From: Fayyaz Ahmed
Sent: Feb. 10, 2015
To: Q-Blog, Ask the Experts
Subject: API Q1, clause 5.3, Risk Assessment and Management
Fayyez Ahmed asks the following about API Q1:
An organization started its transition from API Q1 8th to API Q1 9th edition during September 2013. They still had not performed risk assessment between June -Nov 2013. This organization was audited by the API during Jan 2014. However, API Auditor did not issued an AAR.
This organization is going to be audited during 2015, can API Auditor now issue an audit AAR because the organization did not conducted a risk assessment between June 2013 – Nov 2013?
From: ATCS QBlog
Received: Feb. 12, 2015
I think I understand your point, but as you are aware is up to the assigned API Auditor to use his/her professional judgment to determine if the issuance of an AAR is justified. API Q1, 9th edition does require a documented procedure for risk management. However, unless the content of the organization’s procedure is known and we also know what was included in the Auditor’s observations, interviews and review of other audit evidence, it’s not possible to know why no AAR was issued.
After observing recent API audits held at various client locations, I can say that these assigned Auditors did verify the existence of the required procedures. In addition, they did review supporting risk assessment records.
My advice to any organization that is to be audited during 2015, is to ensure that their QMS meets all specified API Q1 requirements by conducting effective internal audits. This should minimize the probability of major nonconformances found by the Auditor. Other points to be kept in mind include,
- Even the most experienced Auditor may miss something during an audit.
- Audit results only provide a snapshot of the quality management system and not a complete picture.
- Risk assessments are not static. They must be periodically reassessed to determine the present level of uncertainty, potential of occurrence, impact and need for contingency planning.
In my opinion, an Auditor’s review of records to confirm an organization’s conformance to requirements is not restricted to any time limit. So in reply to your question, yes the Auditor could go back to 2013 if he/she sees a need. But as already mentioned, this would be a decision made by the Auditor.
I hope this helps.
Bill Aston, Managing Director