| Both sides previous revisionPrevious revisionNext revision | Previous revision |
| articles:risk-based_audits [2022/08/30 16:06] – [Risk-Based Internal Audits] rrandall | articles:risk-based_audits [2023/02/17 21:21] (current) – [Pitfalls to defining Risk-based Audit Planning Criteria] rrandall |
|---|
| An "intended" benefit of promoting "risk-based" internal audits is to realize more dynamic audit planning - with companies adjusting their internal audit plans to focus on areas/processes where the most "value" can be achieved. | An "intended" benefit of promoting "risk-based" internal audits is to realize more dynamic audit planning - with companies adjusting their internal audit plans to focus on areas/processes where the most "value" can be achieved. |
| |
| <note>While [[https://www.iso.org/standard/70017.html|ISO 19011:2018, "Guidelines for auditing management systems"]], sec. 6.3.2.1, "Risk-based approach to planning" addresses this topic, it is too high-level and generic to be of any value.</note> | <WRAP center round info 80%> |
| | While [[https://www.iso.org/standard/70017.html|ISO 19011:2018, "Guidelines for auditing management systems"]], sec. 6.3.2.1, "Risk-based approach to planning" addresses this topic, it is too high-level and generic to be of any value.</WRAP> |
| |
| <note>Whether an AS 9100 series certified company performs "risk-based" internal audits is one of the criteria specified in [[https://www.sae.org/standards/content/as9104/1a/|SAE AS9104/1A]], which requires AS 9100 CBs (Certification Bodies... i.e., Registrars) to use the "//[[services:ocap|Organization Certification Analysis Process (OCAP)]]//" for determining an overall "risk rating" (High, Medium, Low) for each certified company.</note> | <WRAP center round info 80%>Whether an AS 9100 series certified company performs "risk-based" internal audits is one of the criteria specified in [[https://www.sae.org/standards/content/as9104/1a/|SAE AS9104/1A]], which requires AS 9100 CBs (Certification Bodies... i.e., Registrars) to use the "//[[services:ocap|Organization Certification Analysis Process (OCAP)]]//" for determining an overall "risk rating" (High, Medium, Low) for each certified company.</WRAP> |
| |
| ==== Pitfalls to defining Risk-based Audit Planning Criteria ==== | ==== Pitfalls to defining Risk-based Audit Planning Criteria ==== |
| * monitoring and measuring equipment have a high accuracy ratio (i.e., the ratio between the instrument and the tolerance measured), e/g., ≥10:1. | * monitoring and measuring equipment have a high accuracy ratio (i.e., the ratio between the instrument and the tolerance measured), e/g., ≥10:1. |
| |
| <note tip>As you define the risk-based audit criteria for your organization... you will likely realize that the information from previous internal audits is not entirely adequate to support risk-based audit planning! Any shortcomings in the previous internal audit reports should be addressed by better defining the specific "objective evidence" to be recorded - so as to better support (or enhance) effective risk-based audit planning. Be sure to differentiate between "objective evidence" that contributes toward a more effective audit vs "non-value-added" information.</note> | <WRAP center round tip 80%>As you define the risk-based audit criteria for your organization... you will likely realize that the information from previous internal audits is not entirely adequate to support risk-based audit planning! Any shortcomings in the previous internal audit reports should be addressed by better defining the specific "objective evidence" to be recorded - so as to better support (or enhance) effective risk-based audit planning. Be sure to differentiate between "objective evidence" that contributes toward a more effective audit vs "non-value-added" information.</WRAP> |
| ==== Internal Audit Program Risk ==== | ==== Internal Audit Program Risk ==== |
| |
