Risk-Based Auditing

ISO 19011:2018, Guidelines for Auditing Management Systems, includes a new audit principle, the “Risk-based approach: an audit approach that considers risks and opportunities.”

The risk-based approach should substantively influence the planning, conducting, and reporting of audits to ensure that audits are focused on matters that are significant for the audit client, and for achieving the audit program objectives.

This article highlights the references to risk throughout the ISO 19011:2018 standard.

Risk Definition

Risk is defined at clause 3.19 as the “effect of uncertainty”. Notes explain that an “effect” is a deviation from the expected, positive or negative, and that “uncertainty” is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.

Additional Notes state that risk is often characterized by reference to potential events and consequences, or a combination of these. The Notes also state that risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.

Auditee Contact

Clause 6.2.2 identifies multiple topics to be addressed when the audit team leader establishes contact with the auditee, including to:

1. Request access to relevant information for planning purposes, including information on the risks and opportunities the organization has identified and how they are addressed;
2. Determine any areas of interest, concern, or risks to the auditee in relation to the specific audit.

Audit Preparation

When performing a review of the auditee’s documented information to prepare for the audit, clause 6.3.1 states that the review should take into account the context of the auditee’s organization, including its size, nature, and complexity, and its related risks and opportunities.

Audit Planning

The audit team leader should adopt a risk-based approach to planning the audit based on the information in the audit program and the documented information provided by the auditee.

According to clause 6.3.2, audit planning should consider the risks of the audit activities on the auditee’s processes and provide the basis for the agreement among the audit client, audit team, and the auditee regarding the conduct of the audit.

The amount of detail provided in the audit plan should reflect the scope and complexity of the audit, as well as the risk of not achieving the audit objectives.

In planning the audit, the audit team leader should consider the risks to achieving the audit objectives created by ineffective audit planning, and the risks to the auditee created by performing the audit.

Risks to the auditee can result from the presence of the audit team members adversely influencing the auditee’s arrangements for health and safety, environment, and quality, and its products, services, personnel, or infrastructure (e.g., contamination in clean room facilities).

Audit planning should address or reference the allocation of appropriate resources based upon consideration of the risks and opportunities related to the activities that are to be audited.

Audit planning should take into account any specific actions to be taken to address risks to achieving the audit objectives and the resulting opportunities.

Audit Guides

Guides, appointed by the auditee, should assist the audit team and act on the request of the audit team leader or the auditor to which they have been assigned. According to clause 6.4.2, their responsibilities should include ensuring that rules concerning location-specific arrangements for access, health and safety, environmental, security, confidentiality, and other issues are known and respected by the audit team members and observers, and that any risks are addressed.

Opening Meeting

The purpose of the opening meeting, according to clause 6.4.3, is to:

1. Confirm the agreement of all participants to the audit plan;
2. Introduce the audit team and their roles;
3. Ensure that all planned audit activities can be performed.

An important topic to introduce will be the audit methods to manage risks to the organization which may result from the presence of the audit team members.

Audit Communication

During the audit, the audit team leader should periodically communicate the progress, any significant findings, and any concerns to the auditee and audit client. Clause 6.4.4 states that evidence collected during the audit that suggests an immediate and significant risk should be reported without delay to the auditee and, as appropriate, to the audit client.

Information Verification

Clause 6.4.7 states that information relevant to the audit objectives, scope, and criteria, including information relating to interfaces between functions, activities, and processes, should be collected by means of appropriate sampling and should be verified, as far as practicable.

If, during the collection of objective evidence, the audit team becomes aware of any new or changed circumstances, or risks or opportunities, these should be addressed by the team.

Audit Finding

An “audit finding” is defined at clause 3.10 as the results of evaluating the collected audit evidence against audit criteria. Notes for that definition state that audit findings indicate conformity or nonconformity, and can lead to the identification of risks, opportunities for improvement, or recording of good practices.

Nonconformity Grading

According to clause 6.4.8, nonconformities can be graded depending on the context of the organization and its risks. This grading can be quantitative (e.g., 1 to 5) and qualitative (e.g., minor, major). Nonconformities should be reviewed with the auditee to obtain acknowledgement that the audit evidence is accurate and that the nonconformities are understood.

Audit Conclusions

Audit conclusions should address issues such as the extent of conformity, achievement of objectives, and improvement of the management system. Clause 6.4.9 also states that audit conclusions should include the identification of risks and effectiveness of actions taken by the auditee to address risks.

Closing Meeting

A closing meeting should be held to present the audit findings and conclusions. Clause 6.4.10 states that the degree of detail should take into account the effectiveness of the management system in achieving the auditee’s objectives, including consideration of its context and risks and opportunities.

Audit Report

The audit team leader should report the audit conclusions in accordance with the audit program. The audit report should provide a complete, accurate, concise, and clear record of the audit. Clause 6.5 states the report should note that audits by nature are a sampling exercise, and therefore, there is a risk that the audit evidence examined may not be representative.

Audit Completion

The audit is completed when all planned audit activities have been carried out, or as otherwise agreed with the audit client (e.g., there might be an unexpected situation that prevents the audit from being completed according to the audit plan). According to clause 6.6, lessons learned from the audit can identify risks and opportunities for the audit program and the auditee.

Auditor Competence

In deciding the necessary competence for an auditor, clause 7.2 states that an auditor’s knowledge and skills related to the types and levels of risks and opportunities addressed by the management system should be considered.

An auditor should be able to understand the types of risks and opportunities associated with auditing and the principles of the risk-based approach to auditing.

The discipline and sector-specific competence of auditors should include the principles, methods, and techniques relevant to the discipline and sector, such that the auditor can determine and evaluate the risks and opportunities associated with the audit objectives.

An audit team leader should have the competence to discuss strategic issues with top management of the auditee to determine if they have considered these strategic issues when evaluating their risks and opportunities.

Auditing Risks

As part of the assignment of an individual audit, the determination and management of the organization’s risks and opportunities can be included. Annex A.10 states that the core objectives for such an audit assignment are to:

  • give assurance on the credibility of the risk and opportunity identification process;
  • give assurance that risks and opportunities are correctly determined and managed;
  • review how the organization addresses its determined risks and opportunities.

An audit of an organization’s approach to the determination of risks and opportunities should not be performed as a stand-alone activity. It should be implicit during the entire audit of a management system, including when interviewing top management.

An auditor should take the following steps and collect objective evidence on:

a) Inputs used by the organization for determining its risks and opportunities, which may include:

  • analysis of external and internal issues;
  • the strategic direction of the organization;
  • interested parties and their requirements;
  • potential sources of risk such as environmental aspects, safety hazards, etc.

b) Methods by which risks and opportunities are evaluated, which can differ between disciplines and sectors.

The organization’s treatment of its risks and opportunities, including the level of risk it wishes to accept and how it is controlled, will require the application of professional judgement by the auditor.

Auditor Training

Our onsite “Internal Auditor” courses have been updated for the revised guidance in ISO 19011:2018. Please see our website to view the descriptions for our Internal Auditor courses based on the ISO 9001:2015, ISO 14001:2015, ISO 45001:2018, AS9100:2016, AS9110:2016, AS9120:2016, ISO 13485:2016, and ISO 27001:2013 management system standards.