
"Risk Based" Internal Auditing - a discussion...

Discussion in 'ISO 19011 - Auditing Management Systems Guidelines' started by Andy Nichols, Dec 22, 2015.

  1. Andy Nichols (Moderator, Staff Member; In the "Rust Belt")
    In preparing for some work, next year, I wanted to run a couple of thoughts by our learned friends for feedback on this subject. In considering the topic, there seems to me to be 2 distinct types of what we might call "risk based (internal) audits":

    a) where the audits are planned (strategic) to take a look at some aspect of the management system which management need assurance is under control during some circumstances they consider to be an "opportunity" and also a "risk" - the purpose of the audit being to confirm the controls are in place and functioning as planned, and

    b) where an internal auditor "stumbles" over something (tactical) during their audit, such as an out of control condition on a process parameter but no non-conforming product (apparently) resulted (for example); however, the condition was only recorded, etc. The auditor could pursue discussion about the potential for further processing, results, etc. reaching the customer (latent defects).

    Anyone care to comment?
     
  2. Jennifer Kirley (Moderator, Staff Member; USA)
    Both can be risk based. I am writing a paper on risk-based auditing but have not made much progress lately...

    ISO standards have always inferred risk when telling us to plan audits based on status and importance. Status can mean major changes, a new design, recent employee turnover, previous performance in assessments, etc. This is known risk. Top management could be asked if there is anything they would like us to look at. Sometimes they value an outsider's opinion more than an insider's, and sometimes they just want our analytical skills.

    Unknown risk is when we stumble on something and follow an audit trail to arrive at the appropriate element for issuing a nonconformity, or not if the client can show it is a non-issue. This happens to me a lot. I always advocate to "follow your nose" as our view from the unfamiliar, or just "inspector's luck" can help notice something that insiders have just grown used to seeing, or do not realize is an issue.
     
  3. Candi1024 (Well-Known Member; Pennsylvania)
    Ohhhhh, and here I thought "risk based" was how many things could you let slide before there was too much "risk" of an auditor finding the errors!!:oops:

    :D Just kidding! ;)
     
  4. Jennifer Kirley (Moderator, Staff Member; USA)
    I once had a client who defined "Preventive action" as anything they found internally so I didn't.
     
  5. Andy Nichols (Moderator, Staff Member; In the "Rust Belt")
    Just as a quick side note - this is an example of why there really needs to be some type of accredited, professional development/qualification for people who design/implement management systems, not just for auditors.
     
  6. Eric Twiname (Well-Known Member; Northeast USA)
    I was thinking more along the lines of accredited "auditor-management training". :eek:
     
  7. Jennifer Kirley (Moderator, Staff Member; USA)
    Ah yes. Accreditation would be a good thing, but I've been falsely taught in an accredited class (the phantom requirement to use the core manuals for TS 16949 registration). They didn't put that on the exams though. o_O
     
  8. Jennifer Kirley (Moderator, Staff Member; USA)
    The ASQ Certified Auditor is pretty good, but once getting the card people can still do what they like.
     
  9. Ganesh Sundaresan (Active Member)
    Merry Christmas to all.

    To my mind, an Auditor, rather than evaluating the risk per se, is better off evaluating the Organization's way of managing the non-conforming situation in respect of the "risk" associated with it. The point is, the Auditor's ability to evaluate risk in a domain that goes beyond his/her empirical knowledge is certainly vulnerable to his conclusion being characterized as questionable, opinion-based or unfair, and it can rightly be so. Auditees are Auditees after all; trust them to exhibit the highest level of persuasion in converting an issue into a non-issue. Why wouldn't they, if the risk is going to be projected on a red background to the Top Management in the Closing meeting?
     
  10. MCW8888 (Well-Known Member)
    It takes a lot of experience for an auditor to conduct effective risk-based auditing.
     
  11. Andy Nichols (Moderator, Staff Member; In the "Rust Belt")
    Perhaps you'd give us some background as to why...
     
  12. MCW8888 (Well-Known Member)
    Our CB auditors are just looking for deviations from the ISO standards. Once they find a comfortable number of deviations that can get them off the hook of being audited by a witness auditor, they are comfortable with that. Sometimes the justification for findings is not clear.
     
  13. Somashekar (Well-Known Member)
    Understanding the context of the organization becomes the starting point of risk based internal auditing. In fact it dictates the way your QMS is set up and is moving further. The next area is the changes faced by the organization, which includes changes in the context as well as internal changes.
    Processes directly confronting the changes begin to direct changes within the organization. An internal auditor therefore must be so well trained as to identify this chain of process interaction and probe its effectiveness. To identify and schedule such internal audits in a timely manner is now part of the leadership initiative. When the leadership does not understand this, and further the executive managers get no authority for conducting such checks and balances, the mundane 6-monthly internal auditing of the typical "Say what you do >>> Do what you say" will be done and paper records (rubbish) will be generated. Perhaps what is missing here is the authoritative MR, which the new standard does not state as a requirement. Some of the well established QMSs who migrate to the new revision will understand and shift the approach towards risk based internal auditing. The others will see no change and do no change. The new breed who take up the new standard afresh must be inducted into such internal auditing and get into the top-down approach to the internal auditing process...
     
  14. Andy Nichols (Moderator, Staff Member; In the "Rust Belt")
    I was hoping to keep away from any references to or about CB auditors. The biggest value for internal audits has little/nothing to do with CB audits. How does an experienced (internal) auditor relate to risk based audits, in your experience?
     
  15. Ganesh Sundaresan (Active Member)
    Agree there. But my understanding of Andy's thoughts in the OP, thrown open for comments, is of an Internal Auditor trying to figure out whether the gross thing observed during his Audit is a nuclear bomb or just dog poop.
     
  16. MCW8888 (Well-Known Member)
    My experience as an internal auditor is to audit the process and its effectiveness in meeting the objectives. Nonconformances are classified as High risk (directly impacts the customer requirements and effectiveness of the QMS); Medium risk (slight deviation from Quality Assurance protocol); and Low risk (observations that need improvement). Your comments are helpful.
     
  17. MCW8888 (Well-Known Member)
    Background: The Internal Auditor classroom training was planned based on a "tick-box" checklist, which is easy to use. Deviations from checklists are classified as major, minor and observation. I have checklists that are process based. The process based checklist was developed from all of the suggestions from this forum, the TC176 guidelines and the Elsmar Cove.
     
  18. MCW8888 (Well-Known Member)
    The Internal Auditor training for ISO 9001:2015 started to use risk-based auditing. For example, we learned that a nonconformance should be written in 4 parts: (1) description of the requirement (either the company policy or procedure, or the ISO standard); (2) statement of finding; (3) objective evidence; (4) justification of risk.
     
  19. Jennifer Kirley (Moderator, Staff Member; USA)
    This would be a good practice, in my view. Too often, action requests are written without clarity as to why they matter - what is the value? In the past we have simply pointed to a clause in the standard ("It matters because the standard requires it") but it makes sense to take the trouble to explain the risk the auditor recognizes. The process owner might not have recognized the risk - there is a lot of confusion out there - or might not know that thing is happening. This has been easier with environmental: "See that jug of propylene glycol sitting right next to the floor drain? If that jug was to get kicked over and the stuff go into the drain, would that be bad?" With quality we refer to customer needs or requirements. It seems fitting to include it in a write up.
     
  20. Andy Nichols (Moderator, Staff Member; In the "Rust Belt")
    Could you give us an example of how this "justification of risk" was communicated/explained? I can see people reporting "We'll lose our certification" as a risk...:rolleyes: