ISO Auditing: How can you take your business to the ‘Next Level’?


Organisations that use ISO Management Systems enjoy many advantages. Even if you don’t plan to go for ISO certification, your business can extract great value from an internal audit and it can provide top management a realistic view of how likely they are to meet objectives.

There are so many reasons to think about audit as a partner in your management operations, so let’s dive into the world of ISO audits and discover the benefits.

Learn more about the Risk-based Auditing Approach! Download our FREE guide Risk-Based Approach to Auditing an ISO Management System.


An ISO audit can apply to an entire organisation or it may be applied to a specific function, process or production step. Some audits serve an administrative purpose, such as auditing documents, risk or performance or following up on completed corrective actions.

The formal definition of an ISO audit is found in ISO 19011:2018, Guidelines for Auditing Management Systems, which defines it as:

“the systematic, independent and documented process for obtaining audit evidence (records, statements of fact or other information which are relevant and verifiable) and evaluating it objectively to determine the extent to which the audit criteria (a set of policies, procedures or requirements) are fulfilled.” ISO 19011:2018 – Guidelines for Auditing Management Systems.


There are three main types of ISO audits:

  • First-party (internal)
  • Second-party (external / supplier)
  • Third-party (certification)

First-party Audit

An Internal Audit is conducted on a process or set of processes to ensure they meet the organisation’s internal requirements and is used for evaluating the effectiveness of the Management System. The value of the Internal Audit is that it takes a critical look at your company and how it operates and improves the effectiveness of risk management, control and governance processes.

Second-party Audit

A Second-party or Supplier Audit is valuable for strengthening a company’s supply chain and verifying that suppliers meet or exceed predetermined requirements. A Supplier Audit can prevent quality, environmental or health and safety issues from reaching your customers.

Third-party Audit

A Third-party or Compliance audit is carried out by a Certification Body (CB) and evaluates whether the Management System meets the requirements of a specific ISO standard. If successful, the Third-party Audit will provide the organisation with a certification of conformity with the given standard.

The ISO 19011:2018 standard stipulates that a third-party Auditor must acquire the necessary knowledge and skills to be employed by a CB and pledge to abide by a code of ethical conduct in the performance of an audit. ISO certification confers numerous benefits such as increasing your organisation’s credibility and enabling you to secure business.

Surveillance Audit

These audits are held in years one and two after initial certification and in years one and two following each recertification. The audit is conducted by a Certification Body.

Recertification Audit

These audits are held every three years, with a Certification Body performing the audit. The goal is to continue to demonstrate management’s commitment to, and ongoing improvement of, the Management System to ensure its effectiveness.


Knowledge of the ISO standard(s) and conducting effective interviews are essential parts of the Internal Auditor’s job. Unskilled auditors will collect little useful information and their interview questions are likely to elicit predictable answers which are of no value. So ensure that your Internal Auditors are properly trained.

Our ISO Auditor Training courses are an efficient way of doing this: View our public Auditor Training courses here or Sign Up for an Online Learning Course here.


Audits are aimed at enhancing productivity, detecting problems at an early stage and ensuring that policy and objectives are being followed by everyone in the organisation. Below is a roundup of the benefits offered by auditing your ISO Management System:

  • Audits help us to analyse the compliance of our process with respect to the set ISO standards.
  • Audits aid us in identifying our strengths and weaknesses, which are necessary for us to tackle the various opportunities and threats in our industry.
  • We are able to assess and identify the areas for improvement of our efficiency.
  • Audits help us to identify deviations from our objectives and goals and provide us with the opportunity to correct them.
  • Above all, audits help to bring about positive changes in departments by correcting the nonconformities observed and preventing them from recurring.


Are your Internal Auditors adequately trained to sufficiently audit ISO Management Systems?

Risk ZA’s focus is to conduct audits according to the new ISO 19011:2018 standard’s requirements which focus on a Risk-based Approach during the audit process.



Risk ZA assists businesses in Southern Africa make excellence a habit. We are experts in delivering a cost-effective route to ISO certification and make sure that ISO Management Systems work for you through our ISO Training, Auditing of Management Systems and our Consulting Services.

For more information about our wide range of training and consulting services, please contact our expert team on +27 (0) 31 569 5900, email info@riskza.com.


Producing Superior Quality Food To Protect Customers


The last couple of years have provided ample evidence that control of food safety is critical. Recent media reports have clearly shown severe shortcomings in the food industry that have threatened consumers’ health and safety.

Unsafe food is a risk for all of us – consumers can become seriously ill and the food industry can face costly corrective actions. These ongoing problems cry out for additional tools to reduce or eliminate risks. Communication and raising awareness of potential hazards throughout the entire food chain are crucial as food safety is a joint responsibility for all participating parties.

The ISO 22000:2018 Food Safety Management System aims to ensure that there are no weak links in the food supply chain.

Since ISO 22000 was first published in 2005, the standard has been well received by the food industry but new food safety risks prompted the need for a revision. The latest edition was published on 19th June 2018 and maintains a strong link to the Codex Alimentarius standards. It also addresses emerging food safety challenges and aligns the strategic direction of an organisation with its Food Safety Management objectives.


The ISO Food Safety Management System is flexible and can be used by all organisations in the food chain. By using the standard the food industry shares a common food safety language, thus reducing the risk of critical errors and maximising the use of resources. Enterprises that can apply the standard include:

  • Growers
  • Transporters
  • Packagers
  • Processors
  • Retailers
  • Bottlers, and
  • Restaurants


Food companies applying the ISO Food Safety Management System will be able to:

  • Embed and improve internal processes and provide consistently safe food.
  • Provide confidence that their organisation’s practices and procedures are effective and robust.
  • Assure customers and other parties through the certification process that food safety hazards are controlled and that their enterprise can provide safe products.
  • Continually improve their Food Safety Management System by reviewing and updating the system at planned intervals so that all activities related to food safety are always optimised and effective.
  • Ensure adequate control at all stages of the food supply chain to stop the introduction of food safety hazards.


To increase the acceptance of the ISO 22000:2018 Food Safety Management System and ensure that accredited certification programmes are implemented in a professional and trustworthy manner, the technical specification: ISO/TS 22003:2013 Food safety management systems – Requirements for bodies providing audit and certification of food safety management systems was published in 2007 and reviewed in 2016.


The British Retail Consortium (BRC) and the International Featured Standard (IFS) are standards that are recognised by many European retailers and are now required from suppliers of private-label goods.

BRC and IFS include provisions to prevent malicious acts (food defence) and to manage the authenticity of raw materials (food fraud). This is not the case with ISO 22000:2018 but the 2018 version allows for these provisions to be incorporated into the Food Safety Management System.


FSSC 22000, or Food Safety System Certification 22000, is a certification system which incorporates ISO 22000 and other requirements, in particular food fraud and food defence. FSSC 22000 is recognised by the Global Food Safety Initiative (GFSI) and can be used by many agri-food businesses.

All of the GFSI-benchmarked Food Safety Management Systems are based on the following three components, which must function as a system to minimise the risk of creating a food safety incident:

  • PRPs
  • Other requirements needed for a management system


Risk-based thinking plays a central role in the ISO 22000:2018 Food Safety standard. Organisations are given the tools to assess, identify and evaluate food safety hazards and address how to reduce their impact on consumers. ISO 22000:2018 follows the risk management principles outlined in the ISO 31000:2018 Risk Management standard but there are differences between the two standards.

Download our FREE Guide to learn about the importance of Risk-based Thinking in Food Safety Management.


Better processes
Dynamic control of food safety hazards through HACCP and PRPs is a cost-effective way of controlling food safety, from ingredients to production, storage and distribution.

  • HACCP (Hazard Analysis and Critical Control Points) requires that potential hazards are identified and controlled at specific points in the process.
  • PRPs (Prerequisite Programmes) stipulate the prerequisites for producing safe food in various food sectors.

Better competence
Workers learn good hygiene practices through training programmes.

Better infrastructure
Sites, production flows and factory layouts are arranged for satisfactory sanitary conditions.

Better planning
A clear project plan defines how, when and by whom risks and objectives should be managed.

Better teamwork
Effective communication helps employees work towards the same goal of food safety.

Better leadership
Management shows commitment to food safety through policies, resources and actions.

Better performance
Management reviews performance and objectives regularly to drive continual improvement.

Better documentation
Food safety policies, procedures, work instructions and records are carefully documented for reference.

Click here to read about ISO Document and Control procedures and Software Solutions.

The ultimate goal of the ISO 22000:2018 Food Safety Management System is to put good quality, safe food on the tables of consumers. Now that’s something to celebrate! Bon appétit!


Are you ready to update your Food Safety Management System?

Risk ZA offers a wide range of ISO 22000:2018 Food Safety Management Training courses. Grow your skills by attending our courses which are presented by leading industry experts. Click here to check the training course schedule and find the one that suits you best.

For more information and assistance, please contact our friendly team on +27 (0) 31 569 5900, email info@riskza.com.


Risk Management: Improving Business Performance with Proactive Risk Reduction


Business leaders navigate a complex environment in which the pace of change is rapidly accelerating and this has put pressure on companies to focus on risk management. The risk environment is equally challenging. Organisations are juggling a multitude of risks and it is becoming extremely difficult for enterprises to identify and reduce the impact of risk on their organisations. While managing the failure of critical assets is the top pressure, executives should not forget the risks associated with non-compliance, environmental, financial, logistical and supplier issues.

As such, Enterprise Risk Management (ERM) and Enterprise Resilience have become hot topics. But what are they and are they the same concept?

Enterprise resilience and ERM are related concepts that are associated with risk, but they are different. Enterprise Risk Management is a process that organisations use to rigorously identify, assess, manage and monitor risks that may affect their operations and objectives.

Enterprise resilience, on the other hand, is a capability. It describes an organisation’s capacity to anticipate and react to change that could represent opportunities and threats. Resilience includes two important components: organisational capacity and the ability to adapt and grow from a disruptive experience.


There are four stages to achieving enterprise resilience:

  • Stage 1 – prepare and plan for the risk event
  • Stage 2 – absorb the consequences of the risk event
  • Stage 3 – recover from the risk event
  • Stage 4 – successfully adapt to the risk event

ERM is the mainstay of Stage 1 and assists with the other three stages as it cuts across organisational silos and considers internal and external risks, such as cyber-attacks and natural disasters. In this way, ERM allows management to identify risks and absorb the negative impact and assists with recovery by allowing organisations to assess and mitigate risks and plan for adverse events.


A healthy corporate culture promotes long-term resilience. The opposite may also be true. If the board and senior leadership are too focused on containing incidents and minimising bad press to preserve reputation and share value, this may lead to inappropriate responses in crises, and to inappropriate strategies to prepare the company to bounce back better.

Your governance, your values and your stakeholder relationships all determine your resilience. So do your processes.


Good governance comprises four essential elements:

Transparency – being clear and unambiguous about the company’s structure, operations and performance, both externally and internally; and, maintaining a genuine dialogue with and providing insights to stakeholders and the market.

Accountability – ensuring that there is clarity of decision-making within the company; with processes in place to ensure that the right people have the right authority to make effective and efficient decisions; with appropriate consequences delivered for failures to follow those processes.

Stewardship – developing and maintaining a company-wide recognition that the organisation is managed for the benefit of its shareholders, taking into account the interests of other stakeholders.

Integrity – developing and maintaining a corporate culture committed to ethical behaviour and compliance with the law.


Almost all organisations have faced adversity at some point in their history. Those that prosper over long periods of time display a remarkable ability to bounce back from adversity time and time again and to create value in changing circumstances.

Business turbulence and disruptions need to be addressed in the same manner as any other material business risk. Directors have a duty to ensure that the organisations which they govern are sustainable through disruptive events and create a culture in which business opportunities are chosen wisely.

A sustainable organisation is able to quickly adapt and align its strategy, operations, management systems, governance structure, and supply chain to meet the challenges of significantly changing environments. It is also able to create competitive advantage by maximising opportunities in an informed manner.

Sustainability is not only about being able to respond to a single crisis or setback but about continuously anticipating and adjusting to trends that can permanently alter the viability of a business. Traits of sustainable organisations include:

A culture of sustainability – a clear purpose and a core set of values which are more than just platitudes. Leaders of sustainable organisations strive to make the purpose and value a compelling reality at all levels of the organisations. The measure of success of a culture of sustainability is the degree to which the organisation’s people, from the board down, are active participants in understanding and addressing the opportunities and risks associated with the achievement of the organisation’s objectives.

A strong understanding of risks aligned to business strategy – all strategies and all opportunities worth pursuing involve risks that must be monitored and managed. Risk management is about both protecting value and creating value.

Accurate monitoring and detection with relevant reporting to management and the board – reporting mechanisms to raise alerts about risks may also be used to identify opportunities.

Reliable and sustainable processes and infrastructure which balance efficiency with flexibility – contingency and recovery planning and competitive advantage are founded on risk-based analysis and are embedded in operational plans encompassing people, processes, systems and data.


The ISO 31000:2018 Risk Management standard provides principles and generic guidelines on risk management. The framework seeks to replace the myriad of existing standards, methodologies and paradigms that differed between industries, subject matters, and regions. It assists organisations to gain better control and visibility into the risks within their operations.

Cross-functional involvement and collaboration are the keys to a successful risk management and risk mitigation program and these are focus areas in the latest version of the ISO 31000:2018 Risk Management standard.

In a risk environment that is growing more perilous and costly, boards and business owners need to help steer their enterprises toward resilience and value by embedding strategic risk capabilities throughout the organisation. But how do you achieve this? Learn more! Download our FREE guide on How to Achieve A Best-In-Class Risk Management System.


Risk ZA works with organisations in numerous ways to help you understand and manage your risks.

Don’t miss our ISO 31000:2018 Introduction to Risk Management Public Training Event which aims to deliver better solutions for managing complex risks and identifying competitive advantages in an ever-changing business environment.

Gain invaluable insights into Risk Management principles and be in a position to establish best-in-class Risk Management practices. Visit our Training Schedule page to view when the next course is running in your area!

To book your seat, call our team on +27 (0) 31 569 5900, email info@riskza.com or complete our Online Booking Form.


ISO 31000:2018 Risk Management – Accelerate Business Performance


The World Economic Forum describes the current competitive business landscape in a word: disruptive. How well an organisation approaches risk management in a climate of volatility can affect its ability to make robust and informed strategic decisions and achieve its objectives.

Download our FREE GUIDE ISO 31000:2018 How do I get started? where we investigate the 8 Principles that set out the requirements for a risk management initiative.

Traditionally, risk management played a supporting role at board level. However, over the past decade, organisations have adopted the view that risk management must be embedded in the general management of an organisation, and fully integrated across an enterprise with functions such as finance, strategy, internal control, procurement, continuity planning, human resources, and compliance.

Voices of stakeholders have become louder in their demand for transparency and accountability in managing the impact of risk, and evaluating the ability of leadership to embrace opportunities. The use of technology and economic globalisation have made risks increasingly entwined, placing even more emphasis on sound risk management within any organisation.

To keep pace with a rapidly evolving world and future threats, the International Organization for Standardization published a revised version of its Risk Management Standard in February 2018. Essentially, ISO 31000:2018 reflects the evolution of risk management thinking from a separate ‘siloed’ activity to an integrated management function. The overarching strategy of the standard is to embed risk management best practices on a micro-level within organisations so as to manage threats that stand in the way of enterprises achieving their objectives, and create value by finding and exploiting opportunity. This should grab the attention of anyone looking to gain competitive advantage, improve operations, or reduce costs within their organisation.

ISO 31000:2018 - Five Things to Know

1. It is clear and concise

The standard delivers a clear and concise guide to help all organisations manage risks. Risk management concepts are simply explained, giving diverse organisations and people the ability to access the tools that can drive change in order to protect and create value. ISO 31000:2018 is supplemented by ISO Guide 73:2009, a vocabulary index used to support ISO 31000:2018, and ISO 31010:2009, which focuses on risk assessment concepts, processes and the selection of risk assessment techniques. ISO 31000:2018 has been trimmed down to just 15 pages, and the risk management principles reduced from 11 to 8, which streamlines the process for implementation.

2. It is easy to implement

All organisations make decisions that shape their future every day. ISO 31000:2018 provides guidance on how to manage uncertainty to meet objectives, and how to implement risk management to support strategic decision making. This promotes intelligent risk taking at all levels of a business. Risk management best practices promote critical thinking about the role of uncertainty in decision making, and encourage the identification, assessment, and treatment of uncertainty that can impact daily business activities. Small organisations with limited room for exposure to adverse internal and external risks now have the ability to access invaluable tools to create a tolerable risk environment and protect value.

3. It creates and protects value

Creating and protecting value is the central tenet of ISO 31000:2018. If processes are not adding value, they are simply adding costs. The standard helps enterprises improve performance by embedding risk management into all business decision-making processes and making risk-based thinking a daily activity.

4. It reinforces integration

Integration is mentioned throughout the standard. Here are a few examples:

  • Risk management should be part of the organisational purpose, governance, leadership and commitment, strategy, objectives and operations.
  • Properly designed and implemented, the risk management framework ensures that the risk management process is a part of all activities throughout the organisation.
  • The organisation should continually improve the suitability, adequacy and effectiveness of the risk management framework and the way the risk management process is integrated.
  • The risk management process should be an integral part of management and decision-making and should be integrated into the structure, operations and processes of the organisation.

5. It focuses on leadership

Support from top management is essential for successful implementation of the risk management framework and processes. Leadership support for risk management becoming a strategic planning and decision-making tool creates a risk aware culture at all levels of the organisation.


ISO 31000:2018 can help create and protect value for any organisation by providing a flexible framework. If individuals are given the tools to promote critical thinking on how uncertainty can impact meeting objectives then the organisation should see an increase in value from an integrated risk management framework.

Ready to get started?

Risk ZA is a leading provider of enterprise risk management training programmes, which aim to improve your business performance. Contact us on +27 (0) 31 569 5900, email info@riskza.com or visit www.riskza.com.

PLUS! Download our FREE GUIDE ISO 31000:2018 How do I get started? where we investigate the 8 Principles that set out the requirements for a risk management initiative.

For more information or guidance on which ISO standard(s) and services would best suit the needs of your organisation, please email Risk ZA at info@riskza.com or contact us on 0861 Risk ZA / +27 (0) 31 569 5900.
