Guidelines for auditing management systems (ISO 19011:2026)

This document gives guidance on auditing management systems, including the principles of auditing, managing an audit programme and conducting management system audits, as well as guidance on the evaluation of competence of individuals involved in the audit process. These individuals include those managing the audit programme, auditors and audit teams.
It is applicable to all organizations that need to plan and conduct audits of management systems or manage an audit programme.
The application of this document to other types of audits is possible, provided that special consideration is given to the specific competence needed and the objectives to be achieved.

Leitfaden zur Auditierung von Managementsystemen (ISO 19011:2026)

Lignes directrices pour l'audit des systèmes de management (ISO 19011:2026)

Le présent document donne des lignes directrices sur l’audit de systèmes de management, comprenant les principes de l’audit, le pilotage d’un programme d’audit et la réalisation d’audits de systèmes de management. Il donne également des lignes directrices sur l’évaluation de la compétence des personnes impliquées dans le processus d’audit. Ces personnes incluent les responsables du pilotage du programme d’audit, les auditeurs et les équipes d’audit.
Il est applicable à tous les organismes qui doivent planifier et réaliser des audits de systèmes de management ou piloter un programme d’audit.
Le présent document peut, en principe, s’appliquer à d’autres types d’audits, à condition toutefois d’accorder une attention toute particulière aux compétences spécifiques requises et aux objectifs à atteindre.

Smernice za presojo sistemov vodenja (ISO 19011:2026)

Ta dokument podaja smernice za presojo sistemov vodenja, vključno z načeli presoje, upravljanjem programa presoje in izvedbo presoj sistemov vodenja, ter smernice za ocenjevanje usposobljenosti posameznikov, vključenih v proces presoje. Ti posamezniki vključujejo tiste, ki upravljajo program presoje, presojevalce in presojne skupine.
Uporaben je za vse organizacije, ki morajo načrtovati in izvajati presoje sistemov vodenja ali upravljati program presoje.
Uporaba tega dokumenta za druge vrste presoj je možna, pod pogojem, da se posebno pozornost nameni specifični usposobljenosti, ki je potrebna, in ciljem, ki jih je treba doseči.

General Information

Status
Published
Public Enquiry End Date
01-Jun-2025
Publication Date
30-Jun-2026
Technical Committee
UGA - Conformity assessment
Current Stage
6060 - National Implementation/Publication (Adopted Project)
Start Date
10-Jun-2026
Due Date
15-Aug-2026
Completion Date
01-Jul-2026

Buy Documents

Standard

SIST EN ISO 19011:2026

English language (56 pages)
Preview
Preview
e-Library read for
1 day

Relations

Effective Date
01-Sep-2026

Overview

SIST EN ISO 19011:2026 provides comprehensive guidelines for auditing management systems. This international standard is designed to assist organizations in planning, conducting, and managing audits of management systems, covering the principles of auditing, the establishment and management of audit programmes, and the evaluation of audit team competence. It is applicable to organizations of all sizes and sectors, whether undertaking internal audits, auditing external providers, or managing broader audit programmes. The standard also allows for use in other types of audits, provided that unique competence requirements and objectives are considered.

ISO 19011:2026 ensures that organizations can audit against a variety of criteria, including requirements from different management system standards (such as quality, environmental, and information security), statutory and regulatory needs, and internal procedures. It supports a risk-based approach, adaptable to the complexity, size, and context of the organization.

Key Topics

  • Principles of Auditing: The standard provides a foundation based on seven main principles: integrity, fair presentation, due professional care, confidentiality, independence, evidence-based approach, and a risk-based approach. These principles ensure audits are effective, impartial, and add value.
  • Managing an Audit Programme: Guidance is given on establishing, implementing, and monitoring audit programmes-including setting objectives, evaluating risks and opportunities, resource allocation, and continual improvement.
  • Conducting Audits: Clear processes are outlined for initiating, preparing, executing, and following up on audits. This includes planning audit activities, collecting objective evidence, determining findings and conclusions, and reporting.
  • Competence and Evaluation: The standard details how to determine, develop, and assess the competence of individuals involved in the audit process-from auditors and audit team leaders to technical experts and observers.
  • Remote Auditing Methods: The latest edition expands guidance on integrating remote auditing techniques and managing virtual locations, aligning with evolving organizational structures and technologies.

Applications

ISO 19011:2026 is highly versatile and practical for a wide range of organizational needs:

  • Internal and External Audits: Useful for both first-party (internal) audits and second-party (external provider) audits. It also supports third-party activities for purposes beyond certification.
  • Multiple Management System Audits: Supports combined and integrated audits, enabling efficient assessment of more than one discipline (e.g., quality, environment, and safety management systems) in a single process.
  • Programme Management: Provides structure for managing ongoing audit activities, ensuring the consistent application of best practices, proper resourcing, and alignment with organizational objectives and risks.
  • Training and Competence Development: Can be used by training providers and organizations to develop auditor training frameworks, competence benchmarks, and evaluation criteria.
  • Support for Certification Bodies: Although not intended to specify certification requirements, ISO 19011:2026 offers guidance that can supplement third-party certification activities and enhance overall audit quality.

Adopting ISO 19011:2026 helps organizations gain reliable insights into system performance, compliance, and continual improvement, while minimizing audit risks and optimizing resource use.

Related Standards

Organizations utilizing ISO 19011:2026 may also benefit from the following related management system and conformity assessment standards:

  • ISO 9001 – Quality management systems
  • ISO 14001 – Environmental management systems
  • ISO/IEC 27001 – Information security management systems
  • ISO 45001 – Occupational health and safety management systems
  • ISO/IEC 17021-1 – Requirements for bodies providing audit and certification of management systems
  • ISO/IEC TS 17012 – Guidelines for the use of remote auditing methods

Leveraging ISO 19011:2026 alongside these standards enables a comprehensive, effective, and harmonized approach to management systems auditing, fostering continual improvement, credibility, and stakeholder confidence.

Buy Documents

Standard

SIST EN ISO 19011:2026

English language (56 pages)
Preview
Preview
e-Library read for
1 day

Get Certified

Connect with accredited certification bodies for this standard

BSI Group

BSI (British Standards Institution) is the business standards company that helps organizations make excellence a habit.

UKAS United Kingdom Verified

Bureau Veritas

Bureau Veritas is a world leader in laboratory testing, inspection and certification services.

COFRAC France Verified

DNV

DNV is an independent assurance and risk management provider.

NA Norway Verified

Sponsored listings

Frequently Asked Questions

SIST EN ISO 19011:2026 is a standard published by the Slovenian Institute for Standardization (SIST). Its full title is "Guidelines for auditing management systems (ISO 19011:2026)". This standard covers: This document gives guidance on auditing management systems, including the principles of auditing, managing an audit programme and conducting management system audits, as well as guidance on the evaluation of competence of individuals involved in the audit process. These individuals include those managing the audit programme, auditors and audit teams. It is applicable to all organizations that need to plan and conduct audits of management systems or manage an audit programme. The application of this document to other types of audits is possible, provided that special consideration is given to the specific competence needed and the objectives to be achieved.

This document gives guidance on auditing management systems, including the principles of auditing, managing an audit programme and conducting management system audits, as well as guidance on the evaluation of competence of individuals involved in the audit process. These individuals include those managing the audit programme, auditors and audit teams. It is applicable to all organizations that need to plan and conduct audits of management systems or manage an audit programme. The application of this document to other types of audits is possible, provided that special consideration is given to the specific competence needed and the objectives to be achieved.

SIST EN ISO 19011:2026 is classified under the following ICS (International Classification for Standards) categories: 03.100.70 - Management systems; 03.120.10 - Quality management and quality assurance; 03.120.20 - Product and company certification. Conformity assessment; 13.020.10 - Environmental management. The ICS classification helps identify the subject area and facilitates finding related standards.

SIST EN ISO 19011:2026 has the following relationships with other standards: It is inter standard links to SIST EN ISO 19011:2018. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

SIST EN ISO 19011:2026 is available in PDF format for immediate download after purchase. The document can be added to your cart and obtained through the secure checkout process. Digital delivery ensures instant access to the complete standard document.

Standards Content (Sample)


SLOVENSKI STANDARD
01-september-2026
Nadomešča:
SIST EN ISO 19011:2018
Smernice za presojanje sistemov vodenja (ISO 19011:2026)
Guidelines for auditing management systems (ISO 19011:2026)
Leitfaden zur Auditierung von Managementsystemen (ISO 19011:2026)
Lignes directrices pour l'audit des systèmes de management (ISO 19011:2026)
Ta slovenski standard je istoveten z: EN ISO 19011:2026
ICS:
03.100.70 Sistemi vodenja Management systems
03.120.10 Vodenje in zagotavljanje Quality management and
kakovosti quality assurance
13.020.10 Ravnanje z okoljem Environmental management
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EUROPEAN STANDARD EN ISO 19011

NORME EUROPÉENNE
EUROPÄISCHE NORM
May 2026
ICS 03.120.20
Supersedes EN ISO 19011:2018
English version
Guidelines for auditing management systems (ISO
19011:2026)
Lignes directrices pour l'audit des systèmes de Leitfaden zur Auditierung von Managementsystemen
management (ISO 19011:2026) (ISO 19011:2026)
This European Standard was approved by CEN on 14 May 2026.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.

CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2026 CEN/CENELEC All rights of exploitation in any form and by any means Ref. No. EN ISO 19011:2026 E
reserved worldwide for CEN national Members and for
CENELEC Members.
Contents Page
European foreword . 3

European foreword
This document (EN ISO 19011:2026) has been prepared by Technical Committee ISO/PC 302
"Guidelines for auditing management systems" in collaboration with Technical Committee CEN-
CENELEC/ JTC 1 “Criteria for conformity assessment bodies” the secretariat of which is held by BSI.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by November 2026, and conflicting national standards
shall be withdrawn at the latest by November 2026.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN-CENELEC shall not be held responsible for identifying any or all such patent rights.
This document supersedes EN ISO 19011:2018.
Any feedback and questions on this document should be directed to the users’ national standards
body/national committee. A complete listing of these bodies can be found on the CEN and CENELEC
websites.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and the
United Kingdom.
Endorsement notice
The text of ISO 19011:2026 has been approved by CEN-CENELEC as EN ISO 19011:2026 without any
modification.
International
Standard
ISO 19011
Fourth edition
Guidelines for auditing
2026-05
management systems
Lignes directrices pour l’audit des systèmes de management
Reference number
ISO 19011:2026(en) © ISO 2026
ISO 19011:2026(en)
© ISO 2026
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
ISO 19011:2026(en)
Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Principles of auditing . 5
4.1 General .5
4.2 Integrity .5
4.3 Fair presentation .5
4.4 Due professional care .5
4.5 Confidentiality .6
4.6 Independence .6
4.7 Evidence-based approach .6
4.8 Risk-based approach .6
5 Managing an audit programme . 6
5.1 General .6
5.2 Establishing audit programme objectives .9
5.3 Determining and evaluating audit programme risks and opportunities .9
5.4 Establishing the audit programme .10
5.4.1 Roles and responsibilities of individual(s) managing the audit programme .10
5.4.2 Competence of individual(s) managing the audit programme .11
5.4.3 Establishing the scope of the audit programme .11
5.4.4 Determining audit programme resources . 12
5.5 Implementing the audit programme . 12
5.5.1 General . 12
5.5.2 Defining the objectives, scope and criteria for an individual audit . 13
5.5.3 Selecting and determining auditing methods .14
5.5.4 Selecting audit team members .14
5.5.5 Assigning responsibility for an individual audit to the audit team leader . 15
5.5.6 Managing audit programme results .16
5.5.7 Managing audit related records .16
5.6 Monitoring the audit programme .17
5.7 Reviewing and improving the audit programme.17
6 Conducting an audit .18
6.1 General .18
6.2 Initiating the audit .18
6.2.1 General .18
6.2.2 Establishing contact with the auditee .18
6.2.3 Determining the feasibility of the audit.19
6.3 Preparing auditing activities .19
6.3.1 Performing the review of documented information .19
6.3.2 Audit planning .19
6.3.3 Assigning work to the audit team .21
6.3.4 Preparing documented information for the audit .21
6.4 Conducting auditing activities .21
6.4.1 General .21
6.4.2 Assigning the roles and responsibilities of guides and observers .21
6.4.3 Conducting the opening meeting . 22
6.4.4 Communicating during the audit . 23
6.4.5 Providing access to audit information . 23
6.4.6 Reviewing documented information while conducting the audit . 23
6.4.7 Collecting and verifying information.24
6.4.8 Generating the audit findings . 25

iii
ISO 19011:2026(en)
6.4.9 Determining the audit conclusions . 25
6.4.10 Conducting the closing meeting. 26
6.5 Preparing and distributing the audit report . .27
6.5.1 Preparing the audit report .27
6.5.2 Distributing the audit report .27
6.6 Completing the audit . 28
6.7 Conducting the audit follow-up . 28
7 Competence and evaluation of auditors .28
7.1 General . 28
7.2 Determining auditor competence . 29
7.2.1 General . 29
7.2.2 Personal behaviour . 29
7.2.3 Knowledge and skills . 30
7.2.4 Achieving auditor competence .32
7.2.5 Achieving audit team leader competence . 33
7.3 Establishing the auditor evaluation criteria . 33
7.4 Selecting the appropriate auditor evaluation method . 33
7.5 Conducting the auditor evaluation . 33
7.6 Maintaining and improving auditor competence . 34
Annex A (informative) Additional guidance for auditors for planning and conducting audits .35
Bibliography .46

iv
ISO 19011:2026(en)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee
has been established has the right to be represented on that committee. International organizations,
governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely
with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of ISO document should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use of (a)
patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed patent
rights in respect thereof. As of the date of publication of this document, ISO had not received notice of (a)
patent(s) which may be required to implement this document. However, implementers are cautioned that
this may not represent the latest information, which may be obtained from the patent database available at
www.iso.org/patents. ISO shall not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO’s adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Project Committee ISO/PC 302, Guidelines for auditing management systems,
in collaboration with the European Committee for Standardization (CEN) Technical Committee CEN/CLC/
JTC 1, Criteria for conformity assessment bodies, in accordance with the Agreement on technical cooperation
between ISO and CEN (Vienna Agreement).
This fourth edition cancels and replaces the third edition (ISO 19011:2018), which has been technically
revised.
The main changes are as follows:
— expansion of guidance on remote auditing methods through the introduction of guidance contained in
ISO/IEC TS 17012;
— expansion of Annex A to provide guidance on remote auditing methods and virtual locations.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.

v
ISO 19011:2026(en)
Introduction
Since the third edition of this document was published in 2018, several management system standards
have been published in new fields. Most of them have a common structure, identical core requirements,
and common terms and core definitions. As a result, there is a need to consider a broader approach to
management system auditing, as well as to provide guidance that is more generic.
This document provides guidance which can be applied to audit against a range of audit criteria (separately
or in combination) including, but not limited to:
— requirements specified in one or more management system standards;
— policies, processes and requirements specified by the organization or other relevant interested parties;
— statutory and regulatory requirements;
— one or more management system processes defined by the organization and/or other parties;
— management system plan(s) relating to the provision of specific results of a management system (e.g.
quality plan, project plan).
This document provides guidance for all organizations regardless of their size and type, and audits of varying
scopes. This includes those conducted by large audit teams, typically of larger organizations, and those by
single auditors, whether in large or small organizations. This guidance should be adapted as appropriate to
the scope and complexity of the audit programme.
This document concentrates on internal audits (first party) and audits conducted by organizations on
their external providers and other external interested parties (second party). This document can also be
useful for external audits conducted for purposes other than third-party management system certification.
ISO/IEC 17021-1 provides requirements for auditing management systems for third-party certification;
however, this document can provide useful additional guidance (see Table 1).
Table 1 — Different types of audits
First party Second party Third party
Internal audit External provider audit Certification audit or accreditation
assessment
Audit by the external interested party Statutory, regulatory and similar
of an organization audit
ISO/IEC TS 17012 addresses the growing need for remote auditing methods. Its aim is to provide guidance
on implementing remote auditing methods effectively while supporting the general principles of auditing as
outlined in this document.
To simplify the readability of this document, the singular form of “management system” is preferred, but the
reader can adapt the implementation of the guidance to their own situation. This also applies to the use of
“individual” and “individuals”, “auditor” and “auditors”.
This document is intended to apply to a broad range of potential users, including auditors, organizations
implementing management systems and organizations needing to conduct management system audits for
contractual or regulatory reasons. The guidance in this document can be applied to users in developing their
own audit-related requirements.
The guidance in this document can also be used for the purpose of self-declaration and can be useful to
organizations involved in the training, qualification and certification of persons participating in the audit
programme.
The guidance in this document is intended to be flexible. As indicated at various points in the text, the use
of this guidance can differ depending on the size and level of maturity of an organization’s management
system. The nature and complexity of the organization to be audited, as well as the objectives and scope of
the audits to be conducted, should also be considered.

vi
ISO 19011:2026(en)
This document adopts the combined audit approach when two or more management systems of different
disciplines are audited together. Where these systems are integrated into a single management system,
the principles and processes of auditing are the same as for a combined audit (sometimes known as an
“integrated audit”).
vii
International Standard ISO 19011:2026(en)
Guidelines for auditing management systems
1 Scope
This document gives guidance on auditing management systems, including the principles of auditing,
managing an audit programme and conducting management system audits, as well as guidance on the
evaluation of competence of individuals involved in the audit process. These individuals include those
managing the audit programme, auditors and audit teams.
It is applicable to all organizations that need to plan and conduct audits of management systems or manage
an audit programme.
The application of this document to other types of audits is possible, provided that special consideration is
given to the specific competence needed and the objectives to be achieved.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1
audit
systematic, independent and documented process (3.25) for obtaining objective evidence (3.9) and evaluating
it objectively to determine the extent to which the audit criteria (3.8) are fulfilled
Note 1 to entry: Internal audits, sometimes called first-party audits, are conducted by, or on behalf of, the organization
itself.
Note 2 to entry: External audits include those generally called second and third-party audits. Second-party audits are
conducted by parties having an interest in the organization, such as customers, or by other individuals on their behalf.
Third-party audits are conducted by independent auditing organizations, such as those providing certification/
registration of conformity (3.21) or governmental agencies and regulatory authorities.
[SOURCE: ISO 9000:2026, 3.12.1, modified — “documented and “objective” added to the definition. Notes to
entry replaced.]
3.2
combined audit
audit (3.1) carried out together at a single auditee (3.14) on two or more management systems (3.19)
[SOURCE: ISO 9000:2026, 3.12.2, modified — Note 1 to entry deleted.]

ISO 19011:2026(en)
3.3
joint audit
audit (3.1) carried out at a single auditee (3.14) by two or more auditing organizations
[SOURCE: ISO 9000:2026, 3.12.3]
3.4
remote auditing method
method used for conducting audit activities from any place other than the location of the auditee (3.14)
Note 1 to entry: Remote auditing methods can be used in combination with on-site methods to achieve a full and
effective audit (3.1).
Note 2 to entry: Remote auditing methods can be used for virtual locations, i.e. where an organization performs work
or provides a service using an online environment, enabling individuals to execute processes (3.25) irrespective of
physical locations.
Note 3 to entry: Remote auditing methods can be used by the auditor (3.16) at one site of the auditee to audit another
site.
[SOURCE: ISO/IEC TS 17012:2024, 3.1]
3.5
audit programme
arrangements for a set of one or more audits (3.1) planned for a specific time frame and directed towards a
specific purpose
3.6
audit scope
extent and boundaries of an audit (3.1)
Note 1 to entry: The audit scope generally includes a description of the physical and virtual locations (see 3.4, Note 2 to
entry), functions, organizational units, activities and processes (3.25), as well as the time period covered.
3.7
audit plan
description of the activities and arrangements for an audit (3.1)
3.8
audit criteria
set of requirements (3.24) used as a reference against which objective evidence (3.9) is compared
Note 1 to entry: If the audit criteria are legal (including statutory or regulatory) requirements, the words “compliance”
or “non-compliance” are often used in an audit finding (3.11).
Note 2 to entry: Requirements may include policies, procedures, work instructions, legal requirements, contractual
obligations, industry standards, etc.
3.9
objective evidence
data supporting the existence or verity of something
Note 1 to entry: Objective evidence can be obtained through observation, measurement, test or by other means.
[SOURCE: ISO 9000:2026, 3.8.6, modified — Note 2 to entry deleted.]
3.10
audit evidence
records, statements of fact or other information, which are relevant to the audit criteria (3.8) and verifiable

ISO 19011:2026(en)
3.11
audit finding
results of the evaluation of the collected audit evidence (3.10) against audit criteria (3.8)
Note 1 to entry: Audit findings indicate conformity (3.21) or nonconformity (3.22).
Note 2 to entry: Audit findings can lead to the identification of risks (3.20), opportunities for improvement or recording
good practices.
Note 3 to entry: If the audit criteria are selected from statutory requirements or regulatory requirements, the audit
finding is termed “compliance” or “non-compliance”.
3.12
audit conclusion
result of an audit (3.1), after consideration of the audit objectives and all audit findings (3.11)
3.13
audit client
organization or person requesting an audit (3.1)
Note 1 to entry: In the case of internal audit, the audit client can also be the auditee (3.14) or the individual(s) managing
the audit programme (3.5). Requests for external audit can come from sources such as regulatory authorities,
contracting parties, or potential or existing customers.
[SOURCE: ISO 9000:2026, 3.12.4, modified — Note 1 to entry added.]
3.14
auditee
organization as a whole or parts thereof being audited
3.15
audit team
one or more persons conducting an audit (3.1), supported if needed by technical experts (3.17)
Note 1 to entry: One auditor (3.16) of the audit team is appointed as the audit team leader.
Note 2 to entry: The audit team can include auditors-in-training.
3.16
auditor
person who conducts an audit (3.1)
3.17
technical expert
person who provides specific knowledge or expertise to the audit team (3.15)
Note 1 to entry: Specific knowledge or expertise relates to the organization, the activity, process (3.25), product,
service, discipline to be audited, language or culture.
Note 2 to entry: A technical expert to the audit team does not act as an auditor (3.16).
3.18
observer
individual who accompanies the audit team (3.15) but does not act as an auditor (3.16) nor a technical expert
(3.17)
3.19
management system
set of interrelated or interacting elements of an organization to establish policies and objectives, as well as
processes (3.25) to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines, e.g. quality management,
financial management or environmental management.

ISO 19011:2026(en)
Note 2 to entry: The management system elements establish the organization’s structure, roles and responsibilities,
planning, operation, policies, practices, rules, beliefs, objectives and processes to achieve those objectives.
Note 3 to entry: The scope of a management system can include the whole of the organization, specific and identified
functions of the organization, specific and identified sections of the organization, or one or more functions across a
group of organizations.
[SOURCE: ISO 9000:2026, 3.4.2, modified — Examples added to Note 1 to entry. Note 2 to entry expanded.
Notes 3 and 4 to entry deleted.]
3.20
risk
effect of uncertainty
Note 1 to entry: An effect is a deviation from the expected — positive or negative.
Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event, its consequence, or likelihood.
Note 3 to entry: Risk is often characterized by reference to potential events and consequences, or a combination of
these.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes
in circumstances) and the associated likelihood of occurrence.
[SOURCE: ISO 9000:2026, 3.7.2, modified — Note 5 to entry deleted.]
3.21
conformity
fulfilment of a requirement (3.24)
[SOURCE: ISO 9000:2026, 3.5.9, modified — Note 1 to entry deleted.]
3.22
nonconformity
non-fulfilment of a requirement (3.24)
[SOURCE: ISO 9000:2026, 3.5.13]
3.23
competence
ability to apply knowledge and skills to achieve intended results
[SOURCE: ISO 9000:2026, 3.10.6]
3.24
requirement
need or expectation that is stated, generally implied or obligatory
Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization and interested
parties that the need or expectation under consideration is implied.
Note 2 to entry: A specified requirement is one that is stated, e.g. in documented information.
[SOURCE: ISO 9000:2026, 3.5.1, modified — Notes 3, 4 and 5 to entry deleted.]
3.25
process
set of interrelated or interacting activities that use inputs to deliver an intended result
[SOURCE: ISO 9000:2026, 3.3.1, modified — “or transforms” deleted and “intended” added in the definition.
Notes to entry deleted.]
ISO 19011:2026(en)
3.26
performance
measurable result
Note 1 to entry: Performance can relate either to quantitative or qualitative findings.
Note 2 to entry: Performance can relate to managing activities, processes (3.25), products, services, systems or
organizations.
[SOURCE: ISO 9000:2026, 3.7.3]
3.27
effectiveness
extent to which planned activities are realized and planned results are achieved
[SOURCE: ISO 9000:2026, 3.7.17]
4 Principles of auditing
4.1 General
Auditing is characterized by reliance on a number of principles. These principles should help to make the
audit an effective and reliable tool in support of management policies and controls, by providing information
on which an organization can act in order to improve its performance. Adherence to these principles is
fundamental to provide audit conclusions that are relevant and sufficient, and for enabling auditors, working
independently from one another, to reach similar conclusions in similar circumstances.
The guidance given in Clauses 5 to 7 is based on the seven principles outlined in 4.2 to 4.8.
4.2 Integrity
Integrity is the foundation of professionalism.
Auditors and the individual(s) managing an audit programme should:
a) perform their work ethically, with honesty and responsibility;
b) only undertake auditing activities if they are competent to do so;
c) perform their work in an impartial manner, i.e. remain fair and unbiased in all their dealings;
d) be sensitive to any influences that can be exerted on their judgement while carrying out an audit.
4.3 Fair presentation
Fair presentation is the obligation to report truthfully and accurately.
Audit findings, audit conclusions and audit reports should reflect truthfully and accurately the auditing
activities. Significant obstacles encountered during the audit and unresolved diverging opinions between the
audit team and the auditee should be reported. The communication should be truthful, accurate, objective,
timely, clear and complete.
4.4 Due professional care
Due professional care is the application of diligence and judgement in auditing.
Auditors should exercise due care irrespective of the importance of the task they perform, and the confidence
placed in them by the audit client and other interested parties. An important factor in carrying out their
work with due professional care is having the ability to make reasoned judgements in all audit situations.

ISO 19011:2026(en)
4.5 Confidentiality
Confidentiality is security and privacy of information.
Auditors should exercise discretion in the use and protection of information acquired in the course of their
auditing activities. Audit information should not be used inappropriately for personal gain by the auditor or
the audit client, or in a manner detrimental to the legitimate interests of the auditee. This principle includes
the proper handling of sensitive or confidential information.
4.6 Independence
Independence is the basis for the impartiality of the audit and objectivity of the audit conclusions.
Auditors should be independent of the activity being audited wherever practicable and should in all cases act
in a manner that is free from bias and conflict of interest. Auditors should maintain objectivity throughout
the audit process to ensure that the audit findings and conclusions are based only on the audit evidence.
When it is not possible for internal auditors to be independent of the activity being audited, every effort
should be made to remove bias and encourage objectivity.
4.7 Evidence-based approach
Evidence-based approach is the rational method for reaching reliable and reproducible audit conclusions in
a systematic audit process.
Audit evidence should be verifiable. It should be based on samples of the information available, since an
audit is conducted during a specified duration and with finite resources. An appropriate use of sampling
should be applied, since this is closely related to the confidence that can be placed in the audit conclusions.
4.8 Risk-based approach
Risk-based approach is an audit approach that considers risks and opportunities.
The risk-based approach should substantively influence the planning and implementation of the audit
programme, and the planning, conducting and reporting of audits in order to ensure that audits are focused
on matters that are significant for the audit client, and for achieving the audit programme objectives.
5 Managing an audit programme
5.1 General
An audit programme should be established. It can include audits addressing one or more management
system standards or other requirements, conducted either separately or in combination (combined audit).
The extent of an audit programme should be based on the size and nature of the auditee, as well as on the
functionality, complexity, the type of risks and opportunities, the scope, and the level of maturity of the
management system(s) to be audited.
The functionality of the management system can be even more complex in the case of multiple locations or
when important functions are sourced externally.
Particular attention should be paid to where important decisions are made and to the design, planning and
review of the audit programme.
The audit programme should be scaled in accordance with the size and complexity of the organization.
In order to understand the context of the auditee, the audit programme should take into account the
organization’s:
— organizational objectives;
ISO 19011:2026(en)
— relevant external and internal issues;
— needs and expectations of relevant interested parties;
— application of technology such as digital tools;
— information security and confidentiality requirements.
When allocating resources and methods to the audit programme, priority should be given to matters in the
management system with higher inherent risk and lower levels of performance.
Competent individuals should be assigned to manage the audit programme (see 5.4.2).
The audit programme should include information and identify resources to enable the audits to be conducted
effectively within the specified time frames. The information should include:
a) objectives for the audit programme (see 5.2);
b) risks and opportunities associated with the audit programme (see 5.3) and the actions to address them;
c) scope (extent, boundaries, locations) of each audit within the audit programme;
d) schedule (number/duration/frequency) of the audits;
e) audit types, such as internal or external;
f) audit criteria;
g) auditing methods to be employed, including remote auditing methods (see Clause A.16);
h) criteria for selecting the audit team (audit team leader, auditors and, if needed, technical experts);
i) criteria for participation of observers, where relevant;
j) the organization’s context based on external and internal issues;
k) relevant documented information.
Some of this information is not always available until more detailed audit planning is completed.
The implementation of the audit programme should be monitored and assessed on an ongoing basis (see 5.6)
to ensure its audit programme objectives have been achieved. The audit programme should be reviewed in
order to determine the need for changes and possible opportunities for improvements (see 5.7).
Figure 1 illustrates the process flow for the management of an audit programme.

ISO 19011:2026(en)
NOTE 1 This figure illustrates the application of the Plan-Do-Check-Act cycle in this document.
NOTE 2 Clause/subclause numbering refers to the relevant clauses/subclauses of this document.
NOTE 3 Conductin
...