RISK-BASED PLANNING FOR AUDITS OF OFFICIAL CONTROL SYSTEMS



Similar documents
INDEPENDENCE AND INDEPENDENT SCRUTINY

EUROPEAN COMMISSION DIRECTORATE-GENERAL FOR HEALTH AND FOOD SAFETY

1. Consultation of the Committee (SCFCAH)

Integrated Assurance & Approval Strategy and Integrated Assurance & Approval Plans

Explanation where the company has partially applied or not applied King III principles

Central Bank of Ireland Guidelines on Preparing for Solvency II Pre-application for Internal Models

Audit of the control body through the monitoring of compliance with control plan. Measures for the irregularities

SANITARY AND PHYTOSANITARY MEASURES (SPS)

How to Support a Successful State Safety Programme (SSP) and Safety Management System (SMS) Implementation. Recommendations for Regulators

Council of the European Union Brussels, 5 March 2015 (OR. en)

EU Sanitary and Phytosanitary Standards. Ella STRICKLAND DG Health and Consumers, EU Commission Kampala, Uganda, 30 November 2010

National Occupational Standards. Compliance

High level principles for risk management

An Introduction to Risk Management. For Event Holders in Western Australia. May 2014

GUIDANCE NOTE ON THE CONCEPT OF RELIANCE

RISK BASED AUDITING: A VALUE ADD PROPOSITION. Participant Guide

DATA QUALITY STRATEGY

DRAFT. Guidance for Member States and Programme Authorities Designation Procedure

COMMISSION STAFF WORKING DOCUMENT. Elements of the Union greenhouse gas inventory system and the Quality Assurance and Control (QA/QC) programme

Risk Management Strategy EEA & Norway Grants Adopted by the Financial Mechanism Committee on 27 February 2013.

Linking Risk Management to Business Strategy, Processes, Operations and Reporting

Practice Guide COORDINATING RISK MANAGEMENT AND ASSURANCE

AUDIT CERTIFICATE GUIDANCE NOTES 6 TH FRAMEWORK PROGRAMME

GUIDANCE DOCUMENT FOR COMPETENT AUTHORITIES FOR THE CONTROL OF COMPLIANCE WITH EU LEGISLATION ON:

Introduction to Quality Assessment

THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK

REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND TO THE COUNCIL

EUROPEAN CENTRAL BANK

Handling impact assessments in Council

Foreword Introduction - The Global Food Safety Initiative (GFSI) Scope Section Overview Normative References...

Project reporting in FP6

INTERNAL AUDIT CHARTER AND TERMS OF REFERENCE

MANAGEMENT SYSTEMS CERTIFICATION FROM AUTOMOTIVE SPECIALISTS

Understanding Principles and Concepts of Quality, Safety and Environmental Management System Graham Caddies

EU Directive on Statutory Audits of Annual and Consolidated Accounts and EU Regulation on Statutory Audit of Public Interest Entities

Align Technology. Data Protection Binding Corporate Rules Processor Policy Align Technology, Inc. All rights reserved.

ENTERPRISE RISK MANAGEMENT FRAMEWORK

Training Pack. Tactical Implementation Plans (TIP s)

EIOPACP 13/011. Guidelines on PreApplication of Internal Models

COMMISSION OF THE EUROPEAN COMMUNITIES. COMMISSION REGULATION (EC) No /..

Guidelines on operational functioning of colleges

FORUM ON TAX ADMINISTRATION

Hertsmere Borough Council. Data Quality Strategy. December

Workshop Privacy Impact Assessments The NOREA-PIA: design and experience

CHARITIES SORP (FRS 102)

Checklist for Operational Risk Management

WFP ENTERPRISE RISK MANAGEMENT POLICY

The Asset Management Landscape

CHECKLIST ISO/IEC 17021:2011 Conformity Assessment Requirements for Bodies Providing Audit and Certification of Management Systems

Official Journal of the European Union

RISK MANAGEMENT FRAMEWORK. 2 RESPONSIBLE PERSON: Sarah Price, Chief Officer

Guidance for Industry. Q10 Pharmaceutical Quality System

Authorisation Requirements and Standards for Debt Management Firms

Preparation of a Rail Safety Management System Guideline

Application of King III Corporate Governance Principles

FSPCOMP3 Assess and mitigate the compliance risks relevant to your organisation

ISO 14001:2015: Key Changes

Application of King III Corporate Governance Principles

ENTERPRISE RISK MANAGEMENT POLICY

REGULATIONS ON OPERATIONAL RISK MANAGEMENT OF THE BUDAPEST STOCK EXCHANGE LTD.

Audit of the Test of Design of Entity-Level Controls

How To Write A Report On The Food And Veterinary Policy In Czech Republic

A Guide to Corporate Governance for QFC Authorised Firms

Administrative Guidelines on the Internal Control Framework and Internal Audit Standards

Project Planning With IT

L 94/16 Official Journal of the European Union

Certification criteria for. OH&S Management Systems Foundation Training Course

BEST PRACTICE FOR THE DESIGN AND OPERATION OF HIGH HAZARD SITES

ISO/IEC Directives, Part 1 Consolidated ISO Supplement Procedures specific to ISO

Internal Audit Framework

GENERIC STANDARDS CUSTOMER RELATIONSHIPS FURTHER EXCELLENCE CUSTOMISED SOLUTIONS INDUSTRY STANDARDS TRAINING SERVICES THE ROUTE TO

Appendix 3 (normative) High level structure, identical core text, common terms and core definitions

Selection and use of the ISO 9000 family of standards

List of critical errors in internal models of insurance undertakings

Information Security Management System for Microsoft s Cloud Infrastructure

GUIDELINES ON VALUATION OF POLICY LIABILITIES OF GENERAL BUSINESS

Managing Risk in Procurement Guideline

CONTRACT MANAGEMENT FRAMEWORK

Fundamental Principles of Public-Sector Auditing

International Standards on Auditing (ISA) and their Use for Second Level Control of European Territorial Cooperation Programmes

CHARITIES SORP (FRSSE)

Eumedion response to the consultation questions on IIRC <IR> draft framework

2012 IAS CONFERENCE. Case Study N 2: Monitoring EU LAW Implementation. Pascal Hallez René Scholzen 12 October 2012

TGA key performance indicators and reporting measures

Guidelines on the Application of the Supervisory Review Process under Pillar 2 (CP03 revised)

ECLAC Economic Commission for Latin America and the Caribbean

MANAGEMENT SYSTEMS CERTIFICATION

Guide for the Development of Results-based Management and Accountability Frameworks

Maturity Model. March Version 1.0. P2MM Version 1.0 The OGC logo is a Registered Trade Mark of the Office of Government Commerce

Proposal for a RECOMMENDATION OF THE EUROPEAN COMMISSION

Transcription:

National Audit Systems Network RISK-BASED PLANNING FOR AUDITS OF OFFICIAL CONTROL SYSTEMS The network of national audit experts have produced this non-binding reference document based on agreed good practices to provide guidance on risk-based planning of for audits of official control systems. February 2014 Version 1

The National Audit Systems (NAS) Network The NAS network is a network of officials (auditors) from national competent authorities, responsible for the performance of audits of official control systems as provided for by article 4(6) of Regulation (EC) No 882/2004 1. The networks meet regularly, under the chairmanship of, and facilitated by, the FVO to exchange experiences in implementing national audit systems on official control activities. During the course of these exchanges; discussions, workshops etc. good principles and practices are identified and agreed by the network. To enable dissemination of information the network, working in plenary session and through sub-groups, facilitated by the FVO, consolidate agreed principles and good practices on specific topics into documents. These documents may be used as reference documents, however, they do not constitute an audit standard and are not legally binding. Risk-based planning for audits of official control systems OBJECTIVES The objective of this document is to guide and support Competent Authorities (CA) and audit bodies in performing risk-based planning for audits of official control systems by proposing general principles. The aim is to: Give some tools for those who are involved in the planning process with a view of being applicable to audits on a wide range of different official control systems. Support audit bodies in finding balance between full coverage during a 5-year period and appropriate risk-based prioritisation. The expected outcome is a well-documented risk-based planning process. This document is intended to assist in the implementation of Section 5.1 (Systematic Approach) first bullet point of the Annex to Commission Decision 2006/677/EC. SCOPE AND INTENDED AUDIENCE This guidance applies to planning of audits as required by Article 4(6) of Regulation (EC) No 882/2004. It is intended for use by CAs / audit bodies that carry out audits on official control (systems) according to the requirements of Article 4(6) of Regulation (EC) No 882/2004. It presents best practice in the development of risk-based audit programmes and audit plans in the area of official control activities e.g. feed, food, animal health and welfare and plant health. This document does not attempt to cover internal risks of the audit body, for example lack of auditor s competences or resources within the audit body. DEFINITION(S) This document should be read in conjunction with the definitions contained in Regulation (EC) No 882/2004 and Commission Decision 2006/677/EC bearing in mind that the definitions of those documents apply. 1 OJ L 191, 28.5.2004 Page 1

Audit universe 2 : An inventory of all audit areas relevant to responsibilities of CAs that is compiled and maintained to identify possible areas for audit during the audit planning process. The list should include all official control and key food, feed, plant health, animal health and animal welfare systems that could be audited as part of the overall cycle of planned work (including delegated bodies). The audit universe serves as the source from which the risk assessment for the five-year audit planning and the annual audit planning are performed. It is up to the CA to determine the detail in the audit universe, as it depends on among other things the complexity of the CA s audit system. The audit universe has to cover all areas of the MANCP relevant to the responsibilities of the CA. To minimise the potential for gaps and overlaps between CAs, it is best practice that the audit universe be determined as a coordinated process between CA s within MS. Risk universe 3 : Audit universe with risk categorisation applied to each audit area. N.B.: The terms audit universe and risk universe are reserved for the multi-annual risk-based planning process. However, analogous concepts exist for the annual planning as well as planning for an individual audit. For the sake of avoiding confusion, in the context of individual audits we use the term "audit area", which may then give rise to a complete inventory of audit topics within that area. Subsequently, those topics will be placed into appropriate risk categories (see Annex). Horizontal audits 4 : These are audits where the audit criteria are taken from general requirements e.g. Regulations (EC) Nos 178/2002, 882/2004, 852/2004 or strategic objectives from the MANCP. The main objective of these audits is to determine whether planned arrangements are implemented effectively and are suitable in achieving objectives. It may also include elements of verifying compliance with planned arrangements. Vertical audits: These are audits where the audit criteria are taken primarily from sectorspecific requirements e.g. Regulation (EC) No 853/2004, Regulation (EC) No 2073/2005, ABP Regulation, Feed Hygiene Regulation, Animal Welfare or BIP requirements. The main objective of these audits is to verify compliance with planned arrangements and to evaluate the effectiveness and suitability of the controls. Effectiveness: is generally speaking the capability of producing an (intended) effect or of achieving an objective. In this particular context it is the capability of a Competent Authority in achieving the objectives of Regulation 882/2004. It is not to be confused with efficiency, which is normally used when we want to refer to input-output ratio i.e. cost and/or resources required to produce an output. OBJECTIVES OF AUDITS The main objectives of audits as laid down in Article 4(6) are: To verify: CA's compliance with general 5 and specific 6 control requirements of feed and food law, plant health, animal health and welfare rules. 2 While the term "audit universe" is not used in official control legislation or Commission Decision 2006/677/EC, it is important to introduce it to allow CAs define the areas for which they will need to develop audit programs e.g. feed only, food only. 3 Risk universe is produced on the basis of audit universe, which serves as an input to the risk categorisation process. 4 The separation of the concepts of horizontal and vertical audits is somewhat artificial as they are quite commonly used in combination i.e. an audit may contain a horizontal vertical component. 5 e.g. Regulations (EC) Nos 178/2002, 882/2004, 852/2004 and MANCP objectives. 6 e.g. Regulations (EC) No 853/2004, ABP Regulation, Feed Hygiene Regulation and VMP residues. Page 2

To evaluate: To identify: Page 3 Risk-based planning for audits of official control systems Compliance of official controls with planned arrangements at a national level, which may include: o Control plans of any kind (MANCP, business-, operational-, control-, monitoring-plan etc.) with the purpose of giving effect to legal requirements. o Policies, strategies, procedures, guidelines. Suitability of the planned arrangements in achieving the objectives of Regulation (EC) No 882/2004. Effectiveness and consistency of the implementation of planned arrangements i.e. the capability to deliver the planned outcomes. Whether enforcement measures are effective, proportionate and dissuasive. Areas for improvement in the CA control and management systems. Audits may also play a supportive role in risk identification and analysis. OBJECTIVES OF RISK-BASED PLANNING OF AUDIT PROGRAMMES The main objective of risk-based planning of audit programmes is to contribute to consumer safety, animal health and welfare, plant health and increase stakeholder confidence in effective and efficient use of resources. This is achieved by ensuring that: Principles: Audit universe(s) do not overlook any relevant areas; Planning processes are able to identify and categorise main risks appropriately; The whole process is subject to regular review; and Audit bodies (in case there are several) coordinate their planning processes. 1. Risk based planning can be viewed as four separate processes, with clearly specified inputs and outputs for each. These processes are: establishing the audit universe, defining the risk universe, producing the audit programme and the review process. These are outlined in the Annex below. 2. Competent Authorities / Audit bodies should define their own Audit universe and use it for audit planning. While a CA / audit body is free to decide how to divide the audit universe into audit areas, it is important to ensure that: all the requirements of Regulation (EC) No 882/2004 and relevant feed and food law are covered; and The topics are defined and presented in a way that facilitates risk assessment and audit programming. 3. The audit areas within the audit universe should be risk categorised producing a risk universe. The risk assessment of audit areas should take into account the probability of a failure in a control area and the consequences of such failure. 4. Full coverage during a 5-year cycle can be achieved by using a combination of horizontal and vertical audits combined with annual review of negligible risk areas. On the basis of the output of the risk-based planning process, the areas identified as high-risk

should be covered using both horizontal and vertical audits, while low-risk areas can be covered by a lower frequency of horizontal audits. Negligible risk audit areas can be considered as being covered, when they have been included in the audit universe and taken into account in the planning process (including annual review). 5. All elements of the risk-based planning process should be subject to annual review. Review in this context means that e.g. audit universe, risk universe and prioritization process need to be updated as necessary. It does not imply that the whole process depicted in Diagram 1 should be repeated every year. Annual review is a check-point which serves the purpose of validating/verifying the existing audit universe, risk universe and prioritization methods to ensure that they are still fit for purpose. 6. All elements of the planning process should be clearly documented. "All elements" means that the main steps in the process should be described as well as records kept on the planning and review process. The level of detail depends on the circumstances but the general principle is that the planning process should be auditable. Page 4

ANNEX Page 5

The Process explanations to the diagram 1. Define audit universe 1.1. The entries in box 1.1 are not an exhaustive list of inputs. Whichever combination of these or other inputs is being used, sufficient and suitable information about official controls and CA should be available to define the actual audit universe. 1.2. It is important to take into account planning resources in order to have a realistic number of audit areas which can be assessed with the resources available. The purpose of defining the audit universe is to ensure that all areas to be covered by the audit planning process are taken into account and represented in a format that is useful/helpful in achieving that. 1.3. The output is a comprehensive list of areas covered by Regulation (EC) No 882/2004 which could be subject to audit i.e. the audit universe. 2. Define the risk universe. 2.1. The entries in box 2.1 are not an exhaustive list of inputs. Whatever information is being used it should be documented in order to provide transparency. At this stage it may be useful to make a distinction between inherent risks and for example, prior knowledge about CA's management system including accreditation/certification to an international standard. Evidence on good management systems and for example, good MANCP, annual reporting and review process may change the residual risk associated with a particular CA. 2.2. The purpose of this process is to identify and assess risks to different potential audit areas within the audit universe to define audit priorities by using the additional inputs from box 2.1. A documented process/procedure (method) should be in place to prioritise the audit areas in audit universe according to the probability and consequence (see above) of an undesirable event. The method should be capable of categorising audit areas into a minimum of 4 cells in order to be able to rank them (example 2x2 table, events etc. examples of almost everything). 2.3. Output (risk universe) from this step serves as an input for stage 3. 3. Audit programme 3.1. Input to the programming process may also include "interfering" factors like emerging issues, management requests, changes in available resources etc. 3.2. The purpose of this process is to take into account the risk universe, management requests, audit risks, resources and any other factors to produce an audit programme. 3.3. The programme/plan should include justification (very brief summary, sentence) for the selection of audit areas and related planning documentation should be retained for verification/validation purposes. 4. Review: the CA / audit body should review its planning process annually. The purpose of the evaluation/review is to ensure that audit priorities continue to reflect all relevant information e.g. findings from preceding audits and where possible, to improve the planning process. Examples of various stages of the planning process can be found in: http://audit-network.wikispaces.com/about Page 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information