What ISO standard revisions really mean for auditors

Written by Paul Simpson, Bywater associate and quality expert.

Our ability to operate as an auditor relies on our competence and that includes being up to date with the standards that our organisations are using. Whether we are internal auditors (first party), supplier auditors (second party) or provide an independent assessment of another organisation’s management system (third party), this competence is required. The management system standard (MSS) sets up part of the requirements that we auditors assess a management system against. The other requirements (audit criteria) that we use are the legal requirements that the system is set out to meet and the relevant policies and procedures that the organisation has in place. In the same way, when a law or regulation changes or a policy is updated, the requirements change and the auditor’s expectations change.

So, what does that mean in practice? We should all be following a process to meet the upcoming revisions to the ISO (International Organization for Standardization) MSSs and, as drafts are published, start to think about what it means to us in our day jobs.

With any changes to a MSS there is a balance. The wording or layout may change but does the requirement change? Taking a couple of examples:

• The ordering of clauses has changed throughout the latest draft of ISO 9001 (DIS 9001). In theory this should not affect the way we approach an audit as all requirements have to be assessed. The lack of logical flow in the bullets might jar but we should be able to get over this and audit the system as described.
• The current 2015 requirement for leadership to take accountability for the effectiveness of the quality management system was given prime position in the order of Clause 5.1 (Clause 5.1.1 a). As auditors we should know that accountability is the primary responsibility for the organisation’s leaders. In DIS 9001 it has disappeared to the bottom of the list. We should continue to plan our audits and carry out our audits of the senior leaders with that prime responsibility in mind.

So with these couple of examples of the changes in DIS 9001, we can see that the changes should not materially affect the way we operate as auditors.

Next, let’s look at a couple of proposed changes that will affect the way we go about planning and conducting our audits.

• In 2024 an amendment to ISO 9001 was issued based on the JTCG insistence that all ISO MSSs cover climate change. The amendment has been around for some time now, and the same text is included in DIS 9001. It’s worth re-evaluating how climate change can impact an organisation’s QMS. My earlier article discusses this. In summary, climate change may be considered relevant by the organisation, or they may have decided that it doesn’t affect their ability to meet customer requirements. As auditors we should test that decision but should not impose our views on the system.
• DIS 9001 has a new requirement in bullet Clause 5.1.1 i) promoting quality culture and ethical behaviour. This is a new requirement for leaders in the context of quality management systems (QMS) but is an expectation for all organisations that we deal with. As auditors, we now must evaluate whether this requirement is satisfied effectively. To do so, we need to understand what this requirement expects. The two concepts are separate.
  • Ethical behaviour is something that leaders can promote, and, like the process approach and risk-based-thinking from the 2015 edition, we should be looking to see that leaders are doing this and evaluating whether the level of effort is appropriate for the ethical risks that the organisation faces. In practice, what we can expect to see as auditors will vary from country to country and by organisation size and type. There is no single right way to meet the requirement but plenty of guidance is available from reputable sources like The Chartered Institute of Personnel and Development.
  • Quality culture is the end result, positive or negative, of all the things that the leaders of the organisation do to influence how employees behave with respect to quality – focusing on the enablers of a positive culture such as transparency, team working and an improvement focus. As auditors we should look beyond the words to the effectiveness of what senior leaders do in building their organisation’s culture.

So we need to build our own competence for these two areas from DIS 9001 to be able to assess the new requirements. As internal auditors, we can look at what the QMS says and simply audit to see that the activities and processes are effective. As second party auditors, we need to decide what good looks like from a supplier (or potential supplier) perspective. And as third party auditors, we should not impose our expectations but should test what the organisation says it is doing is suitable for the sector it operates in. This could be verbal or documented, depending on how the organisation operates its QMS.