Risk-based audit programme


Training on Audit Systems
Risk-based audit programme
Madrid, February 8, 2012
Tom VANOVERSCHELDE
CA-D2-P09B
Federal Agency for the Safety of the Food Chain Belgium (until 8/2011)
Senior auditor HJ Heinz Ltd. Co.
CAD2P09B - 1

Concept of risk
- Risk is the possibility that an event will occur and adversely affect the achievement of objectives. (enterprise risk management framework - ERM)
- Risk is the effect of uncertainty on objectives. (ISO guide 73 on risk management)
- Risk in the context of official controls is the probability of failure to comply with requirements or detect non-compliance by those who are responsible for either complying with animal health, animal welfare, plant health, feed and food law or for verifying compliance. It can be divided into three components: Compliance Risk, Official Control Risk and Audit Risk.

Some other concepts
- Audit universe
- Risk universe
- Risk assessment
- Risk appetite
- Risk strategy
- Risk management
- Risk and control matrix (RACM)
- ...

Risks to be considered
- Sanitary risk
  - Consumer health
  - Animal or plant health
- Economic risk (impact)
- Reputation risk
  - Media, consumers, politicians
  - Food / feed operators
- International image risk
- Organizational risk
- Compliance risk
- ...

Different types of risk apply

Risk strategy
Course A: Auditing Implementing an audit system
Diagram labels: Overall risk level; Action plan; Set of measures
Risk management options (depends on risk appetite): Avoid, Share/transfer, Reduce, Accept
Example of a risk: not detecting non compliance with relevant regulatory obligations during inspections
- Avoid = Not possible, we need to do those inspections
- Share = Food operator has final responsibility, external certification...
- Reduce = Checklists, training, supervision...
- Accept = Residual risk that remains...
Source scheme: IIA training on financial auditing, May 2010, Brussels

Inherent versus residual risk
- Inherent risk: Total risk to an activity if no controls or other mitigating factors are in place
- Controls & Mitigation
- Residual risk: The risk that remains after putting controls or other factors in place

Different levels
Player: Sector / food operator
  Inherent risks: Chemical, physical, microbiological
  Controls / measures: GHP - GMP; HACCP
  Residual risk: Accepted residual risk by sector or operator
Player: Competent Authority
  Inherent risks: Chemical, physical, microbiological; Relative compliance risk of sector or operator
  Controls / measures: Official inspections; Sampling tests; HACCP audits; Certification; Licensing / registration
  Residual risk: Accepted residual risk by CA or by politicians (society)
Player: Internal audit
  Inherent risks: Failing controls or mitigation measures; Residual risks left by CA
  Controls / measures: Test effectiveness / efficiency of controls; Assess levels of residual risks
  Residual risk: Audit risk (deficiencies or too much residual risk is not detected)

Risk-based programme
- Decision 677/2006: result of a planning process identifying risk-based priorities at an appropriate risk-based frequency
- No further guidelines; non-compulsory document in preparation
- Possible approaches:
  - Formally quantified risk assessment
  - Rather qualitative approach to risk
  - Mix between both

Role management <-> auditors
Management:
- Risk assessment of risks in the food chain
- Drafting the MANCP
- Staffing, training, overall organization
- Monitoring RACM: Risk and Control Matrix
Auditors:
- Make (a draft / proposal of) the audit programme, which should be risk based
- Do audits and report on them.
- Assess the risk strategy of the CA and point out where risks are not sufficiently mitigated.
- When carrying out an individual audit, risk is an important consideration in defining the scope and the testing to do.

Quantified risk assessment
Risk is commonly determined by the formula: probability x impact
Estimation of:
- Impact: the impact when an event occurs
- Probability: the likelihood that the event will occur
Other possible factors:
- cost
- detectability
- uncertainty

Consumer risk: Scoring probability - Example

Consumer risk: Scoring impact - Example

Scoring risks / audit scopes
Likelihood
    5 |   5   10   15   20   25
    4 |   4    8   12   16   20
    3 |   3    6    9   12   15
    2 |   2    4    6    8   10
    1 |   1    2    3    4    5
      +-------------------------
          1    2    3    4    5   Impact

Another example

Use of risk to prioritize

Qualitative risk assessment
- Implicit or explicit (documented or not)
- By management
- By key stakeholders (sector and consumer organizations, political level, ...)
- Professional judgment of the auditors
- Take into account results of previous audits, FVO missions, incidents, new legislation

Why (not) use scoring?
YES:
- Quantified
- Easier to compare scores
- Scores can be used to make certain scopes more or less important
- Less subjective
- Common methodology for different types of risk
NO:
- Time consuming
- Auditors don't always have the knowledge
- Periodic review required
- Giving a score is also subjective
- Lower scoring areas might never be audited (677: audit everything in a 5-year period, subject to change)

Risk <-> 5-year coverage
Dilemma between being risk-based and, at the same time, covering all relevant areas within a 5-year cycle?

5-year coverage
- All relevant areas of 882/2004 audit universe
- Different approaches:
  - High level <-> detailed
  - Structured by sectors of the food chain, legislation, processes, organizational entities
- Interpretation of coverage based on FVO-meetings:
  - A full coverage of a certain domain is not realistic
  - Auditing is always based on a sample
  - Single audit: if areas were audited by other qualified bodies, the same work does not have to be repeated.

Coverage + risk
- All audit areas are listed in an audit universe
- Full coverage: shift from "all areas are audited" to "all areas have been considered"
- Negligible risk audit areas can be considered as being covered (need to be part of audit universe)
- Not every area is audited in detail
- Risk assessment: defines priorities
- Different approaches to audit areas:
  - Low risk: horizontal scan
  - High(er) risk: multiple audits, horizontal and vertical approach

Horizontal and vertical approach
Horizontal audit approach: when an audit focuses primarily on the implementation of general requirements, e.g. Regulations 178/2002, 882/2004, 852/2004, or strategic objectives from the MANCP. Some practical examples:
- Implementation and control of traceability systems in the meat sector
- Legal instruments for dealing with non compliance
- Risk assessment and MANCP (inspections, sampling...)
- Crisis prevention and control
Vertical audit approach: when an audit focuses primarily on sector-specific requirements, e.g. Regulation 853/2004, ABP Regulation, Feed Hygiene Regulation, Animal Welfare or BIP requirements. Some practical examples:
- Sampling and testing on use of hormones in cattle meat
- Infrastructure and hygiene inspections in retail businesses
- Export certification of pigs
- Infrastructure and hygiene in cutting plants
- Plant import controls in a border post
Source definitions: Planning for audits of official control systems, draft version V10

Audit universe
Possible topics to audit
Author of these images: E. Sloth

Sectors in the audit universe
- Primary sector
- Meat sector
- Import
- Wholesale sector
- Retail sector

From audit universe to risk universe (e.g. 1 sector at a time)
- Primary sector
- Meat sector
- Import
- Wholesale sector
- Retail sector

Horizontal subjects in the audit universe
- Primary sector
- Meat sector
- Import
- Wholesale sector
- Retail sector

Objectives of risk-based planning
To contribute to consumer safety, animal health and welfare, plant health and increase stakeholder confidence in effective and efficient use of resources. This is achieved by ensuring that:
- audit universe(s) do not overlook any relevant areas;
- planning processes are able to identify and categorise main risks appropriately;
- the whole process is subject to regular review; and
- audit bodies (in case there are several) coordinate their planning processes.
Extract from Planning for audits of official control systems, draft version V10

Audit universe & coverage - Example 1
Import & intra-EU trade 2008 2009 2010 2011 2012 X Food production and wholesale Distribution (retail, B2C) X X Primary production X Slaughterhouses and the meat sector X

Audit universe & coverage - Example 2

Audit universe & coverage - Example 3
Source: Belgian audit universe situation on 31/12/2010

Process flow diagram for risk based planning (DRAFT)
Diagram columns: Input, Process, Output (steps numbered 1.1 to 3.3)
- Define Audit Universe: Competent authority; MANCP; others, e.g. legislation; control processes; production chain; hazards
- Risk assessment: Audit Universe; experts; stakeholders; data / information; previous audits, inspections etc.
  - Assess the probability: current cases, previous findings, internal events, external events
  - Assess consequences: food safety, animal welfare, animal health, misleading
  - Uncertainty, confidence, significance
  - Risk Universe
- Draft the audit programme: audit risks; auditors; Audit programme
Source: Planning for audits of official control systems, draft version V10

What to do?
- Find an approach which suits your organization.
- Coverage: how detailed do you want to plan / document it?
- Risk assessment: find a balance between cost and benefits
- Challenge to work risk-based and cover the relevant areas of 882/2004