Introduction to risk-based auditing
Taken from ISO 19011:2018
‘The training provides guidance on auditing management systems, including the principles of auditing, managing an audit program and conducting management system audits, as well as guidance on the evaluation of competence of individuals involved in the audit process. These activities include the individual(s) managing the audit program, auditors and audit teams.
The differences compared to the second edition are as follows:
— addition of the risk-based approach to the principles of auditing;
— expansion of the guidance on managing an audit program, including audit program risk;
— expansion of the guidance on conducting an audit, particularly the section on audit planning;
— expansion of the generic competence requirements for auditors;
— adjustment of terminology to reflect the process and not the object (“thing”);
— removal of the annex containing competence requirements for auditing specific management system disciplines (due to the large number of individual management system standards, it would not be practical to include competence requirements for all disciplines);
— expansion of Annex A to provide guidance on auditing (new) concepts such as organization context, leadership and commitment, virtual audits, compliance and supply chain.
Audit results can provide input to the analysis aspect of business planning, and can contribute to the identification of improvement needs and activities’.
Participants become familiar with the Standard through 100-question tests that direct trainees through the Standard, covering the shift from clause-based to risk-based audits and the content that supports that shift.
The program enables organizations to be prepared for risk-based audits. According to A.10 of the Standard, ‘An audit of an organization’s approach to the determination of risks and opportunities should not be performed as a standalone activity.
a) inputs used by the organization for determining its risks and opportunities;
b) methods by which risks and opportunities are evaluated, which can differ between disciplines and sectors.’
The trainee auditor learns how the organization treats its risks and opportunities, including the level of risk it is willing to accept and how that risk is controlled, and how the auditor applies professional judgment. The basis for professional judgment in a multi-discipline process is established.
Risk-based training is conducted via PowerPoint. Participants are directed through a systematic methodology that differentiates clause-based audits from risk-based audits of combined or single management systems. The PowerPoint further details the differences between the 2011 and 2018 versions of the Standard. It shows how objective evidence and audit results provide input to the analysis aspect of business planning, and how they contribute to the identification of improvement needs and activities. Participants are tested on the PowerPoint content to determine their competency in multidiscipline audits and in the other facets that make the audit useful as a management tool.
The internal auditor then carries out all the requirements to conduct an audit of the organization. Acceptance of that internal audit by the external registrar auditor demonstrates the integrity of the Certified Management System Auditor Competency program.