Training on Audit Systems
Risk-based audit programme
Madrid, February 8, 2012
Tom VANOVERSCHELDE, CA-D2-P09B
Federal Agency for the Safety of the Food Chain, Belgium (until 8/2011)
Senior auditor, HJ Heinz Ltd. Co.
CAD2P09B - 1

Concept of risk
- Risk is the possibility that an event will occur and adversely affect the achievement of objectives. (Enterprise risk management framework, ERM)
- Risk is the effect of uncertainty on objectives. (ISO Guide 73 on risk management)
- Risk in the context of official controls is the probability of failure to comply with requirements, or to detect non-compliance, by those who are responsible either for complying with animal health, animal welfare, plant health, feed and food law or for verifying compliance. It can be divided into three components: compliance risk, official control risk and audit risk.

Some other concepts
- Audit universe
- Risk universe
- Risk assessment
- Risk appetite
- Risk strategy
- Risk management
- Risk and control matrix (RACM)
- ...

Risks to be considered
- Sanitary risk: consumer health; animal or plant health
- Economic risk (impact)
- Reputation risk: media, consumers, politicians; food / feed operators; international image risk
- Organizational risk
- Compliance risk
- ...

Different types of risk apply

Risk strategy: risk management options (depending on risk appetite)
(Course A: Auditing - Implementing an audit system)
Scheme: the overall risk level is addressed by choosing between four options, avoid, share/transfer, reduce and accept; the chosen options are turned into an action plan (a set of measures).
Example of a risk: not detecting non-compliance with relevant regulatory obligations during inspections.
- Avoid = not possible, we need to do those inspections
- Share = the food operator has final responsibility; external certification...
- Reduce = checklists, training, supervision...
- Accept = the residual risk that remains...
Source of the scheme: IIA training on financial auditing, May 2010, Brussels

Inherent versus residual risk
- Inherent risk: the total risk to an activity if no controls or other mitigating factors are in place
- Controls and mitigation
- Residual risk: the risk that remains after putting controls or other factors in place

Inherent risks, controls and residual risk per player
- Sector / food operator (different levels)
  - Inherent risks: chemical, physical, microbiological
  - Controls / measures: GHP, GMP, HACCP
  - Residual risk: accepted residual risk by sector or operator
- Competent Authority
  - Inherent risks: chemical, physical, microbiological; relative compliance risk of sector or operator
  - Controls / measures: official inspections, sampling tests, HACCP audits, certification, licensing / registration
  - Residual risk: accepted residual risk by CA or by politicians (society)
- Internal audit
  - Inherent risks: failing controls or mitigation measures; residual risks left by CA
  - Controls / measures: test effectiveness / efficiency of controls; assess levels of residual risks
  - Residual risk: audit risk (deficiencies or too much residual risk is not detected)

Risk-based programme
- Decision 677/2006: result of a planning process identifying risk-based priorities at an appropriate risk-based frequency
- No further guidelines; a non-compulsory document is in preparation
- Possible approaches: formally quantified risk assessment; rather qualitative approach to risk; a mix between both

Role of management <-> auditors
Management:
- Risk assessment of risks in the food chain
- Drafting the MANCP
- Staffing, training, overall organization
- Monitoring
- RACM: risk and control matrix
Auditors:
- Make (a draft / proposal of) the audit programme, which should be risk-based
- Do audits and report on them
- Assess the risk strategy of the CA and point out where risks are not sufficiently mitigated
- When carrying out an individual audit, risk is an important consideration in defining the scope and the testing to do

Quantified risk assessment
- Risk is commonly determined by the formula: risk = probability x impact
- Estimation of:
  - Impact: the impact when the event occurs
  - Probability: the likelihood that the event will occur
- Other possible factors: cost, detectability, uncertainty

Consumer risk: scoring probability (example)

Consumer risk: scoring impact (example)

Scoring risks / audit scopes (score = likelihood x impact)

Likelihood \ Impact    1    2    3    4    5
5                      5   10   15   20   25
4                      4    8   12   16   20
3                      3    6    9   12   15
2                      2    4    6    8   10
1                      1    2    3    4    5

Another example

Use of risk to prioritize

Qualitative risk assessment
- Implicit or explicit (documented or not)
- By management
- By key stakeholders (sector and consumer organizations, political level, ...)
- Professional judgment of the auditors
- Takes into account the results of previous audits, FVO missions, incidents, new legislation

Why (not) use scoring?
YES:
- Quantified
- Easier to compare scores
- Scores can be used to make certain scopes more or less important
- Less subjective
- Common methodology for different types of risk
NO:
- Time consuming
- Auditors don't always have the knowledge
- Periodic review required
- Giving a score is also subjective
- Lower-scoring areas might never be audited, while 677 requires auditing everything in a 5-year period (subject to change)

Risk <-> 5-year coverage
Dilemma: how to be risk-based and, at the same time, cover all relevant areas within a 5-year cycle?

5-year coverage
- All relevant areas of 882/2004 form the audit universe
- Different approaches: high level <-> detailed; structured by sectors of the food chain, legislation, processes, organizational entities
- Interpretation of coverage based on FVO meetings
- A full coverage of a certain domain is not realistic: auditing is always based on a sample
- Single audit: if areas were audited by other qualified bodies, the same work does not have to be repeated

Coverage + risk
- All audit areas are listed in an audit universe
- Full coverage: shift from "all areas are audited" to "all areas have been considered"
- Negligible-risk audit areas can be considered as being covered (they still need to be part of the audit universe)
- Not every area is audited in detail
- Risk assessment defines the priorities
- Different approaches to audit areas: low risk: horizontal scan; high(er) risk: multiple audits, horizontal and vertical approach
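As an added example that is not part of the training slides, the following Python sketch puts the quantified approach (probability x impact on the 1-5 scales of the scoring matrix) together with the 5-year coverage rule and the negligible / low / high(er) risk approaches: areas that would otherwise fall out of the 5-year cycle are forced into the year's programme ahead of higher-scoring areas, which is exactly where the "lower-scoring areas might never be audited" objection bites. The cut-off values, area names, scores and years are constructed assumptions, not figures from the Belgian audit universe.

```python
from dataclasses import dataclass
from typing import List, Optional

SCALE = range(1, 6)   # likelihood and impact are scored 1..5, as in the matrix
CYCLE_YEARS = 5       # every relevant area audited at least once per 5 years
NEGLIGIBLE, LOW, MEDIUM = 2, 6, 12  # assumed cut-offs on the 1..25 product (not fixed on the slides)

@dataclass
class AuditArea:
    name: str
    probability: int             # likelihood of non-compliance going undetected
    impact: int                  # consequence for consumer, animal or plant health
    last_audited: Optional[int]  # year of the last audit, None if never audited

def score(area: AuditArea) -> int:
    """Risk score = probability x impact, both on the 1..5 scale."""
    if area.probability not in SCALE or area.impact not in SCALE:
        raise ValueError(f"{area.name}: scores must be between 1 and 5")
    return area.probability * area.impact

def approach(area: AuditArea) -> str:
    """Translate the score into the audit approach suggested on the slides."""
    s = score(area)
    if s <= NEGLIGIBLE: return "negligible: considered covered without an audit"
    if s <= LOW:        return "low: horizontal scan"
    if s <= MEDIUM:     return "medium: single vertical audit"
    return "high: multiple audits, horizontal and vertical"

def is_due(area: AuditArea, year: int) -> bool:
    """True when skipping `year` would break the 5-year rule (negligible = covered)."""
    if score(area) <= NEGLIGIBLE:
        return False
    return area.last_audited is None or area.last_audited + CYCLE_YEARS <= year

def plan_year(areas: List[AuditArea], year: int, capacity: int) -> List[str]:
    """Draft one year: coverage-due areas first, then the rest by risk score."""
    due = sorted((a for a in areas if is_due(a, year)), key=score, reverse=True)
    if len(due) > capacity:
        raise RuntimeError(f"{len(due)} areas due in {year}, capacity {capacity}")
    rest = sorted((a for a in areas if a not in due), key=score, reverse=True)
    return [a.name for a in (due + rest)[:capacity]]

AREAS = [  # constructed sample, not the Belgian audit universe from the slides
    AuditArea("Slaughterhouses and the meat sector", 4, 5, 2010),
    AuditArea("Import & intra-EU trade", 3, 5, 2011),
    AuditArea("Primary production", 3, 4, 2007),
    AuditArea("Food production and wholesale", 2, 3, None),
    AuditArea("Pet food labelling (hypothetical area)", 1, 2, None),
]
```

With three audits available in 2012, pure scoring would pick the two highest-scoring areas plus primary production, whereas the coverage rule pushes primary production and the never-audited food production area in first and defers import and intra-EU trade to the next year.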

Horizontal and vertical approach
Horizontal audit approach: an audit that focuses primarily on the implementation of general requirements, e.g. Regulations 178/2002, 882/2004, 852/2004 or strategic objectives from the MANCP. Some practical examples:
- Implementation and control of traceability systems in the meat sector
- Legal instruments for dealing with non-compliance
- Risk assessment and MANCP (inspections, sampling...)
- Crisis prevention and control
Vertical audit approach: an audit that focuses primarily on sector-specific requirements, e.g. Regulation 853/2004, the ABP Regulation, the Feed Hygiene Regulation, Animal Welfare or BIP requirements. Some practical examples:
- Sampling and testing on the use of hormones in cattle meat
- Infrastructure and hygiene inspections in retail businesses
- Export certification of pigs
- Infrastructure and hygiene in cutting plants
- Plant import controls in a border post
Source of the definitions: Planning for audits of official control systems, draft version V10

Audit universe: possible topics to audit (author of these images: E. Sloth)

Sectors in the audit universe
- Primary sector
- Meat sector
- Import
- Wholesale sector
- Retail sector

From audit universe to risk universe (e.g. one sector at a time)
- Primary sector
- Meat sector
- Import
- Wholesale sector
- Retail sector

Horizontal subjects in the audit universe
- Primary sector
- Meat sector
- Import
- Wholesale sector
- Retail sector

Objectives of risk-based planning
To contribute to consumer safety, animal health and welfare, plant health and increase stakeholder confidence in effective and efficient use of resources. This is achieved by ensuring that:
- audit universe(s) do not overlook any relevant areas;
- planning processes are able to identify and categorise main risks appropriately;
- the whole process is subject to regular review; and
- audit bodies (in case there are several) coordinate their planning processes.
Extract from Planning for audits of official control systems, draft version V10

Audit universe & coverage - Example 1
Years 2008, 2009, 2010, 2011, 2012 (X = audited in that year; the year columns of the marks are not recoverable here, the marks are kept in the order shown):
- Import & intra-EU trade: X
- Food production and wholesale
- Distribution (retail, B2C): X X
- Primary production: X
- Slaughterhouses and the meat sector: X

Audit universe & coverage - Example 2

Audit universe & coverage - Example 3 (source: Belgian audit universe situation on 31/12/2010)

Process flow diagram for risk-based planning (DRAFT)
Step 1: define the audit universe
- 1.1 Input: competent authority, MANCP, others (e.g. legislation, control processes, production chain, hazards)
- 1.2 Process: define the audit universe
- 1.3 Output: audit universe
Step 2: risk assessment
- 2.1 Input: experts, stakeholders, data / information, previous audits, inspections etc.
- 2.2 Process: risk assessment; assess the probability (current cases, previous findings, internal events, external events); assess the consequences (food safety, animal welfare, animal health, misleading); uncertainty, confidence, significance
- 2.3 Output: risk universe
Step 3: draft the audit programme
- 3.1 Input: audit risks, auditors
- 3.2 Process: draft the audit programme
- 3.3 Output: audit programme
Source: Planning for audits of official control systems, draft version V10

What to do?
- Find an approach which suits your organization
- Coverage: how detailed do you want to plan / document it?
- Risk assessment: find a balance between costs and benefits
- The challenge is to work risk-based and still cover the relevant areas of 882/2004