Skip to content
Why does my company need risk-based auditing? It is doing fine with clause based auditing
Clause based auditing only informs that the clause is met; it does not inform on the effectiveness of the Management System
What is the reason?
Because the clause in itself does not operationalize the system, we have explained the difference on our main page. In addition, the ISO Management System Standards requires the risk to the business of internal and external issues to be considered to determine its strategic direction.
My company only needs the certificate, and we will pass anyway; there is no history of failed certifications for clause based auditing.
That may be so for certification. Is that it is your primary focus? Your operations can benefit otherwise by understanding if operational risks exist and are managed.
What do you mean?
Risk exercise identifies operational controls. Enhanced control means more enabled management.
If I am to be audited based on risk, does the company need to do anything differently? Is my company certified to only one Standard?
Although certified only one Standard, the risk from other disciplines can contribute and affect your operations’ status because controls via the certified Standard is not provided to manage risk across the board. You need to know how to do so.
If it is the case, how do I fix that?
By taking a holistic approach to the operations by having an integrated management system
We have an integrated manual. Isn’t that the same thing?
Integrated manual means combined documentation from the Standards; it does not represent integrated operations!
* From ISO 19011:2018 Pg. vii
This document adopts the combined audit approach when two or more management systems of different disciplines are audited together. Where these systems are integrated into a single management system, the principles and processes of auditing are the same as for a combined audit (sometimes known as an integrated audit).
Many industries have more than one discipline covered by one or more standards and legal requirements.
Is there a difference?
An integrated manual does not necessarily identify the risks across the process to operate as a single management system; it may just mean the standards are combined in one document.
How are integrated operations achieved to prepare for a risk-based audit?
It is part of the program of preparing the organization which the ‘Certified Management System Risk Auditor’ program delivers.
How do we know it is the correct approach – your program is not certified by an ‘authority.’
ISO does not require any internal auditor certification to be delivered by any authority. Besides the most typical of programs – explain each clause – with no provision for the application. Ours is an internal auditor program that trains and applies a holistic risk approach to accommodate the ‘how-to’ for risk-based audits, with an applied methodology to enable a single management system*.
Keep in mind I have won two awards in two different countries pertaining to single management systems. Organizations such as the IRCA and Exemplar– have no authority with evidence of awards for single management system formats.
11 Our issue with internal audits is that we do not get sufficient information to make a difference; we go through the motions to satisfy the requirement. How can we change that?
The training we provide comes with a format for your internal audits to follow a risk-based audit process, from which the effectiveness will be determined. In clause based audits, one not able to measure effectiveness, although previous standards had the requirement.