| Both sides previous revisionPrevious revisionNext revision | Previous revision |
| articles:risk-based_audits [2022/06/03 07:41] – [Risk-Based Internal Audits] rrandall | articles:risk-based_audits [2023/02/17 21:21] (current) – [Pitfalls to defining Risk-based Audit Planning Criteria] rrandall |
|---|
| </blockquote> | </blockquote> |
| |
| Expanding on the above description of a "risk-based audit", some specific "factors" that "could" be considered when planning a "risk-based internal audit" (e.g., scheduled over the course of a year) include, but are NOT limited to area/processes: | Expanding on the above description of a "risk-based audit", focus on the "risks"... rather than the "risk controls". The purpose of the internal audit is to verify the effectiveness of those "risk controls". |
| | |
| | Some specific "factors" that "could" be considered when planning a "risk-based internal audit" (e.g., scheduled over the course of a year) include, but are NOT limited to area/processes: |
| * Where the CB issued nonconformities during their most recent audit? If so, which area and how many nonconformities (Majors/Minors) were identified? | * Where the CB issued nonconformities during their most recent audit? If so, which area and how many nonconformities (Majors/Minors) were identified? |
| * Where nonconformities were issued during the previous Internal Audit? (If so, which area and how many nonconformities (Majors/Minors) were identified? | * Experiencing high numbers of new employees and/or high employee "turn-over"? |
| * Failing to meet established Quality Objectives? If so, which areas/processes? | * Where “key” employees have been added or replaced? |
| * That received "valid" customer complaints (since the last full internal audit)? | * That have undergone significant change(s) (e.g., improvements, new product line(s) introduced, new equipment added – such as automation)? |
| * That were responsible for the shipment of nonconforming product(s) to customers ("escapes"); whether or not reported by the customer as a complaint? | * With complex processes (e.g., Design)? |
| * Where multiple instances of nonconforming products were identified (e.g., in a Pareto Chart)? | * Involving “Special” processes (e.g., Soldering, Welding)? |
| * That have been the subject of one or more "Corrective Actions"? | |
| * Considered to have High or Medium risk levels (particularly subject to [[articles:human_factors|human factors]] (e.g., human errors))? | * Considered to have High or Medium risk levels (particularly subject to [[articles:human_factors|human factors]] (e.g., human errors))? |
| * With complex processes (e.g., Unique/Special Processes, Design Responsible)? | |
| * Requiring personnel to hold valid competency certifications (e.g., [[https://www.aws.org/certification/professionalcertifications|American Welding Society (AWS)]], [[https://www.cmsc.org/professional-certification-for-metrologists|Coordinate Metrology Society]], [[https://www.ipc.org/ipc-designer-certification-program|Institute of Printed Circuits (IPC)]], [[https://www.pmi.org/certifications|Project Management Institute]])? | |
| * Requiring the use of customer-mandated suppliers? | * Requiring the use of customer-mandated suppliers? |
| * Experiencing high numbers of new employees and/or high employee "turn-over"? | |
| * Where the functions and/or processes have undergone a significant change (e.g., improvement)? | |
| * Where new processes have been implemented (e.g., a new product line introduced)? | |
| |
| <note important>If known in advance of the audit, a couple of other factors that may be worthy of consideration are processes where monitoring and measuring equipment: | When performing "Risk-Based Planning for an Internal Audit", you should also review the previous internal audit results to determine whether there are any areas/processes... |
| * Require frequent calibration (e.g., prior to each use, on a short interval) | * Where nonconformities were issued? If so, which area and how many nonconformities (Majors/Minors) were identified? |
| * Has a low "accuracy ratio" (i.e., the ratio between the instrument and the tolerance measured. Note: any "accuracy ratio" ≤3:1 should be considered "high" risk.) | * Where Quality Objectives had not been achieved, and actions implemented in order to achieve them? |
| </note> | * That received "valid" customer complaints or reports of nonconforming products or services during the previous internal audit cycle? |
| | * Where multiple instances of the same or similar nonconformities identified (e.g., in a Pareto Chart)? |
| | * That had “Open” or “Pending” corrective Actions at the conclusion of the audit? |
| | * Considered to have High or Medium risk levels? |
| An "intended" benefit of promoting "risk-based" internal audits is to realize more dynamic audit planning - with companies adjusting their internal audit plans to focus on areas/processes where the most "value" can be achieved. | An "intended" benefit of promoting "risk-based" internal audits is to realize more dynamic audit planning - with companies adjusting their internal audit plans to focus on areas/processes where the most "value" can be achieved. |
| |
| <note>While [[https://www.iso.org/standard/70017.html|ISO 19011:2018, "Guidelines for auditing management systems"]], sec. 6.3.2.1, "Risk-based approach to planning" addresses this topic, it is too high-level and generic to be of any value.</note> | <WRAP center round info 80%> |
| | While [[https://www.iso.org/standard/70017.html|ISO 19011:2018, "Guidelines for auditing management systems"]], sec. 6.3.2.1, "Risk-based approach to planning" addresses this topic, it is too high-level and generic to be of any value.</WRAP> |
| | |
| | <WRAP center round info 80%>Whether an AS 9100 series certified company performs "risk-based" internal audits is one of the criteria specified in [[https://www.sae.org/standards/content/as9104/1a/|SAE AS9104/1A]], which requires AS 9100 CBs (Certification Bodies... i.e., Registrars) to use the "//[[services:ocap|Organization Certification Analysis Process (OCAP)]]//" for determining an overall "risk rating" (High, Medium, Low) for each certified company.</WRAP> |
| | |
| | ==== Pitfalls to defining Risk-based Audit Planning Criteria ==== |
| | |
| | When defining risk-based audit criteria... it is tempting to actually begin auditing in order to prepare for the audit!! IF you're asking questions that will be asked during the audit... then you've crossed over from "Audit Planning" into actually performing the audit! While there is some information that can be gathered immediately prior to the audit (e.g., changes in personnel, New Products that have been introduced, areas that have undergone significant changes), this should be high-level information. Detailed information will be gathered during the actual audit. |
| | |
| | ☝ Remember... the "real" purpose of a quality audit is to evaluate the "effectiveness" of the risk controls put in place to eliminate OR mitigate risks of delivering nonconforming products. |
| | |
| | For example, if you've determined that there are one or more special processes being performed, a common __risk-mitigation controls__ include requiring that: |
| | * personnel to hold valid competency certifications (e.g., [[https://www.aws.org/certification/professionalcertifications|American Welding Society (AWS)]], [[https://www.cmsc.org/professional-certification-for-metrologists|Coordinate Metrology Society]], [[https://www.ipc.org/ipc-designer-certification-program|Institute of Printed Circuits (IPC)]], [[https://www.pmi.org/certifications|Project Management Institute]]). Do not confuse the risk with the risk mitigation control. |
| | * monitoring and measuring equipment have a high accuracy ratio (i.e., the ratio between the instrument and the tolerance measured), e/g., ≥10:1. |
| |
| <note>Whether an AS 9100 series certified company performs "risk-based" internal audits is one of the criteria specified in [[https://www.sae.org/standards/content/as9104/1a/|SAE AS9104/1A]], which requires AS 9100 CBs (Certification Bodies... i.e., Registrars) to use the "//[[services:ocap|Organization Certification Analysis Process (OCAP)]]//" for determining an overall "risk rating" (High, Medium, Low) for each certified company.</note> | <WRAP center round tip 80%>As you define the risk-based audit criteria for your organization... you will likely realize that the information from previous internal audits is not entirely adequate to support risk-based audit planning! Any shortcomings in the previous internal audit reports should be addressed by better defining the specific "objective evidence" to be recorded - so as to better support (or enhance) effective risk-based audit planning. Be sure to differentiate between "objective evidence" that contributes toward a more effective audit vs "non-value-added" information.</WRAP> |
| <note warning>When defining risk-based audit criteria... it is tempting to actually begin auditing in order to prepare for the audit!! IF you're asking questions that will be asked during the audit... then you've crossed over from "Audit Planning" into actually performing the audit! While there is some information that can be gathered immediately before the audit (e.g., changes in personnel, New Products that have been introduced, areas that have undergone significant changes), this should be high-level information. Detailed information will be gathered during the actual audit.</note> | |
| ==== Internal Audit Program Risk ==== | ==== Internal Audit Program Risk ==== |
| |
