January 21, 2022


Sofema Aviation Services (SAS) www.sassofia.com considers best practices related to the performance of Risk-Based Audits.

Considering The Value of a Risk-Based Audit Approach

A risk-based approach to internal audits allows the relative importance of each activity or area within the business to be assessed in the context of that area's performance.

Once data is available on the expected and actual performance of a particular business area, it becomes relatively straightforward to direct an appropriate level of audit activity and resources toward achieving the required audit objective.

Risk-Based Audits, if performed effectively, can lead to higher product quality as well as improvements in productivity, by focusing more quality time on the business areas which are either underperforming or in need of system and structural improvements.

Note – It is important to ensure Auditor Competence so that areas involving more complex products or processes are audited by persons with the required special skills or knowledge.

Assessment of Organizational Risk

The chosen process to assess risk depends on the organisation and may include any of the following techniques:

  • Standard risk analysis tools such as:
    o Hazard Analysis,
    o Fault Tree Analysis, or
    o Failure Mode Effects Criticality Analysis (FMEA).

Areas to consider when assessing general risk include:

  • Risk to Product Quality (rank according to criticality).
  • Risk to System Safety (rank according to criticality).

Areas to consider when assessing Performance Risk include:

  • Review of the history of nonconformances and CAPAs (areas with a higher number of nonconformities are given a higher risk score).

Areas to consider when assessing Compliance Risk include:

  • Review past findings and perform a gap analysis against current regulatory requirements. Compare with previous reviews.

Develop your risk-based audit plan by using the data from the above assessments and combining the individual risk scores to create an overall risk score for each business area or process.

Building Risk into Your Audit Plan

  • Higher-risk areas need to be audited more frequently.
  • For low-risk areas, the audit requirement may be relaxed to permit greater audit resources to be allocated to higher-risk areas.
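As an added illustration (not from the Sofema article), one way to carry out the scoring and planning steps above in code: the four risk inputs for each business area are combined into an overall score, the areas are ranked, and an audit frequency is assigned. The weights, the 1-to-5 scale, the count caps, the frequency tiers and the sample areas are all constructed assumptions.

```python
# Added example, not part of the Sofema article: combine quality, safety,
# performance and compliance risk inputs into one score per business area
# and map it to an audit frequency. All weights, scales and data are assumed.
from dataclasses import dataclass


@dataclass
class AreaRisk:
    name: str
    quality_criticality: int   # 1 (low) .. 5 (critical): risk to product quality
    safety_criticality: int    # 1 .. 5: risk to system safety
    nonconformances: int       # nonconformities / CAPAs raised in the review period
    compliance_gaps: int       # open gaps from the regulatory gap analysis


# Assumed weights; safety and compliance weigh more than the volume of findings.
WEIGHTS = {"quality": 0.25, "safety": 0.35, "performance": 0.15, "compliance": 0.25}


def scale_count(count: int, cap: int) -> float:
    """Map a raw count onto the same 1..5 scale as the criticality ranks (capped)."""
    return 1.0 + 4.0 * min(count, cap) / cap


def overall_score(area: AreaRisk) -> float:
    """Weighted combination of the four risk inputs, rounded to two decimals."""
    performance = scale_count(area.nonconformances, cap=10)
    compliance = scale_count(area.compliance_gaps, cap=5)
    score = (WEIGHTS["quality"] * area.quality_criticality
             + WEIGHTS["safety"] * area.safety_criticality
             + WEIGHTS["performance"] * performance
             + WEIGHTS["compliance"] * compliance)
    return round(score, 2)


def audit_frequency(score: float) -> str:
    """Assumed tiers: higher-risk areas are audited more often, low risk is relaxed."""
    if score >= 4.0:
        return "quarterly"
    if score >= 2.5:
        return "semi-annual"
    return "annual"


def build_audit_plan(areas):
    """Return (name, score, frequency) rows ordered highest risk first."""
    rows = [(a.name, overall_score(a), audit_frequency(overall_score(a))) for a in areas]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample data for three hypothetical business areas.
SAMPLE_AREAS = [
    AreaRisk("Line Maintenance", 5, 5, 8, 3),
    AreaRisk("Stores", 3, 2, 1, 0),
    AreaRisk("Training Records", 2, 3, 4, 4),
]
```

Running `build_audit_plan(SAMPLE_AREAS)` ranks Line Maintenance first (quarterly), Training Records second (semi-annual) and Stores last (annual).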

Conducting the Risk-based Audits

For a repeat audit, review the data you already have from previous audits and consider:

  • Observations from previous audits.
  • Previous corrective action plans and their effectiveness.
  • Consider any areas that were not inspected during previous audits.
  • Focus on any Defects, adverse events, or Corrective Actions.
  • Consider any changes to processes or personnel since the last audit.

By reviewing each department’s existing procedures it is possible to understand which elements or processes the department itself views as high-risk (do you agree?).

  • Focus your audit questions on these areas.

Risk-Based Audit Follow Up

  • Assign a risk level to each finding to clarify which findings need a quick response or escalation.
  • Address critical findings more quickly.
    o High-risk findings should trigger the Corrective Action / Preventative Action (CAPA) process to ensure effective mitigation.

Continue to Monitor the Changes in Risk

The previously performed risk assessment was essentially a snapshot of your quality, performance, and compliance risks.

  • Any changes will impact this “snapshot” so it is important to periodically repeat the process to build up confidence in the integrity of the system.

Next Steps

Follow this link to our Library to find and download related documents for free.

Sofema offers EASA Compliant Organizational Development through Risk-Based Auditing & Measurement of Effectiveness as a 2-day training program, available as a classroom course (either in-company or open) or as a web-based instructor-led training course.

To view course details, check here.

Please see our websites www.sassofia.com & www.sofemaonline.com or email team@sassofia.com for additional training details.
