ISO 19011:2018 - Risk Based Approach for planning, conducting and reporting of internal audits

Pmarszal

Involved In Discussions
#1
I am reviewing the new ISO 19011:2018 and seeing that a risk based approach is required for planning, conducting and reporting of internal audits.

My question is this:

Our organization already takes into consideration the status and importance of each process and area, as well as the results of previous audits, to determine the frequency. Although typically the frequency remains at once per year, during audit planning the length of the audit is based on the same criteria, and based on those criteria the audit length is extended to more days.

Is this enough to claim compliance or do we need to have a proper documented risk assessment for the planning, conducting and reporting of internal audits?

I am just trying to determine how much I need to revise my internal audit SOP to comply.

Thank you in advance.

Sidney Vianna

Post Responsibly
Staff member
Admin
#2
I am reviewing the new ISO 19011:2018 and seeing that a risk based approach is required for planning, conducting and reporting of internal audits.
Actually, as ISO 19011 is a guidance standard, nothing is really required. All is suggested, and it is up to each organization, at its own level of the internal audit maturity journey, to implement the suggestions/guidance as it sees fit.

My question is this:

Our organization already takes into consideration the status and importance of each process and area, as well as the results of previous audits, to determine the frequency. Although typically the frequency remains at once per year, during audit planning the length of the audit is based on the same criteria, and based on those criteria the audit length is extended to more days.

Is this enough to claim compliance or do we need to have a proper documented risk assessment for the planning, conducting and reporting of internal audits?
If the frequency of internal audit remains once a year no matter what, you are not truly taking action on frequency based on status, importance, past performance, criticality, risk, etc. Unless there are very few business changes in the organization, an annual internal audit cycle seems utterly stagnant. In my experience, in order to add value to top management, internal auditing has to be made very agile and react to internal and external risks and challenges in a timely manner. A stale, annual cycle of internal audits seems to be the norm for many companies that fail to extract business benefits from their internal audit program.

My recommendation is for you to thoroughly review 19011:2018 ¶ 5.3 - Determining and evaluating audit programme risks and opportunities and ¶ 6.3.2.1 - Risk-based approach to planning. These are the two areas where the principle of a risk-based approach to internal audits is more explicit in the latest version of 19011.

Good luck.
 

kalehner

Involved - Posts
Advertiser
#3
ISO 19011:2018 does a poor job of describing a “risk-based approach”. In the beginning of the standard (Clause 4) it says this:

"g) Risk-based approach: an audit approach that considers risks and opportunities

The risk-based approach should substantively influence the planning, conducting and reporting of audits in order to ensure that audits are focused on matters that are significant for the audit client, and for achieving the audit programme objectives".

Then in 6.3.2.1 Risk-based approach to planning it throws that entire concept of “ensure that audits are focused on matters that are significant” out the window by not addressing this concept at all. Instead this clause focuses on risk to the auditee from the audit process when it says

“Audit planning should consider the risks of the audit activities on the auditee’s processes”.

As a member of the US TAG for TC 302 I was disappointed by the transparency of this standards development process. How does the final guidance have a clause that almost directly contradicts itself when it comes to the question of risk-based approach? Nice try TC 302, but you missed the mark on “risk-based approach”.
 
#4
Kalehner: If you'd give us a bit of info about the organization - scope of QMS, headcount etc. it would be easier to discuss. However, I too am in the camp of believing that if you fully understand "status and importance" (which I take to be the same as "risk and impact") then suggesting that doing annual audits tells me there's a disconnect...
 

kalehner

Involved - Posts
Advertiser
#5
AndyN: Is that question for me? Not sure I understand. Headcount? Scope of QMS? What has that to do with my comment on ISO 19011:2018's treatment of "risk-based approach"?
 

John Broomfield

Staff member
Super Moderator
#6
pmarszal,

May we take it that you are auditing processes according to their status and importance instead of auditing them once a year whether they need it or not?

How often do you audit the leadership process compared with, say, the control of information? Have you a member of the top management team on your team of competent auditors?

What would cause you to re-evaluate the frequency of planned audits?

How do your auditors sample according to risk and opportunity? Are they competent to do this or do they still have standard checklists?

How do you monitor the performance of your auditors in preparing for audits, conducting audits, evaluating evidence and reporting the results?

John
 

KimGr

Involved In Discussions
#7
We review the internal audit schedule during each management review and adjust it according to performance, past audit results, and risks/opportunities identified (including upcoming or already implemented changes). That is how I am answering how we schedule audits and to me it ticks off all the boxes. Am I sending my auditors where they are most needed and are they helping? I too was a little frustrated with the contradictory language (glad to see someone on the committee agrees and I wasn't reading it wrong!) so I just went down the value-added path. It's all in the management review, why not use it?
 

Sidney Vianna

Post Responsibly
Staff member
Admin
#8
Then in 6.3.2.1 Risk-based approach to planning it throws that entire concept of “ensure that audits are focused on matters that are significant” out the window by not addressing this concept at all. Instead this clause focuses on risk to the auditee from the audit process when it says

“Audit planning should consider the risks of the audit activities on the auditee’s processes”.
I think you are exaggerating as it does not throw out the entire concept of risk based audit planning. It just reminds us that auditing has a component of disruption and potential to impact the operation being audited. The example they list (potential contamination of clean rooms) is spot on.
 