gather relevant evidence rather than everything.

The programme must also establish the audit scope by clearly defining which processes, functions, and time periods the auditor will examine. Scope creep is common when audits lack clear boundaries. An auditor starts by examining the sales process and somehow ends up assessing human resources policies. The programme must define what is in scope and what is out of scope before the audit begins.

Audit frequency is another critical design element that ISO 19011 influences indirectly. The principle of due diligence requires that audit frequency be sufficient to provide confidence in the system, but it does not prescribe how often that is. Some organisations audit every process annually. Others audit high risk processes twice yearly and lower risk processes every two years. The audit programme must justify its frequency based on risk assessment and the need for timely detection of issues.

Auditor competence requirements must also be embedded in the programme design. Learning how to become an ISO internal auditor means understanding that organisations must define what competence looks like for their auditors and ensure those standards are met. An internal auditor auditing the research and development function probably needs some technical knowledge of R&D processes. An auditor auditing financial controls probably needs basic accounting knowledge. The programme should define these competence requirements explicitly rather than assuming all auditors can audit any process.

Competence Requirements in Modern Audit Practice

ISO 19011 Section 7 addresses auditor competence in detail. The standard recognises that competence is not simply certification. An auditor holding a Lead Auditor certificate has demonstrated knowledge of ISO management systems and audit methodology at a point in time. But competence is broader. It includes knowledge of the specific industry or sector, knowledge of the particular processes being audited, communication skills, and the ability to analyse information objectively.

The standard also distinguishes between technical competence (knowledge of the standard and audit methodology) and sector competence (knowledge of the industry, processes, and context). An internal auditor in a pharmaceutical manufacturing company auditing the quality control laboratory needs both technical competence in ISO 9001 requirements for internal audits and sector competence in pharmaceutical testing methods and regulations. An auditor with only technical competence will miss critical issues because they do not understand what effective performance looks like in that context.

Modern audit practice has also recognised the importance of personal attributes in auditor competence. An auditor might be technically competent and still perform poorly if they lack communication skills, emotional intelligence, or the ability to remain objective when facing a defensive auditee. ISO 19011 identifies personal attributes that contribute to audit effectiveness: diplomacy, ability to listen, decisiveness, and cultural awareness. These attributes are harder to teach than technical knowledge, but they are equally important to audit quality.

The standard also recognises that competence must be maintained. An auditor cannot certify once and remain competent indefinitely. Professional development, exposure to new situations, and reflection on audit experience are all part of maintaining competence. Organisations serious about audit quality establish systems for auditor development that go beyond minimum compliance with certification requirements.

Evidence Gathering Under ISO 19011

One of the most significant impacts of ISO 19011 on modern audit practice is its emphasis on evidence based conclusions. This has shifted how auditors gather information and what they consider valid audit evidence. Understanding how to gather audit evidence that stands up to scrutiny is now a core competence for all auditors.

ISO 19011 defines audit evidence as records, statements of fact, or other information relevant to the audit objectives and criteria. The standard does not accept mere assertions or impressions. An auditor cannot conclude that a process is ineffective because it "feels" inadequate. An auditor must gather specific evidence that demonstrates the conclusion.

Evidence comes in multiple forms. Documentary evidence includes policies, procedures, work instructions, records, emails, and other written or electronic information. Testimonial evidence comes from interviews with people involved in the processes being audited. Observational evidence comes from watching actual work being performed. A robust audit conclusion integrates all three types of evidence.

The distinction between evidence and interpretation is critical. The auditor may observe that a certificate on the wall of a calibration laboratory expired three months ago. That is evidence. The auditor's interpretation is that equipment has not been calibrated, which is a reasonable interpretation. But the auditor should verify this interpretation by checking calibration records, by asking the laboratory manager what happened, and by understanding whether uncalibrated equipment was actually used in the interim. The evidence gathering process continues until the picture is clear.

ISO 19011 also emphasises that auditors must gather sufficient evidence before drawing conclusions. Insufficient evidence can lead to audit findings that are not justified. A finding based on a single observation from a single day may not reflect actual performance. An auditor must determine how many instances of evidence are needed to support a conclusion. If a procedure requires that all temperature readings be recorded, finding one instance where a reading was not recorded suggests a potential issue. Finding that readings were omitted in 20 percent of instances provides stronger evidence of a systemic problem.

The Role of Audit Methodology

While ISO 19011 does not prescribe a single audit methodology, it does influence how effective audits are structured. Modern audit practice increasingly follows a phased approach: planning, conducting, and reporting. Within each phase, the principles of ISO 19011 shape the specific activities.

The planning phase includes defining audit objectives, establishing audit criteria (which standards or requirements will be assessed), determining the audit scope, assessing risks that might affect the audit, allocating resources, and determining audit frequency. This phase is often rushed in practice, but ISO 19011 requires due diligence in planning. An audit based on unclear objectives or criteria will not generate useful results.

The conducting phase includes opening meetings, gathering evidence, conducting interviews, observing work, reviewing records, analysing findings, and closing meetings. Modern audits conducted under the principles of ISO 19011 tend to be more conversational and exploratory than older compliance audits. Rather than simply asking "do you have a procedure for X?", an auditor might ask "walk me through how you handle this situation" and then observe the process in action.

The reporting phase includes documenting findings, determining whether findings constitute nonconformities or observations, drafting the audit report, and following up on corrective actions. ISO 19011 requires that audit reports be clear, timely, and factual. A report that states "the process is not effective" without providing specific evidence or describing what evidence led to this conclusion fails the standard of clarity required by ISO 19011.

How Organisations Translate ISO 19011 Into Practice

Understanding ISO 19011 as a reference document is one thing. Actually implementing its principles in day to day audit work is more challenging. Many organisations bridge this gap by developing audit procedures that translate the principles into specific audit activities.

A robust internal audit procedure under ISO 19011 will define when audits occur, who can be an auditor, how auditors are selected for each audit (to protect impartiality), what the audit process consists of step by step, how evidence is documented, how findings are categorised and reported, and how follow up on corrective actions is managed. This procedure does not need to be lengthy. What matters is that it reflects the principles of ISO 19011 and is actually followed in practice.

Many organisations also develop audit checklists despite the shift in ISO 19011 toward principles based auditing. A well designed checklist remains useful if it is understood as a memory aid rather than a script. An auditor should use a checklist to ensure all relevant areas are covered, but the auditor should adjust the checklist based on what is discovered during the audit. If the checklist says "verify that calibration records are maintained" and the auditor discovers during interviews that calibration is outsourced to a supplier, the auditor should adjust the audit scope to examine supplier oversight rather than internal calibration practices.

Training in ISO 19011 principles is also important for audit quality. Auditors who understand the principles can adapt to different situations and think critically about audit processes. Auditors trained only on rote checklist application struggle when faced with situations that do not fit the checklist. The best auditor training develops both knowledge of ISO standards and capability in the auditing process as guided by ISO 19011.

Common Misunderstandings About ISO 19011

Despite its importance, several misunderstandings about ISO 19011 persist in audit practice. Recognising these misunderstandings is important for improving audit quality.

The first misunderstanding is that ISO 19011 only applies to certification audits. In fact, ISO 19011 guidance applies to all audits of management systems, whether conducted internally, by suppliers, or by certification bodies. An organisation conducting an internal audit in accordance with ISO 9001 Clause 9.2 is expected to follow the principles and guidance in ISO 19011, even though ISO 9001 does not explicitly reference ISO 19011.

The second misunderstanding is that ISO 19011 has eliminated the need for audit procedures and checklists. In fact, ISO 19011 simply emphasises that procedures and checklists should be tools that support thinking, not substitutes for it. A well designed audit procedure that incorporates ISO 19011 principles is more effective than no procedure at all.

The third misunderstanding is that auditor competence is demonstrated by certification alone. While certification is important, competence includes practical experience, sector knowledge, and the personal attributes that make an auditor effective. An organisation should not assign audits to someone simply because they hold a certificate if that person lacks relevant sector experience or has not demonstrated effectiveness in previous audits.

The fourth misunderstanding is that ISO 19011 requires lengthy audits. In fact, audit duration depends on scope and complexity, not on ISO 19011 requirements. A short audit can be thorough and defensible if it is well planned and executed with due diligence. A lengthy audit can be ineffective if the auditor gathers evidence without focus or does not reach clear conclusions.

The Impact of ISO 19011 on Certification Audits

Certification bodies have a significant incentive to follow ISO 19011 well. Their credibility depends on audits being conducted competently and on finding the significant nonconformities that should prevent nonconforming organisations from obtaining certification. A certification body that audits superficially or lets marginal conformity pass as acceptable damages its reputation and exposes its accreditation body to risk.

Modern certification audits conducted under ISO 19011 principles tend to be more rigorous than audits from a decade ago. Auditors probe more deeply into how processes actually operate. Auditors are more likely to conduct interviews away from the process owner and to observe actual work. Auditors are more likely to track processes across multiple functional areas rather than accepting information at face value from a single source. This is good for organisations because it means that when they obtain certification, the certification has genuine meaning.

Certification bodies also invest in auditor competence and quality assurance. Lead auditors receive extensive training in auditing methodology. Certification bodies conduct witness audits where experienced auditors observe and provide feedback to developing auditors. Audit results are reviewed to ensure quality. Understanding what to expect during an ISO certification audit includes recognising that the auditor will be thorough because ISO 19011 principles and the certification body's own quality systems demand it.

Looking Forward: How ISO 19011 Continues to Shape Audit Practice

ISO 19011 is not a static standard. The International Organization for Standardization continues to update it as auditing practices evolve and new insights emerge about what makes audits effective. Recent developments include greater emphasis on remote auditing, which became necessary during the COVID-19 pandemic and has continued as a practical option. ISO 19011 guidance on remote auditing addresses how to gather evidence, maintain impartiality, and protect confidentiality when audits are conducted remotely.

Another developing area is risk based auditing. While ISO 19011 has long emphasised that audit programmes should be based on risk assessment, organisations are becoming more sophisticated in their risk assessment approaches. Rather than auditing all processes equally, audit programmes increasingly focus resources on high risk areas. An auditor conducting a risk based audit must have competence in risk assessment as well as auditing. They must understand why a particular process is high risk and structure the audit accordingly.

Sustainability and ESG (environmental, social, and governance) factors are also influencing how ISO 19011 is applied. As organisations manage multiple management systems including ISO 9001 for quality, ISO 14001 for environment, and ISO 45001 for health and safety, auditors need competence in all three standards and the ability to audit integrated management systems. An effective internal audit programme might combine audits of different standards in a single audit engagement rather than conducting separate audits for each standard. This integration requires sophisticated audit planning and auditor competence.

Audit Workshop offers accredited ISO training across ISO 9001, ISO 14001, and ISO 45001 at Foundation, Internal Auditor, and Lead Auditor levels. Our courses are Exemplar Global recognised and designed for professionals who want both standard knowledge and practical audit skills.

Frequently Asked Questions

ISO 19011 applies to all audits of management systems, including first party (internal), second party (supplier or customer), and third party (certification body) audits. When ISO 9001, ISO 14001, or ISO 45001 require internal audits, those audits must be conducted in accordance with ISO 19011 principles and guidance, even though the management system standards do not explicitly reference ISO 19011.