
What is the risk-based approach to auditing?

ISO 9001:2015 formally adopts a more risk-based approach to quality management. This 3rd installment of Karen MacKenzie's 'The thing about auditing...' series looks at 7 ways in which risk-based audits can provide a good return on your investment of time and wages.

The thing about auditing is that it is risk-based. We audit what is important – what poses the greatest risk to the organisation. Just as you would at home in carrying out checks last thing at night, you check the most important areas – the areas of highest risk: the front door, the back door, the windows, that the electrics are switched off.

In the same way, we audit the key risks. If they haven’t been identified then it’s an excellent opportunity to do so, and determine some preventive action for them. Remember that corrective action fixes what has gone awry and prevents recurrence; but preventive action prevents occurrence in the first place.

So back to our auditor’s skilful questioning:

  • What is the purpose of the process?
  • What makes it work?
  • Where, and what are the risks?
  • How are the risks mitigated?

The essence of risk-based audit is therefore customer-focused, starting with the objectives of the activity being audited, moving on to the risks posed to the achievement of those objectives, and then to the procedures and processes in place to mitigate the risks. Risk-based audit is therefore an evolution rather than a revolution, although the results obtained can be revolutionary.

The foundation for risk-based auditing

Risk-based auditing is built on the more modern auditing approach that evaluates systems and processes rather than departments or functions. The Systems-Based Audit (SBA) is a horizontal rather than vertical approach, auditing across the organisation and looking for the areas where there are inconsistencies, or interfaces where issues arise. Systems-based audit is therefore much less transaction-based than compliance-based audit; indeed the phrase ‘cradle to grave’ is often used to describe it. To try it out, follow a small number of transactions through the system from start to finish and see if you can determine the system's effectiveness, for example its conformance with objectives and its ability to meet customer requirements.

Risk-based audit: 7 value-adding benefits

Risk-based audit builds on this SBA approach, focusing on the areas of highest risk to the organisation, and uses a different starting point: business objectives rather than controls. Of course, the audit itself is a risk-based activity – the auditor is risk assessing when sampling. If I examine 10% of a given set of records to obtain sufficient, valid, reliable evidence of conformance, my risk assessment as an auditor is that I am prepared to ‘risk’ that the other 90% unseen by me are likely conforming. ISO 19011:2011 provides very good information on sampling for new and/or aspiring auditors, and is never wasted on experienced auditors!

At the end of the day we are dealing with quality assurance, and an audit decision provides assurance on the degree of conformance with a set of audit criteria. When an organisation holds up its ISO 9001 certificate to the world, it hopes it is providing assurance of its ability to operate in accordance with the requirements of ISO 9001, and the audit tool is one of those used to provide that assurance. It’s so ‘value-adding’ because it can evaluate if the processes within the system are operating efficiently and effectively. It can show:

  1. where double handling takes place,
  2. where unnecessary steps are included,
  3. where critical steps are missed out,
  4. where equipment and machinery are not operating as they should or enhancing the process,
  5. where operators have not been fully inducted, briefed or trained,
  6. where there are inadequate work instructions to work with,
  7. where vital inspection and test activities have been missed out, or are failing to do what is required of them.

The identification of these things in itself leads to the solution to the problems. You can’t fix what you don’t know is broken and you can’t improve what you can’t measure. Moreover, you can’t decide what the most important priority is without identifying the consequences of not doing it – i.e. the risk!

Auditing is too much of an investment to not expect value-adding benefits back

The auditor as risk assessor definitely features heavily in the modern audit role. An independent assessment of how well the organisation is managing its threats is clearly a very significant and important role, and plays a significant part as a value-adding activity. Auditing is too much of an investment not to expect to get value-adding benefits back from it. It must:

  • show the degree of conformance with criteria and the evidence of that,
  • show where there is not conformance and the evidence of that,
  • show strengths and weaknesses, threats and opportunities,
  • show opportunities for improvement, for saving, for investment, for training and re-training, for raising awareness. And above all, for identifying consequences of both doing certain things and not doing certain things – for identifying risks.

Next time

To be a good risk-based auditor takes many attributes, not least confidence… The thing about auditing is the ability to manage other people’s insecurities, with confidence.

If you missed Karen's earlier articles in this series, you can view them here:

The Thing About Auditing - Communicating

4 Reasons why Auditor Standardisation Meetings are a 'No-Brainer'


ISO 9001:2015 Transition Workshop

2023 Update: SQMC continue to provide opportunities for individuals and private groups to update their Quality Auditor qualifications to the 2015 version of ISO 9001. View details of the course content, and book your place on the next dates while they're still available.