Whittington & Associates Newsletter

Sign up for our monthly email newsletter to get the latest guidance on ISO 9001, AS9100, AS9110, AS9120, ISO 13485, IATF 16949, ISO 14001, ISO 27001, ISO 45001, ISO 20000, and related ISO standards.

If you have any questions about the articles appearing in this issue, or you want to suggest topics for future issues, please let us know.

Guidelines for Recruitment

Oct 1, 2018 in Newsletter

ISO 30405:2016, “Human resource management – Guidelines for recruitment”

Recruitment is a major part of human resource management, covering the activities an organization undertakes to attract, source, assess, and employ people.

The impact of recruitment on organizational performance was noted in a survey of 4,288 executives from 102 countries conducted by the World Federation of People Management Associations. It found that organizations ranked in the top 20% in their ability to deliver on recruiting experienced up to 3.5 times the revenue growth and as much as twice the average profit margin of other organizations.

ISO 30405 aims to help organizations focus and deliver on recruitment performance objectives by providing guidance on:

1. recruitment policy development;
2. the flow from the sourcing of potential applicants to the onboarding of new recruits;
3. evaluation and measurement.

The 19-page ISO 30405 standard is available for about $138 at this ISO web page.

Related Human Resource Management standards on recruitment are:

  • ISO/TS 30407:2017, “Cost-Per-Hire”;
  • ISO/TS 30410:2018, “Impact of hire metric”;
  • ISO/TS 30411:2018, “Quality of hire metric”.

Internal Auditor Code of Conduct

Oct 1, 2018 in Newsletter

The purpose of this Code of Conduct is to communicate the integrity, objectivity, confidentiality, and competence expected of internal auditors, and to provide a means for them to pledge their commitment to these principles.

The integrity of internal auditors establishes trust and provides the basis for relying on their judgment. As an internal auditor, I pledge to:

1. Perform my audit assignments with honesty, accuracy, fairness, and discretion.
2. Not engage in activities that might discredit the audit program or our organization.
3. Report audit results truthfully and disclose any unresolved diverging opinions.
4. Act in a professional and courteous manner, even under adverse audit conditions.

Internal auditors must be objective in gathering, evaluating, and communicating information about the activities being examined. They must make a balanced and impartial assessment of all the relevant facts and not be unduly influenced by their interests, or those of others, in making judgments. As an internal auditor, I pledge to:

5. Disclose any activity or relationship that may affect my unbiased assessment.
6. Not accept anything that may impair, or appear to impair, my judgment.
7. Include all the material facts to avoid any distortion of my audit report.

Internal auditors must respect the value and ownership of the information they receive and not disclose it without the appropriate authority, unless obligated for legal or professional reasons. As an internal auditor, I pledge to:

8. Limit the sampled records to those needed to assess performance within the audit scope.
9. Exercise discretion in the use and protection of information acquired during my audit duties.
10. Not use the information for personal gain or in any way detrimental to the organization.

Internal auditors must apply their knowledge, skills, and experience in the performance of their assessment duties. As an internal auditor, I pledge to:

11. Accept assignments only if I possess the necessary knowledge, skills, and experience.
12. Perform audits in accordance with the procedures and practices of the organization.
13. Continually improve my proficiency and the quality and value of my audit services.
14. Assist other auditors under my supervision to develop their audit management skills.
15. Use my auditing knowledge to help improve the performance of our management system.
16. Prepare well for my audit assignments and report findings using verifiable evidence.

I agree to act in accordance with this Code of Conduct to uphold the integrity of our audit program and the ethical standards of our organization.

Signed by: ___________________________

Printed Name: ________________________

Date:  ______________________________

Risk-Based Auditing

Oct 1, 2018 in Newsletter

ISO 19011:2018, Guidelines for Auditing Management Systems, includes a new audit principle, the “Risk-based approach: an audit approach that considers risks and opportunities.”

The risk-based approach should substantively influence the planning, conducting, and reporting of audits to ensure that audits are focused on matters that are significant for the audit client, and for achieving the audit program objectives.

This article highlights the references to risk throughout the ISO 19011:2018 standard.

Risk Definition

Risk is defined at clause 3.19 as the “effect of uncertainty”. Notes explain that an “effect” is a deviation from the expected – positive or negative, and that “uncertainty” is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence and likelihood.

Additional Notes state that risk is often characterized by reference to potential events and consequences, or a combination of these. The Notes also state that risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.

Auditee Contact

Clause 6.2.2 identifies multiple topics to be addressed when the audit team leader establishes contact with the auditee, including to:

1. Request access to relevant information for planning purposes, including information on the risks and opportunities the organization has identified and how they are addressed;
2. Determine any areas of interest, concern, or risks to the auditee in relation to the specific audit.

Audit Preparation

When performing a review of the auditee’s documented information to prepare for the audit, clause 6.3.1 states that the review should take into account the context of the auditee’s organization, including its size, nature, and complexity, and its related risks and opportunities.

Audit Planning

The audit team leader should adopt a risk-based approach to planning the audit based on the information in the audit program and the documented information provided by the auditee.

According to clause 6.3.2, audit planning should consider the risks that the audit activities pose to the auditee's processes and provide the basis for the agreement among the audit client, audit team, and auditee regarding the conduct of the audit.

The amount of detail provided in the audit plan should reflect the scope and complexity of the audit, as well as the risk of not achieving the audit objectives.

In planning the audit, the audit team leader should consider the risks to achieving the audit objectives created by ineffective audit planning, and the risks to the auditee created by performing the audit.

Risks to the auditee can result from the presence of the audit team members adversely influencing the auditee’s arrangements for health and safety, environment, and quality, and its products, services, personnel, or infrastructure (e.g., contamination in clean room facilities).

Audit planning should address or reference the allocation of appropriate resources based upon consideration of the risks and opportunities related to the activities that are to be audited.

Audit planning should take into account any specific actions to be taken to address risks to achieving the audit objectives and the resulting opportunities.

Audit Guides

Guides, appointed by the auditee, should assist the audit team and act on the request of the audit team leader or the auditor to which they have been assigned. According to clause 6.4.2, their responsibilities should include ensuring that rules concerning location-specific arrangements for access, health and safety, environmental, security, confidentiality, and other issues are known and respected by the audit team members and observers, and that any risks are addressed.

Opening Meeting

The purpose of the opening meeting, according to clause 6.4.3, is to:

1. Confirm the agreement of all participants to the audit plan;
2. Introduce the audit team and their roles;
3. Ensure that all planned audit activities can be performed.

An important topic to introduce will be the audit methods to manage risks to the organization which may result from the presence of the audit team members.

Audit Communication

During the audit, the audit team leader should periodically communicate the progress, any significant findings, and any concerns to the auditee and audit client. Clause 6.4.4 states that evidence collected during the audit that suggests an immediate and significant risk should be reported without delay to the auditee and, as appropriate, to the audit client.

Information Verification

Clause 6.4.7 states that information relevant to the audit objectives, scope, and criteria, including information relating to interfaces between functions, activities, and processes, should be collected by means of appropriate sampling and should be verified, as far as practicable.

If, during the collection of objective evidence, the audit team becomes aware of any new or changed circumstances, or risks or opportunities, these should be addressed by the team.

Audit Finding

An “audit finding” is defined at clause 3.10 as the results of evaluating the collected audit evidence against audit criteria. Notes for that definition state that audit findings indicate conformity or nonconformity, and can lead to the identification of risks, opportunities for improvement, or recording of good practices.

Nonconformity Grading

According to clause 6.4.8, nonconformities can be graded depending on the context of the organization and its risks. This grading can be quantitative (e.g., 1 to 5) or qualitative (e.g., minor, major). Nonconformities should be reviewed with the auditee to obtain acknowledgement that the audit evidence is accurate and that the nonconformities are understood.

Audit Conclusions

Audit conclusions should address issues such as the extent of conformity, achievement of objectives, and improvement of the management system. Clause 6.4.9 also states that audit conclusions should include the identification of risks and effectiveness of actions taken by the auditee to address risks.

Closing Meeting

A closing meeting should be held to present the audit findings and conclusions. Clause 6.4.10 states that the degree of detail should take into account the effectiveness of the management system in achieving the auditee’s objectives, including consideration of its context and risks and opportunities.

Audit Report

The audit team leader should report the audit conclusions in accordance with the audit program. The audit report should provide a complete, accurate, concise, and clear record of the audit. Clause 6.5 states the report should note that audits by nature are a sampling exercise, and therefore, there is a risk that the audit evidence examined may not be representative.

Audit Completion

The audit is completed when all planned audit activities have been carried out, or as otherwise agreed with the audit client (e.g., there might be an unexpected situation that prevents the audit being completed according to the audit plan). According to clause 6.6, lessons learned from the audit can identify risks and opportunities for the audit program and the auditee.

Auditor Competence

In deciding the necessary competence for an auditor, clause 7.2 states that an auditor’s knowledge and skills related to the types and levels of risks and opportunities addressed by the management system should be considered.

An auditor should be able to understand the types of risks and opportunities associated with auditing and the principles of the risk-based approach to auditing.

The discipline and sector-specific competence of auditors should include the principles, methods, and techniques relevant to the discipline and sector, such that the auditor can determine and evaluate the risks and opportunities associated with the audit objectives.

An audit team leader should have the competence to discuss strategic issues with top management of the auditee to determine if they have considered these strategic issues when evaluating their risks and opportunities.

Auditing Risks

As part of the assignment of an individual audit, the determination and management of the organization’s risk and opportunities can be included. Annex A.10 states that the core objectives for such an audit assignment are to:

  • give assurance on the credibility of the risk and opportunity identification process;
  • give assurance that risks and opportunities are correctly determined and managed;
  • review how the organization addresses its determined risks and opportunities.

An audit of an organization’s approach to the determination of risks and opportunities should not be performed as a stand-alone activity. It should be implicit during the entire audit of a management system, including when interviewing top management.

An auditor should collect objective evidence on the following:

a) Inputs used by the organization for determining its risks and opportunities, which may include:

  • analysis of external and internal issues;
  • the strategic direction of the organization;
  • interested parties and their requirements;
  • potential sources of risk such as environmental aspects, safety hazards, etc.

b) Methods by which risks and opportunities are evaluated, which can differ between disciplines and sectors.

The organization’s treatment of its risks and opportunities, including the level of risk it wishes to accept and how it is controlled, will require the application of professional judgement by the auditor.

Auditor Training

Our onsite “Internal Auditor” courses have been updated for the revised guidance in ISO 19011:2018. Please see our website to view the descriptions for our Internal Auditor courses based on the ISO 9001:2015, ISO 14001:2015, ISO 45001:2018, AS9100:2016, AS9110:2016, AS9120:2016, ISO 13485:2016, and ISO 27001:2013 management system standards.

Audit Program Risks

Oct 1, 2018 in Newsletter

According to ISO 19011:2018, Guidelines for auditing management systems, a main difference compared to ISO 19011:2011 is the expansion of the guidance on managing an audit program, including audit program risk.

An “audit program” is defined in clause 3.4 as the arrangements for a set of one or more audits planned for a specific timeframe and directed towards a specific purpose.

According to clause 5.1, the extent of an audit program should be based on the size and nature of the auditee, as well as on the nature, functionality, complexity, type of risks and opportunities, and level of maturity of the management systems to be audited.

The guidance also states that audit priority should be given to allocating resources and methods to matters in a management system with higher inherent risk and lower level of performance.

Program Objectives

Audit program objectives should be consistent with the audit client’s strategic direction and support management system policy and objectives. Clause 5.2 identifies multiple factors for setting audit program objectives, including any identified risks and opportunities to the auditee.

Program Risks

There are risks and opportunities related to the context of the auditee that can be associated with an audit program and can affect the achievement of its objectives. The audit program manager should identify and present to the audit client the risks and opportunities considered when developing the audit program and resource requirements, so that they can be addressed appropriately.

According to clause 5.3, there can be risks associated with the following:

1. Planning, e.g., failure to set relevant audit objectives and determine the extent, number, duration, locations and schedule of the audits;
2. Resources, e.g., allowing insufficient time, equipment and/or training for developing the audit program or conducting an audit;
3. Selection of the audit team, e.g., insufficient overall competence to conduct audits effectively;
4. Communication, e.g., ineffective external/internal communication processes/channels;
5. Implementation, e.g., ineffective coordination of the audits within the audit program, or not considering information security and confidentiality;
6. Control of documented information, e.g., ineffective determination of the necessary documented information required by auditors and relevant interested parties, failure to adequately protect audit records to demonstrate audit program effectiveness;
7. Monitoring, reviewing and improving the audit program, e.g., ineffective monitoring of audit program outcomes;
8. Availability and cooperation of auditee and availability of evidence to be sampled.

Program Manager

Clause 5.4.1 provides a list of the roles and responsibilities of the audit program manager. One of the responsibilities is to determine the external and internal issues, and risks and opportunities that can affect the audit program, and implement actions to address them, integrating these actions in all relevant auditing activities, as appropriate.

According to clause 5.4.2, the audit program manager should have the necessary competence to manage the program and its associated risks and opportunities, and external and internal issues, effectively and efficiently.

The competence of the audit program manager should include knowledge of:

1. Audit principles, methods, and processes;
2. Management system standards, other relevant standards, and reference documents;
3. Information regarding the auditee and its context;
4. Legal requirements relevant to the business activities of the auditee.

As appropriate, knowledge of risk management, project and process management, and information and communications technology may be considered.

Clause 5.4.3 identifies multiple factors to be considered by the audit program manager when the extent of the audit program is being established, including:

  • Significant changes to the auditee’s context or operations, and related risks and opportunities;
  • Occurrence of internal and external events, such as nonconformities of products or service, information security leaks, health and safety incidents, criminal acts, or environmental incidents;
  • Business risks and opportunities, including actions to address them.

Program Resources

When determining resources for the audit program, the audit program manager should consider the factors listed in clause 5.4.4, including the extent of the audit program and its risks and opportunities.

Program Implementation

Once the audit program has been established, and related resources have been determined, it is necessary to implement the operational planning and the coordination of all the activities within the program.

According to clause 5.5, the audit program manager should communicate the relevant parts of the audit program, including the risks and opportunities involved, to relevant interested parties and inform them periodically of its progress, using established external and internal communication channels.

The audit program manager should also ensure the conduct of audits in accordance with the audit program, managing all operational risks, opportunities, and issues (i.e., unexpected events), as they arise during the deployment of the program.

Individual Audits

Clause 5.5.2 states that the objectives for an individual audit are to define what is to be accomplished by the audit and may include:

1. Determining the extent of conformity of the management system to be audited, or parts of it, with the audit criteria;
2. Evaluating the capability of the management system to assist the organization in meeting relevant legal requirements and other requirements to which the organization is committed;
3. Evaluating the effectiveness of the management system in meeting its intended results;
4. Identifying opportunities for potential improvement of the management system;
5. Evaluating the suitability and adequacy of the management system with respect to the context and strategic direction of the auditee;
6. Evaluating the capability of the management system to establish and achieve objectives and effectively address risks and opportunities, in a changing context, including the implementation of the related actions.

The scope of an individual audit should be consistent with the audit program and audit objectives. It includes such factors as the locations, functions, activities, and processes to be audited, as well as the time period covered by the audit.

The audit criteria are used as a reference against which conformity is determined. These may include one or more of the following: applicable policies, processes, procedures, performance criteria (including objectives), legal requirements, management system requirements, information regarding the context, and the risks and opportunities as determined by the auditee, sector codes of conduct, or other planned arrangements.

Audit Methods

Clause 5.5.3 states that the audit program manager should select and determine the methods for effectively and efficiently conducting an audit, depending on the defined audit objectives, scope, and criteria.

Audits can be performed on-site, remotely, or as a combination. The use of these methods should be suitably balanced, based on, among others, consideration of associated risks and opportunities.

According to Annex A.1, the feasibility of remote audit activities can depend on several factors, e.g., the level of risk to achieving the audit objectives, the level of confidence between auditor and auditee’s personnel, and regulatory requirements.

The risk associated with sampling is that the samples may not be representative of the population from which they are selected. Therefore, the auditor's conclusion may be biased and different from that which would be reached if the entire population was examined. There may be other risks depending on the variability within the population to be sampled and the method chosen.
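The sampling risk described above can be put in numbers. The following is an added illustration for this newsletter, not text or a method from ISO 19011: it models the audit sample as a random draw without replacement from a population of records (the hypergeometric distribution) and computes the probability that the sample contains none of the nonconforming records, i.e., that the auditor reaches a clean conclusion that is wrong. The population and defect counts are constructed for the example; `prob_miss_all` and `sample_size_for_confidence` are names chosen here.

```python
"""Sampling risk in an audit: how likely is a sample to miss every
nonconformity in a population of records?

Added illustration; the scenario figures are constructed, not taken from
ISO 19011. Model: a population of `population` records of which
`nonconforming` are deficient, and the auditor draws `sample` records at
random without replacement (hypergeometric distribution).
"""
from math import comb


def prob_miss_all(population: int, nonconforming: int, sample: int) -> float:
    """Probability that a random sample drawn without replacement contains
    none of the nonconforming records (hypergeometric with k = 0).

    This is the chance the audit sees only conforming evidence and so
    concludes "conforms" although defects exist in the population.
    """
    if not (0 <= nonconforming <= population and 0 <= sample <= population):
        raise ValueError("need 0 <= nonconforming, sample <= population")
    conforming = population - nonconforming
    if sample > conforming:
        return 0.0  # more records drawn than conforming ones exist: a defect must appear
    return comb(conforming, sample) / comb(population, sample)


def sample_size_for_confidence(population: int, nonconforming: int,
                               confidence: float) -> int:
    """Smallest sample size at which the probability of drawing at least one
    nonconforming record is >= confidence (assuming that many defects exist)."""
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0 and 1")
    if nonconforming <= 0:
        raise ValueError("no nonconforming records to detect")
    for n in range(1, population + 1):
        if 1.0 - prob_miss_all(population, nonconforming, n) >= confidence:
            return n
    return population  # unreachable for nonconforming > 0, kept for completeness


if __name__ == "__main__":
    # Constructed scenario: 500 quarterly access-review records, 25 (5 %) defective.
    N, K = 500, 25
    for n in (5, 10, 25, 50, 90):
        print(f"sample {n:3d}: P(miss all {K} defects) = {prob_miss_all(N, K, n):.3f}")
    print("sample size for a 95 % chance of seeing at least one defect:",
          sample_size_for_confidence(N, K, 0.95))
```

The point for the audit report is that a "no nonconformities found" conclusion from a small judgement-based sample carries a quantifiable chance of being wrong, which is why clause 6.5 asks the report to note that audits are a sampling exercise; the second function shows how the sample size has to grow as the acceptable miss rate shrinks.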

Lead Auditor

To ensure the effective conduct of an individual audit, clause 5.5.5 lists information that should be provided to the audit team leader, including the information needed for evaluating and addressing identified risks and opportunities to the achievement of the audit objectives.

Audit Records

The audit program manager should ensure that audit records are generated, managed, and maintained to demonstrate the implementation of the audit program. Processes should be established to ensure that any information security and confidentiality needs associated with the audit records are addressed.

Clause 5.5.7 lists examples of audit records, including those addressing audit program risks and opportunities, and relevant external and internal issues.

Program Improvements

The audit program manager and the audit client should review the audit program to assess whether its objectives have been achieved. Lessons learned from the audit program review should be used as inputs for the improvement of the program.

Clause 5.7 states that the audit program review should consider multiple topics, including the effectiveness of the actions to address the risks and opportunities, and internal and external issues associated with the audit program.

Auditor Training

Our onsite “Internal Auditor” courses have been updated for the revised guidance in ISO 19011:2018. Please see our website to view our Internal Auditor course descriptions for the ISO 9001:2015, ISO 14001:2015, ISO 45001:2018, AS9100:2016, AS9110:2016, AS9120:2016, ISO 13485:2016, and ISO 27001:2013 management system standards.

ISO 20000-1:2018

Oct 1, 2018 in Newsletter

The third edition of ISO 20000-1, Information technology – Service management – Part 1: Service management system requirements, has been published.

ISO 20000-1:2018 specifies requirements for an organization to establish, implement, maintain, and continually improve a service management system (SMS). The specified requirements include the planning, design, transition, delivery, and improvement of services to meet the service requirements and deliver value.

ISO 20000-1:2018 can be used by:

a) a customer seeking services and requiring assurance regarding the quality of those services;

b) a customer requiring a consistent approach to the service lifecycle by all its service providers, including those in a supply chain;

c) an organization to demonstrate its capability for the planning, design, transition, delivery, and improvement of services;

d) an organization to monitor, measure, and review its SMS and the services;

e) an organization to improve the planning, design, transition, delivery, and improvement of services through effective implementation and operation of an SMS;

f) an organization or other party performing conformity assessments against the requirements specified in the standard;

g) a provider of training or advice in service management.

The term “service” as used in ISO 20000-1 refers to the service or services in the scope of the SMS. The term “organization” refers to the organization in the scope of the SMS that manages and delivers services to customers.

The organization in the scope of the SMS can be part of a larger organization, for example, a department of a large corporation. An organization, or part of an organization, that manages and delivers a service or services to internal or external customers can also be known as a service provider.

The 31-page ISO 20000-1:2018 can be ordered at this ISO web page for about $138.

The standard can be ordered at this ANSI web page for $162.00 or a member price of $129.60.