Comments on Bittermelon 苦中作樂: Process-based Audit vs. Risk-based Audit
Feed updated: 2024-01-05T21:16:21.892+08:00 (7 comments)

bittermelon, 2009-11-12T14:01:06.473+08:00
I hadn't noticed that; let me go back and take a look ^^

Ebenezer, 2009-11-11T10:08:37.018+08:00
On the Control Matrix, I found an article in Internal Auditor Feb 09 (the IIA's bimonthly magazine), "A Risk-Centric Approach that works", which is also very well written.

Back to the topic: I also agree that although the process-based approach is starting to go out of fashion, it is still very valuable. For example, if you use the process-based approach for the first review and do thorough system documentation, especially Process/Document/Data flow charts, then audit planning and risk assessment for the next audit take half the effort for twice the result.

richmapoor ma, 2009-11-10T22:06:29.047+08:00
I don't quite understand; let me read up a bit first.

bittermelon, 2009-11-10T11:28:41.963+08:00
Hi Anonymous,
No problem. I will write an article on the risk-control matrix later. In general, if we are adopting a risk-based audit, we will list the risks first and match the relevant controls. If process-based, it will be vice versa. There are many types of risk-control matrix in practice. Please allow me to discuss this topic later, as more time is needed for preparation and composition.

Anonymous, 2009-11-10T11:09:48.673+08:00
Hi Bittermelon,

Is it possible for you to discuss further the risk chart and risk/control matrix?

From the net, I came across articles that mention many-to-many relations between risks and controls. Should I have the risks first and figure out the controls, or vice versa? Do you have any recommendation as to how the risk chart should be constructed?

Thank you.

bittermelon, 2009-11-09T10:01:30.468+08:00
Brother 劍虹:
I only know ISO9001 and ISO14001. You are right; I also think the former is process-based and the latter is risk-based.

Quality Alchemist, 2009-11-09T09:50:51.270+08:00
My observations:
Process-based audit -
ISO 9001 QMS

Risk-based audit -
OHSAS 18001 Safety MS
ISO 14001 Env MS
ISO 27001 Info Security MS

Many cases are hybrid audits.