The Auditor - Risky Business

THE COMPETENT AUDITOR

Risky Business

by Peter Holtmann

Risk appetite and aversion make excellent inputs into determining an organization’s audit program.

Auditing is risky business. The choice of becoming an auditor, choosing your field of expertise, gaining an understanding of the standards, and applying to technical areas all rely on a professional’s competence. What underlies this competence is the confidence to complete the task. This confidence is achieved through the ability to resolve the risk inherent in the process.

Let’s talk risk. Compliance auditing, surveillance and inspection audits, internal audits, and reviews all operate on the same premise—review past performance against current practice to predict future compliance. This is very similar to risk analysis. The auditor is looking for risks and assessing their likelihood of occurrence and the severity of the risk in the event the risk is realized. If the risk is high, a corrective action is issued; if it is low, an observation; if the risk is managed, the organization is in compliance.

However, risk is subjective and depends on an individual’s assessment of likelihood and severity, which, in turn, is determined by an individual’s appetite for risk.

Let me expand on this topic: risk is usually equated with finances or health and safety. Gambling or investment is something we attribute to risk. Would you leverage your life savings on an investment? Some of you would have immediately yelled, “Are you crazy?!” Others may have said, “Depends on the odds.” In health and safety if I had said to you, “Let’s go cave diving this weekend,” some of you would have said, “Never in a million years!” while others may have said, “Sounds like fun!”

This concept of risk is emerging in the auditing profession as an attribute that is to be considered. Currently, ISO/TC 176 is developing a new ISO 19011, which integrates risk. Sections 5.2.3, 7.3.1(e), 7.3.3(b), 7.6.2, A.2–A.4, and B.2–B.5 speak of knowing how to identify and assess risk as an audit outcome.

Clearly, an auditor needs to perform risk assessments before, during, and as part of making findings after an audit, but where is the training coming from, and more important, how do we understand the risk appetite for the auditor/team leader? From my experience, risk management training is not a part of any auditor training courses. I also have not yet seen an agreed upon international standard for risk management. So how do we determine auditors’ competence in risk management knowledge? In this instance, there is no ability to rely on industry experience, as risk hasn’t yet become part of the language of “doing business.” Environmental impact studies and workplace safety assessments are prevalent but not commonplace and they don’t translate into a risk assessment methodology.

Next, there is the question of risk assessment methodology. Are we talking Monte Carlo analysis, Pareto, causal analysis, or a combination of these? How should the audit professional determine when to deploy various tools or understand their appropriateness?

Now onto my subject of choice: the individual. An individual’s risk appetite must be considered. To become an auditor is to understand the risks involved. In some fields, audit/inspectorate outcomes carry a legal responsibility for the lifetime of the product or service inspected, such as in electrical inspections. After an electrical installation is completed, it falls upon an individual to inspect for compliance to rules and safety of use. Should the inspector sign off on the work, he or she is as liable as the installer for the lifetime of the installment. Death, injury, or damage caused by faulty installation is as much the responsibility of the inspector as the installer.

In the conformity assessment field, an auditor makes claims that the outcomes are only as good as the evidence presented at the time of audit. Let’s take food safety (FS) for instance. An auditor can inspect a food product manufacturer and make the assessment that based on the evidence presented, the organization is following FS practices and that the food is safe to eat. In the following week, the factory undergoes a major product recall based on FS risks. Where is the auditor in this chain of events? He or she is somewhat protected by the disclaimer of “audit,” and yet the

10 THE AUDITOR • MAY–JUNE 2011

COMMENTS? • feedback@theauditoronline.com

