
ISO Management Systems Auditing in the New Era (Year 2020 and Beyond)

By Innocent Atasie¹, Dr. Michael C. Redmond², Rinske Geerlings³

Statement of the Problem


All over the world, travel restrictions, pandemic fright, the high cost of transport, legislative
pressures, political upheavals, currency devaluation, insecurity and hunger have affected us in
ways never imagined.
Two years ago, it was difficult to discuss the possibility of remote auditing at any
forum. The ISO 17021 and 19011 standards did not capture sufficient information on guidelines or
requirements for remote auditing, as it would have been quite a challenge to conceptualize
present-day realities.
It is quite interesting to note that many auditors across the globe have embraced the virtual
auditing approach, as it would not be fair to neglect an already existing certified management
system or deny new entrants the opportunity to have their systems certified.
Certification bodies, corporate organisations and even government organs have been faced
with high risks associated with remote auditing. These include disclosure of staff personal
information in an online gathering, disclosure of a company’s financials to all staff connected
to the platform including observers, nonconformity detection risk, and compromise in the
quality of audit results. These and many more issues have been on the increase! How do we
minimize classified information leakage? How do we ensure that the integrity of
management systems is maintained as we conduct audits on various platforms?
Some top executives have expressed concern, as many have been audited in the midst of
junior employees, which has prevented them from providing certain reliable
information.
A few other organisations have not switched from physical audit to virtual, hoping to
continue to latch onto concessions from certification bodies.
The challenge of retrieving documents is also imminent, as personnel who work from home
may claim that they have limited access to critical files. Here are a few other questions we
need to answer: should a teleworking policy be considered before remote audit work can
be performed? Is the sample size for evidence collection the same or different for physical and
remote audits, and is there any compromise?
There is an urgent need for harmonization of ISO management system remote audit
practice.

1. Introduction
Audit is defined according to ISO 19011 standard as a systematic, independent and
documented process for obtaining audit evidence and evaluating it objectively to determine
the extent to which the audit criteria are fulfilled. In order for an audit to be effective, it has
to be well planned and free from bias or prejudice, and records have to be maintained. Also, audit criteria
have to be defined, generally accepted, traceable to an authority and unambiguous.
ISO 17021 and 19011 mandate auditors to draw sufficient evidence or samples
representative of the activity or process, taking into consideration the time allocated.
Audit planning is an important aspect in the audit life cycle most especially at this time
when remote auditing has become almost inevitable. Planning will not yield desired results
when the following are not considered:
- Approval from certification body
- Effective communication with auditee organisation
- Upgrade of IT skill and infrastructure
- Selection and testing of IT platforms to be deployed for audits to ensure mic and
video capabilities
- Data subscription (ISP choice, especially in Africa)
- Implemented teleworking policy (although other non-IT standards did not consider
this aspect)
- Assurance of availability of documents and records
- Time zone differences
- Aspects that can only be audited with at least one competent person onsite (as in
the case of OHS audits)
- Agreements – non-disclosure, privacy, confidentiality across and within the
organisation
- Audit risk assessment.

2. Methodology
The ISO 27001 standard mentions audit methodologies. They include observation,
document review and interview. How do we ensure effective deployment of these
methodologies, including technical verification, while conducting a virtual audit?
i. Observation – what do you see, what have you noticed? Some clients decide to
turn off their videos during the audit; what’s your take on this? Do you observe
work processes, staff responsiveness, display of good conduct? How do you
manage retrieval response time? There is a risk of delay in retrieval of documents
in good time.
ii. Document review – do you have sufficient time to review documents on the
platform during the audit? Some clients do not give or share documents with
auditors before the audit. How do you minimize the risk of cloning of documents
while an audit is ongoing? Staff payroll, background check records and medical
history forms have to be reviewed by the auditor; the client would have to
decide who leaves the platform while such review takes place.
iii. Interview – this has to be conversational and not confrontational. The client has
to be given reasonable time to respond to questions. The auditor has to be able to
compare verbal responses with documented evidence, and should also take into
consideration facial expression and body language.
iv. Technical verification – how do we check the functionality or veracity of
equipment, plant, software or a process remotely? Time should be allocated to
verify conformance. The auditee is to perform verification while you observe and
ask further questions.

3. Results
Remote auditing is fast becoming the de facto method for conformity assessment in the
business assurance industry. It has yielded several benefits, including cost minimization,
elimination of wasted time, improved performance, improved IT awareness and infrastructure,
work flexibility and effective performance monitoring.

4. Conclusion
Remote auditing techniques can be standardized for ease of reference and to minimize risk
of unauthorized disclosure, leaks, sanctions, litigations and staff conflicts. A body of
knowledge for auditors is essential to drive accountability and competence.

References
ISO 19011: Guidelines for auditing management systems. International Organization for
Standardization, Switzerland, July 2018.
ISO/IEC 17021-1: Conformity assessment – Requirements for bodies providing audit and
certification of management systems. International Organization for Standardization and
International Electrotechnical Commission, Switzerland, June 2015.

Authors
1. Innocent Atasie
Innocent Atasie is the Managing Director and Chief Executive of G2GFM
Management Solutions Limited based in Lagos, Nigeria. He has audited over 50
companies in West and East Africa. He is also an ISO 9001, 27001, 14001 and 22301
certified lead auditor and trainer, a fellow of the Institute of Management
Consultants (IMC), Nigeria and a fellow of the Chartered Institute of Management
and Leadership (CIML), USA.

2. Dr. Michael C. Redmond

3. Rinske Geerlings
