Risk based audit program - Audit-network Based Audit... · Federal Agency for the Security of the Food Chain Audit program 1 Risk based audit program ... Audit universe 40 sectors

Federal Agency for the Security of the Food Chain Audit program 1

Risk based audit program

27/03/2015

Tom Lierman

Internal auditor FASFC

Federal Agency for the Safety of the Food Chain

Belgium


• Audit program: set of one or more audits planned for a specific time

frame and directed towards a specific purpose

• Systematic Approach (5.1): “A systematic approach should be

applied to the planning, conduct, follow-up and management of

audits”

Audit process should:

• be the result of a transparent planning process identifying

risk-based priorities in line with the competent authority’s

responsibilities under Regulation 882/2004;

• form part of an audit program that ensures adequate

coverage of all relevant areas of activity and all relevant

competent authorities within the sectors covered by Regulation

882/2004 at an appropriate risk-based frequency over a

period not exceeding five years.

Audit program – Decision 2006/677


Goal of the audit program:

• prioritize the work of audit body because auditing each year each

process in detail is not possible

• risk based: putting the audit work capacity (volume) on the right

scope

The principles of the NAS working group “Risk-based planning for

audits of official control systems” were taking into account

Development of the audit program (2013-2014)


Issues in Belgium:

• Quality system: ISO 9001, ISO 17020, ISO 17025

• Belgian legislation: COSO/INTOSAI

• FVO: cycle of 5 year

Based on audit universe structure: split in 2 parts (2 risk universes):

• universe of processes: all processes of FASFC 47 processes

• universe of FBO’s sectors (production chain): all types of FBO’s

40 sectors

Development of the audit program (2013-2014)


47 processes

• All activities of our Agency are classified in 47 processes

• Based on the process map of the FASFC-processes

• Simplification by:

– Business plan

– Structure of our organization

– Previous audit universe

– List of executed internal audits since 2007

Risk analysis:

• which process is the most important/most vulnerable one?

• 8 criteria

Process universe


8 criteria to measure the vulnerability of processes

1. Process included in the core business of FASFC (control, sample

analysis, regulation) or related to the realization of strategic objectives

– Yes: 10 (certainly)

– + / - : 5

– No : 1 (certainly not)

2. Processes that support overall the QMS (10, 5, 1)

3. Geographical dispersion or dispersion between several external entities

– 20: process applicable in the local offices/laboratories/external entities of

the FASFC

– 1: process only applicable in the central office

4. Non-conformity in this process causes potential risk for human health?

– Yes: 30 (certainly)

– + / - : 15

– No : 1 (certainly not)


8 criteria to measure the vulnerability of processes

5. Non-conformity in this process causes a potential financial impact for

FASFC (10, 5, 1)

6. Non-conformity in this process causes a potential economic impact for

FBO’s (10, 5, 1)

7. Topics / themes submitted by Management or audit committee:

identification of a specific risk

– 30: yes

– 1: no

8. Date of the latest internal audit

– 1: less than 3 years

– 5: between 3 to 4 years

– 10: later than 4 years

Extra criteria:

- subjective choices by internal audit service (sooner or later)

- choices have to be documented



40 sectors

• All items/scopes with activities under the Regulation 882/2004 and

Directive 2000/29 are classified in 40 sectors

• Based on our “activity tree” of the FBO

• Simplification by:

– Business plan

– Previous audit universe

– List of executed internal audits since 2007

Risk analysis:

• We consider that all sectors are equally important

• Which sector is the most vulnerable one?

• 5 criteria

Universe of FBO sectors


5 criteria

1. Date of the latest internal audit (10, 5, 1)

2. Topics / themes submitted by Management or Committee:

identification of a specific risk (30, 1)

3. Date of the latest evaluation mission inside the Control

administration (10, 5, 1)

4. Date of the last FVO mission (10, 5, 1)

5. Public awareness concerning this sector / Press releases in the

latest year? (10, 1)

8 criteria to measure the vulnerability of sectors



Audit

universe

40 sectors

47 processes

Risk analysis

Process universe: 8 criteria Sector universe: 5 criteria

Scores Results

P

R

I

O

R

I

T

I

S

E


• Semi-quantitative

• Several scores/weights: 1/5/10 – 1/15/30 – 1/20 – 1/30

strengthen the weight to some risk criteria

• public health (core business)

• input of management & audit committee (perception of

specific risks)

• geographical dispersion or dispersion between several

entities

• Multi-annual approach: prospection on 3 year planning

• Reviewed annually

Risk based audit program


Coverage of the universes (2012 – 2016) Covered

2012 - 2016

index

S: Sector

P: Process

Sector

DG FASFC

Sector / Process

YES

NO

PARTLY

Main

scope

Part of

scopeMain scope

Part of

scopeMain scope

Part of

scope

S01 DIS Community:

Milk kitchen, camping, barrack, cultural centre, party

room, sports hall, shelter, refuge centre, youth hostel,

holiday centre, holiday village, day-care centre, central

institutional kitchen, school, children's shelter, hospital,

institution (municipal, regional, federal), boarding school,

dining area, refectory, rest home, maternity clinic, prison,

trading partnership, factory

PARTLY2013-04

2013-18

S02 DIS Ambulantory retail trade in food and HORECAPARTLY 2012-07

2013-04

2013-18

S03 DIS Non ambulantory retail trade in food

Food bank, bakery-patisserie, ice-cream maker, retail

trade in drinks, fruit and vegetables, fish shop, dairy

products, butcher, meat products, confectionery,

chocolate factory, grocery, mini-supermarket, night shop,

hypermarket, points of sale distribution systems, cultural

centre, cinema, school, gas station,...)

PARTLY 2012-07 2013-04

S04 DIS HORECA non ambulatory:

cafe, snack bar, fast food restaurant, chip shop, pancake

restaurant, restaurant, sandwichbar, domestic caterer,...YES 2014-04

S05 DIS Distributor of plants and other products that are unfit for

human consumption

garden centre, wholesale trade and retail trade,

ornamental plants, wood, bark, Petfood, Feed, pesticide,

fertilizer, seeds for sowing, packaging, material in contact

with food,...

PARTLY 2012-07 2013-06

S06 DPA Slaughterhouse (all varieties)PARTLY 2012-25 2013-17

S07 DPA Production animal trade, auction, stable wholesale trader,

cattle market, collection centres, animal transportYES 2012-03 2013-07

S08 DPA (poultry) hatchery, establishment poultry for reproduction

and selection2015

S09 DPA Establishment with milk producing animals and

transportation of milkPARTLY 2014-06

S10 DPA Establishment with production animals: bees, frogs and

snails, lagomorphs, crustaceans and molluscs 2015

S11 DPA Establishment with production animals: aquacultureYES 2014-08

Audit Universe FASFC 2012 2013 2014


6

8

33

14

5

28

21

6

20

0

5

10

15

20

25

30

35

Completely covered Partly covered not yet audited

Process universe

31/12/2012

31/12/2013

31/12/2014

Coverage of the universes (2012 – 2016)


9

5

26

13

8

19 19

8

13

0

5

10

15

20

25

30

Completely covered Partly covered not yet audited

Sector universe

31/12/2012

31/12/2013

31/12/2014

Coverage of the universes (2012 – 2016)

Documents

Risk based audit program - Audit-network Based Audit... · Federal Agency for the Security of the Food Chain Audit program 1 Risk based audit program ... Audit universe 40 sectors