11 replies to this topic

[khanhhuyen]

sorry can anyone help me with this part 3.4

a risk assessment for the frequency of internal audits

accompanied by internal audit plan for each department according to each clause in the standard

[adeletheqa]

Hi khanhhuyen,

 

This is how it's done in my workplace.

 

Open the Word document I attached to see the severity table, likelihood table, the matrix, and outcome decision criteria. (it will all make sense when you're looking at it) 

 

Firstly, you'll need to organise a list of the departments, then you can assess them. (Let me know if you need help with this too)

 

 

You need to assess the severity or consequence of NOT auditing each department.

Then assess the likelihood of NOT auditing the department.

 

Even though we always do our internal audits, we chose C (possible) because there is always that possibility that something can get in the way of you doing your job. Although, nothing has ever gotten in the way - internal audits are super important and if you don't get them done, your external auditor will be checking and you'll get an NC. 

 

After assessing each department and giving them a score (all ours are scored at either 13 or 18, which means the frequency is 6 monthly for ones scored at 13, and yearly for ones scored at 18), you can now plan your audits based on risk.

 

 

Hope this helps. Let me know if you have any questions.

 

Attached Files

•  risk assessment for auditing.docx   16.85KB   361 downloads

[Tony-C]

Hi khanhhuyen,

 

I would start with a basic system of 3 x 3 risk assessment for each element of the standard as shown in the attached example where a high severity (3) would be an unsafe or illegal product and high possibility of failure (3) gives a significance of 9 (High Risk).

 

 BRCGS Food Internal Audit Scheduling.pdf   745.81KB   386 downloads

 

Then schedule high risk internal audits quarterly, medium risk every 6 months and low risk annually.

 

Kind regards,

 

Tony

 

 

[khanhhuyen]

thanks everyone

[Tony-C]

Hi khanhhuyen,

 

For your information, the IFSQN offers a Practical Internal Auditor Training for Food Operations that does include internal audit risk assessment and scheduling.

 

This is a 4-hour training session plus exam that is live on Friday, December 02, 2022 or can be taken at your own leisure via the previous recording.

 

This interactive online training webinar enables participants to develop practical knowledge of the principles of internal auditing so that they can participate as part of your internal audit team. The webinar provides instruction on how to implement an Internal Audit system and how to prepare, conduct and report on an internal audit.

 

The course is delivered in 8 sections:

 

1. Introduction to Internal Auditing

2. Auditing Documentation

3. Audit Scheduling and Risk Assessment

4. Internal Audit Procedure including preparation, reporting and practical audit examples

5. Guidelines for Auditing Management Systems based on ISO 19011

6. GFSI and GFSI Benchmarked Standards Internal Audit Requirements

7. Internal Audit Exercise

8. Online test consisting of 25 multiple choice questions covering the topics taught in the course.

 

Kind regards,

 

Tony

[khanhhuyen]

Determine the terms to be evaluated for each department

Does anyone have a manual for this part?

[Duncan]

Hi khanhhuyen,

 

This is how it's done in my workplace.

 

Open the Word document I attached to see the severity table, likelihood table, the matrix, and outcome decision criteria. (it will all make sense when you're looking at it) 

 

Firstly, you'll need to organise a list of the departments, then you can assess them. (Let me know if you need help with this too)

 

 

You need to assess the severity or consequence of NOT auditing each department.

Then assess the likelihood of NOT auditing the department.

 

Even though we always do our internal audits, we chose C (possible) because there is always that possibility that something can get in the way of you doing your job. Although, nothing has ever gotten in the way - internal audits are super important and if you don't get them done, your external auditor will be checking and you'll get an NC. 

 

After assessing each department and giving them a score (all ours are scored at either 13 or 18, which means the frequency is 6 monthly for ones scored at 13, and yearly for ones scored at 18), you can now plan your audits based on risk.

 

 

Hope this helps. Let me know if you have any questions.

 

 

 

Hi Adele

 

I believe the risk assessment concerns the risk associated with the activity, not a failure to audit an activity - see the attached screenshot.

 

An easy way of approaching it would be to say fundamental requirements are high-risk activities because a loss of control in those areas could jeopardise food safety, quality, legality and/or authenticity... While non-fundamental requirements are not addressing activities with as high a risk association.... So you could call activities associated with fundamental clauses higher risk, and increase your auditing frequency to reflect that.

 

Similarly, with previous audit performance, you could look at the previous year's audits and identify a selection of audits that yielded a comparatively high level of non-conformance, and increase your auditing frequency to reflect that.

 

The standard isn't looking for an assessment of risk associated with failing to carry out audits. 

 

Hope this helps.

Attached Files

•  3.4.1.PNG   96.28KB   3 downloads

[Charles.C]

 

Determine the terms to be evaluated for each department

Does anyone have a manual for this part?

 

Hi khanhhuyen,

 

See the methodology  here -

 

http://www.ifsqn.com...dit/#entry95362

[Mo Ashrafkoo]

Hi khanhhuyen,
I want a more detailed explanation of how to divide the sections according to risk. How can I do this?
You know I want to do a risk assessment for all departments, but I want a more detailed explanation. 😔

This is how it's done in my workplace.

Open the Word document I attached to see the severity table, likelihood table, the matrix, and outcome decision criteria. (it will all make sense when you're looking at it)

Firstly, you'll need to organise a list of the departments, then you can assess them. (Let me know if you need help with this too)


You need to assess the severity or consequence of NOT auditing each department.
Then assess the likelihood of NOT auditing the department.

Even though we always do our internal audits, we chose C (possible) because there is always that possibility that something can get in the way of you doing your job. Although, nothing has ever gotten in the way - internal audits are super important and if you don't get them done, your external auditor will be checking and you'll get an NC.

After assessing each department and giving them a score (all ours are scored at either 13 or 18, which means the frequency is 6 monthly for ones scored at 13, and yearly for ones scored at 18), you can now plan your audits based on risk.


Hope this helps. Let me know if you have any questions.

[Tony-C]

 

Hi khanhhuyen,
I want a more detailed explanation of how to divide the sections according to risk. How can I do this?
You know I want to do a risk assessment for all departments, but I want a more detailed explanation. 😔

This is how it's done in my workplace.

Open the Word document I attached to see the severity table, likelihood table, the matrix, and outcome decision criteria. (it will all make sense when you're looking at it)

Firstly, you'll need to organise a list of the departments, then you can assess them. (Let me know if you need help with this too)


You need to assess the severity or consequence of NOT auditing each department.
Then assess the likelihood of NOT auditing the department.

Even though we always do our internal audits, we chose C (possible) because there is always that possibility that something can get in the way of you doing your job. Although, nothing has ever gotten in the way - internal audits are super important and if you don't get them done, your external auditor will be checking and you'll get an NC.

After assessing each department and giving them a score (all ours are scored at either 13 or 18, which means the frequency is 6 monthly for ones scored at 13, and yearly for ones scored at 18), you can now plan your audits based on risk.


Hope this helps. Let me know if you have any questions.

 

 

Hi Mo Ashrafkoo,

 

 

Welcome to the forums

 

I think you forgot to comment before posting?

 

The post you have quoted is wrong as pointed out by several members of the forums. As well as the requirements posted by Duncan and link to other similar topics by Charles, here is info from BRCGS Guidance:

Development of the internal audit schedule should begin with a risk assessment. The aim of this is to identify:

• all the areas or activities that need to be audited

• the frequency with which each part of the product safety and quality management system needs to be audited. This will be dependent on the risk inherent in each activity or section of the food safety and quality management system. For example, the site should be aware of the consequences of not complying with its own systems, which could lead to hazards not being identified in a timely manner. Therefore internal audits of CCPs are likely to be more frequent than those for less critical activities.

Frequency may also be influenced by known issues within the company or customer requirements.

 

Kind regards,

 

Tony

[Mo Ashrafkoo]

Hi Tony

I apologize for this mistake.
I am now required to determine the number of times of internal audits on the relevant departments of the company, such as production and human resources, but I do not know how.
All this is to be done through the danger posed by the department, so how is it done?

Kind regards

Mo Ashrafkoo

[Tony-C]

Hi Mo,

 

Have a look at the example in my previous post #3 in this topic and in particular the BRCGS Food Internal Audit Scheduling pdf I uploaded.

 

There are quite a few topics on this matter in the forums, so if you follow the links that have been posted in each topic, particularly by Charles C (God bless him), you will find quite a lot of useful information.

 

Kind regards,

 

Tony