Better Training for Safer Food Initiative


1 Better Training for Safer Food Initiative Risk-Based Audit Programme COURSE A: Training on Setting up and Implementing an Audit System Programme CA-D3-P12 & P13 Bratislava, Slovakia March 2017

2 Content
o The concept of risk
o Use of risk in the development of an audit programme
o Existing guidance

3 Concept of risk
Risk is the possibility that an event will occur and adversely affect the achievement of objectives. (enterprise risk management framework - ERM)
Risk is the effect of uncertainty on objectives. (ISO guide 73 on risk management)
Risk in the context of official controls is the probability of failure to comply with requirements or detect non-compliance by those who are responsible for either complying with animal health, animal welfare, plant health, feed and food law or for verifying compliance. It can be divided into three components: Compliance Risk, Official Control Risk and Audit Risk.

4 Some other concepts Audit universe Risk universe Risk assessment Risk appetite Risk strategy Risk management

5 Risks to be considered
o The concept of risk
o Use of risk in the development of an audit programme
o Existing guidance

6 Risks to be considered
Sanitary risk
  Consumer health
  Animal or plant health
Economic risk (impact)
Reputation risk
  Media, consumers, politicians
  Food / feed operators
International image risk
Organizational risk
Compliance risk...

7 Different types of risk apply

8 Overall risk level / Risk strategy
Risk management options (depends on risk appetite): Avoid, Share/transfer, Reduce, Accept
Action plan: set of measures
Example of a risk: not detecting non-compliance with relevant regulatory obligations during inspections
Avoid = Not possible, we need to do those inspections
Share = Food operator has final responsibility, external certification...
Reduce = Checklists, training, supervision...
Accept = Residual risk that remains...
Source scheme: IIA training on financial auditing, May 2010, Brussels

9 Inherent versus residual risk
Inherent risk: Total risk to an activity if no controls or other mitigating factors are in place
Controls & Mitigation
Residual risk: The risk that remains after putting controls or other factors in place

10 Different levels
Player: Sector / food operator
  Inherent risks: Chemical, physical, microbiological
  Controls / measures: GHP - GMP; HACCP
  Residual risk: Accepted residual risk by sector or operator
Player: Competent Authority
  Inherent risks: Chemical, physical, microbiological; Relative compliance risk of sector or operator
  Controls / measures: Official inspections; Sampling tests; HACCP audits; Certification; Licensing / registration
  Residual risk: Accepted residual risk by CA or by politicians (society)
Player: Internal audit
  Inherent risks: Failing controls or mitigation measures; Residual risks left by CA
  Controls / measures: Test effectiveness / efficiency of controls; Assess levels of residual risks
  Residual risk: Audit risk (deficiencies or too much residual risk is not detected)

11 Risk-based programme
Decision 677/2006 : result of a planning process identifying risk-based priorities at an appropriate risk-based frequency
Guidance in the published document "Planning for audit programme of official control systems"
o Assess the risk related to audit areas
o The audit programme is based on the result of the risk assessment

12 Objectives of risk-based planning
To contribute to consumer safety, animal health and welfare, plant health and increase stakeholder confidence in effective and efficient use of resources. This is achieved by ensuring that:
o audit universe(s) do not overlook any relevant areas;
o planning processes are able to identify and categorise main risks appropriately;
o the whole process is subject to regular review; and
o audit bodies (in case there are several) coordinate their planning processes.
Source: Planning for audits of official control systems,

13 Role management <-> auditors
Management:
o Risk assessment of risks in the food chain
o Drafting the MANCP
o Staffing, training, overall organization
o Monitoring
o RACM : Risk and Control Matrix
Auditors:
o Make (a draft / proposal of) the audit programme; it should be risk based
o Do audits and report on them.
o Assess the risk strategy of the CA and point out where risks are not sufficiently mitigated.
o When carrying out an individual audit, risk is an important consideration in defining scope / testing to do

14 Step 1 : define the audit universe
An inventory of all audit areas relevant to responsibilities of CAs that is compiled and maintained to identify possible areas for audit during the audit planning process.
Requirements
o Covers all requirements of applicable legislation
o The topics are defined and presented in a way that facilitates risk assessment and audit programming

15 Audit universe: Possible topics to audit (Author of these images: E. Sloth)

16 Sectors in the audit universe: Primary sector, Meat sector, Wholesale sector, Import, Retail sector (Author of these images: E. Sloth)

17 Step 2 : define the risk universe
Audit universe with risk categorisation applied to each audit area
Requirements
o Identify and assess risks to different potential audit areas
o Risk assessment includes the probability and consequence of an undesirable event
o The process should be documented

18 From audit universe to risk universe (e.g. 1 sector at a time): Primary sector, Meat sector, Wholesale sector, Import, Retail sector (Author of these images: E. Sloth)

19 Quantified risk-assessment
Risk is commonly determined by the formula
Estimation of : probability x impact
Impact : the impact when an event occurs
Probability : the likelihood that the event will occur
Other possible factors :
o cost
o detectability

20 How can you assess risk?
Factors: Reputational risk; Economic or political risk; Internal Control; Inherent Sanitary Risk; Change Complexity; Last Audit; Management Input; Incidents new risks; Fraud
Assess probability and the impact
Calculate a weighted average
Numeric Score

21 Scoring risks / audit areas Likelihood Impact

22 Use scoring?
YES
o Quantified
o Easier to compare scores
o Scores can be used to make certain scopes more or less important
o Less subjective
o Common methodology for different types of risk
NO
o Time consuming
o Auditors don't always have the knowledge
o Periodic review required
o Giving a score is also subjective
o Lower scoring areas might never be audited
o 677: audit everything in a 5-year period (subject to change)

23 Sanitary risk / emerging risks
o Inherent risk for consumer health, animal or plant health
o RASFF notifications
o New emerging risks in the food chain (e.g. radioactivity in Japanese products, E. coli O104, Schmallenberg virus...)
What is the role of the internal audit in handling emerging risks?

24 Inputs for risk : Management
Knows the business very well
Helpful in identifying key risk areas
Management is the audit's main client
Possible issues :
o no audits in certain (sensitive) areas
o too strong influence by management
o who is management exactly?
o auditors are no firemen!

25 Inputs for risk : change
o Legislation and authority
o Complexity of operations
o Changing reporting lines, ways of working, legislation, IT systems...
o Changes in staff, many people leaving the business
o New contractors
o Austerity measures and budget costs

26 Inputs for risk : Internal control Results of Management review Key Performance Indicators Complaints Continuing issues within an area or department Non-compliance with certain regulations FVO inspections

27 Inputs for risk : Previous audits
How long ago was the last audit performed?
Follow-up engagements could be planned according to the result of previous audits
Formalized <-> judgment auditors
Use of classification
o individual findings (A, B, minor, major...)
o overall audit result
Are audit findings scored by their importance in your country?

28 Inputs for risk : Quality standards Most quality standards ask for certain audit frequency for certified / accredited activities ISO 9001 : audit every scope at least once in every certification cycle ISO : all aspects of the standard audited every year ISO : yearly audit of quality system, all lab methods at least once in the accreditation cycle Environmental standards : ISO 14001, Emas

29 Inputs for risk : Political / economic priorities
o Economic importance of specific sectors
o Political parties and their program (e.g. animal welfare)
o History of incidents (e.g. dioxin in Belgium, animal diseases in some countries)
o Media exposure
o Overall acceptance of risk ("culture")

30 Step 2 : Producing the audit programme
The audit programme should:
o Be based on the risk assessment
o Cover all relevant areas of 882/2004 in a 5 year period
Different approaches based on risk:
o High(er) risk : multiple audits, horizontal and vertical approach
o Lower risk : horizontal scan
o Negligible risk areas can be considered as covered

31 Horizontal and vertical approach
Horizontal audit approach: when an audit focuses primarily on the implementation of general requirements e.g. Regulations 178/2002, 882/2004, 852/2004 or strategic objectives from the MANCP.
Some practical examples:
o Implementation and control of traceability systems in the meat sector
o Legal instruments for dealing with non-compliance
o Risk assessment and MANCP (inspections, sampling...)
o Crisis prevention and control
Vertical audit approach: when an audit focuses primarily on sector-specific requirements e.g. Regulation 853/2004, ABP Regulation, Feed Hygiene Regulation, Animal Welfare or BIP requirements.
Some practical examples:
o Sampling and testing on use of hormones in cattle meat
o Infrastructure and hygiene inspections in retail businesses
o Export certification of pigs
o Infrastructure and hygiene in cutting plants
o Plant import controls in a border post
Source definitions: Planning for audits of official control systems

32 Horizontal subjects in the audit universe: Primary sector, Meat sector, Wholesale sector, Import, Retail sector (Author of these images: E. Sloth)

33 Audit universe & coverage - Example 1 Import & intra-EU trade X Food production and wholesale Distribution (retail, B2C) X X Primary production X Slaughterhouses and the meat sector X

34 Audit universe & coverage example

35 Audit universe & coverage - Example 3 Source: Belgian audit universe situation on 31/12/

36 Step 4 : Review
Risk changes over time!
Yearly review of:
o Audit universe : complete and adequate
o Review risk ratings and priorities
o Update based on latest information
o For all areas under Regulation 882/2004
Keep a record of this review; the process should be auditable

37 Source: Planning for audits of official control systems,

38 Simple advice Effective, efficient and risk-focused auditors do not spend all the time behind their desk The essence of understanding risks is to perform audits, visit locations, interview people. The use of risk methodologies does not replace that

39 Thank you for your attention AENOR Consortium 6, Génova street Madrid SPAIN Tel: Mail: Better Training for Safer Food BTSF European Commission Consumers, Health and Food Executive Agency DRB A3/042 L-2920 Luxembourg