In this blog we will discuss the concept of risk-based auditing: the approach behind our AuditXP tool. According to ISO 19011, an audit is a “systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled”. The standard divides audits into three types: internal audit, external provider audit, and certification and/or accreditation audit. Internal audits aim to check, review, and improve internal (QHSE) management systems, while external audits aim to assess legal, regulatory, or certificate compliance. Therefore, the tasks include both in-depth auditing, such as checking the performance of specific barriers and safety activities, and general auditing, such as checking the compliance of management systems.

Advantages of risk-based auditing

A company commonly incorporates more than one formal QHSE-related management system (e.g. ISO 31001, ISO 45001, ISO 14001). Each management system contains a mass of information or a large number of documented sub-systems, and some of these are redundant. Risk-based auditing can help address these redundancies, since it focuses on the risky issues that matter across the multiple objectives of organizational management.

“Risk-based auditing is not about the risks involved in conducting an audit (‘audit risk’), but about how the main risks within the organization become the guiding principles of the auditors. This ensures that the results of the audit mainly concern those things that really improve the organization”1. CGE risk-based auditing using AuditXP derives from this thinking. It is not only a tool but an approach to achieve both risk control and regulatory compliance. With a software solution such as AuditXP, companies can implement risk-based auditing.


Risk-based auditing with AuditXP

CGE solutions focus on barrier-based risk management (Figure 1). This is a systematic approach to managing (QHSE) risks in an organization. By using the bowtie method, companies develop risk scenarios. To control the risks and achieve an acceptable or ‘ALARP’ level, barriers are implemented in the scenarios. To make sure that these barriers perform as they should, companies need to implement management activities on these barriers, e.g. planning, training, inspection, etc. Therefore, the three concepts of (i) bowtie, (ii) barrier, and (iii) management system are essential to barrier-based risk management. If you want to know more about the bowtie method, you can read one of our previous blogs.


CGE risk-based auditing provides a systematic way to implement barrier inspections, management monitoring, and compliance auditing. These implementations can be completely or partly assisted by using AuditXP. AuditXP is an add-on for the BowTieXP software package. It is used to generate barrier-related audit questionnaires or surveys. Therefore, we can use AuditXP to check the performance of safety barriers and their corresponding activities: (i) inspecting barrier performance, (ii) inspecting management performance, and (iii) checking regulatory compliance.

Figure 1. CGE risk-based auditing

1. Using AuditXP to inspect barrier performance

Barrier performance is a critical indicator of a company’s QHSE risk management. Barrier performance data are the key monitoring data in these management systems, since the barriers determine the quality of the risk control. Well-performing barriers can prevent chains of unwanted events from recurring; therefore they need continuous or regular inspection. How to assess these barriers’ performance is a controversial issue. Questioning is a direct way to obtain data about the barriers’ performance.

In AuditXP, you can design a survey for the performance of various barriers. First, you need to write specific questions that indicate the performance of a barrier, for example questions that assess the current reliability and availability of a hardware barrier. Thereafter, assign these questions to certain barriers. If you want to check only a selection of barriers, a targeted survey can be designed. After preparing the survey, you can distribute it to the people accountable for these barriers. After they have filled in all relevant information, the data is obtained by importing the answers through AuditXP (Figure 2).

Figure 2. An example of questions with answers in barrier performance

2. Using AuditXP to inspect management performance

The performance of safety barriers is directly affected by management systems (a set of planned activities). A proper condition of barriers requires good performance of the organization on different management aspects. For example, ISO 45001 suggests that an organization should have support such as resources, competence, awareness, etc. These resources, competence and awareness support the implementation of barriers from the organizational level down to the operational level. Assessing management performance is an important task for auditing. As management is delivered through activities, we can assess the performance of these activities. Management performance is a group of performance indicators for a company’s QHSE management.

By using AuditXP, you can also design a survey containing questions that focus on management activities instead of the barriers themselves. For example, a bowtie has a barrier “Defensive driving”, which is supported by an activity – “Defensive driving training” – to assure the barrier’s performance. In order to assess the barrier management, you can design questions regarding this activity. These questions are incorporated in different surveys, and upon completion of the surveys you can once again obtain the desired data (Figure 3).

Figure 3. An example of questions with answers in performance of management activities

3. Using AuditXP to check the regulatory compliance

Checking performance data of barriers and management activities provides explicit and reliable evidence for external auditing. Companies can use this data for their regulatory or statutory compliance. Third parties (e.g. external auditors) can also use AuditXP to implement external auditing.

In order to check if an organization’s QHSE management complies with a regulatory management system (e.g. ISO standards, API regulations, etc.), users first need to define the compliance framework and the objectives within it. These objectives should be described specifically, because they guide users in creating questions for the purpose of regulatory compliance.

AuditXP lets you connect objectives to the relevant barriers or activities. Users can then design a survey according to the objectives in a compliance framework and assign its questions to the corresponding barriers or activities. The answers to the questions in this survey indicate whether the organization achieves the objectives within that compliance framework. Besides answering the posed question, respondents can also provide comments on a barrier or an activity. Based on this data, you can determine the maturity level/quality of compliance with this framework.
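The three steps above share one data model: questions are assigned to a barrier or to a management activity that supports a barrier, answers come back per question, and each question may additionally be linked to an objective of a compliance framework. The following is an added illustration of that model and of the aggregation an auditor runs over the imported answers; it is not AuditXP’s code or data format. The “Defensive driving” barrier and “Defensive driving training” activity come from the text; the scoring scale, the framework name (a placeholder), the objectives, the questions and the answers are all constructed for the example.

```python
"""Constructed example of barrier-based audit data and its aggregation.
Not AuditXP's own code or data model; scale, framework and answers are made up."""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    target: str                      # barrier or management activity the question is assigned to
    objective: Optional[str] = None  # compliance-framework objective it evidences, if any


@dataclass(frozen=True)
class Answer:
    qid: str
    score: int        # constructed 0..4 scale: 0 = not in place, 4 = fully effective
    comment: str = ""  # respondents may add free-text comments on the barrier/activity


# Constructed bowtie fragment: the barrier from the text and its supporting activity.
BARRIER_ACTIVITIES = {"Defensive driving": ["Defensive driving training"]}

# Constructed compliance framework (placeholder name) with two objectives.
FRAMEWORK = "EXAMPLE-FRAMEWORK"
OBJECTIVES = {
    "OBJ-1 Competence": "Drivers are trained and competence is verified",
    "OBJ-2 Barrier effectiveness": "Critical barriers are in place and functioning",
}

QUESTIONS = [
    Question("Q1", "Are all drivers trained in defensive driving within the last 2 years?",
             "Defensive driving training", "OBJ-1 Competence"),
    Question("Q2", "Is training effectiveness verified by a practical assessment?",
             "Defensive driving training", "OBJ-1 Competence"),
    Question("Q3", "Do vehicle telematics show compliance with speed limits?",
             "Defensive driving", "OBJ-2 Barrier effectiveness"),
    Question("Q4", "Is the defensive driving barrier audited at least annually?",
             "Defensive driving"),  # internal check only, not tied to an objective
]

ANSWERS = [  # constructed responses, as if imported from a completed survey
    Answer("Q1", 4),
    Answer("Q2", 1, "No practical assessment; classroom only"),
    Answer("Q3", 3),
    Answer("Q4", 2, "Last audit 18 months ago"),
]


def score_by_target(questions, answers) -> Dict[str, float]:
    """Steps 1 and 2: average answer score per barrier or management activity."""
    by_qid = {q.qid: q for q in questions}
    buckets: Dict[str, List[int]] = {}
    for a in answers:
        buckets.setdefault(by_qid[a.qid].target, []).append(a.score)
    return {target: mean(scores) for target, scores in buckets.items()}


def barrier_support_score(barrier, questions, answers) -> float:
    """A barrier's combined score: its own questions plus those of its supporting activities."""
    per_target = score_by_target(questions, answers)
    targets = [barrier] + BARRIER_ACTIVITIES.get(barrier, [])
    return mean([per_target[t] for t in targets if t in per_target])


def objective_status(questions, answers, threshold=3) -> Dict[str, dict]:
    """Step 3: per objective, how many assigned questions reach the threshold,
    and which barrier/activity (with the respondent's comment) falls short."""
    by_qid = {q.qid: q for q in questions}
    result: Dict[str, dict] = {}
    for a in answers:
        q = by_qid[a.qid]
        if q.objective is None:
            continue  # not evidence for the compliance framework
        entry = result.setdefault(q.objective, {"met": 0, "total": 0, "gaps": []})
        entry["total"] += 1
        if a.score >= threshold:
            entry["met"] += 1
        else:
            entry["gaps"].append((q.target, a.comment))
    return result


def maturity_level(status) -> str:
    """Map the share of fully met objectives onto a constructed three-step maturity scale."""
    fully_met = sum(1 for e in status.values() if e["met"] == e["total"])
    ratio = fully_met / len(status) if status else 0.0
    if ratio == 1.0:
        return "compliant"
    if ratio >= 0.5:
        return "partially compliant"
    return "non-compliant"


if __name__ == "__main__":
    print("Scores per barrier/activity:", score_by_target(QUESTIONS, ANSWERS))
    print("Defensive driving (incl. activities):",
          barrier_support_score("Defensive driving", QUESTIONS, ANSWERS))
    status = objective_status(QUESTIONS, ANSWERS)
    for objective, entry in status.items():
        print(objective, entry)
    print(FRAMEWORK, "maturity:", maturity_level(status))
```

The `gaps` list is the part an auditor acts on: it ties a failed objective back to the specific barrier or activity and to the respondent’s comment, which is the evidence trail the text describes for external auditors.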

In summary, CGE risk-based auditing provides a systematic way to implement barrier inspections, management monitoring, and compliance auditing. These implementations can be completely or partly assisted by using AuditXP. Do you want to know more about the tool for this approach? Learn more here.