The audit process consists of assessing compliance with the regulatory requirements against the company's implementation of them, always taking the auditor's professional judgment into account.
ISO 19011:2018, Guidelines for auditing management systems, recommends the following:
“It is appropriate that auditors apply their professional judgment during the audit process and avoid focusing on the specific requirements of each section of the standard, in order to achieve the intended result of the management system.”
“Some sections of ISO management system standards are not readily suitable for auditing in terms of comparing a set of criteria with the content of a work procedure or instruction.”
In these two statements, the standard establishes the need for the auditor to be open-minded, exercising due diligence and professional judgment, and warns that the auditor should not be bound solely by the requirements of the standard. ISO 19011 goes on to stress the need for professional judgment:
“In these situations, auditors should use their professional judgment to determine whether the section's intent has been accomplished or not.”
In all my lectures and training courses I use the following statement: “Management system standards establish WHAT MUST be done; HOW it is done depends on the organization.” At some point, some professionals take this statement to mean that the HOW can be done in any way whatsoever, forgetting entirely the professional judgment the auditor exercises during an audit.
Professional judgment is fundamental to assessing whether the way the management system was implemented meets the requirements of the reference standard. Here is an example:
In a recent ISO 27001 audit, one of our auditors raised a non-conformity against Annex A.9.1, Access Control: the process as implemented did not in fact achieve compliance. The auditee argued, however, that how the control was implemented was the company's decision and not a matter for the auditor's judgment.
This is a classic case of an organization forgetting that professional judgment is the responsibility of the auditor of the process, exercised, of course, with full attention to the regulatory requirements and with the client free to appeal the finding if necessary.
Therefore, I reaffirm and add: management system standards establish WHAT SHOULD be done; HOW it is done depends on the organization, and that HOW is evaluated by the auditor's professional judgment.