articles:risk-based_audits [2022/06/05 21:15] – [Risk-Based Internal Audits] rrandall | articles:risk-based_audits [2023/02/17 21:20] – [Risk-Based Internal Audits] rrandall |
---|
</blockquote> | </blockquote> |
| |
Expanding on the above description of a "risk-based audit", focus on the "risks"... rather than the "risk controls". The purpose of the internal audit is to verify the e]]ffectiveness of those "risk controls". | Expanding on the above description of a "risk-based audit", focus on the "risks"... rather than the "risk controls". The purpose of the internal audit is to verify the effectiveness of those "risk controls". |
| |
Some specific "factors" that "could" be considered when planning a "risk-based internal audit" (e.g., scheduled over the course of a year) include, but are NOT limited to area/processes: | Some specific "factors" that "could" be considered when planning a "risk-based internal audit" (e.g., scheduled over the course of a year) include, but are NOT limited to area/processes: |
* Where the CB issued nonconformities during their most recent audit? If so, which area and how many nonconformities (Majors/Minors) were identified? | * Where the CB issued nonconformities during their most recent audit? If so, which area and how many nonconformities (Majors/Minors) were identified? |
* Where nonconformities were issued during the previous Internal Audit? (If so, which area and how many nonconformities (Majors/Minors) were identified? | * Experiencing high numbers of new employees and/or high employee "turn-over"? |
* Failing to meet established Quality Objectives? If so, which areas/processes? | * Where “key” employees have been added or replaced? |
* That received "valid" customer complaints (since the last full internal audit)? | * That have undergone significant change(s) (e.g., improvements, new product line(s) introduced, new equipment added – such as automation)? |
* That were responsible for the shipment of nonconforming product(s) to customers ("escapes"); whether or not reported by the customer as a complaint? | * With complex processes (e.g., Design)? |
* Where multiple instances of nonconforming products were identified (e.g., in a Pareto Chart)? | * Involving “Special” processes (e.g., Soldering, Welding)? |
* That have been the subject of one or more "Corrective Actions"? | |
* Considered to have High or Medium risk levels (particularly subject to [[articles:human_factors|human factors]] (e.g., human errors))? | * Considered to have High or Medium risk levels (particularly subject to [[articles:human_factors|human factors]] (e.g., human errors))? |
* With complex processes (e.g., Unique/Special Processes, Design Responsible)? | |
* Requiring the use of customer-mandated suppliers? | * Requiring the use of customer-mandated suppliers? |
* Experiencing high numbers of new employees and/or high employee "turn-over"? | |
* Where the functions and/or processes have undergone a significant change (e.g., improvement)? | When performing "Risk-Based Planning for an Internal Audit", you should also review the previous internal audit results to determine whether there are any areas/processes... |
* Where new processes have been implemented (e.g., a new product line introduced)? | * Where nonconformities were issued? If so, which area and how many nonconformities (Majors/Minors) were identified? |
| * Where Quality Objectives had not been achieved, and actions implemented in order to achieve them? |
| * That received "valid" customer complaints or reports of nonconforming products or services during the previous internal audit cycle? |
| * Where multiple instances of the same or similar nonconformities identified (e.g., in a Pareto Chart)? |
| * That had “Open” or “Pending” corrective Actions at the conclusion of the audit? |
| * Considered to have High or Medium risk levels? |
| |
An "intended" benefit of promoting "risk-based" internal audits is to realize more dynamic audit planning - with companies adjusting their internal audit plans to focus on areas/processes where the most "value" can be achieved. | An "intended" benefit of promoting "risk-based" internal audits is to realize more dynamic audit planning - with companies adjusting their internal audit plans to focus on areas/processes where the most "value" can be achieved. |
| |
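Review bot: in the new second list (right-hand column), the bullet "Where multiple instances of the same or similar nonconformities identified" has lost its verb and should read "were identified". "corrective Actions" in the "Open"/"Pending" bullet is capitalised differently from the "Corrective Actions" bullet it replaces. "Considered to have High or Medium risk levels?" now appears in both lists, once with the human-factors qualifier and once without; keep one, or state how the two uses differ. The new revision also mixes curly quotes (“key”, “Special”, “Open”) with the straight quotes used everywhere else on the page.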
<note>While [[https://www.iso.org/standard/70017.html|ISO 19011:2018, "Guidelines for auditing management systems"]], sec. 6.3.2.1, "Risk-based approach to planning" addresses this topic, it is too high-level and generic to be of any value.</note> | <WRAP center round info 80%> |
| While [[https://www.iso.org/standard/70017.html|ISO 19011:2018, "Guidelines for auditing management systems"]], sec. 6.3.2.1, "Risk-based approach to planning" addresses this topic, it is too high-level and generic to be of any value.</WRAP> |
| |
<note>Whether an AS 9100 series certified company performs "risk-based" internal audits is one of the criteria specified in [[https://www.sae.org/standards/content/as9104/1a/|SAE AS9104/1A]], which requires AS 9100 CBs (Certification Bodies... i.e., Registrars) to use the "//[[services:ocap|Organization Certification Analysis Process (OCAP)]]//" for determining an overall "risk rating" (High, Medium, Low) for each certified company.</note> | <WRAP center round info 80%>Whether an AS 9100 series certified company performs "risk-based" internal audits is one of the criteria specified in [[https://www.sae.org/standards/content/as9104/1a/|SAE AS9104/1A]], which requires AS 9100 CBs (Certification Bodies... i.e., Registrars) to use the "//[[services:ocap|Organization Certification Analysis Process (OCAP)]]//" for determining an overall "risk rating" (High, Medium, Low) for each certified company.</WRAP> |
| |
==== Pitfalls to defining Risk-based Audit Planning Criteria ==== | ==== Pitfalls to defining Risk-based Audit Planning Criteria ==== |
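Review bot: the two notes converted from `<note>` to `<WRAP center round info 80%>` are laid out differently in the new revision. The ISO 19011:2018 note puts the opening tag on its own line ahead of the text, while the SAE AS9104/1A note starts its text on the same line as the tag. Use one layout for both so the source stays uniform and later diffs of these notes are easier to read.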