Management system audit requirements may include reference to documents such as policies, objectives, processes, procedures, instructions, quality plans, which can when combined with an audit scope statement, deliver internal audits which can be either wide-ranging or focused on any aspect of the organization or part thereof and which has the potential to address risk performance.
ISO 19011 considers that there is a risk associated with delivering an audit program which addresses all the requirements of the various standard or the management system are covered within a year.
Why does this method of scheduling create a risk?
Essentially audit programs which are fitted into an annual 12month calendar program rarely take risk into consideration.
Since there are very little pre-audit considerations related to risk elements during the planning phase of the audits or to put it in context to consider the “effect of uncertainty on audit objectives.”
During the delivery of the internal audit, any non-conformances (whilst rectified following the finding) are typically factored into future audits which is leaning towards a consideration of risk but into the future.
What’s in an Audit?
Every performed audit during the planning phase should reference a defined scope. The scope typically provides direction related to the criteria as a reference point as well as a focus for the auditor.
The audit scope may consider the whole management system or an individual process within the Management System.
Driving Audit Value
To enable the use of internal audits as an effective tool, the scope should be adjusted to consider the parts of the management system that have been associated with an identified risk.
Experience shows that actual processes are typically lower in risk exposure when compared with the interface between organizations and their processes that present the highest risk.
Audits are in basic terms, a gap analysis or a comparison of the degree of conformity to a specified requirement.
The requirement against which the audit is conducted may be modified to better suit the risk profile identified.
Typical Criteria may be used to identify risk for example related to:
a) Regulatory Requirements
b) Customer or Client Requirements
c) Service Level Agreements
Audit Planning Tools
Performing an audit can be a complex task and a number of planning tools are available to auditors
Checklists – The use of checklists may sometimes be found to miss the point of the audit by not going deep enough – however when used as an aide memoir the checklist often serves a valuable purpose.
The final comment related to checklists is that effective audit must go deeper into a management system than simply asking “checkbox” questions.
Sofema Aviation Services www.sassofia.com and SofemaOnline www.sofemaonline.com offers classroom and online training related to EASA & ISO 19011 Compliant Aviation Quality Assurance (QA) & Root Cause Assessment (RCA) please see the websites or email office@sassofia.com or online@sassofia.com
