OCAP – Internal Audit

The “Risk Factor” criteria relating to internal audit performance are:

AS9104/1A, Table 5 - Internal audit program risk analysis

| Internal Audit Program | Risk | Characteristics |
|---|---|---|
| High Performing Audit Program | Low | • Properly resourced audit program • Multi-event audit program, audit full QMS annually • Audit program driven by risk and data • Effective corrective action program |
| Average Audit Program | Medium | • Limited resources for audit program • Internal audit is an annual event • Full QMS is covered annually • Conforming corrective action program |
| Low Performing Audit Program | High | • Audit program is not properly resourced • Primarily desktop audits • Audit program does not prevent major nonconformities from third-party audits • Full QMS not covered annually • Ineffective corrective action program |

Strategy

  1. To ensure a “Properly resourced audit program”, have more than one qualified internal auditor. If your company has limited resources, consider outsourcing either a portion or the entirety of the internal audit program to a company that specializes in quality auditing and can support AS9100 internal auditing activities (e.g., Quality Auditing, LLC).
  2. The criterion relating to a “Multi-event audit program, audit full QMS annually” means that, in order to be classified as low risk, the company must “spread out” its internal audits over the course of a year (e.g., quarterly, monthly). For small companies, this could be difficult, but a company with only two or three core processes could break these out into 2 or 3 separate audits (with separate audit reports).
  3. The criterion relating to an “Audit program driven by risk and data” is not defined in AS9104/1A. For further guidance, see Risk-Based Internal Audits, and use my free “Risk-Based Audit Planning Criteria” form (in MS Word).
  4. The best way to ensure that you have an “effective corrective action program” is to avoid engaging in Corrective Action "Whac-A-Mole".