
3 October 2023

ASI supports a regular series of articles for the ASI Accredited Auditor Community of Practice, where auditors share with their peers testimonies on their auditing challenges and opportunities. This month, Vincent Douvernelle, ASI auditor accredited with GUTcert (AFNOR Group) since 2020, shares his recommendations for adopting a risk-based approach during an ASI audit.

Performing an ASI Performance Standard audit can be quite challenging as there are many criteria to consider and the time available is limited. Thus, to perform a consistent audit and have enough time to assess important criteria, it is highly recommended to adopt a risk-based approach.

In ASI audits, the risks in question are mainly those related to:

  • strong expectations of stakeholders (e.g. greenhouse gases, corruption, community engagement…)
  • complex social responsibility issues (e.g. responsible sourcing, criteria involving Indigenous peoples…)
  • new and/or complex ASI criteria (e.g. conflict-affected and high-risk areas, biodiversity and ecosystem services, those relating to disclosure of performance…)
  • areas where there may be insufficient operational controls in place.

Whilst most ASI auditors instinctively adopt a risk-based approach, adopting a methodical approach will improve efficiency. Let’s see how such a method can be applied.

The key phase takes place during the audit scheduling stage, when the auditor should identify the main risks of the Entity in its context. How to do so? Mainly by considering:

  • the data provided in the Entity’s self-assessment
  • the type of audit performed (initial, surveillance, …)
  • the level of maturity of the Entity and its current certifications (e.g. ISO 14001, 45001, …)
  • the newness or complexity of some criteria in the Standards
  • the auditor’s skills and knowledge about the Entity’s activity and context
  • the results of quick internet research on the Entity, its setting, size and scope of activities, including its Area of Influence
  • asking the Entity a few questions to get a better understanding of some specific aspects.

Once the main risks (typically fewer than 10) are identified, the auditor should use these to develop the audit agenda, ensuring that more time is scheduled for those criteria relating to the higher risks, and to select the stakeholders to interview during the audit.
Note: This risk identification is to be considered as a tool for the auditor. It is not shared with the Entity.

During the audit phase, riskier criteria will receive a stronger focus. Stakeholder interviews must be used to support the collection of information on those higher-risk aspects. As part of the evaluation of each criterion, aspects that should be further investigated will be sampled according to their risk level. Sampling may relate to the number of workers interviewed, the number of specific locations or work activities within the site to be observed, or the number of records cited and reviewed.

Finally, during the reporting phase, the auditor will also make sure that very precise evidence details are included in the report for the criteria with higher risks, in order to demonstrate the relevance and consistency of the audit. Typically, this should involve providing more detail in the Public Headline Statements for those criteria considered to be of higher risk, and certainly if and where a non-conformance has been identified.

In summary, the application of a risk-based approach to auditing is likely to require a little more effort initially during the planning phase; however, it will result in a more accurate, efficient and fit-for-purpose audit that provides more benefit to the Entity and its stakeholders.

