Risk Based Audits - focussing on those areas of identified risk

eric abbott

Does anyone have experience of risk-based auditing, i.e. focussing on those areas of identified risk rather than on those which, if non-compliant, would have no significant impact on the process?

Regards
Eric
 
stefanson

Hi Eric,

I have evaluated organizations for risk of delivering nonconforming products and violating regulatory requirements. I call them Risk Assessment Audits or Risk Analyses or Risk Reduction System Evaluations. Should allegations of product liability or regulatory compliance be raised, organizations need to have systems, practices and records in place to send the investigators elsewhere.

What would you like to know?
 

Marc

I'd like to hear whatever you have to say about format, what things are you looking at, how do you assign risk values, etc.
 
Greg Mack

Hi Eric,

I have used a risk based assessment for our internal audit schedule. As we have a National system (across Australia) involving five business units, I have asked each Department Manager in all businesses to assess each procedure based on risk to the business.

A rating of "1" is considered a high risk, "2" is considered a medium risk, and "3" a low one. These are then scheduled to be audited six monthly, annually and biennially respectively.

This was a good and easy approach which has worked well for us and also impressed our third party auditors. It is an easy approach to compiling an audit schedule based on risk.

Recently (last week) I re-issued our schedule and changed it somewhat. I have made the schedule more of a "real-time" schedule rather than an excessive planned approach, and also cut back dramatically on the base schedule.

Now we have our category "1's" which are audited by an internal Corporate Team annually. Category "2's" are scheduled once every two years, and category "3's" are considered optional based on need as they are not considered a risk to the day-to-day operation of the business.

The intent is that the trends identified in the Corrective/Preventive Action system are added to the audit schedule on a progressive basis. So this then reflects the current "real-time risks" of the business rather than trying to plan risks over two years based on gut-feel.

Of course, should the business wish to audit areas at a higher rate than the base schedule then that is up to each respective business.

This approach seems to be good on paper so far, and time will tell how effective it is. I am banking on it being a winner though.

Hope this insight helps.
 