Risk-Based Internal Audits

Certification Bodies (CBs) are placing greater emphasis on companies performing “risk-based” internal audits. While this term is not defined in any ISO or AS standard that I am aware of, the “ISO 9001 Auditing Practices Group - Guidance on: Internal Audits” (dated 2020-07-19) does contain a very good description of “what” a “risk-based audit” is.

ISO 9001 Auditing Practices Group - Guidance on: Internal Audits”, page 1-2 states:

By applying risk-based thinking, this requirement is intended to focus the internal audit program on those processes and areas where past history indicates that problems have occurred, or where problems are likely to be ongoing, or are likely to occur, because of the nature of the processes themselves. These problems may result from issues such as human factors, process capability, measurement sensitivity, changing customer requirements, changes in the work environment, etc.
The processes with higher levels of risk or nonconformities should have priority in the internal audit programme.

Special attention should be given to processes where risk is influenced by factors such as:

  • severe consequences of failure on process capability.
  • customer dissatisfaction.
  • noncompliance with product (or process) statutory and regulatory requirements.

Expanding on the above description of a “risk-based audit”, focus on the “risks”… rather than the “risk controls”. The purpose of the internal audit is to verify the effectiveness of those “risk controls”.

Some specific “factors” that “could” be considered when planning a “risk-based internal audit” (e.g., scheduled over the course of a year) include, but are NOT limited to area/processes:

  • Where the CB issued nonconformities during their most recent audit? If so, which area and how many nonconformities (Majors/Minors) were identified?
  • Experiencing high numbers of new employees and/or high employee “turn-over”?
  • Where “key” employees have been added or replaced?
  • That have undergone significant change(s) (e.g., improvements, new product line(s) introduced, new equipment added – such as automation)?
  • With complex processes (e.g., Design)?
  • Involving “Special” processes (e.g., Soldering, Welding)?
  • Considered to have High or Medium risk levels (particularly subject to human factors (e.g., human errors))?
  • Requiring the use of customer-mandated suppliers?

When performing “Risk-Based Planning for an Internal Audit”, you should also review the previous internal audit results to determine whether there are any areas/processes…

  • Where nonconformities were issued? If so, which area and how many nonconformities (Majors/Minors) were identified?
  • Where Quality Objectives had not been achieved, and actions implemented in order to achieve them?
  • That received “valid” customer complaints or reports of nonconforming products or services during the previous internal audit cycle?
  • Where multiple instances of the same or similar nonconformities identified (e.g., in a Pareto Chart)?
  • That had “Open” or “Pending” corrective Actions at the conclusion of the audit?
  • Considered to have High or Medium risk levels?

An “intended” benefit of promoting “risk-based” internal audits is to realize more dynamic audit planning - with companies adjusting their internal audit plans to focus on areas/processes where the most “value” can be achieved.

While ISO 19011:2018, "Guidelines for auditing management systems", sec., “Risk-based approach to planning” addresses this topic, it is too high-level and generic to be of any value.

Whether an AS 9100 series certified company performs “risk-based” internal audits is one of the criteria specified in SAE AS9104/1A, which requires AS 9100 CBs (Certification Bodies… i.e., Registrars) to use the “Organization Certification Analysis Process (OCAP)” for determining an overall “risk rating” (High, Medium, Low) for each certified company.

Pitfalls to defining Risk-based Audit Planning Criteria

When defining risk-based audit criteria… it is tempting to actually begin auditing in order to prepare for the audit!! IF you're asking questions that will be asked during the audit… then you've crossed over from “Audit Planning” into actually performing the audit! While there is some information that can be gathered immediately prior to the audit (e.g., changes in personnel, New Products that have been introduced, areas that have undergone significant changes), this should be high-level information. Detailed information will be gathered during the actual audit.

☝ Remember… the “real” purpose of a quality audit is to evaluate the “effectiveness” of the risk controls put in place to eliminate OR mitigate risks of delivering nonconforming products.

For example, if you've determined that there are one or more special processes being performed, a common risk-mitigation controls include requiring that:

As you define the risk-based audit criteria for your organization… you will likely realize that the information from previous internal audits is not entirely adequate to support risk-based audit planning! Any shortcomings in the previous internal audit reports should be addressed by better defining the specific “objective evidence” to be recorded - so as to better support (or enhance) effective risk-based audit planning. Be sure to differentiate between “objective evidence” that contributes toward a more effective audit vs “non-value-added” information.

Internal Audit Program Risk

While “risk-based internal audits” focus on audit planning, a higher-level component is the overall “internal audit program risks”. However, the “Internal Audit Program Risks” are rarely considered because ISO 9001/AS9100, sec. 9.2.2 defines the requirements for the internal audit program.

Nevertheless, ISO 19011:2018, "Guidelines for auditing management systems" addresses this topic by identifying the following “risks” that should be taken into “consideration” when developing an “internal audit program”.

ISO 19011:2018, sec. 5.3, “Determining and evaluating audit program risks and opportunities”
There are risks and opportunities related to the context of the auditee that can be associated with an audit program and can affect the achievement of its objectives. The individual(s) managing the audit program should identify and present to the audit client the risks and opportunities considered when developing the audit program and resource requirements, so that they can be addressed appropriately.
There can be risks associated with the following:
a) planning, e.g. failure to set relevant audit objectives and determine the extent, number, duration, locations and schedule of the audits;
b) resources, e.g. allowing insufficient time, equipment and/or training for developing the audit program or conducting an audit;
c) selection of the audit team, e.g. insufficient overall competence to conduct audits effectively;
d) communication, e.g., ineffective external/internal communication processes/channels;
e) implementation, e.g. ineffective coordination of the audits within the audit program, or not considering information security and confidentiality;
f) control of documented information, e.g. ineffective determination of the necessary documented information required by auditors and relevant interested parties, failure to adequately protect audit records to demonstrate audit program effectiveness;
g) monitoring, reviewing and improving the audit program, e.g. ineffective monitoring of audit program outcomes;
h) availability and cooperation of auditee and availability of evidence to be sampled.

Opportunities for improving the audit program can include:

  • allowing multiple audits to be conducted in a single visit;
  • minimizing time and distances traveling to site;
  • matching the level of competence of the audit team to the level of competence needed to achieve the audit objectives;
  • aligning audit dates with the availability of auditee’s key staff.

In addition, ISO 19011:2018, "Guidelines for auditing management systems", sec. 4, “Principles of auditing”, cites “auditor independence” as one of the 7 principles. And acknowledges that for “small organizations, it may not be possible for internal auditors to be fully independent of the activity being audited”.

e) Independence: the basis for the impartiality of the audit and objectivity of the audit conclusions

Auditors should be independent of the activity being audited wherever practicable, and should in all cases act in a manner that is free from bias and conflict of interest. For internal audits, auditors should be independent from the function being audited if practicable. Auditors should maintain objectivity throughout the audit process to ensure that the audit findings and conclusions are based only on the audit evidence.
For small organizations, it may not be possible for internal auditors to be fully independent of the activity being audited, but every effort should be made to remove bias and encourage objectivity.

Further, ISO 19011:2018, "Guidelines for auditing management systems", sec. 5.5.4, “Selecting Audit Team Members” addresses the “objectivity and impartiality” of the auditors.