An Insight into the Importance of Audit Evidence
During an audit, objective audit evidence must be obtained and verified. This could include strategy, policy statements, internal documents, visual observations, emails or other types of evidence. The auditor uses such evidence to assess how well the organisation is adhering to the QMS and fulfilling requirements and expectations of customers and other key stakeholders.
Internal audits are valuable for identifying issues before an external audit to reduce the risk of the external auditor finding a significant nonconformity. A 3rd party certification auditor uncovering an issue has the potential to put certification at risk, cause brand damage or cost the organisation business, often costing more to fix than to prevent.
In addition to 3rd Party Certification, organisations choose to do internal audits for the ongoing monitoring, evaluation and improvement of their Management System and its processes. This cannot be achieved without the auditor successfully seeking to and obtain and verify, often substantial amounts of objective evidence.
Whatever the motive, internal audits need reliable evidence if they are to add value.
Why is audit evidence important?
Auditor decisions need to be based on verified objective evidence. It is critical for an auditor to be able to substantiate their audit decisions and subsequently report their audit findings and conclusions with a high degree of trust and integrity.
How is audit evidence obtained?
Face to face interview - Auditors collect evidence by asking a wide range of open, targeted, closed and other suitable types of questions. Each follow-on question (i.e. deep diving) will depend on previous question responses and evidences obtained. The interview will continue until critical process steps and controls have been checked to the auditor’s satisfaction.
Visual observation - Auditors observe the client’s business processes and operations to verify effective controls and performance or to identify deficiencies where controls and/or performance are non-existent or ineffective.
Analysis of data and information - Auditors analyse the client’s reports, databases, records, test results, etc, to verify conformance, compliance and effectiveness of processes. Choosing a suitable sample of data to analyse is important – you can’t look at everything!
Is the audit evidence good enough?
In the world of regulatory financial auditing, it is required that audit evidence must be sufficient and appropriate. Sufficiency measures and verifies the quantity of the audit evidence, while appropriateness refers to the quality of the audit evidence gathered and reported. Audit evidence for ISO Management Systems is no different. As an auditor gains in experience they will, like all professional auditors, develop that well known instinct or gut feel as well as using statistics, percentages etc to decide when their evidence is sufficient and appropriate.
Types of audit evidence?
There are several types of potential audit evidence. Whichever type is obtained purpose is to support verification of conformance, compliance and effectiveness of the management system with an aim to drive continual improvement.
Physical examination - Auditors gather physical evidence to verify whether the infrastructure being used in the organisation is suitable and appropriate for the intended purpose.
Documentary evidence - Auditors will gather documented information such as internal process documents, procedures, specifications, drawings, emails etc., which form the objective evidence to support their decisions/findings.
Oral evidence - It is critical to gather oral evidence. Any documented process or procedure relies on people following it so they should be able to tell you how things are done. Often there will be no requirement for documentation and oral evidence may be the only method of gaining evidence of conformance.
Conclusion
Management systems auditing is a profession and not just amongst 3rd party certification auditors. Audits, 1st, 2nd and 3rd party, should be planned, conducted and reported with the diligence that a profession demands and only then can we expect respect for our outputs.
The client also has the expectation that an auditor’s words are to be relied upon as professional judgments based on reality and not supposition.
The house of cards collapses when corners are cut in gathering audit evidence.
And when trust is lost it’s very hard to get back.
iqms Learning have a range of auditor training courses available, to view these please click here.