1. Introduction
An audit is defined in the ISO 19011 standard as a systematic, independent and
documented process for obtaining audit evidence and evaluating it objectively to determine
the extent to which the audit criteria are fulfilled. In order for an audit to be effective, it has
to be well planned and free from bias or prejudice, and records have to be maintained. Also, audit criteria
have to be defined, generally accepted, traceable to an authority and unambiguous.
ISO 17021 and 19011 mandate auditors to draw sufficient evidence or samples
representative of the activity or process, taking into consideration the time allocated.
Audit planning is an important aspect of the audit life cycle, especially at this time
when remote auditing has become almost inevitable. Planning will not yield the desired results
when the following are not considered:
- Approval from certification body
- Effective communication with auditee organisation
- Upgrade of IT skill and infrastructure
- Selection and testing of IT platforms to be deployed for audits to ensure microphone and
video capabilities
- Data subscription (ISP choice, especially in Africa)
- Implemented teleworking policy (although other non-IT standards did not consider
this aspect)
- Assurance of availability of documents and records
- Time zone differences
- Aspects that can only be audited with at least one competent person onsite (as in
the case of OHS audits)
- Agreements – non-disclosure, privacy, confidentiality across and within the
organisation
- Audit risk assessment.
2. Methodology
The ISO 27001 standard mentions audit methodologies. They include observation,
document review and interview. How do we ensure effective deployment of these
methodologies, including technical verification, while conducting a virtual audit?
i. Observation – what do you see, what have you noticed? Some clients decide to
turn off their videos during the audit, what’s your take on this? Do you observe
work processes, staff responsiveness, display of good conduct? How do you
manage retrieval response time? There is a risk of delay in retrieval of documents
in good time.
ii. Document review – do you have sufficient time to review documents on the
platform during the audit? Some clients do not give or share documents with
auditors before the audit. How do you minimize the risk of cloning of documents
while an audit is ongoing? Staff payroll, background check records and medical
history forms have to be reviewed by the auditor; the client would have to
decide who leaves the platform while such review takes place.
iii. Interview – this has to be conversational and not confrontational. The client has
to be given reasonable time to respond to questions. The auditor has to be able to
compare verbal responses with documented evidence, and should also take into
consideration facial expression and body language.
3. Results
Remote auditing is fast becoming the de facto method for conformity assessment in the
business assurance industry. It has yielded several benefits, including cost minimization,
elimination of wasted time, improved performance, improved IT awareness and infrastructure,
work flexibility and effective performance monitoring.
4. Conclusion
Remote auditing techniques can be standardized for ease of reference and to minimize the risk
of unauthorized disclosure, leaks, sanctions, litigation and staff conflicts. A body of
knowledge for auditors is essential to drive accountability and competence.
References
ISO 19011: Guidelines for auditing management systems. International Organization for
Standardization, Switzerland, July 2018.
ISO/IEC 17021-1: Conformity assessment – Requirements for bodies providing audit and
certification of management systems. International Organization for Standardization and
International Electrotechnical Commission, Switzerland, June 2015.
Authors
1. Innocent Atasie
Innocent Atasie is the Managing Director and Chief Executive of G2GFM
Management Solutions Limited based in Lagos, Nigeria. He has audited over 50
companies in West and East Africa. He is also an ISO 9001, 27001, 14001 and 22301
certified lead auditor and trainer, a fellow of the Institute of Management
Consultants (IMC), Nigeria and a fellow of the Chartered Institute of Management
and Leadership (CIML), USA.
3. Rinske Geerlings