ISO 19011 has been revised. The fourth edition, ISO 19011:2026, was published in May 2026 and it cancels and replaces the 2018 version that auditors have leaned on for years. If you audit management systems, whether as an internal auditor, a lead auditor or a quality manager running your own programme, this is the document that defines good practice for how an audit is planned, conducted and reported.
On this page
The good news is that this is a technical revision, not a rewrite. The seven principles are still there. The clause skeleton is unchanged. Your existing audit process will not suddenly be wrong. But there are real shifts in language and emphasis that change how a sharp auditor talks, plans and evidences their work. This guide walks through what actually changed and what it means in the field.
What Kind of Standard ISO 19011 Is
First, a reminder that matters for how you use it. ISO 19011 is guidance, not a requirements standard. You cannot certify an organisation against it. There is no shall to comply with. It is the recognised reference for how to audit a management system well, and certification bodies, internal audit teams and second party auditors all draw on it.
One consequence of that guidance status is important in 2026. Unlike a requirements standard, revised guidance applies immediately on release. There is no three year transition window. The 2026 edition is the current good practice reference from the day it was published. If you train auditors or write audit procedures, you are working to the 2026 text now.
If you are still building your foundation on what 19011 covers, our explainer on how the ISO 19011 guidelines shape modern audit practice is a good place to start before you dig into the changes.
The Structure Did Not Change
Anyone who knows the 2018 layout will feel at home. The clause structure is identical:
- Clause 1 Scope
- Clause 2 Normative references
- Clause 3 Terms and definitions
- Clause 4 Principles of auditing
- Clause 5 Managing an audit programme
- Clause 6 Conducting an audit
- Clause 7 Competence and evaluation of auditors
- Annex A Additional guidance for auditors
So the changes are evolutionary. They live inside the clauses, in the words chosen and the points emphasised, rather than in any reshuffle of the document. That is exactly why the differences are easy to miss if you only skim the contents page.
The Biggest Shift Is Language: From Audit to Auditing
The most visible change runs right through the document. Where 2018 spoke of audit methods and audit activities, 2026 speaks of auditing methods and auditing activities. It is a deliberate move from the noun to the gerund, framing the discipline as an ongoing activity rather than a single event.
This is not just cosmetic for trainers and procedure writers. If your audit procedures, checklists and report templates quote the old terms, they now sit slightly out of step with the reference standard. It is worth a find and replace pass when you next revise your documented information. Note one subtlety. The general phrase audit methodology is unchanged. Only the formal defined terms moved.
Two more terminology shifts are worth committing to memory:
- The word organization now refers to the auditee. The body carrying out the audit is the auditing organization. Keeping those two straight removes a lot of ambiguity in reports.
- External providers became organizations in the supply chain. That language change sits alongside a much bigger expansion of supply chain auditing guidance in Annex A.
There are smaller wording tidies too. The audit programme extent is now its scope. An audit conclusion is described as the result of an audit rather than the outcome. Several clause titles gained the word the, so you will read determining the feasibility of the audit. None of these change what you do, but they change the vocabulary an examiner or a certification body will expect to hear from a current auditor.
Clause 3: A New Term for Remote Auditing
Clause 3 gained a new defined term, remote auditing method, and the later definitions were renumbered to make room for it. That single addition signals where a lot of the 2026 energy went. Remote and hybrid auditing has moved from a bolt on to a recognised method with its own vocabulary.
Clause 3 also tidied the definition of an observer, clarifying that an observer does not include a technical expert. In practice that protects the integrity of your audit team roles. An observer watches. A technical expert contributes knowledge. The 2026 text makes sure nobody blurs the two on an attendance list.
Clause 4: The Seven Principles Stay, in a New Format
The seven principles of auditing are unchanged in substance. What changed is presentation. In 2018 they were listed as bullet points a to g. In 2026 they are set out as subclauses 4.2 to 4.8, which gives each one room to breathe. For the record, the seven are:
- Integrity, the foundation of professionalism
- Fair presentation, reporting truthfully and accurately
- Due professional care, applying diligence and judgement
- Confidentiality, the security of information
- Independence, the basis for impartiality and objectivity
- Evidence based approach, the rational method for reliable conclusions through sampling
- Risk based approach, considering risks and opportunities
If you teach these or are assessed on them, learn them as numbered subclauses now. The meaning you already hold is correct.
Clause 5: Managing the Programme With Climate and Technology in View
Clause 5 is where some of the most practical thinking landed. When you design an audit programme, 2026 asks you to consider two things the 2018 text did not call out.
The first is climate change. The standard now asks whether climate change is relevant to the auditee and, if it is, whether the audit programme reflects it. This mirrors the climate change amendments that ran through the management system standards, so it is consistent with where the wider ISO world is heading.
The second is the auditee application of technology and digital tools. If the organisation you audit runs its processes through software, automation or connected systems, your programme should account for that. It feeds directly into competence expectations in Clause 7, which we come to below.
There is also a sharper verb at work. Risks and opportunities are now determined rather than merely considered. The difference matters. Determining means you review the evidence and make a decision you can show. Considering can be waved through. Treat this as a quiet lift in the bar for how you document programme level risk thinking.
On that theme, Clause 5 expanded its examples of resourcing and programme risks. The list now explicitly names things like a lack of auditor independence and impartiality, unsuitable auditing methods, failure to conduct audits in line with the programme, and undue influence. That last one is worth pausing on. Undue influence covers pressure to defer or remove an audit, or to restrict its scope. Naming it gives programme managers language to push back when someone leans on the schedule. The examples also cover a lack of top management sponsorship, unavailability of the auditee or evidence, and insecure IT tools.
Finally, audit reports are now distributed to previously determined parties, meaning the recipients you set when the programme was built, rather than to relevant interested parties decided after the fact. It is a small change that improves discipline around who sees what.
If programme design is your weak spot, our walkthrough on how to build an internal audit programme from scratch pairs well with the 2026 emphasis on determining risk up front.
Clause 6: Conducting the Audit With Tighter Evidence Discipline
Clause 6 covers the audit itself, from document review to the closing meeting, and several 2026 changes will be felt directly by working auditors.
Document review now does more. As well as helping you prepare, it should help you determine the inherent risks of the auditee and the risks the audit itself poses to the auditing organisation. You are reading the documents with two risk lenses, not one.
Audit plans are now presented to the audit client as well as the auditee. In a certification context that means the client commissioning the audit sees the plan, which improves transparency. There is also new guidance on the risks specific to joint audits, where two or more auditing organisations audit together.
Communication during the audit is broadened. Where you find significant risks, or where you reach a point at which the audit objectives cannot be achieved, you now communicate that to the individual managing the audit programme, as well as to the client and the auditee. The programme manager is no longer the last to know.
The change that will matter most in day to day reporting concerns nonconformities. Two points stand out. First, when nonconformities are graded, the grading criteria should be defined and communicated, and the grade should be recorded. No more grading a finding major or minor on instinct without a stated basis. Second, when you raise a nonconformity you should record the reason the audit criteria were not met. That pushes auditors toward findings that explain themselves.
There is also a clear discipline point. Only nonconformities that were presented and discussed during the audit, including at the closing meeting, may appear in the report. No surprises after everyone has left the room. If you want to get the wording of findings right, our guide on what is an audit finding vs observation vs nonconformity lines up neatly with the 2026 expectation that findings are clear and defensible.
Clause 7: Competence Catches Up With Technology
Clause 7 deals with what makes an auditor competent, and 2026 modernised it. Competence now explicitly covers emerging technology, including the use of technology based evaluation tools such as those built on artificial intelligence, and the ability to audit technology based processes. An auditor who freezes the moment a process runs through software is no longer fully competent by the current reference.
Knowledge of statutory and regulatory requirements was widened to include data protection and information security. Given how much auditee data now lives in connected systems, that is a sensible and overdue addition.
There is a small but telling behaviour change. The 2018 trait tenacious became determined, with the meaning unchanged, and the phrase able to act with fortitude was deleted. The 2026 text prefers plain, current language for the personal behaviours it expects.
Auditor evaluation also broadened. The programme manager should now consider feedback from auditees and stakeholders when evaluating auditors, not only internal review. That brings the people on the receiving end of audits into the competence loop.
Annex A: Remote Auditing and Supply Chain Take Centre Stage
Annex A is informative guidance, and it is where the most visible reworking happened. Three areas changed.
Table A.1, which contrasts on site and remote methods, was updated, with a new signpost to the dedicated remote auditing guidance and to the companion technical specification ISO/IEC TS 17012:2024 on remote auditing methods. The 2026 edition leans on that companion document rather than trying to hold all the remote detail itself.
A.12, covering the audit of the supply chain and second party audits, was substantively expanded. This is where the external providers to supply chain language change pays off, with more practical guidance for auditors working across supplier relationships.
A.16 was retitled Using remote auditing methods, and the surrounding remote auditing guidance was extensively reworked. If you do any remote or hybrid auditing, this is the section to read closely. For a practical view of how remote work has reshaped audits, see our piece on remote auditing under ISO standards and what has changed.
What These Changes Mean for You in Practice
Pulling it together, here is what a practising auditor should actually do with the 2026 edition.
- Update your vocabulary. Talk about auditing methods and auditing activities, the result of an audit, and the scope of the programme. A current auditor sounds current.
- Refresh your templates. Audit plans, checklists and report templates that quote the 2018 terms should be revised when you next touch your documented information.
- Define your grading. If you grade findings, write down the criteria and communicate them, then record the grade against each nonconformity.
- Explain your findings. Record why the criteria were not met. A finding that explains itself survives challenge.
- Plan with climate and technology in view. When you design a programme, ask whether climate change is relevant and how the auditee uses digital tools.
- Build remote competence. The 2026 text treats remote auditing and technology based processes as core, not optional. Make sure your team can work that way.
None of this requires you to throw away how you audit. It asks you to sharpen the edges, to evidence your thinking and to keep pace with how organisations actually operate in 2026.
How Audit Workshop Keeps You Current
Standards move, and auditor training has to move with them. Our Internal Auditor and Lead Auditor courses are built on ISO 19011, and our content reflects the 2026 edition, from the seven principles as numbered subclauses to the expanded expectations around remote auditing, grading and competence. The courses are self paced and online, delivered by a practising lead auditor, and they are Exemplar Global certified, so you finish with a Certificate of Attainment and an Exemplar Global digital badge.
If you want to put the 2026 guidance into practice rather than just read about it, that is exactly what our auditor training is designed for.
