ISO 19011 was published in May 2026. If you read my article on the 2018 version, here I cover the new edition.

The structure remains the same: audit principles, audit programme, conduct, auditor competence. What changes is the content within those chapters.

Remote audits are now a normal method

The 2026 version formally defines remote audit in clause 3.4: a method used to conduct audit activities from any location other than the auditee’s premises. Adding it to the definitions signals that this is no longer a fallback option.

Clause 5.1 goes further: the audit programme must now document the audit methods to be used, including remote audit methods (item g). This is no longer implicit; it is a programme requirement.

Clause 3.6 also clarifies that audit scope now includes physical and virtual locations. A cloud environment or digital platform is an auditable site.

Annex A.16 governs the practical conduct of remote audits. It covers:

  • Technical preparation: verifying access, agreed protocols, contingency plans in case of outage.
  • Data security and confidentiality, including managing breaks (mute, turn off camera).
  • Requesting permission before any screen capture or recording.
  • Specific competence required: the auditor must master the technology tools used and know how to conduct a remote audit effectively.

Annex A.17 adds detail on remote interviews (clause g): in a virtual context, non-verbal communication is limited. The auditor must adapt the type of questions to obtain objective evidence.

For complete operational details, the standard refers to ISO/IEC TS 17012:2024.

The audit programme must manage its own risks

Clause 4.8 establishes the risk-based approach as a fundamental principle. Clause 5.3 applies it directly to the audit programme itself.

Risks to assess notably include:

  • Selection of audit method (on-site or remote), taking into account whether the chosen method can achieve the audit objective (clause 5.3 d).
  • Security of ICT methods used: unsecured platforms, inadequate tool selection (clause 5.3 k).
  • Coordination and confidentiality in implementation (clause 5.3 f).

The programme must document these risks and actions to address them. Clause 5.1 b) is explicit: the programme must include the risks and opportunities associated with the audit programme (see 5.3) and actions to address them.

Combined audits of multiple standards have their own competence requirements

Clause 7.2.3.5 introduces specific requirements for audits covering multiple disciplines. The audit team member must understand the interactions and synergies between the different management systems.

The team leader must understand the requirements of each audited standard and recognize the limits of their own competence in each discipline.

Annex A.13 specifies how to prepare working documents for combined audits: group similar requirements from different criteria and coordinate checklists to avoid duplication.

Annex A.18.4 addresses findings linked to multiple criteria. When a finding touches several standards, the auditor may either issue separate findings for each criterion or a single finding that groups references to the different systems. The audit client agreement determines the approach.

Auditor competence integrates technology and critical thinking

Clause 7.2.3.2 a) lists the required generic knowledge and competencies. Point 10 is new and concrete:

The auditor must understand the opportunity and consequences of using ICT and emerging technologies to conduct audits, including AI-based assessment tools.

This is the first time AI is explicitly mentioned in the standard.

Point 4 reiterates the requirement to prioritize and focus on significant subjects. This is critical thinking applied: do not cover all clauses equally, but concentrate effort where risk is higher.

Clause 7.6 governs continuing professional development. It must notably account for developments in audit practice, including the use of technology (clause 7.6 b).

Auditor health and safety are formalized

Clause 7.2.3.4 d) 3) specifies that the team leader must take into account the health and safety of audit team members, including by ensuring that relevant health, safety, and security provisions are respected.

Annex A.15 details what this means in practice for on-site visits:

  • Obtain information on security, health (recommended vaccinations, quarantine), cultural norms, and working hours.
  • Confirm availability of required personal protective equipment (PPE).
  • Communicate emergency procedures: emergency exits, assembly points.
  • Do not touch or handle equipment unless explicitly permitted.

This is not new in practice. It is new in the normative text.

Sources

The text cited in this article is taken directly from ISO 19011:2026. The standard is available from ISO at iso.org/standard/19011. It is copyrighted. I have included this information to point you to the right places in the standard.