How to take a risk-based approach to your audit program

One of the key requirements in ISO 19011:2018 (Guidelines for auditing management systems) is a risk-based approach.

So, what actually is a risk-based approach to auditing? And how can you embed a risk-based approach? 


First, what a risk-based approach is not...
  1. Accepting that significant risks exist without any treatment plan for them.
  2. Taking risks (behaving 'riskily') and calling that a risk-based approach.


What is it then? 

"We can audit anything, but we cannot audit everything. We can't be auditing the mole hills while ignoring the mountains in the distance." - Richard Chambers, IIA


Risk-based thinking is the new seventh principle of auditing in ISO 19011:2018.

A risk-based approach focuses your audit programme on the areas which will have the most significant impact on your organisation's ability to do business.

"The risk-based approach should substantively influence the planning, conducting and reporting of audits in order to ensure audits are focused on matters significant for the auditee and for achieving the audit programmes objectives."

ISO 19011:2018, on the risk-based approach


So how do you decide which risk areas are the mountains and which are the mole hills?

Too many auditors are unaware of what else is going on in the business. The workforce doesn't always freely admit where the problems are, either out of fear of being exposed, reluctance to expose colleagues, or the prospect of more work to complete.

So, sadly, auditors spend their time, energy and effort auditing 'high risk' areas selected on nothing more than a hunch.

All the while, there's a big, scary, angry troll hiding under the bridge, waiting to jump out at your business. 


You need a system to seek out the most potentially destructive trolls and manage them. A joined-up, holistic approach to a risk-based audit programme requires a system which enables you to:

  • Capture and monitor performance, feedback and data from customers, staff, suppliers and other external sources
  • Manage risk assessments collaboratively
  • Have visibility of business changes and the processes they touch
  • Assess audit findings and escalate the highest risk / impact areas

This system needs to be available to the audit programme manager to plan, manage and complete audits, and to manage the CAPA (corrective and preventive action) programme.
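One way to turn the bullets above into something an audit programme manager can run each cycle is a simple risk-scoring model over candidate audit areas. The example below is added here and is not Qualsys software or text from ISO 19011:2018; the weighting scheme (likelihood x impact, with likelihood nudged upward by signals such as customer complaints, open CAPAs, recent process changes and prior findings), the field names, the escalation threshold and the sample areas are all assumptions made for illustration. It ranks areas so the 'mountains' get audited first and escalated areas always make the plan, even when audit capacity is short.

```python
"""Rank candidate audit areas by risk so the audit programme targets the
'mountains' first.

Illustrative scoring model (an assumption, not ISO 19011 text):
    risk = likelihood x impact
where likelihood is the assessed base likelihood (1..5) adjusted upward by
operational signals captured from the wider business, capped at 5.
"""
from dataclasses import dataclass


@dataclass
class AuditArea:
    name: str
    impact: int              # 1..5: effect on ability to do business if the process fails
    base_likelihood: int     # 1..5: assessed likelihood of a significant failure
    complaints: int = 0      # customer/supplier feedback items in the review period
    open_capas: int = 0      # unresolved corrective/preventive actions
    recent_changes: int = 0  # process/system/people changes since the last audit
    prior_findings: int = 0  # nonconformities raised at previous audits


# Hypothetical weights: how much each signal raises the likelihood score.
SIGNAL_WEIGHTS = {
    "complaints": 0.25,
    "open_capas": 0.5,
    "recent_changes": 0.5,
    "prior_findings": 0.75,
}

ESCALATE_AT = 15.0  # hypothetical threshold on the 1..25 risk scale


def validate(area: AuditArea) -> None:
    """Reject scores outside the 1..5 scale and negative signal counts."""
    for attr in ("impact", "base_likelihood"):
        value = getattr(area, attr)
        if not 1 <= value <= 5:
            raise ValueError(f"{area.name}: {attr} must be 1..5, got {value}")
    for attr in SIGNAL_WEIGHTS:
        if getattr(area, attr) < 0:
            raise ValueError(f"{area.name}: {attr} cannot be negative")


def likelihood(area: AuditArea) -> float:
    """Base likelihood plus weighted evidence from the business, capped at 5."""
    validate(area)
    boost = sum(weight * getattr(area, attr) for attr, weight in SIGNAL_WEIGHTS.items())
    return min(5.0, area.base_likelihood + boost)


def risk_score(area: AuditArea) -> float:
    return round(likelihood(area) * area.impact, 2)


def rank_audit_areas(areas, escalate_at=ESCALATE_AT):
    """Return (name, score, escalated) tuples, highest risk first."""
    ordered = sorted(areas, key=lambda a: (-risk_score(a), a.name))
    return [(a.name, risk_score(a), risk_score(a) >= escalate_at) for a in ordered]


def audit_plan(areas, capacity, escalate_at=ESCALATE_AT):
    """Names to audit this cycle: every escalated area, then the next-highest
    risks until `capacity` is reached. Escalated areas are never dropped."""
    ranked = rank_audit_areas(areas, escalate_at)
    plan = [name for name, _, escalated in ranked if escalated]
    for name, _, escalated in ranked:
        if len(plan) >= capacity:
            break
        if not escalated:
            plan.append(name)
    return plan


# Constructed sample data (not real audit records), deliberately unsorted.
SAMPLE_AREAS = [
    AuditArea("Document control", impact=2, base_likelihood=1),
    AuditArea("Supplier qualification", impact=5, base_likelihood=2,
              complaints=3, open_capas=2, recent_changes=1, prior_findings=2),
    AuditArea("Calibration records", impact=3, base_likelihood=3, open_capas=1),
    AuditArea("Change management", impact=4, base_likelihood=2,
              recent_changes=4, prior_findings=1),
]

if __name__ == "__main__":
    for name, score, escalated in rank_audit_areas(SAMPLE_AREAS):
        flag = "ESCALATE" if escalated else ""
        print(f"{name:<25}{score:>6.2f}  {flag}")
    print("Plan (capacity 2):", audit_plan(SAMPLE_AREAS, capacity=2))
```

The cap at 5 means a flood of complaints or open CAPAs cannot push an area off the scale, and the escalation rule in `audit_plan` is what stops a low-capacity cycle from quietly skipping a known mountain. The weights are the part a real programme would calibrate against its own history of findings.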


Find out why Qualsys has the UK's highest rated integrated management system software by arranging your own tailored 30-minute online demonstration.

In the tailored demonstration, you will see how you can: 

  • Have complete visibility over business risks
  • Embed risk-based thinking across your organisation 
  • Manage a holistic, joined-up audit program which drives value and business impact 


Request a demonstration

Topics: Risk Management, Risk Based Thinking, ISO 19011
