We are audited by SGS and one of the findings is about the frequency of internal audit. We conduct our internal audit annually for each department against all clause applicable to the function of the departments. Once a department failed the internal audit, a reaudit will commence after 3 months to ensure the effectiveness of the department in implementing the organization's FSMS. Now, one of the non-conformity is for internal audit saying
"It was not evidenced that frequency of internal audit was determined based on risk with consideration to importance of processes concerned, changes in FSMS, results of monitoring, measurement and previous audits."
Can somebody give light to me in regard to the SGS finding? I have trouble in making a criteria as to what criteria I will develop, what does it include, and how I will schedule the internal audit throughout these criteria.