Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
articles:risk-based_audits [2022/06/06 03:14] – [Pitfalls to defining Risk-based Audit Planning Criteria] rrandallarticles:risk-based_audits [2023/02/18 04:21] (current) – [Pitfalls to defining Risk-based Audit Planning Criteria] rrandall
Line 14: Line 14:
 </blockquote> </blockquote>
  
-Expanding on the above description of a "risk-based audit", focus on the "risks"... rather than the "risk controls". The purpose of the internal audit is to verify the e]]ffectiveness of those "risk controls".+Expanding on the above description of a "risk-based audit", focus on the "risks"... rather than the "risk controls". The purpose of the internal audit is to verify the effectiveness of those "risk controls".
  
 Some specific "factors" that "could" be considered when planning a "risk-based internal audit" (e.g., scheduled over the course of a year) include, but are NOT limited to area/processes: Some specific "factors" that "could" be considered when planning a "risk-based internal audit" (e.g., scheduled over the course of a year) include, but are NOT limited to area/processes:
     * Where the CB issued nonconformities during their most recent audit? If so, which area and how many nonconformities (Majors/Minors) were identified?     * Where the CB issued nonconformities during their most recent audit? If so, which area and how many nonconformities (Majors/Minors) were identified?
-    * Where nonconformities were issued during the previous Internal Audit? (If so, which area and how many nonconformities (Majors/Minors) were identified+    * Experiencing high numbers of new employees and/or high employee "turn-over"
-    * Failing to meet established Quality Objectives? If so, which areas/processes+    * Where “key” employees have been added or replaced
-    * That received "valid" customer complaints (since the last full internal audit)+    * That have undergone significant change(s(e.g., improvements, new product line(s) introduced, new equipment added – such as automation)? 
-    * That were responsible for the shipment of nonconforming product(s) to customers ("escapes"); whether or not reported by the customer as a complaint+    * With complex processes (e.g., Design)? 
-    * Where multiple instances of nonconforming products were identified (e.g., in a Pareto Chart)? +    * Involving “Special” processes (e.g., Soldering, Welding)?
-    * That have been the subject of one or more "Corrective Actions"?+
     * Considered to have High or Medium risk levels (particularly subject to [[articles:human_factors|human factors]] (e.g., human errors))?     * Considered to have High or Medium risk levels (particularly subject to [[articles:human_factors|human factors]] (e.g., human errors))?
-    * With complex processes (e.g., Unique/Special Processes, Design Responsible)? 
     * Requiring the use of customer-mandated suppliers?     * Requiring the use of customer-mandated suppliers?
-    * Experiencing high numbers of new employees and/or high employee "turn-over"? 
-    * Where the functions and/or processes have undergone a significant change (e.g., improvement)? 
-    * Where new processes have been implemented (e.g., a new product line introduced)? 
  
-<note important>If known in advance of the audit, a couple of other factors that may be worthy of consideration are processes where monitoring and measuring equipment: +When performing "Risk-Based Planning for an Internal Audit", you should also review the previous internal audit results to determine whether there are any areas/processes... 
-    * Require frequent calibration (e.g.prior to each use, on a short interval) +    * Where nonconformities were issued? If so, which area and how many nonconformities (Majors/Minors) were identified? 
-    * Has a low "accuracy ratio" (i.e., the ratio between the instrument and the tolerance measured. Note: any "accuracy ratio" ≤3:1 should be considered "high" risk.) +    * Where Quality Objectives had not been achievedand actions implemented in order to achieve them? 
-</note>+    * That received "validcustomer complaints or reports of nonconforming products or services during the previous internal audit cycle? 
 +    * Where multiple instances of the same or similar nonconformities identified (e.g., in a Pareto Chart)? 
 +    * That had “Open” or “Pending” corrective Actions at the conclusion of the audit? 
 +    * Considered to have High or Medium risk levels? 
 An "intended" benefit of promoting "risk-based" internal audits is to realize more dynamic audit planning - with companies adjusting their internal audit plans to focus on areas/processes where the most "value" can be achieved.  An "intended" benefit of promoting "risk-based" internal audits is to realize more dynamic audit planning - with companies adjusting their internal audit plans to focus on areas/processes where the most "value" can be achieved. 
  
-<note>While [[https://www.iso.org/standard/70017.html|ISO 19011:2018, "Guidelines for auditing management systems"]], sec. 6.3.2.1, "Risk-based approach to planning" addresses this topic, it is too high-level and generic to be of any value.</note>+<WRAP center round info 80%> 
 +While [[https://www.iso.org/standard/70017.html|ISO 19011:2018, "Guidelines for auditing management systems"]], sec. 6.3.2.1, "Risk-based approach to planning" addresses this topic, it is too high-level and generic to be of any value.</WRAP>
  
-<note>Whether an AS 9100 series certified company performs "risk-based" internal audits is one of the criteria specified in [[https://www.sae.org/standards/content/as9104/1a/|SAE AS9104/1A]], which requires AS 9100 CBs (Certification Bodies... i.e., Registrars) to use the "//[[services:ocap|Organization Certification Analysis Process (OCAP)]]//" for determining an overall "risk rating" (High, Medium, Low) for each certified company.</note>+<WRAP center round info 80%>Whether an AS 9100 series certified company performs "risk-based" internal audits is one of the criteria specified in [[https://www.sae.org/standards/content/as9104/1a/|SAE AS9104/1A]], which requires AS 9100 CBs (Certification Bodies... i.e., Registrars) to use the "//[[services:ocap|Organization Certification Analysis Process (OCAP)]]//" for determining an overall "risk rating" (High, Medium, Low) for each certified company.</WRAP>
  
 ==== Pitfalls to defining Risk-based Audit Planning Criteria ==== ==== Pitfalls to defining Risk-based Audit Planning Criteria ====
Line 51: Line 51:
   * monitoring and measuring equipment have a high accuracy ratio (i.e., the ratio between the instrument and the tolerance measured), e/g., ≥10:1.   * monitoring and measuring equipment have a high accuracy ratio (i.e., the ratio between the instrument and the tolerance measured), e/g., ≥10:1.
  
-<note tip>As you define the risk-based audit criteria for your organization... you will likely realize that the information from previous internal audits is not entirely adequate to support risk-based audit planning! Any shortcomings in the previous internal audit reports should be addressed by better defining the specific "objective evidence" to be recorded - so as to better support (or enhance) effective risk-based audit planning. Be sure to differentiate between "objective evidence" that contributes toward a more effective audit vs "non-value-added" information.</note>+<WRAP center round tip 80%>As you define the risk-based audit criteria for your organization... you will likely realize that the information from previous internal audits is not entirely adequate to support risk-based audit planning! Any shortcomings in the previous internal audit reports should be addressed by better defining the specific "objective evidence" to be recorded - so as to better support (or enhance) effective risk-based audit planning. Be sure to differentiate between "objective evidence" that contributes toward a more effective audit vs "non-value-added" information.</WRAP>
 ==== Internal Audit Program Risk ==== ==== Internal Audit Program Risk ====