Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
articles:risk-based_audits [2022/06/05 21:17] – [Risk-Based Internal Audits] rrandallarticles:risk-based_audits [2023/02/17 21:21] (current) – [Pitfalls to defining Risk-based Audit Planning Criteria] rrandall
Line 18: Line 18:
 Some specific "factors" that "could" be considered when planning a "risk-based internal audit" (e.g., scheduled over the course of a year) include, but are NOT limited to area/processes: Some specific "factors" that "could" be considered when planning a "risk-based internal audit" (e.g., scheduled over the course of a year) include, but are NOT limited to area/processes:
     * Where the CB issued nonconformities during their most recent audit? If so, which area and how many nonconformities (Majors/Minors) were identified?     * Where the CB issued nonconformities during their most recent audit? If so, which area and how many nonconformities (Majors/Minors) were identified?
-    * Where nonconformities were issued during the previous Internal Audit? (If so, which area and how many nonconformities (Majors/Minors) were identified+    * Experiencing high numbers of new employees and/or high employee "turn-over"
-    * Failing to meet established Quality Objectives? If so, which areas/processes+    * Where “key” employees have been added or replaced
-    * That received "valid" customer complaints (since the last full internal audit)+    * That have undergone significant change(s(e.g., improvements, new product line(s) introduced, new equipment added – such as automation)? 
-    * That were responsible for the shipment of nonconforming product(s) to customers ("escapes"); whether or not reported by the customer as a complaint+    * With complex processes (e.g., Design)? 
-    * Where multiple instances of nonconforming products were identified (e.g., in a Pareto Chart)? +    * Involving “Special” processes (e.g., Soldering, Welding)?
-    * That have been the subject of one or more "Corrective Actions"?+
     * Considered to have High or Medium risk levels (particularly subject to [[articles:human_factors|human factors]] (e.g., human errors))?     * Considered to have High or Medium risk levels (particularly subject to [[articles:human_factors|human factors]] (e.g., human errors))?
-    * With complex processes (e.g., Unique/Special Processes, Design Responsible)? 
     * Requiring the use of customer-mandated suppliers?     * Requiring the use of customer-mandated suppliers?
-    * Experiencing high numbers of new employees and/or high employee "turn-over"+ 
-    * Where the functions and/or processes have undergone a significant change (e.g., improvement)? +When performing "Risk-Based Planning for an Internal Audit", you should also review the previous internal audit results to determine whether there are any areas/processes..
-    * Where new processes have been implemented (e.g., a new product line introduced)?+    * Where nonconformities were issued? If sowhich area and how many nonconformities (Majors/Minorswere identified
 +    * Where Quality Objectives had not been achieved, and actions implemented in order to achieve them? 
 +    * That received "valid" customer complaints or reports of nonconforming products or services during the previous internal audit cycle? 
 +    * Where multiple instances of the same or similar nonconformities identified (e.g., in Pareto Chart)
 +    * That had “Open” or “Pending” corrective Actions at the conclusion of the audit? 
 +    * Considered to have High or Medium risk levels?
  
 An "intended" benefit of promoting "risk-based" internal audits is to realize more dynamic audit planning - with companies adjusting their internal audit plans to focus on areas/processes where the most "value" can be achieved.  An "intended" benefit of promoting "risk-based" internal audits is to realize more dynamic audit planning - with companies adjusting their internal audit plans to focus on areas/processes where the most "value" can be achieved. 
  
-<note>While [[https://www.iso.org/standard/70017.html|ISO 19011:2018, "Guidelines for auditing management systems"]], sec. 6.3.2.1, "Risk-based approach to planning" addresses this topic, it is too high-level and generic to be of any value.</note>+<WRAP center round info 80%> 
 +While [[https://www.iso.org/standard/70017.html|ISO 19011:2018, "Guidelines for auditing management systems"]], sec. 6.3.2.1, "Risk-based approach to planning" addresses this topic, it is too high-level and generic to be of any value.</WRAP>
  
-<note>Whether an AS 9100 series certified company performs "risk-based" internal audits is one of the criteria specified in [[https://www.sae.org/standards/content/as9104/1a/|SAE AS9104/1A]], which requires AS 9100 CBs (Certification Bodies... i.e., Registrars) to use the "//[[services:ocap|Organization Certification Analysis Process (OCAP)]]//" for determining an overall "risk rating" (High, Medium, Low) for each certified company.</note>+<WRAP center round info 80%>Whether an AS 9100 series certified company performs "risk-based" internal audits is one of the criteria specified in [[https://www.sae.org/standards/content/as9104/1a/|SAE AS9104/1A]], which requires AS 9100 CBs (Certification Bodies... i.e., Registrars) to use the "//[[services:ocap|Organization Certification Analysis Process (OCAP)]]//" for determining an overall "risk rating" (High, Medium, Low) for each certified company.</WRAP>
  
 ==== Pitfalls to defining Risk-based Audit Planning Criteria ==== ==== Pitfalls to defining Risk-based Audit Planning Criteria ====
Line 47: Line 51:
   * monitoring and measuring equipment have a high accuracy ratio (i.e., the ratio between the instrument and the tolerance measured), e/g., ≥10:1.   * monitoring and measuring equipment have a high accuracy ratio (i.e., the ratio between the instrument and the tolerance measured), e/g., ≥10:1.
  
-<note tip>As you define the risk-based audit criteria for your organization... you will likely realize that the information from previous internal audits is not entirely adequate to support risk-based audit planning! Any shortcomings in the previous internal audit reports should be addressed by better defining the specific "objective evidence" to be recorded - so as to better support (or enhance) effective risk-based audit planning. Be sure to differentiate between "objective evidence" that contributes toward a more effective audit vs "non-value-added" information.</note>+<WRAP center round tip 80%>As you define the risk-based audit criteria for your organization... you will likely realize that the information from previous internal audits is not entirely adequate to support risk-based audit planning! Any shortcomings in the previous internal audit reports should be addressed by better defining the specific "objective evidence" to be recorded - so as to better support (or enhance) effective risk-based audit planning. Be sure to differentiate between "objective evidence" that contributes toward a more effective audit vs "non-value-added" information.</WRAP>
 ==== Internal Audit Program Risk ==== ==== Internal Audit Program Risk ====