ISO 19011:2018 Risk-Based approach
A seventh auditing principle? Surely not! Risk-based approach, hmmm, surely we have always been doing that in auditing? Well yes, possibly, but to what extent? Try these questions on for size:
1. Does risk influence your overarching audit programme?
2. Does risk influence what your auditors cover in their audits?
3. Do your auditors know how to ask risk-based or hypothetical questions?
4. Do your auditors know how to audit risk management or “risk-based thinking”?
5. Do your auditors have actions in place to assess the risk of audit objectives not being met?
So risk in management systems, and risk in management system auditing, is quite multi-faceted. Let us now imagine how your average company might respond to each of the above questions:
1. Does risk influence your overarching audit programme?
“We audit our critical processes more frequently.”
2. Does risk influence what your auditors cover in their audits?
“We instruct our auditors to focus on high risk areas.”
3. Do your auditors know how to ask risk-based or hypothetical questions?
“We encourage our auditors to use ‘what if’ scenarios to test out potential risk.”
4. Do your auditors know how to audit risk management or “risk-based thinking”?
“We tell our auditors to check if area managers are routinely looking at risks & opportunities.”
5. Do your auditors have actions in place to assess the risk of audit objectives not being met?
“We give ample time for our auditors to prepare to increase the effectiveness of our audit programme.”
Auditor competence is coming under more scrutiny and gets higher billing in the latest ISO 19011 standard. If you ask auditors to prove their competence, they might show you a training certificate. But does that demonstrate competence? Probably not if you use the ISO 9000 definition of competence, “ability to apply knowledge and skills to achieve intended results”. So how can we ensure that auditors are not only trained but also demonstrate that learning during their audits? Here are three ways:
1. an experienced auditor observes them once or twice a year and provides feedback.
2. an experienced auditor reviews their audit reports and provides feedback.
3. feedback is obtained from those involved in the audit.
The third method may not be effective, as you could get remarks like “he was very friendly” and “she was very interested” which, although they are positive auditor traits, do not demonstrate that a good audit was carried out. You may even get “it was a great audit, we did not receive any nonconformities”, which also tells us nothing. So a mix of 1 and 2 may be the most reliable, and it would be very good practice to draw up a list of competencies for your auditors and then measure them against these when an audit is carried out. Some competencies may be specific to the live audit and some may be specific to the report.
Risk-based approach is subtle, and its benefits are multiple.