ISO 19011:2018 – Risk based Auditing

19011:2018 Requirements

19011:2018 has a requirement for an Audit Program Manager with separate responsibilities for the Auditor.
A one discipline report cannot inform on all the disciplines related to the organization’s performance, as it relates to internal and external issues. It is incumbent upon management to utilize the internal and external auditor results. The number of corrective actions as the sole measure of performance is not a measure of achieving the strategic plan, which is what matters to an organization.
The need is to determine whether the operations management was effective in meeting the strategic goals and if improvements are needed. It is critical that Internal Auditors conduct internal audits according to 19011:2018 to deliver the required reports from both Top Management and the Operations.

Moreover, did the external and internal audit – have the same outcome or conclusions. Therefore, audits with the same mandatory reports are the outcomes to be considered for evaluating performance by both types of auditors.
The Standard itself states…that it ‘adopts the combined audit approach when two or more management systems of different disciplines are audited together. Where these systems are integrated into a single management system, the principles and processes of auditing are the same as for a combined audit’. The point is, although the principles and audit processes are the same or individual Standard audits – the risk associated with each discipline cannot be considered independently; there is an expectation of an integrated discipline audit for the operations. In other words, a single management system construct is required prior to executing a risk-based audit per 19011:2018. It is a true assessment of the strategic plan / Operations conundrum.