| Both sides previous revisionPrevious revisionNext revision | Previous revision |
| articles:risk-based_audits [2022/06/03 09:10] – [Risk-Based Internal Audits] rrandall | articles:risk-based_audits [2023/02/17 21:21] (current) – [Pitfalls to defining Risk-based Audit Planning Criteria] rrandall |
|---|
| </blockquote> | </blockquote> |
| |
| Expanding on the above description of a "risk-based audit", some specific "factors" that "could" be considered when planning a "risk-based internal audit" (e.g., scheduled over the course of a year) include, but are NOT limited to area/processes: | Expanding on the above description of a "risk-based audit", focus on the "risks"... rather than the "risk controls". The purpose of the internal audit is to verify the effectiveness of those "risk controls". |
| | |
| | Some specific "factors" that "could" be considered when planning a "risk-based internal audit" (e.g., scheduled over the course of a year) include, but are NOT limited to area/processes: |
| * Where the CB issued nonconformities during their most recent audit? If so, which area and how many nonconformities (Majors/Minors) were identified? | * Where the CB issued nonconformities during their most recent audit? If so, which area and how many nonconformities (Majors/Minors) were identified? |
| * Where nonconformities were issued during the previous Internal Audit? (If so, which area and how many nonconformities (Majors/Minors) were identified? | * Experiencing high numbers of new employees and/or high employee "turn-over"? |
| * Failing to meet established Quality Objectives? If so, which areas/processes? | * Where “key” employees have been added or replaced? |
| * That received "valid" customer complaints (since the last full internal audit)? | * That have undergone significant change(s) (e.g., improvements, new product line(s) introduced, new equipment added – such as automation)? |
| * That were responsible for the shipment of nonconforming product(s) to customers ("escapes"); whether or not reported by the customer as a complaint? | * With complex processes (e.g., Design)? |
| * Where multiple instances of nonconforming products were identified (e.g., in a Pareto Chart)? | * Involving “Special” processes (e.g., Soldering, Welding)? |
| * That have been the subject of one or more "Corrective Actions"? | |
| * Considered to have High or Medium risk levels (particularly subject to [[articles:human_factors|human factors]] (e.g., human errors))? | * Considered to have High or Medium risk levels (particularly subject to [[articles:human_factors|human factors]] (e.g., human errors))? |
| * With complex processes (e.g., Unique/Special Processes, Design Responsible)? | |
| * Requiring personnel to hold valid competency certifications (e.g., [[https://www.aws.org/certification/professionalcertifications|American Welding Society (AWS)]], [[https://www.cmsc.org/professional-certification-for-metrologists|Coordinate Metrology Society]], [[https://www.ipc.org/ipc-designer-certification-program|Institute of Printed Circuits (IPC)]], [[https://www.pmi.org/certifications|Project Management Institute]])? | |
| * Requiring the use of customer-mandated suppliers? | * Requiring the use of customer-mandated suppliers? |
| * Experiencing high numbers of new employees and/or high employee "turn-over"? | |
| * Where the functions and/or processes have undergone a significant change (e.g., improvement)? | |
| * Where new processes have been implemented (e.g., a new product line introduced)? | |
| |
| <note important>If known in advance of the audit, a couple of other factors that may be worthy of consideration are processes where monitoring and measuring equipment: | When performing "Risk-Based Planning for an Internal Audit", you should also review the previous internal audit results to determine whether there are any areas/processes... |
| * Require frequent calibration (e.g., prior to each use, on a short interval) | * Where nonconformities were issued? If so, which area and how many nonconformities (Majors/Minors) were identified? |
| * Has a low "accuracy ratio" (i.e., the ratio between the instrument and the tolerance measured. Note: any "accuracy ratio" ≤3:1 should be considered "high" risk.) | * Where Quality Objectives had not been achieved, and actions implemented in order to achieve them? |
| </note> | * That received "valid" customer complaints or reports of nonconforming products or services during the previous internal audit cycle? |
| | * Where multiple instances of the same or similar nonconformities identified (e.g., in a Pareto Chart)? |
| | * That had “Open” or “Pending” corrective Actions at the conclusion of the audit? |
| | * Considered to have High or Medium risk levels? |
| An "intended" benefit of promoting "risk-based" internal audits is to realize more dynamic audit planning - with companies adjusting their internal audit plans to focus on areas/processes where the most "value" can be achieved. | An "intended" benefit of promoting "risk-based" internal audits is to realize more dynamic audit planning - with companies adjusting their internal audit plans to focus on areas/processes where the most "value" can be achieved. |
| |
| <note>While [[https://www.iso.org/standard/70017.html|ISO 19011:2018, "Guidelines for auditing management systems"]], sec. 6.3.2.1, "Risk-based approach to planning" addresses this topic, it is too high-level and generic to be of any value.</note> | <WRAP center round info 80%> |
| | While [[https://www.iso.org/standard/70017.html|ISO 19011:2018, "Guidelines for auditing management systems"]], sec. 6.3.2.1, "Risk-based approach to planning" addresses this topic, it is too high-level and generic to be of any value.</WRAP> |
| |
| <note>Whether an AS 9100 series certified company performs "risk-based" internal audits is one of the criteria specified in [[https://www.sae.org/standards/content/as9104/1a/|SAE AS9104/1A]], which requires AS 9100 CBs (Certification Bodies... i.e., Registrars) to use the "//[[services:ocap|Organization Certification Analysis Process (OCAP)]]//" for determining an overall "risk rating" (High, Medium, Low) for each certified company.</note> | <WRAP center round info 80%>Whether an AS 9100 series certified company performs "risk-based" internal audits is one of the criteria specified in [[https://www.sae.org/standards/content/as9104/1a/|SAE AS9104/1A]], which requires AS 9100 CBs (Certification Bodies... i.e., Registrars) to use the "//[[services:ocap|Organization Certification Analysis Process (OCAP)]]//" for determining an overall "risk rating" (High, Medium, Low) for each certified company.</WRAP> |
| |
| ==== Pitfalls to defining Risk-based Audit Planning Criteria ==== | ==== Pitfalls to defining Risk-based Audit Planning Criteria ==== |
| ☝ Remember... the "real" purpose of a quality audit is to evaluate the "effectiveness" of the risk controls put in place to eliminate OR mitigate risks of delivering nonconforming products. | ☝ Remember... the "real" purpose of a quality audit is to evaluate the "effectiveness" of the risk controls put in place to eliminate OR mitigate risks of delivering nonconforming products. |
| |
| For example, if we're determined that there are one or more special processes being performed, a common risk-mitigation control is to | For example, if you've determined that there are one or more special processes being performed, a common __risk-mitigation controls__ include requiring that: |
| | * personnel to hold valid competency certifications (e.g., [[https://www.aws.org/certification/professionalcertifications|American Welding Society (AWS)]], [[https://www.cmsc.org/professional-certification-for-metrologists|Coordinate Metrology Society]], [[https://www.ipc.org/ipc-designer-certification-program|Institute of Printed Circuits (IPC)]], [[https://www.pmi.org/certifications|Project Management Institute]]). Do not confuse the risk with the risk mitigation control. |
| | * monitoring and measuring equipment have a high accuracy ratio (i.e., the ratio between the instrument and the tolerance measured), e/g., ≥10:1. |
| |
| <note tip>As you define the risk-based audit criteria for your organization... you will likely realize that the information from previous internal audits is not entirely adequate to support risk-based audit planning! Any shortcomings in the previous internal audit reports should be addressed by better defining the specific "objective evidence" to be recorded - so as to better support (or enhance) effective risk-based audit planning. Be sure to differentiate between "objective evidence" that contributes toward a more effective audit vs "non-value-added" information.</note> | <WRAP center round tip 80%>As you define the risk-based audit criteria for your organization... you will likely realize that the information from previous internal audits is not entirely adequate to support risk-based audit planning! Any shortcomings in the previous internal audit reports should be addressed by better defining the specific "objective evidence" to be recorded - so as to better support (or enhance) effective risk-based audit planning. Be sure to differentiate between "objective evidence" that contributes toward a more effective audit vs "non-value-added" information.</WRAP> |
| ==== Internal Audit Program Risk ==== | ==== Internal Audit Program Risk ==== |
| |
