Are Your Audits Clause-Based or Risk-Based?

The clause-based audit results are limited to counting the number of auditor nonconformances and corrective actions at the end of the audit. The count acts as a measure of conformity but doesn’t provide management with a report on the status of the organization’s performance.

According to ISO, ISO 19011 “provides guidance on auditing management systems, including the principles of auditing, managing an audit program, and conducting management system audits, as well as guidance on the evaluation of competence of individuals involved in the audit process.”

A clause-based approach, as was the norm in ISO 19011:2011, is conducted as a checklist of the standard’s clauses. The auditor uses the clause checklist to establish whether a particular clause has been fulfilled. An organization is asked to show objective evidence, as indicated by its procedures and practices, that the clause is fulfilled. Auditors typically determine the extent to which the procedures and practices meet each clause requirement in order to decide whether there is conformity to the clause or not.

Sections a–f of Clause 5.5.2 require an alternate audit format to generate the identified reports. Thus, the planning and conducting of the audit will differ from the traditional clause-based audit checklist. New auditor competence is necessary to fulfill this requirement because the 2011 version of ISO 19011:2018 has been canceled.

In addition to management standards such as ISO 9001:2015, regulations such as the Food Safety Modernization Act and the Sarbanes-Oxley Act are all risk-driven management systems. They should adopt a risk-based audit approach to determine if their operational risks are managed through the determined controls related to their compliance. They also follow the same ISO management system’s PDCA format that enables improvements when previously unidentified risks are found.

The purpose of risk per ISO 9001, according to its introduction, is to determine or plan preventive controls to manage such risk so that the objectives of “the process, function or activity” are met or deemed effective. In audit speak, these controls, usually procedures or work instructions, are called “criteria” because the controls are the criteria to avoid the effects of nonconformances, incidents, or degradation.

Our PROMISE: Quality Digest only displays static ads that never overlay or cover up content. They never get in your way. They are there for you to read, or not.

ISO 19011:2018 states that a risk-based audit approach should be taken. It replaces the 2011 version that focused on a clause-based auditing technique. According to the standard, the risk-based principle means that “risk should substantively influence the planning, conducting and reporting of audits to ensure that audits are focused on matters that are significant for the audit client and for achieving the audit program objectives.” It is against this background that a comparison between clause-based and risk-based audits is necessary to show how the practices differ. 

Management can compare the results of both internal and external risk-based audits to determine whether the company is achieving its strategic plans. The differentiation In a sense, clause-based audits seek evidence that the prescribed clause is applied per the original ISO maxim of “say as you do, do as you say.” This goes back to the inception of ISO 9001 standards in 1987. However, meeting the clause’s meaning doesn’t necessarily ensure controls for a process. Fulfilling the clause requirements doesn’t enable the auditor to report on the organization’s operational performance and its context.  Are your current audit practices of planning, conducting, and reporting influenced by risk and focus on significant matters?   From ISO 19011:2018, auditor competence isn’t based on the ability to assess a management system using a clause-based approach. Rather, a risk-audit format replaces the traditional clause-audit template. The purpose is to determine the extent to which operational risks are managed and to provide a meaningful audit report. Auditor competence is based on the auditor’s capability to assess and verify that the risk-derived control criteria are effective and found to be implicit throughout the audit. As such, if your audit practices have remained unchanged since the inception of ISO 19011:2018, training is required to follow through on the planning, conducting, and reporting of the risk-based audits. Thus, Annex A.10 directs auditors not to perform stand-alone or clause-type audits to uncover risks and opportunities. So what is the alternative to clause-based auditing? Risk-based audits The 2018 version replaced the 2011 version of the standard and clearly has a more risk-based approach in keeping with ISO 9001:2015 and related management system standards. Some of the changes described in ISO 19011:2018’s introduction include: • Taking a risk-based approach to auditing principles • Including audit program risk when managing an audit program • More guidance on conducting an audit, particularly audit planning • Adjusting terminology to reflect the process rather than the object • An expansion of Annex A to guide auditing concepts such as organization context, leadership and commitment, virtual audits, compliance, and supply chain. In keeping with the requirements of ISO 19011:2018, risk-driven operations should be audited via a risk-based technique to determine if the risk-derived controls over the operations were effective for meeting the organization’s strategic plan. Thus, risk-based audits add value. A trained risk-based auditor will be a meaningful resource for the organization to verify whether its planned performance objectives are met. This is very different from conducting the type of audits to retain a certificate. The focus is on the performance outputs, which are significant. Thanks, Quality Digest منبع: https://www.qualitydigest.com/inside/risk-management-article/are-your-audits-clause-based-or-risk-based-082423.htmlReporting on the audit, as per the standard’s Clause 5.5.2, enables management to verify whether the risk-driven controls are effective, based on the following: • Determining the extent to which the audited procedures/work instructions conform to the requirements of the ISO clause requirements • Evaluating the capability of the management system to meet required statutory, regulatory, and other requirements pertaining to the organization • Evaluating whether the management system effectively delivered the planned results, i.e., how many planned objectives were met over a predetermined period • Identifying the number of corrective actions as a result of the audit • Evaluating the suitability and adequacy of the management system in delivering the organization’s business objectives based on its strategy • Evaluating any changes resulting from reassessing risk and opportunities to establish and achieve new objectives when implementing related actions So please consider turning off your ad blocker for our site. Consequently, if your audit practice has remained unchanged since 2018, this article focuses on ISO 19011:2018 required audit practice. It’s the audit practice that should be applied to risk-driven management systems.  However, someone has to pay for this content. And that’s where advertising comes in. Most people consider ads a nuisance, but they do serve a useful function besides allowing media companies to stay afloat. They keep you aware of new products and services relevant to your industry. All ads in Quality Digest apply directly to products and services that most of our readers need. You won’t see automobile or health supplement ads. The purpose of risk is to determine or plan preventive controls to manage such risk so that the objectives of “the process, function or activity” are met or deemed effective.

What are clause-based audits?

Risk-based audits, on the other hand, are focused on outcomes by determining whether a plan or control derived from a risk exercise is effective. According to ISO 19011:2018 Annex A.4, “Auditors should be focused on the intended result of the management system throughout the audit process. While processes and what they achieve are important, the result of the management system and its performance is what counts.” The excerpt from A.4 says it all: A different type of audit approach is required.

Top management should know that new skills are required to frame their management system to measure the effectiveness of the risk-derived controls per the audit objectives. The performance and conversation language should encourage the organization to approach activities from a risk perspective and to demonstrate them in their control procedures. Appropriate objective evidence of performance is facilitated through the respective reports. Training cannot be solely for auditors; top management must understand the significance of risk-based audits as a management tool for the organization.

Conclusion

I’ve observed that ISO management system audits have remained largely unchanged, even after the advent of ISO 19011:2018, the auditing standard that superseded ISO 19011:2011. Auditors are still using clause-based auditing, despite ISO 19011:2018’s direction to take a risk-based approach.

Risk-based audits should assess the control/plan status and alert management about the organization’s performance, especially how it meets its strategic objectives. Each criterion is required to be addressed to provide a measure of the controls’ effectiveness.

With its risk-based approach to auditing, ISO 19011:2018 Annex A.10 states that “an audit of an organization’s approach to determining risks and opportunities should not be performed as a stand-alone activity. It should be implicit during the entire audit of a management system.” (The emphasis is mine.)