"Risk Based" Internal Auditing - a discussion...

Discussion in 'ISO 19011 - Auditing Management Systems Guidelines' started by Andy Nichols, Dec 22, 2015.

  1. Ganesh Sundaresan

    Ganesh Sundaresan Active Member

    Joined:
    Jul 31, 2015
    Messages:
    66
    Likes Received:
    36
    Trophy Points:
    17
    Sorry if I am cynical here. In my earlier Organization we used to mention a risk statement in the Supplier audit report against each improvement point, sort of. Many a time, we conceive the need for improvement first (intuition at work) and then fabricate the risk appropriately; appropriate enough that our reports get accepted by the Reviewer before releasing to Suppliers. My argument is, there is such a huge element of subjectivity involved in the idea of risk that writing one in relevance to Interested Parties or to the Context of the Organization is not going to be a tough job. Honestly, making a mountain out of a mole-hill is not an uncommon scenario during Audits. While I sincerely believe that the new version of ISO has made it more practical and even more meaningful by introducing the concept of risk, I wish we, beneficiaries of ISO, aren't deprived of this advantage by an Auditor making some hyperbolic statements.
     
    Andy Nichols likes this.
  2. Claes Gefvenberg

    Claes Gefvenberg Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    230
    Likes Received:
    208
    Trophy Points:
    42
    Location:
    Eskilstuna, Sweden
    This is in fact something we already do as part of our Management Review: Apart from what we already have to cover in audits, our management decides on one or several particular audit focus areas.
     
    MCW8888 and Jennifer Kirley like this.
  3. Jennifer Kirley

    Jennifer Kirley Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    1,071
    Likes Received:
    722
    Trophy Points:
    112
    Location:
    USA
    Certainly it will be a tough job, and tougher still for supplier audits as there is so little time spent there and supplier control has always been hard.

    Quality is sure to be harder than environmental. There's an element of certainty to the effects of a trickling forbidden substance to an open drain. There's always just an element though, usually nearly overwhelmed by a "What are the odds of someone kicking that over?" denial. In quality there is the problem of positive correlation - it is very difficult to single out a sole dependent variable in order to target and measure effectiveness of action taken.

    But we are talking about risk. We can, and are now asked to estimate the degree of risk by way of how often the task is done, etc. Context just helps us decide if it's relevant or not.
     
  4. MCW8888

    MCW8888 Well-Known Member

    Joined:
    Aug 17, 2015
    Messages:
    642
    Likes Received:
    198
    Trophy Points:
    42
    It is sometimes difficult to go this route; however, when management realizes what is at stake when a high-risk finding is documented, they are very responsive.
     
    Jennifer Kirley likes this.
  5. MCW8888

    MCW8888 Well-Known Member

    Losing the certificate (unless it is a TS audit where suspension can be a risk if there is a major) is hardly anything that would move management. What is important to them are their Corporate dashboard which are: Customer Satisfaction, Delivery Performance, and most of all Compliance to Corporate health and safety. Corporate have all these measurables that are tracked and communicated on a monthly basis. Associating risk with any of these performance indicators triggers continuous improvement. This is still a new change for us but it is gaining traction; at the same time there are support processes that are pushing back on the process approach.
     
    Jennifer Kirley likes this.
  6. Jennifer Kirley

    Jennifer Kirley Moderator Staff Member

    As always, customer satisfaction is key and remains so in the risk-based version of 9001. Risk is about type and degree of loss potential. We have always had this. Management has often looked at the risk, made a decision and confronted the outcomes after time. We have lawsuits recording this process, particularly in automotive. A horse can always choose to die of thirst.

    Auditors are messengers. Risk is part of the message. The newest versions of the standards finally give us a bit more basis upon which to formulate the message. It is right and proper that we articulate it when we can.
     
    Claes Gefvenberg and MCW8888 like this.
  7. MCW8888

    MCW8888 Well-Known Member

    If the risk-based internal auditing is not utilized, the intent of ISO9001:2015 is not met; for this new standard is the Continuous Improvement of the 2008 version.
     
  8. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    I'm not sure this is accurate. What's required is "risk" to be considered in the QMS. "Risk based" auditing has ALWAYS been a requirement, while the standard has stated an "audit program shall be established...taking into consideration status and importance..." and not JUST the 2015 version. People overlooked it, didn't know what to do and neither did (some) CB auditors (partly because their training is the same as everyone else's).
     
  9. MCW8888

    MCW8888 Well-Known Member

    That clause was IMPLIED. The statement was regurgitated in most of the audit reports I have seen. Like Preventive Action, it was left for open interpretation by the organization. I can say "mea culpa" for allowing this to happen and the external auditors never said anything about it. Again this was based on my previous training as IA.
     
  10. Andy Nichols

    Andy Nichols Moderator Staff Member

    It was a requirement - if "status and importance" isn't risk-based, what is it?
     
  11. Jennifer Kirley

    Jennifer Kirley Moderator Staff Member

    When reviewing an internal audit program, I have been asked to look for process audits vs. clause-by-clause checklists - I was not asked to look for risk-based auditing.

    That said, Andy is correct; status and importance has been there for years and it does involve a type of risk consideration. It can include a process that has recently had a major change - that is arguably about risk too. Too often, the simple expectations for status and importance have not been met in audit planning. CB auditors will still want to see it.

    We will also still want to see if the internal audits are verifying effectiveness. That is too seldom done too. Since risk is defined as "the effect of uncertainty..." then we might think of being effective as minimizing uncertainty... which is a type of risk-based approach. Naturally I would be happy to see more, but for starters I would like to see more clients apply even this much.

    But let us go further. If we are auditing a risk-based system, when including the review of the consideration of risk that process owners have taken as part of the process, aren't we now starting to include risk-based thinking in our auditing? Even the audit process owner might have done that (what might the effect of uncertainty mean in an internal audit program? Failure to find an issue? Incorrectly pointing to something that is okay? What would that mean for the customer?) and that can be a part of risk-based auditing too.
     
  12. Andy Nichols

    Andy Nichols Moderator Staff Member

    Great post, Jennifer!
     
  13. Jennifer Kirley

    Jennifer Kirley Moderator Staff Member

    Thank you. :)
     
  14. MCW8888

    MCW8888 Well-Known Member

    We started
    All our customer-oriented processes are considered important (e.g. high risk) so we walked the process backward using a shipping document and audit based on compliance to work instructions. We find our nonconformance just by doing that. In a 3-year cycle we covered all the clauses of the ISO standard. For an external auditor that seems to have met the requirements of ISO and was deemed effective. We never interpreted "status and importance" as risk. I am not going back to that manner of thinking again. After passing a Lead Auditor training course in ISO9001:2015 I resolve to improve the auditing process in my organization.
     
  15. Jennifer Kirley

    Jennifer Kirley Moderator Staff Member

    MCW8888, your approach sounds better than many I have seen. If I was your CB auditor I would have enjoyed reviewing your findings! Do you also occasionally take a look at the aggregate data to decide things like system-wide effectiveness in the support processes? That could be addressing a type of risk (missing a pattern of "onesies" pointing to a larger issue).

    I wish I could have been present for your 2015 Lead Auditor course. I would love to see what they are teaching.
     
  16. Andy Nichols

    Andy Nichols Moderator Staff Member

    I guess I don't understand. Do you mean that now, (if it were still in the requirements) you would consider status and importance to be synonymous with risk?
     
  17. MCW8888

    MCW8888 Well-Known Member

    Absolutely, because now the standard explicitly requires us to do risk-based internal auditing.
     
  18. Andy Nichols

    Andy Nichols Moderator Staff Member

    Awesome!
     
  19. MCW8888

    MCW8888 Well-Known Member

    I came out of that training course with a renewed appreciation of the risk-based internal auditing. I wish I could've taken it from one of the consultants at Cove.
     
  20. Jennifer Kirley

    Jennifer Kirley Moderator Staff Member

    Who delivered the training?
     
    Andy Nichols likes this.