Jeffrey Lewis

Risk Management

Are Your Audits Clause-Based or Risk-Based?

Even after ISO 19011:2018’s release, many auditors still perform clause-based auditing

Published: Thursday, August 24, 2023 - 11:03

I’ve observed that ISO management system audits have remained largely unchanged, even after the advent of ISO 19011:2018, the auditing standard that superseded ISO 19011:2011. Auditors are still using clause-based auditing, despite ISO 19011:2018’s direction to take a risk-based approach.

According to ISO, ISO 19011 “provides guidance on auditing management systems, including the principles of auditing, managing an audit program, and conducting management system audits, as well as guidance on the evaluation of competence of individuals involved in the audit process.”

The 2018 version replaced the 2011 version of the standard and clearly has a more risk-based approach in keeping with ISO 9001:2015 and related management system standards. Some of the changes described in ISO 19011:2018’s introduction include:
• Taking a risk-based approach to auditing principles
• Including audit program risk when managing an audit program
• More guidance on conducting an audit, particularly audit planning
• Adjusting terminology to reflect the process rather than the object
• An expansion of Annex A to guide auditing concepts such as organization context, leadership and commitment, virtual audits, compliance, and supply chain.

Consequently, if your audit practice has remained unchanged since 2018, this article is for you. It focuses on the audit practice that ISO 19011:2018 requires, which is the audit practice that should be applied to risk-driven management systems.

ISO 19011:2018 states that a risk-based audit approach should be taken. It replaces the 2011 version that focused on a clause-based auditing technique. According to the standard, the risk-based principle means that “risk should substantively influence the planning, conducting and reporting of audits to ensure that audits are focused on matters that are significant for the audit client and for achieving the audit program objectives.” It is against this background that a comparison between clause-based and risk-based audits is necessary to show how the practices differ. 

What are clause-based audits?

A clause-based approach, as was the norm in ISO 19011:2011, is conducted as a checklist of the standard’s clauses. The auditor uses the clause checklist to establish whether a particular clause has been fulfilled. An organization is asked to show objective evidence, as indicated by its procedures and practices, that the clause is fulfilled. Auditors typically determine the extent to which the procedures and practices meet each clause requirement in order to decide whether there is conformity to the clause or not.

The clause-based audit results are limited to counting the number of auditor nonconformances and corrective actions at the end of the audit. The count acts as a measure of conformity but doesn’t provide management with a report on the status of the organization’s performance.

With its risk-based approach to auditing, ISO 19011:2018 Annex A.10 states that “an audit of an organization’s approach to determining risks and opportunities should not be performed as a stand-alone activity. It should be implicit during the entire audit of a management system.” (The emphasis is mine.)

Thus, Annex A.10 directs auditors not to perform stand-alone or clause-type audits to uncover risks and opportunities. So what is the alternative to clause-based auditing?

Risk-based audits

The purpose of risk per ISO 9001, according to its introduction, is to determine or plan preventive controls to manage such risk so that the objectives of “the process, function or activity” are met or deemed effective. In audit speak, these controls, usually procedures or work instructions, are called “criteria” because the controls are the criteria to avoid the effects of nonconformances, incidents, or degradation.

The preventive controls are the “plan” part of the plan, do, check, and act (PDCA) cycle. Determining the plan’s effectiveness facilitates an improvement to the plan. Therefore, it’s the system being audited and not a checklist of clauses.

Risk-based audits should assess the control/plan status and alert management about the organization’s performance, especially how it meets its strategic objectives. Each criterion is required to be addressed to provide a measure of the controls’ effectiveness.

Reporting on the audit, as per the standard’s Clause 5.5.2, enables management to verify whether the risk-driven controls are effective, based on the following:
• Determining the extent to which the audited procedures/work instructions conform to the ISO clause requirements
• Evaluating the capability of the management system to meet required statutory, regulatory, and other requirements pertaining to the organization
• Evaluating whether the management system effectively delivered the planned results, i.e., how many planned objectives were met over a predetermined period
• Identifying the number of corrective actions as a result of the audit
• Evaluating the suitability and adequacy of the management system in delivering the organization’s business objectives based on its strategy
• Evaluating any changes resulting from reassessing risk and opportunities to establish and achieve new objectives when implementing related actions

Sections a–f of Clause 5.5.2 require an alternate audit format to generate the identified reports. Thus, the planning and conducting of the audit will differ from the traditional clause-based audit checklist. New auditor competence is necessary to fulfill this requirement because the 2011 version of ISO 19011 has been canceled.

Management can compare the results of both internal and external risk-based audits to determine whether the company is achieving its strategic plans.

The differentiation

In a sense, clause-based audits seek evidence that the prescribed clause is applied per the original ISO maxim of “say as you do, do as you say.” This goes back to the inception of ISO 9001 standards in 1987. However, meeting the clause’s meaning doesn’t necessarily ensure controls for a process. Fulfilling the clause requirements doesn’t enable the auditor to report on the organization’s operational performance and its context. 

Risk-based audits, on the other hand, are focused on outcomes by determining whether a plan or control derived from a risk exercise is effective. According to ISO 19011:2018 Annex A.4, “Auditors should be focused on the intended result of the management system throughout the audit process. While processes and what they achieve are important, the result of the management system and its performance is what counts.” The excerpt from A.4 says it all: A different type of audit approach is required.

Consequently, the risk-based audit is more meaningful when compared to clause-based auditing in an organization. As such, risk-based audits are important to the strategic management of an organization to determine whether its controls are enabling the intended objectives and outcomes.

In addition to management standards such as ISO 9001:2015, regulations such as the Food Safety Modernization Act and the Sarbanes-Oxley Act are all risk-driven management systems. They should adopt a risk-based audit approach to determine if their operational risks are managed through the determined controls related to their compliance. They also follow the same ISO management system’s PDCA format that enables improvements when previously unidentified risks are found.

The point is, in the clause-based approach corrective actions are written by the auditor when the clause requirements aren’t met, whereas the risk-based auditor is concerned with the extent to which the risk is managed and the improvement of the preventive controls. Thus, the risk-based audit meets the condition of influencing the risk-driven plans, the conduct of the audit, and reporting on performance outcomes, which is described in the risk audit principle.

Competence

Are your current audit practices of planning, conducting, and reporting influenced by risk and focus on significant matters?  

From ISO 19011:2018, auditor competence isn’t based on the ability to assess a management system using a clause-based approach. Rather, a risk-audit format replaces the traditional clause-audit template. The purpose is to determine the extent to which operational risks are managed and to provide a meaningful audit report. Auditor competence is based on the auditor’s capability to assess and verify that the risk-derived control criteria are effective and found to be implicit throughout the audit. As such, if your audit practices have remained unchanged since the inception of ISO 19011:2018, training is required to follow through on the planning, conducting, and reporting of the risk-based audits.

Top management should know that new skills are required to frame their management system to measure the effectiveness of the risk-derived controls per the audit objectives. The performance and conversation language should encourage the organization to approach activities from a risk perspective and to demonstrate them in their control procedures. Appropriate objective evidence of performance is facilitated through the respective reports. Training cannot be solely for auditors; top management must understand the significance of risk-based audits as a management tool for the organization.

Conclusion

In keeping with the requirements of ISO 19011:2018, risk-driven operations should be audited via a risk-based technique to determine if the risk-derived controls over the operations were effective for meeting the organization’s strategic plan. Thus, risk-based audits add value. A trained risk-based auditor will be a meaningful resource for the organization to verify whether its planned performance objectives are met. This is very different from conducting the type of audits to retain a certificate. The focus is on the performance outputs, which are significant.

About The Author

Jeffrey Lewis

Jeffrey Lewis’ journey in pursuing a single management system began in 1999 with the article “Maintenance Management as a Quality Process.” In 2007, he received the QAI “Best of the Best Award” for the best practice process for using technology to reduce all siloed operational disciplines into one management system. Since 2004, Lewis has consulted, implemented, and audited ISO management standards for the State of California. Recently, for Chevron Lubricants, he conducted training on executing risk-based internal audits, which LRQA accepted. Today, at singlemanagementsystem.com, you will find an ANSI/IACET-accredited risk-based auditing course. At fsmafoodsafety.com, you will find an application of the single management system for managing all the Food Safety Modernization Act (FSMA) requirements. The technology also includes a seamless supplier/FSVP interface in the single management system to satisfy the law so that no other media is needed to meet the legal requirements, simplifying the duties of the PCQI.