Risk based internal auditing

SGquality

Quite Involved in Discussions
#1
I am looking for a procedure on creating an internal audit schedule per ISO 13485 requirements using a risk-based approach. This facility is a new startup and in their 3rd year of business.

In the last calendar year, they had identified 10 processes as part of their entire QMS and audited them all. But this year, due to the Covid-19 situation, they want to scale back and probably eliminate certain processes that did not generate any major audit nonconformance.

Could you advise on how to come up with a risk-based approach?

Thank you very much
 
Elsmar Forum Sponsor

indubioush

Quite Involved in Discussions
#2
My suggestion is to create a two-year audit plan. The first year, audit the processes that had nonconformities in the previous audits. The second year, audit processes that did not have nonconformities. Make note of the rationale on the audit plan.

You are required to audit all areas at previously defined intervals. Therefore, you would not want to have an audit plan that only has some processes. You need to list all of them. Defined intervals mean annually for most companies, but this is not required.
 

John Predmore

Quite Involved in Discussions
#3
I am in a different industry, but today I looked at my own audit schedule. I listed all my processes and key procedures in a spreadsheet. Then I added columns for internal and external audit findings, KPIs that fell short of goal, any procedures which had major changes in recent months, and a catch-all column to note "criticality" to operations. In each of these tally columns I added notes where deficiencies were found in the past 12 months, or anything else that might spell risk. Using a COUNTA function, I added across the rows for a "Risk indicator" score. Most rows added to zero, and a few had a sum of one or two. I will try to audit the areas with more risk earlier and more frequently than the others.

The final schedule is up to me, but now I have a model I can show the outside auditor if he asks whether I made a risk-based decision.
 

SGquality

Quite Involved in Discussions
#4
I am in a different industry, but today I looked at my own audit schedule. I listed all my processes and key procedures in a spreadsheet. Then I added columns for internal and external audit findings, KPIs that fell short of goal, any procedures which had major changes in recent months, and a catch-all column to note "criticality" to operations. In each of these tally columns I added notes where deficiencies were found in the past 12 months, or anything else that might spell risk. Using a COUNTA function, I added across the rows for a "Risk indicator" score. Most rows added to zero, and a few had a sum of one or two. I will try to audit the areas with more risk earlier and more frequently than the others.

The final schedule is up to me, but now I have a model I can show the outside auditor if he asks whether I made a risk-based decision.
Thanks. Would it be possible to share the spreadsheet?
 

John Predmore

Quite Involved in Discussions
#5
I am in a different industry, but today I looked at my own audit schedule. I listed all my processes and key procedures in a spreadsheet. Then I added columns for internal and external audit findings, KPIs that fell short of goal, any procedures which had major changes in recent months, and a catch-all column to note "criticality" to operations. In each of these tally columns I added notes where deficiencies were found in the past 12 months, or anything else that might spell risk. Using a COUNTA function, I added across the rows for a "Risk indicator" score. Most rows added to zero, and a few had a sum of one or two. I will try to audit the areas with more risk earlier and more frequently than the others.
Here is enough to give you the idea. (Specific content related to my company deleted or disguised)
 

Attachments

outdoorsNW

Quite Involved in Discussions
#6
We use a similar system to what John described above. Each column has points entered. Some are only X points (fixed number) or zero, while others allow a range of values to capture severity. (ie a small problem would be one point but a big problem could be 5 or 10 points)

Using points is also easier for people less skilled with spreadsheets to use.

In addition we have a column for processes not audited in several years. This column, while helpful, also takes a bit of care to use because sometimes a process gets audited in detail as part of an audit of another process. Sometimes only half of a process gets audited as part of another audit, leading to questions of should the process be given points in the not audited in several years column.
 
Thread starter Similar threads Forum Replies Date
Pmarszal ISO 19011:2018 - Risk Based Approach for planning, conducting and reporting of internal audits Internal Auditing 8
S Help me with preparing Internal Audit Schedule based on Risk analysis 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 2
A Risk Based Internal Quality Audit Scheduling and Planning Internal Auditing 2
Ajit Basrur Risk Based Internal Auditing - Pharmaceutical Plants Internal Auditing 3
silentmonkey Rationalising the level of effort and depth of software validation based on risk ISO 13485:2016 - Medical Device Quality Management Systems 10
G Any good examples of CAPA forms that include a risk based approach? ISO 13485:2016 - Medical Device Quality Management Systems 8
D Reduction of software class based on multiple external risk controls IEC 62304 - Medical Device Software Life Cycle Processes 5
D Validation of existing equipment - Risk based approach example ISO 13485:2016 - Medical Device Quality Management Systems 3
D Requirement of Pharmacovigilance (Drug Safety) Risk Based Strategic and Tactical Audit Plan General Auditing Discussions 0
Ed Panek Are audit non conformances also risk based? ISO 13485:2016 - Medical Device Quality Management Systems 1
C Usability IEC 62366-1:2015 and MDR 2017/745 - Risk based approach IEC 62366 - Medical Device Usability Engineering 1
M Informational USFDA draft guidance – A Risk-Based Approach to Monitoring of Clinical Investigations Questions and Answers Guidance for Industry Medical Device and FDA Regulations and Standards News 0
P Looking for Risk Assessment Template - Not necessarily Asset based IEC 27001 - Information Security Management Systems (ISMS) 1
S Can anybody share a sample risk assessment prepared based on ISO 17025:2017? ISO 17025 related Discussions 15
E Basic Risk based thinking questions Risk Management Principles and Generic Guidelines 5
Jen Kirley Risk Based Thinking and acts of God/Mother Nature Business Continuity & Resiliency Planning (BCRP) 1
T What is Risk-based Design? ISO 14971 - Medical Device Risk Management 15
Q Questions about the Risk-based approach to QMS processes ISO 13485:2016 - Medical Device Quality Management Systems 17
Sidney Vianna FAA and DCMA to leverage OASIS data to assist in planning risk-based oversight audits Federal Aviation Administration (FAA) Standards and Requirements 3
S ISO 13485:2016 - Risk-based Approach ISO 13485:2016 - Medical Device Quality Management Systems 3
S Risk based approach - Procedures already take a risk-based approach to QMS processes ISO 13485:2016 - Medical Device Quality Management Systems 3
S Risk Based Approach for ISO 13485:2016 Form/Procedure ISO 13485:2016 - Medical Device Quality Management Systems 23
Q Risk Based Thinking - Is a Documented Procedure required? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 15
Chennaiite But who said we are new to Risk based thinking Imported Legacy Blogs 1
Y Examples of Risk and Opportunities based on ISO 9001:2015 ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 2
Q Is it worth the effort to implement ISO 31000 Risk based on ISO 9001:2015? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 5
alonFAI How to define a Risk Based Approach for Supplier Management per ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 1
B Risk Requirements to meet the explicit Risk Based Approach of ISO 13485:2016 Examples ISO 13485:2016 - Medical Device Quality Management Systems 21
Sidney Vianna Are the TC 176 Documents on Risk Based Thinking useful to you? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 13
A Informational Risk Management (and Risk Based Thinking) in ISO 9001:2015 ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 54
J Timeframes for Risk-Based Biocompatibiilty Assessment Other Medical Device Related Standards 3
D Risk Based Inspection: Injection Molding Inspection, Prints (Drawings), Testing, Sampling and Related Topics 6
T Risk based Impact Level related to Customer Complaints 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 2
G Why do we use Sampling Plans based on Producer's Risk? Inspection, Prints (Drawings), Testing, Sampling and Related Topics 20
RoxaneB Risk-Based Audit Results - Audit Program for Multiple Locations General Auditing Discussions 8
V Evolving QA from 'Compliance-based' to 'Science/Risk-based' approach US Food and Drug Administration (FDA) 2
AnaMariaVR2 Risk Based Approach to Validation [article] Qualification and Validation (including 21 CFR Part 11) 3
W Customer wants 'Risk Based Compliance' for our Plastic Component Other Medical Device and Orthopedic Related Topics 3
D PA, CA and Risk-Based Decision Making - Need Input Preventive Action and Continuous Improvement 7
C Is Risk Based Decision Making part of Preventive Action Preventive Action and Continuous Improvement 5
J Overall Residual Risk Procedure based on the 2007 version of ISO 14971 ISO 14971 - Medical Device Risk Management 4
S Supplier Risk Check Sheet based on Quality and Delivery needed Supplier Quality Assurance and other Supplier Issues 1
C ISO/ PAS 28000 Implementation Guide - I'm interested in its risk based approach Other ISO and International Standards and European Regulations 4
Jen Kirley Some Options for Risk Based Auditing The Reading Room 14
sathis Risk Based Certification General Auditing Discussions 2
Sidney Vianna Risk Based Audits - Will the industry change it's approach? Registrars and Notified Bodies 0
C How is risk management handled in a software-based product ISO 13485:2016 - Medical Device Quality Management Systems 1
Scott Catron Any difference in FDA inspections since the risk-based approach was announced? US Food and Drug Administration (FDA) 6
E Risk Based Audits ocussing on those areas of identified risk General Auditing Discussions 3
D Risk Analysis using Monte Carlo Simulation instead of Scoring and Heat Map Risk Management Principles and Generic Guidelines 0

Similar threads

Top Bottom