
Risk-based auditing

• Varieties and levels of assurance
• ISO 19011
• Audit planning and TOR
• ‘The Audit Adventure’
Varieties of assurance available

From high level, strategic (£££) down to operational level, compliance (£):
• “Consultants in”
• Management review
• HSE-MS audit?
• Financial accounting
• Daily / shift checks


The three levels of assurance (ISO 19011)

• First party – Internal checks (Self assessment). Examples: shift inspection, pre-start check
• Second party – Independent internal audit (Internal audit). Example: HSE-MS audit
• Third party – External audit (Certification body). Examples: ISO 14001 / ISO 45001 audit
ISO 19011:2011
• Guidelines for auditing management systems
• Audit activities
  • Initiate
  • Prepare
  • Conduct
  • Report
• Principles of auditing
  • Independence
  • Integrity
  • Fair presentation
  • Due professional care
  • Confidentiality
  • Evidence-based approach
Initiate – audit plan (3-5 years?)
• Single audit / interface
• Intensity (auditors x days)
• Frequency / intervals
Terms of reference (TOR) – for each audit

Objectives   Ref. F/w (reference framework)   Scope
Assure       ISO 14001                        Included?
Alert        ISO 45001                        Excluded?
Advise       other                            Interfaces
Audit activities – Prepare, Conduct, Report

Prepare (~20%) → Conduct fieldwork (~60%) → Report (~20%)

Audit team meet → Prepare work plan → for each selected risk A, B, C, D: Review → Verify → Finding → Decide audit opinion → Prepare and present audit report

A, B, C, D are significant inherent risks selected for this audit


Prepare workplan = risk assessment

• Who? Employees, customers, contractors, partners, society
• How big? Business interruption, fines, compensation, reputation, pain and suffering, morale, pollution, sustainability
• How often? Patterns of past losses, novelty of the project, nature of work, training, other controls
Assessing risk

• Likelihood (Probability)
• Severity (Impact, Consequence, Cost)

Don’t be too clever! Avoid number games!
Simple risk matrix, and ‘Black Swans’

[Figure: risk matrix with Probability / Likelihood on the x axis (low to high) against Impact / Consequence / Severity on the y axis (low to high)]
Seeing risks relatively – organisation risk profile

Control reduces inherent risk to residual risk

[Figure: organisation risk profile on the same matrix, PROBABILITY / LIKELIHOOD (x: Low, Medium, High) against CONSEQUENCE / SEVERITY / IMPACT (y: Low to High). Risks plotted: SABOTAGE, FIRE, ROAD INCIDENT, SPILL; FIRE and SPILL appear twice, at their inherent and residual positions. Key to risk level: TOLERATE, IMPROVE, UNACCEPTABLE]
Risk reduction and control strategies

The 4Ts:
1. TERMINATE
2. TREAT
3. TRANSFER
4. TOLERATE

Management system (Annex SL): Leadership; Planning; Support & Operation; Performance evaluation; Improvement

Approval: higher level approval often required for risks of greater significance
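The risk matrix, the inherent-to-residual shift and the 4Ts above, as an added Python illustration (not from the Asbury slides); the rating rule, the approval ladder and the effect of each control are assumptions:

```python
from dataclasses import dataclass
LEVELS = ("Low", "Medium", "High")           # the slide's 3x3 axes
APPROVAL = {"TOLERATE": "line manager",       # assumed approval ladder
            "IMPROVE": "senior management",
            "UNACCEPTABLE": "board"}

@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str
    severity: str

@dataclass(frozen=True)
class Control:
    name: str
    cuts_likelihood: int = 0   # steps down the LEVELS scale
    cuts_severity: int = 0

def rate(likelihood: str, severity: str) -> str:
    """Key to risk level: TOLERATE / IMPROVE / UNACCEPTABLE (assumed rule)."""
    # Sum of axis positions, 0..4. Low likelihood / High severity (a 'Black
    # Swan') scores 2, so it is never TOLERATEd on low probability alone.
    rank = LEVELS.index(likelihood) + LEVELS.index(severity)
    return "UNACCEPTABLE" if rank >= 3 else "IMPROVE" if rank == 2 else "TOLERATE"

def residual(risk: Risk, controls: list) -> Risk:
    """Control reduces inherent risk to residual risk (the slide's arrow)."""
    li = LEVELS.index(risk.likelihood) - sum(c.cuts_likelihood for c in controls)
    si = LEVELS.index(risk.severity) - sum(c.cuts_severity for c in controls)
    return Risk(risk.name, LEVELS[max(li, 0)], LEVELS[max(si, 0)])

def assess(risk: Risk, controls: list, transferable: bool = False) -> dict:
    """4Ts: strategy follows the residual rating, approval level the inherent one."""
    res = residual(risk, controls)
    inherent = rate(risk.likelihood, risk.severity)
    left = rate(res.likelihood, res.severity)
    if left == "UNACCEPTABLE":
        strategy = "TERMINATE"
    elif left == "IMPROVE":
        strategy = "TRANSFER" if transferable else "TREAT"
    else:
        strategy = "TOLERATE"
    return {"risk": risk.name, "inherent": inherent, "residual": left,
            "strategy": strategy, "approval": APPROVAL[inherent]}

if __name__ == "__main__":
    # Constructed sample from the slide's plotted FIRE item; the control is assumed.
    fire = Risk("FIRE", "Medium", "High")
    print(assess(fire, [Control("detection and suppression", cuts_likelihood=1)]))
```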
The Audit Adventure™

Asbury auditing book, Chapter 5

Stephen Asbury ‘The Audit Adventure’™: high-level prep. of risk-based audit workplan → detailed fieldwork: Review and Verify → high-level, high-value conclusion
Workshop 2 – Using ISO 45001 as an auditor would

Using your earlier scenario (sketch, page 2), add the ISO 45001 elements that an auditor would use to provide assurance (or alerts) on the effectiveness of your HSE-MS
Stephen Asbury Bookshop
• Book 2 – Introduction to CSR = £29.99 (or price-match Amazon)
• Book 3 – HSEQ-MS and auditing = £38.99
• Book 4 – Dynamic risk assessment = £38.99
• Book 5 – Advanced CSR = £34.99
• Plain or signed
• Cash or credit card
