====== OCAP – Internal Audit ======

The [[articles:ocap|OCAP]] "Risk Factor" criteria relating to internal audit performance is:
^  AS9104/1A, Table 5 - Internal audit program risk analysis  ^^^
^  Internal Audit Program  ^  Risk  ^  Characteristics  ^
|  High Performing Audit Program  |  Low  | • Properly resourced audit program \\ • Multi-event audit program, audit full QMS annually \\  • Audit program driven by risk and data \\  • Effective corrective action program  |
|  Average Audit Program  |  Medium  | • Limited resources for audit program \\ • Internal audit is an annual event \\  • Full QMS is covered annually \\  • Conforming corrective action program  |
|  Low Performing Audit Program  |  High  | • Audit program is not properly resourced \\ • Primarily desktop audits \\ • Audit program does not prevent major nonconformities from third-party audits \\ • Full QMS not covered annually \\ • Ineffective corrective action program  | 

__Strategy__ \\ 
  - To ensure a "Properly resourced audit program", have more than one qualified internal auditor. If your company has limited resources, then consider outsourcing either a portion or the entirety of the internal audit program to a company that specializes in quality auditing... and can support AS9100 internal auditing activities (e.g., [[https://www.qualityauditing.com/aerospace|Quality Auditing, LLC]]).
  - The criterion relating to a "//Multi-event audit program, audit full QMS annually//" means that, in order to be classified as a low risk, the company must "spread out" their internal audits over the course of a year (e.g., Quarterly, Monthly). For small companies, this could be difficult, but with only two or three core processes, these could be broken out to be 2 or 3 separate audits (with separate audit reports).
  - The criterion relating to an "//Audit program driven by risk and data//" is not defined AS9104/1A. For further guidance see [[articles:risk-based_audits|Risk-Based Internal Audits]]. And use my free {{ :downloads:risk-based_audit_planning_criteria_2022_.docx |“Risk-Based Audit Planning Criteria” form (in MS Word)}}.
  - The best way to ensure that you have an "effective corrective action program", is to avoid engaging in [[articles:whac-a-mole|Corrective Action "Whac-A-Mole"]].

{{page>wiki:pathforward}}