Risk-based audit planning in practice

Written by Paul Simpson, Bywater associate and quality expert.

In my earlier blog post, I wrote about the need for an internal audit programme to consider the importance of the organisation’s processes and for the audit programme to be suitable for the organisation’s needs. What, then does that mean for an individual audit plan?

The good practice that each MSS requires is given in Annex SL:

9.2.2 Internal audit programme

The organization shall plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting.

Focusing on the planning aspect here and continuing to address the quality management system (QMS) processes as an example:

• As an auditor we have been assigned an audit now to plan and carry out. Firstly, what information on importance/risk have we been given by the person assigning the responsibility to us? If they have used Failure Mode and Effects Analysis (FMEA) then perhaps we have the Risk Priority Number (RPN) for the process we are scheduled to audit. Remembering that the RPN is the product of the ratings for: the Severity of the impact of a process failure; the likelihood of Occurrence of that failure; and the rating for our ability to Detect a failure before it affects the customer. So (S x O x D = RPN). The audit programme manager should have used this RPN to decide the frequency of audit of the process and the planned duration of the audit. Both of these are helpful for us, as auditors, to help in planning.
• It is part of the competence criteria for an internal audit or that we understand how the organisation works and we can evaluate the process that we have been given to audit. If not, walk away now! What do we know as auditors that will help us cover the process risk? We can familiarise ourselves with the FMEA tables that were used to drive the RPN. The Bywater sample tables are here. Ideally we can access the risk rating for each of the elements of the RPN and any justification for the rating. Even without knowing the specific S, O, D ratings we can have a rough idea of what led to the RPN we were given. If not we can always ask the audit programme manager.
• Taking an example, we can use the RPN to look back to the tables: if, say, the RPN is 125 (with middling scores for each criteria) then we know that ‘our’ process is not vital to the customer but contributes to internal efficiency (S); is stable, generally working well but could be improved (O), and; has reasonable internal controls to prevent external failures (D).
• We can take this assumption or the real-world figures and paint a picture that will help us plan for the approach to the audit. It will be quite different from an RPN of the high hundreds when we are expecting to walk into a war zone!
• What other importance/risk factors can you include in your plan? One of the best things about being an internal auditor is that we are part of the system and we see and hear things related to the process that we have been asked to audit. Even if it is just water-cooler chat, any of the workplace gossip about what is working well and what isn’t can be worth a question when you are on the audit. Similarly, if there has been a recent customer complaint since the audit programme was established it’s a valid trail to follow. There’s a danger that in looking at performance figures we lose some of the independence that we have and the audit becomes a finger-pointing exercise, so we don’t want to fall into that trap.

All of this risk information is incredibly valuable but will mean nothing unless it is used to plan and carry out the audit. We should extract these golden nuggets and share them with the people involved in the process that we are about to audit. Continuing this transparent approach runs the risk of people feeling that they are being investigated. We have to ensure that the message gets across that we are trying to make the system better and our ‘fresh eyes’ may help with the understanding of process effectiveness.

Providing an example again: If we have delved in to the background of the process RPN and the reasons for the individual scores for S, O and D we can add this information into the plan, perhaps in the attached format: Risk-based audit plan

On the plan we let the auditees know what areas of risk we will be focusing on:

Severity

• The perceived importance of the process and any prioritisation of customers we will be looking to select as part of our sample.
• Any regulatory requirements related to the product or service that we provide that we will be looking to cover during the audit.

Occurrence

• Results of previous internal and external audits that we will be checking corrective actions for.
• Any current measures of process performance.
• Any organisational changes that we will be looking to evaluate.
• Any process changes that we will be testing the effectiveness of.
• Any customer complaints relevant to the process we will be auditing.

Detection

• Any of the organisational changes (from detection) that we feel may mean we don’t find process issues.
• Any of the customer complaints that we believe should have picked up internally.
• A review of internal process controls and process measures.

By sharing this information in advance with the auditee we are seen to be open and transparent. We lose no independence or impartiality as we are working from information in the public domain (at least within our organisation). We should now be able to have open, honest conversations about evidence that exists and focus the audit on these key areas with a view to process improvement. This is, after all, the purpose of the internal audit.