Risk based internal auditing

[SGquality]

I am looking for a procedure on creating an internal audit schedule per ISO 13485 requirements using a risk-based approach. This facility is a new startup and in their 3rd year of business.

In the last calendar year, they had identified 10 processes as part of their entire QMS and audited them all. But this year, due to the Covid-19 situation, they want to scale back and probably eliminate certain processes that did not generate any major audit nonconformance.

Could you advise on how to come up with a risk-based approach?

Thank you very much

 

[indubioush]

My suggestion is to create a two-year audit plan. The first year, audit the processes that had nonconformities in the previous audits. The second year, audit processes that did not have nonconformities. Make note of the rationale on the audit plan.

You are required to audit all areas at previously defined intervals. Therefore, you would not want to have an audit plan that only has some processes. You need to list all of them. Defined intervals mean annually for most companies, but this is not required.

 

[John Predmore]

I am in a different industry, but today I looked at my own audit schedule. I listed all my processes and key procedures in a spreadsheet. Then I added columns for internal and external audit findings, KPIs that fell short of goal, any procedures which had major changes in recent months, and a catch-all column to note "criticality" to operations. In each of these tally columns I added notes where deficiencies were found in the past 12 months, or anything else that might spell risk. Using a COUNTA function, I added across the rows for a "Risk indicator" score. Most rows added to zero, and a few had a sum of one or two. I will try to audit the areas with more risk earlier and more frequently than the others.

The final schedule is up to me, but now I have a model I can show the outside auditor if he asks whether I made a risk-based decision.

 

[SGquality]

I am in a different industry, but today I looked at my own audit schedule. I listed all my processes and key procedures in a spreadsheet. Then I added columns for internal and external audit findings, KPIs that fell short of goal, any procedures which had major changes in recent months, and a catch-all column to note "criticality" to operations. In each of these tally columns I added notes where deficiencies were found in the past 12 months, or anything else that might spell risk. Using a COUNTA function, I added across the rows for a "Risk indicator" score. Most rows added to zero, and a few had a sum of one or two. I will try to audit the areas with more risk earlier and more frequently than the others.

The final schedule is up to me, but now I have a model I can show the outside auditor if he asks whether I made a risk-based decision.

Thanks. Would it be possible to share the spreadsheet?

 

[John Predmore]

I am in a different industry, but today I looked at my own audit schedule. I listed all my processes and key procedures in a spreadsheet. Then I added columns for internal and external audit findings, KPIs that fell short of goal, any procedures which had major changes in recent months, and a catch-all column to note "criticality" to operations. In each of these tally columns I added notes where deficiencies were found in the past 12 months, or anything else that might spell risk. Using a COUNTA function, I added across the rows for a "Risk indicator" score. Most rows added to zero, and a few had a sum of one or two. I will try to audit the areas with more risk earlier and more frequently than the others.

Here is enough to give you the idea. (Specific content related to my company deleted or disguised)

 

[outdoorsNW]

We use a similar system to what John described above. Each column has points entered. Some are only X points (fixed number) or zero, while others allow a range of values to capture severity. (ie a small problem would be one point but a big problem could be 5 or 10 points)

Using points is also easier for people less skilled with spreadsheets to use.

In addition we have a column for processes not audited in several years. This column, while helpful, also takes a bit of care to use because sometimes a process gets audited in detail as part of an audit of another process. Sometimes only half of a process gets audited as part of another audit, leading to questions of should the process be given points in the not audited in several years column.

 

[SGquality]

Much appreciated

Here is enough to give you the idea. (Specific content related to my company deleted or disguised)