Why and How to Perform a Risk-Based Internal Audit (RBIA)

February 9, 2022 isowebseousr

Over recent years, a move to “risk-based thinking” has dominated quality standards like ISO 9001:2015. It now informs the approach of quality professionals.

Unfortunately, the concept isn’t always remembered – or properly understood – when it comes to internal audits. As in the past, the focus is still on “ticking off boxes”.

Here, we look at how risk-based thinking should affect internal auditing processes.

A typical audit with no consideration of risk

In a traditional internal audit, the focus is on compliance with external requirements, with little or no consideration of risk.

The audit schedule is based on the audit cycle. It focuses on deficiencies in controls and cases of non-compliance with policies and procedures.

Internal audit resources are spread over all business activities and business risks are not mapped.

Frequently, there’s disagreement with the business management over the action plans, which leads to delays in implementation.

This can lead to audit results that mean very little, with boxes ticked to ensure a company meets the clauses of the ISO 9001 standard, but a failure to truly address quality issues.

For example, a company proudly hangs its ISO certificate in its reception area, yet fails to deal with repeated complaints from a customer who is experiencing ongoing quality issues.

What a risk-based internal audit involves

A risk-based internal audit (RBIA) links internal auditing to an organization’s overall risk framework, putting risk at its center.

An RBIA is driven by the most recent risk assessments, with management’s highest-priority risks being addressed first.

The focus shifts from deficiencies in all internal controls and cases of non-compliance with an organization’s policies and procedures to the way in which risks specifically are controlled.

An RBIA brings an audit in line with real business goals and priorities and the risks associated with those goals. Internal auditors manage the internal control activities and help an organization develop its risk management processes by defining its risk landscape.

The benefits of an RBIA include:

  • making it easier for an organization to adapt to changing conditions
  • better understanding and management of risks
  • identification of risks and placement of internal controls to ensure best performance
  • making risks and their effects easier to understand.

Steps for conducting a risk-based internal audit

To conduct an effective RBIA, internal auditors must have a deep understanding of an organization’s business, its strategies, goals and objectives, so that the audit can focus on the organization’s most critical risk areas. Management must work closely with auditors to align business strategy and risks.

An organization’s directors must ensure the risk management framework includes:

  • identification and evaluation of risks that threaten the organization’s goals
  • an approved risk appetite, so that risks can be easily identified as being above or below it
  • development of an internal control system to reduce threats to below the risk appetite
  • recording, assessment and classification of risks in order of threat
  • defined responsibility for providing assurance on the risk management framework.

An RBIA is usually implemented in three steps.

Step 1: Assessing risk maturity

An overview is obtained of the extent to which the organization identifies, assesses, manages and monitors its risks. This indicates how far the organization’s own risk assessments can be relied on for audit planning purposes.

Step 2: Periodic audit planning

An audit is planned for a specific period where all areas requiring objective assurance are identified and prioritized. The risk management processes, the management of key risks and the recording and reporting of risks are included.

Step 3: Individual audit assignments

Individual risk-based assignments are executed that provide assurance on part of the risk management framework, for example on the mitigation of individual risks or groups of risks.

Risk and audit management software from isoTracker

isoTracker can help your organization perform a risk-based internal audit. We can help with both risk assessment and the internal auditing process.

Our software dramatically simplifies risk management. It provides an integrated, centralized, cloud-based system for identifying, assessing, monitoring, and mitigating risks. It uses automated notifications and workflows to assign and track risk mitigation tasks, and gives you up-to-date risk analytics.

Our cloud-based audit management software simplifies compliance and helps companies conduct and pass audits, and drives improvements.

It has built-in features for ensuring that audit and compliance issues are reliably resolved.

Our risk and audit management modules can be used as part of a full QMS or on their own.

isoTracker’s QMS software: affordable and modular

isoTracker offers modular, subscription-based quality management software that’s secure, cloud-based and affordable. As well as audit and risk management software to help with a risk-based internal audit, we offer document management, complaints management, and training modules, with built-in CAPA capabilities.

Digital quality management is one, straightforward way for small to medium manufacturing businesses to start realizing value from Industry 4.0 – and with isoTracker’s QMS, it’s easy and cost-effective to implement.

Sign up for a free 60-day trial of isoTracker’s quality management software or contact us to discuss your needs.
