
Preventive Action and Risk Assessment Audit

Audit Coordinator

Involved In Discussions
I found this site then a few months later, it was gone, and so HAPPY it's back now!!
Anyway, I am fairly new to quality (4 years) and am the audit coordinator for my company. I was certified as Lead QMS AS9100 auditor a year ago but it focused on clause auditing and not process auditing. So I am in the process of converting all of our audits for ISO 14001, AS9100, OHSAS 18001, and ISO 9001 from clause to process audits. Our quality manager and I have identified our processes, one of which is Preventative Action/Risk Assessment.
Knowing that more emphasis is placed on risk assessment in the newly released ISO 9001, I am wondering, first, if we should create an audit just for Preventive/Risk Assessment as a stand alone process audit or incorporate these elements into every other process audit.
If you think it should be audited as a stand alone audit, does anyone have an example of a preventative/risk assessment "checklist"? Personally, I'd rather incorporate it into all the other process audits as that would be a simpler audit to conduct; just asking each process owner how they plan on mitigating risk and documentation thereof.
Any advice or help is appreciated!

John Broomfield

Staff member
Super Moderator
For each process you audit you are concerned about the effectiveness of its controls in preventing nonconformity. These controls are a result of planning/designing the process with due regard for what could go wrong and the impact of the potential failure to meet requirements.

Being as you are concerned how well the system prevents nonconformity, you'll look first at the objective of the process and the actions taken on its inputs (material, data, information or person to which the process or work is meant to add value). How well does the system supply competent people and/or capable equipment to control the process? What is the behavior of the process and how does the person and/or machine know when to or not to take action before nonconforming output is the result?

While seeking evidence of risk-based thinking you'll see if these preventive controls are proportionate and in keeping with top management's toleration of risk so the controls are cost effective. This can be tricky because top management may not even be aware of the risks being taken. You may need to take evidence of such risks up the chain of command to determine their awareness and acceptance of significant risks of failure/ineffectiveness/nonconformity. In doing this part of the audit investigation you'll be determining the potential impact on customers and whether they have agreed to share the risk.

Lastly, you may sample the consequences of failing to adequately control the process and its inputs with due regard for the customer and other stakeholders.

In seeking evidence of effectiveness and conformity you may find evidence of what needs to be improved. By engaging the auditee in this process (and thinking) usually they see and agree the need for improvement just before you have to bring the evidence and nature of the nonconformity (includes ineffectiveness) to their attention for corrective action.



Staff member
Super Moderator
Hi. Your audit to assess the effectiveness of process and interactions is welcome. However, note that the new ISO 9001 wants you to apply risk based thinking to the QMS activities.
Hence you seek answers to find the extent of thought applied in every process, to assess whether the prospects and consequences of actions are well understood before interactions begin to happen. You would not look for any document, unless there is one made and you become aware.
Risk assessment applied to any area and maintained as a document are a different set of things based on internal or external requirement.
Risk based thinking is not risk assessment in total .....

Audit Coordinator

Involved In Discussions
Thank you both for your replies. So, in short, it sounds like it's best to incorporate risk based thinking/assessment into each process audit. I understand what needs to be determined and why, I just didn't know how to approach it - as a process by itself or as an element of each process.
Thanks again for your input.


Staff member
Super Moderator
The prospects / consequences in a process can be due to risks foreseen at any element level. You will have to assess if such thinking has gone through to determine risks at the probable elements level, and how that activity has been made robust to the extent possible and practicable. It's also perfectly fine if a specific risk is known and an awareness based decision is made to live with that risk. Please do not determine the risks as you perceive, and look for it in the audit. Rather your questions must bring out the risk based thinking application made.

Audit Coordinator

Involved In Discussions
Let me clarify what I was really asking.
First, I understand and agree with what has been stated above. My question really was regarding the approach. I can make it a stand alone audit or I can put those types of questions that probe risk based thinking into every process audit. When I say a stand alone audit, that means that the auditor would be working off of an audit format that would include only risk based questions but he/she would need to cover every relevant process in this audit.
The alternative is that these same types of questions would be integrated into all the process audits that I've already created. Does it make sense of what I'm really asking now? :mybad:

Later entry:
In doing more research, I've found the following, and have attached it to this posting. So, never mind my original question as this answers whether or not we will be making Risk Management/Assessment a process audit or incorporating it into all the process audits....

