Providers of Internal Audit Courses have concentrated predominantly on Quality and Environmental management systems, but it is becoming clear that 18001 (the Health and Safety Standard), ISO27001 (the Information Security Standard), ISO20001 (the IT Service Management Standard), the automotive Standard TS 16949, the Aerospace Standard AS9100 and many others are featuring more and more. These need to be audited on a regular basis.
Our own internal auditing course will be updated to reflect these changes, once the standard is published.
The new auditing Standard focuses far more on RISK, including the risk of not carrying out audits correctly, either through inappropriately defined audit objectives, insufficient competence of auditors or inadequate risk evaluation methods.
Competence of auditors in the Standards being audited features in the new Annex A to 19011, which details the discipline-specific knowledge and skills of auditors for:
- Information Security
- Resilience, Security, Preparedness and Continuity (RSPC)
- Transportation Safety
Where sampling of systems takes place, e.g. where it is neither practical nor cost-effective to examine 100% of the items, a representative sample of the population may be used to provide sufficient evidence that the sample is truly representative of the whole population. Annex C provides an informative strategy for auditors. This section also recognises that the "Auditor’s nose" can be used to choose a sample based on size, selection, methodology and previous experience. Where extensive sampling is required, the Standard refers the reader to Sampling Plan Standards (e.g. ISO 2859).
And finally there is far more emphasis on the evaluation of auditors/team leaders to ensure competence, skills, knowledge and personal behaviour.
This update is well overdue as the original standard was produced in 2002 and we can look forward to its publication in 2011.