January 2012

Three concepts that outline the future of auditing

Natalia Scriabina
Auditing Remotely
Modern technologies have changed the way we communicate and collaborate with each other over the last five years (2007-2012) much more than they did over the previous twenty years (1987-2007), and even more than over the previous 110 years (1877-1987). New ways to collaborate that have become available over the last several years include social networking, telepresence, virtual group meetings, instant sharing of text, video and audio, and virtual content creation. New information technologies have pushed the boundaries of what seemed impossible in the last century, allowing real-time collaboration among people in remote locations.
Companies that offer certification, registration, and consulting services increasingly prefer virtual sessions over in-person visits. These technologies open a world of new possibilities for organizations but also introduce a number of challenges.
Risk-based Auditing
Risk-based audits have long been established in areas such as accounting and finance. The concept of risk-based audits was introduced to management system auditing by the standard ISO 19011:2011 Guidelines for Auditing Management Systems. The standard recognizes that organizations need to focus auditing efforts on matters of significance to the management system. The risk management process, as defined by the International Standard ISO 31000:2009 Risk management — Principles and Guidelines, includes such elements as risk evaluation and analysis. These principles can be incorporated into the auditing process and help prioritize conclusions and results based on strategic goals. The ISO 19011:2011 standard also suggests how the risk management approach can be adapted to the auditing process to evaluate the risk of the process not achieving its objectives and the potential of the audit to interfere with the audited activities and processes.
Handling Confidentiality
The complexity of maintaining confidentiality is constantly increasing with the development of new information technologies. What information should and should not be shared via emails and messages? What levels of information security are provided by different types of software applications for screen sharing and virtual sessions? How can the security of information be ensured when large files are shared over the internet? What information security risks are assessed and controlled before an audit or a consulting engagement begins? Every new technology that becomes available raises a new set of security questions that should be addressed by both parties: auditors or consultants, and their clients. ISO 19011:2011 states that “auditors should exercise discretion in the use and protection of information acquired in the course of their duties”. Since information from the client is mostly acquired in electronic form through the use of information technologies, this prompts auditors and consultants to become technically savvy in handling this information properly.

Natalia Scriabina is the Vice-President of Centauri Business Group, Inc., responsible for overseeing the portfolio of training courses and strategic partnerships.
Please share your experiences and thoughts on the topics discussed in the comments box below.
Older comments thread
Guest Tuesday, June 05, 2012, 8:38:53 PM
Thank you Natalia, I did like your point about handling confidentiality which is the responsibility of each and every auditor. Well presented.
Christian Lupo Sun, 03 Jun 2012 02:37:01
Good insight Natalia. Anyone that does not recognize that more and more audits, whether by choice or necessity, will be done remotely will be left behind. "Experts" told me that the hardware, bandwidth, and cost would be elusive to small businesses. Free programs like Skype are available with powerful features like screen sharing that aid in document / management review. More is needed but the point is technology is moving faster than most realize. In case we need more evidence the mandatory documents to ISO 19011 currently allow 30% of audit time to be conducted remotely. Registrars are already working on remote systems, and combining risk management with ISO 9001 or ISO based standards. Good Post Natalia.
Peter Mcgoff
Wed, 08 Feb 2012 07:52:06
Risk based auditing is a concept we use on major projects here in West Africa. Through Quality trending and analysis of project management including engineering, supply chain, construction, commissioning and start up it is possible to focus on areas of concern with obvious benefits.
Ghanem Aldoussary
Thu, 09 Feb 2012 08:08:31
I think it is a difficult task to be controlled and, as mentioned, there will be a number of challenges to be studied. In person visits you will deal & depend more on the people, hard and soft copies, observations you met & select, while by auditing remotely more than that, BUT HOW. It needs 100% software work and audit and a way of cross checking the information; all suppliers & customers must be under the same system, and this requires all certification, registration, and consulting services and the accreditation bodies to exchange the necessary information. And here Handling Confidentiality is very critical and challenging. Risk-based Auditing is very important to be improved in any kind of auditing (Remotely or Person visits) by identifying/putting the objectives and evaluating the achievement.
Carmine Liuzzi
Mon, 13 Feb 2012 03:05:43
I hope you are doing well today. The blast email message that was sent out is somewhat misleading. While the new revision of ISO 19011 by definition introduces the concept of risk to management system auditing, the standard says, “The approach adopted relates both to the risk of the audit process not achieving its objectives and to the potential of the audit to interfere with the auditee’s activities and processes. It does not provide specific guidance on the organization’s risk management process, but recognizes that organizations can focus audit effort on matters of significance to the management system.” It does not specify how this can be accomplished. These concepts have yet to be included in the competency units for auditing of management systems for the RABQSA.
Centauri Business Group, Inc.
Mon, 13 Feb 2012 19:35:54
Thank you for your comments! ISO 19011:2011 introduces principles of risk management and references the following standards on risk management:
  ISO 31000:2009 Risk management Principles and guidelines (issued in Nov 2009)
  ISO Guide 73:2009 Risk management Vocabulary (issued in Nov 2009)

Auditors of management systems should become familiar with the standards ISO series 31000 as an essential part of their continual professional development. As defined by 31000:2009, Risk Management:
a) “creates and protects value;
b) is an integral part of all organizational processes;
c) is part of decision making;
d) explicitly addresses uncertainty;
e) is systematic, structured and timely;
f) is based on the best available information;
g) is tailored;
h) takes human and cultural factors into account;
i) is transparent and inclusive;
j) is dynamic, iterative and responsive to change;
k) facilitates continual improvement of the organization”.

When risk management “is an integral part of all organizational processes”, how can it be outside of the competency for auditing of process-based management systems? We encourage you to:
- read our interview with John Shortreed, PhD, who served as the Canadian representative to ISO Risk Terminology (Guide 73), and ISO 31000, a standard for risk management;
- consider taking training on risk management.
Bill Tate Thu, 16 Feb 2012 23:47:22
Now having been a Certified Audit Internationally for over 39 plus years, and having read the latest current revision of the Std., I guess I really just need to vent a little. First of all the Standard has been developed in a very professional manner, and I take my hat off to the Revision committee. However, somehow I would like to see if there is a way to cross train Audit staffs for Municipalities, ICC-ES, IAS, etc. As somehow, when they read the standards, to create their own criteria, it is so bad sometimes, a cross reference matrix couldn't help. Agencies like ICC have now taken the words Quality manual out of their criteria, and replaced with Systems, and other changes in the ISO referenced standards, that makes it hard for an auditor to complete his task.

For example ICC-ES Criteria AC-10 for Quality manual has been revised 7 or 8 times in the past few years, thus eliminating most of the original ISO guidelines from 17020 and 17025 and replacing them with their own verbiage. I would say this would be fine if they made some sort of disclaimer statement indicating only portions of the ISO are included, but they just reference the standard, and it's up to the reader to find the difference. If they just want to use the standard as a guide, this is OK but they need to bold out a statement to this effect. My thought is simple! Put a usage/reference comment on each ISO standard on how they can or cannot be referenced in a non-ISO document.

Thanks for listing
Fred Krymis Sun, 04 Mar 2012 17:53:05
I doubt remote auditing will work. I once tried sending out audit questionnaires and then followed up with an actual audit. I found the answers to the questionnaire lacking. Seems many people are not able to answer "no" on a questionnaire.
© 2010-2018 Centauri Business Group, Inc. All Rights Reserved.