In auditing RBT, I would have the following expectations:
- For clauses 6.1.1 and 6.1.2a: RBT were considered during QMS planning (e.g. SWOT or equivalent might have been utilized during strategic planning; for operational planning, tools like FMEA, Risk Matrices or Registries, etc. might be used to determine process risks/opportunities that need to be addressed). RBT can also be demonstrated to manage changes on QMS processes, products and services;
- For clauses 6.1.2b.1 and 4.4.1f: Controls are established on determined risks/opportunities. Controls can be physically present and/or specified in documented information such as control plans, procedures and instructions;
- For clauses 6.1.2b.2 and 9.1.3e: Effectiveness of the actions were evaluated, typically, through internal audits or evaluations of the set performance indicators. I'd like to see whether internal auditors look into the actions to address risks/opportunities;
- For clause 9.3.2e: One of the topics discussed in the management review was the result of the evaluation of the effectiveness of the actions taken to address risks/opportunities. The organization's lead internal auditor may have some sort of a summarized report on the audited actions on risks/opportunities;
- For clause 10.2.1e: I'll check whether reported NCs and implementation of CAs triggered the updating of the record of identified risks/opportunities, including actions.