In a world of compliance with laws, regulations and standards, it can be difficult to know whether or not to trust an auditor’s report.

Trust is an important value in all business contexts, and here the Russian proverb “Trust, but verify” takes on its full meaning. Your trust rests on the work of auditors who verify and confirm compliance with the clauses of your contracts or obligations.

What would you think of a report “adapted” to systematically include recommendations for the purchase of additional equipment?

In a context where some people call themselves auditors without having the skills, expertise or depth to make such an assessment, how do you evaluate an auditor’s report?

How do you evaluate a supplier’s report showing that it is meeting its commitments?

In principle, the auditor and his or her report must be impartial and objective. In practice, there are a few things you can do to determine whether or not the auditor’s report is trustworthy.

Don’t take the quality of a report for granted; evaluate it.


Validate auditor independence

First and foremost, the auditor’s independence must be determined. This is essential in order to assess whether the audit opinion is objective and impartial.

What are the auditor’s interests? Does the auditor stand to gain or lose if a non-compliant item is discovered during the audit?

Evaluating the auditor’s relationships

Identify business relationships and ties. Does the auditor have a duty of loyalty that could compromise his neutrality or even his independence?

For example, if the auditor works for a firm that resells equipment or offers other related services, there may be an incentive to upsell and promote other products or services. The value of the report should lie in the document itself, not in what else the auditor can sell.

In another scenario, is the auditee the auditor’s biggest client? If so, the auditor will not have a free hand to contradict the client or to tell inconvenient truths.

Auditor’s competence and reputation

There are a number of ways to assess an auditor’s reputation and skills. For example, the auditor’s CV can be checked directly against public information (such as a LinkedIn profile).

Evaluate the auditor’s experience, knowledge, degrees and the relevance of his or her professional certifications (CISA, CISSP, Lead Auditor, CPA).

Take a closer look at previous work to get a better idea of the auditor’s capabilities.

Finally, obtain references and feedback from other organizations that have used the auditor’s services. In this way, it will be possible to assess the auditor’s competence and make a better decision for the organization.

Don’t forget to assess the skills of the firm that employs the auditor as well.

Determine the review process

We need to ask ourselves what the process is for reviewing the report itself. What quality assurance does the document go through?

More importantly, who does the quality assurance, the auditor’s employer or a third party?

We need to review the content of the report, meaning its technical substance and the reliability of its information, as well as its form: the presentation and whether the choice of words is appropriate.

In the case of an ISO-type external audit, the auditor’s report is first reviewed by the certification firm to determine whether all the information and evidence are included in the report and in the auditor’s notes.

This report is then cross-checked by the certification body of the country to which the company belongs (for example ANAB or UKAS; in Canada it is the Standards Council of Canada). If there is a problem with the auditor’s report, the company receives a notice of non-conformity of the report, and the end customer cannot receive his certificate of conformity to the audited ISO standard.

Review the type of framing

What is the auditor’s working environment? For example, is the audit being carried out against a specific standard or framework? This type of approach determines whether the work will be exhaustive or merely superficial.

If the auditor doesn’t work against a frame of reference, the result rests solely on his or her competence or incompetence.

Appeal process?

If the auditor, despite all his goodwill and skills, makes a mistake, is there a process for reviewing his report?

In some cases, only the supervisor reviews the complaint and makes the final decision. This model is not ideal: the supervisor is usually the one who did the quality assurance on the report, and is therefore not independent enough to judge the error and make corrections if necessary.

Evaluating the report itself

Finally, reviewing the document itself provides clues as to its depth and the level of assurance we can have in its quality.

  • Is the report of a standard size, and does it comply with the audited norms/standards?
  • Are the descriptions well documented, or just a few superficial lines?
  • One point that came up again and again in my experience: are the audited security measures relevant to the company being audited?
  • Is the auditor identified in the report, with contact details and an auditor’s licence number?
  • What is the auditor’s assessment procedure?
  • Have the scope and exceptions been properly documented?

What are the risks of a bad report?

You may well ask yourself what the risks are of doing business with just any auditor, since the aim is basically to obtain a SOC 2 report or an ISO certificate.

These days, the impact is not so great for the company, I grant you, but it is the Achilles’ heel of compliance work. Your customers and suppliers could lose confidence in your approach and demand more auditing and validation on your part, and you could lose all the benefits associated with the compliance work you’ve done to date.
