
ISO/FDIS 19011 – Guidelines for auditing management systems

ISO 19011:2026 keeps the overall structure and intent of ISO 19011:2018, but it significantly modernises the guidance around how audits are designed and delivered, especially for remote and hybrid audits. The core clauses (scope, principles, managing an audit programme, conducting audits, and auditor competence) remain aligned, so existing audit programmes based on the 2018 edition do not need wholesale redesign; however, organisations will need to update methods, procedures, and competence criteria to reflect the new emphasis on technology-enabled auditing and risk‑based design.

Strategic focus and scope

The 2026 FDIS keeps the same purpose: guidance on auditing management systems (all types, sizes, and sectors), including internal (1st party) and external (2nd and some 3rd party) audits. The Introduction now explicitly positions ISO 19011 alongside ISO/IEC TS 17012:2024 and highlights the need to support audits where the criteria may be a mix of standards, internal policies, regulatory requirements, and supply‑chain requirements. It also reinforces that the guidance is generic and should be tailored to the organisation’s complexity and maturity, and to combined or integrated audits across multiple disciplines.

Principles of auditing

The seven principles are unchanged in title (integrity, fair presentation, due professional care, confidentiality, independence, evidence‑based approach, risk‑based approach), but the wording is tightened and clarified. The 2026 text more clearly links the risk‑based approach to decisions about audit programme design, selection of remote vs on‑site methods, and focus on the issues that are significant for the audit client and the programme objectives. The confidentiality and independence principles now explicitly reference information security and conflicts of interest in technology‑enabled audits (e.g. remote access, shared platforms).

Managing the audit programme (Clause 5)

Stronger integration of remote and hybrid methods

In 2018, remote audits were mentioned briefly in Annex A, and audit‑programme guidance was largely technology‑neutral. The 2026 draft embeds remote auditing throughout Clause 5 and explicitly recommends that the audit programme description state which auditing methods (on‑site, remote, hybrid) will be used, with reference to Annex A.16 and ISO/IEC TS 17012. Audit‑programme information should now consider the “application of technology such as digital tools” and the balance between remote and on‑site methods needed to ensure the programme objectives are achieved.

Expanded treatment of risks and opportunities

Both editions require consideration of risks and opportunities, but 2026 makes them more explicit and detailed. The new text adds examples of risks relating to: selection of audit method (e.g. remote vs on‑site), technology security and reliability, loss or unavailability of auditors, and lack of auditee cooperation or ICT competence. Opportunities are more clearly framed around efficient use of remote tools, combining audits in a single visit, and aligning methods with ICT capabilities.

Programme scope, resources and governance

The 2026 version refines terminology (“scope of the audit programme” instead of “extent”), but the intent is similar. It adds explicit criteria for the participation of observers and for selecting remote tools, and stresses that the programme should be scaled to the complexity of the organisation, including multi‑site operations and externally provided functions. Resource planning now calls for explicit consideration of network bandwidth, hardware/software, time zones, language, and the security of ICT platforms when remote methods are used. The governance responsibilities of those managing the audit programme are strengthened: they should ensure the integrity of the programme, prevent undue influence, and engage in continual professional development in areas such as risk management and ICT.

Conducting audits (Clause 6)

Lifecycle view with method decisions up front

In 2018, Clause 6 already followed a logical audit lifecycle, but method selection (remote/on‑site) appeared mainly in Annex A. The 2026 FDIS integrates method decisions into initiating, planning, conducting and following up the audit, reflecting the idea that remote vs on‑site is a design decision, not just a delivery choice. When establishing contact with the auditee, auditors should now confirm not only scope and criteria but also the technology arrangements, the confidentiality and handling (storage, transfer, release) of electronic information, and feasibility in light of local or regional events.

Audit planning and risk‑based feasibility

The risk‑based planning subclause is expanded to call for explicit consideration of the risks created by the auditing methods themselves, including health and safety, product quality, and information security impacts when auditors are on‑site or connected remotely. The feasibility assessment should now consider the adequacy of ICT, auditee cooperation, and external circumstances (e.g. travel restrictions), and alternative plans should be prepared if the objectives cannot be met. Audit plans should clearly identify which activities will be remote, which sites or virtual locations are in scope, and how time and breaks are scheduled to account for the constraints of remote communication.

Information access, virtual locations and evidence

The 2018 edition introduced “virtual locations” but with limited guidance; the 2026 draft links them directly to remote auditing methods and clarifies that the audit location is wherever the information is available to the audit team, whether physical or virtual. New wording in 6.4.5 emphasises that determining where, when and how to access information is critical, and that methods may need to change during the audit if evidence cannot be adequately verified. The annex guidance stresses verifying the completeness, correctness, consistency and currency of digital records, and calls for clearer documentation of how each piece of evidence was obtained (on‑site vs remote).

Findings, grading and reporting

The mechanics of findings and conclusions are similar, but 2026 clarifies that when nonconformities are graded, the grading criteria should be defined and communicated, and that reports should indicate the methods used (on‑site, remote, hybrid). Annex A.18 retains the guidance on determining and recording findings, but now explicitly refers to “audit findings” and “audit conclusions” to align with the updated terminology. This supports better transparency when regulators or accreditation bodies review remote or hybrid audits.

Auditor competence and evaluation (Clause 7)

Both versions require auditors and audit programme managers to be competent in audit principles, management‑system standards and the organisational context. The 2026 draft adds more emphasis on information and communication technology (ICT) skills, understanding of remote auditing methods, and the ability to evaluate the risks and opportunities associated with digital tools. It also encourages continual professional development, specifically in remote audit techniques, risk management and project/process management, reflecting the more complex planning and coordination required.

The annex on competence by discipline, removed in 2018, is still absent, but Annex A now points auditors to sector‑specific standards (e.g. ISO/IEC 27007 for ISMS, which is being updated to align with the new ISO 19011). This reinforces the idea that discipline‑specific auditor competence is handled in sector documents, while ISO 19011 focuses on generic audit competence and methods.

Annex A: expanded practical guidance

Annex A remains an informative toolbox but is significantly strengthened around digital and remote practice.

  • A.1 (audit methods) now gives more structured guidance on selecting on‑site vs remote vs hybrid methods, including examples and criteria tied to risk, digital maturity and evidence needs.
  • A.16 (remote auditing methods) is expanded with content from ISO/IEC TS 17012: it explains the conditions, opportunities and limitations of remote audits, feasibility assessment, platform security, contingency planning for technology failure, and balancing remote and on‑site activities across the audit programme.
  • Guidance on virtual locations is strengthened, clarifying the distinction between remote methods and auditing of virtual locations (e.g. cloud‑based processes), which helps auditors plan appropriate sampling and observation.
  • Existing topics such as auditing context, leadership, risks and opportunities, supply chains and performance remain, but are updated to reference hybrid evidence sources and digital records.

Practical implications for organisations and auditors

For organisations already aligned with ISO 19011:2018, the 2026 revision is evolutionary rather than revolutionary: the same PDCA‑based framework for audit programmes, risk‑based approach and competence model still apply. The main work will be to:

  • update audit procedures and manuals to explicitly cover remote and hybrid methods, including feasibility, technology selection, data security and contingency plans;
  • revise audit‑programme templates and plans so they document the methods used, the virtual locations in scope, and how risks and opportunities were addressed;
  • strengthen auditor training and evaluation in ICT skills, remote interviewing, digital evidence verification and cross‑site coordination;
  • ensure records and reports clearly indicate how evidence was obtained and how nonconformities were graded, supporting accreditation and regulatory scrutiny.

In short, ISO 19011:2026 formalises what many organisations began doing during and after COVID‑19: treating remote and hybrid audits as normal, making risk‑based design choices across the entire audit lifecycle, and supporting this with clearer guidance and alignment with ISO/IEC TS 17012.
