Modern technologies have changed the way we communicate and collaborate with each other more over the last five years (2007 - 2012) than they did over the previous twenty years (1987-2007), and even more than over the previous 110 years (1877-1987). New ways to collaborate that became available over the last several years include social networking, tele-presence, virtual group meetings, instant sharing of text, video and audio, as well as virtual content creation. New information technologies have pushed the boundaries of what seemed impossible in the last century, allowing real-time collaboration between people in remote locations.
        
        
Companies that offer certification, registration, and consulting services increasingly prefer virtual sessions over in-person visits. These technologies open a world of new possibilities for organizations but also introduce a number of challenges.
        
        
            
        
        
Risk-based audits have long been established in areas such as accounting and finance. The concept of risk-based audits was introduced to the area of management system auditing by the standard ISO 19011:2011 Guidelines for Auditing Management Systems. The standard recognizes that organizations need to focus auditing efforts on matters of significance to the management system. The risk management process, as defined by the International Standard ISO 31000:2009 Risk management — Principles and Guidelines, includes such elements as risk evaluation and analysis. These principles can be incorporated into the auditing process and help prioritize conclusions and results based on strategic goals. The ISO 19011:2011 standard also suggests how the risk management approach can be adapted to the auditing process to evaluate the risk of the process not achieving its objectives and the potential of the audit to interfere with the audited activities and processes.
        
        
            
        
        
The complexity of maintaining confidentiality is constantly increasing with the development of new information technologies. What information should and should not be shared via emails and messages? What levels of information security are provided by different types of software applications for screen sharing and virtual sessions? How can the security of information be ensured when large files are shared over the internet? What information security risks are assessed and controlled prior to the beginning of an audit or a consulting engagement? Every new technology that becomes available raises a new set of security questions that should be addressed by both parties: auditors or consultants, and their clients. ISO 19011:2011 states that “auditors should exercise discretion in the use and protection of information acquired in the course of their duties”. Since the information from the client is mostly acquired in electronic form through the use of information technologies, auditors and consultants need to become technically savvy in the proper handling of this information.
        
        
        
        
            
                 
Natalia Scriabina is Vice-President of Centauri Business Group, Inc., responsible for overseeing the portfolio of training courses and strategic partnerships.
        
        
            
        
        
            
        
        
Tuesday, June 05, 2012, 8:38:53 PM
        
        
Thank you Natalia, I did like your point about handling confidentiality which is the responsibility of each and every auditor. Well presented.
        
        
Sun, 03 Jun 2012 02:37:01
        
        
Good insight Natalia. Anyone that does not recognize that more and more audits, whether by choice or necessity, will be done remotely will be left behind. "Experts" told me that the hardware, bandwidth, and cost would be elusive to small businesses. Free programs like Skype are available with powerful features like screen sharing that aid in document / management review. More is needed but the point is technology is moving faster than most realize. In case we need more evidence the mandatory documents to ISO 19011 currently allow 30% of audit time to be conducted remotely. Registrars are already working on remote systems, and combining risk management with ISO 9001 or ISO based standards. Good Post Natalia.
        
        
            
                
                 
Wed, 08 Feb 2012 07:52:06
        
        
Risk based auditing is a concept we use on major projects here in West Africa. Through Quality trending and analysis of project management including engineering, supply chain, construction, commissioning and start up it is possible to focus on areas of concern with obvious benefits.
        
        
            
                
                 
Thu, 09 Feb 2012 08:08:31
        
        
I think it is a difficult task to be controlled and, as mentioned, there will be a number of challenges to be studied. In in-person visits you will deal with & depend more on the people, hard and soft copies, and observations you met & select, while by auditing remotely more than that, BUT HOW. It needs 100% software work and audit and a way of cross checking the information; all suppliers & customers must be under the same system, and this requires all certification, registration, and consulting services and the accreditation bodies to exchange the necessary information. And here Handling Confidentiality is very critical and challenging. Risk-based Auditing is very important to be improved in any kind of auditing (remote or in-person visits) by identifying/putting the objectives and evaluating the achievement.
        
        
            
                
                 
Mon, 13 Feb 2012 03:05:43
        
        
I hope you are doing well today. The blast email message that was sent out is somewhat misleading. While the new revision of ISO 19011 by definition introduces the concept of risk to management system auditing, the standard says, “The approach adopted relates both to the risk of the audit process not achieving its objectives and to the potential of the audit to interfere with the auditee’s activities and processes. It does not provide specific guidance on the organization’s risk management process, but recognizes that organizations can focus audit effort on matters of significance to the management system.” It does not specify how this can be accomplished. These concepts have yet to be included in the competency units for auditing of management systems for the RABQSA.
        
        
            
                
                 
Mon, 13 Feb 2012 19:35:54
        
        
            
Thank you for your comments! ISO 19011:2011 introduces principles of risk management and references the following standards on risk management:

- ISO 31000:2009 Risk management Principles and guidelines (issued in Nov 2009)
- ISO Guide 73:2009 Risk management Vocabulary (issued in Nov 2009)

Auditors of management systems should become familiar with the standards ISO series 31000 as an essential part of their continual professional development. As defined by 31000:2009, Risk Management:

a) “creates and protects value;
b) is an integral part of all organizational processes;
c) is part of decision making;
d) explicitly addresses uncertainty;
e) is systematic, structured and timely;
f) is based on the best available information;
g) is tailored;
h) takes human and cultural factors into account;
i) is transparent and inclusive.
j) is dynamic, iterative and responsive to change.
k) facilitates continual improvement of the organization”.

When the risk management “is an integral part of all organizational processes”, how can it be outside of the competency for auditing of process-based management systems? We encourage you to:

- read our interview with John Shortreed, PhD, who served as the Canadian representative to ISO Risk Terminology (Guide 73), and ISO 31000, a standard for risk management: http://c-bg.com/Blog/1012.aspx
- consider taking training on risk management: http://c-bg.com/training/CAR92.aspx
        
        
Thu, 16 Feb 2012 23:47:22
        
        
            
Now having been a Certified Audit Internationally for over 39 plus years, and having read the latest current revision of the Std., I guess I really just need to vent a little. First of all, the Standard has been developed in a very professional manner, and I take my hat off to the Revision committee. However, somehow I would like to see if there is a way to cross train Audit staffs for Municipalities, ICC-ES, IAS, etc. As somehow, when they read the standards, to create their own criteria, it is so bad sometimes, a cross reference matrix couldn't help. Agencies like ICC have now taken the words Quality manual out of their criteria, and replaced with Systems, and other changes in the ISO referenced standards, that makes it hard for an auditor to complete his task.

For example ICC-ES Criteria AC-10 for Quality manual has been revised 7 or 8 times in the past few years, thus eliminating most of the original ISO guidelines from 17020 and 17025 and replacing them with their own verbiage. I would say this would be fine if they made some sort of disclaimer statement indicating only portions of the ISO are included, but they just reference the standard, and it's up to the reader to find the difference. If they just want to use the standard as a guide, this is OK but they need to bold out a statement to this effect. My thought is simple! Put a usage/reference comment on each ISO standard on how they can or can not be referenced in a Non-ISO document.

Thanks for listing

Bill
        
        
Sun, 04 Mar 2012 17:53:05
        
        
I doubt remote auditing will work. I once tried sending out audit questionnaires and then followed up with an actual audit. I found the answers to the questionnaire lacking. Seems many people are not able to answer "no" on a questionnaire.