ISO Internal Audit Techniques - Assent Risk Management

Our ISO Auditors will use a variety of audit techniques to obtain the required objective evidence and achieve the objectives of each internal audit session. This blog explains those audit techniques in a little more detail, so you know what to expect.

Sampling

Using a representative sampling technique is one of the most effective ways to achieve the objectives of an audit.

This may include sampling of: data generated by a procedure, a product of a process or the occurrence of a policy.

In addition to this, sampling can be approached in two ways:

Judgement-Based Sampling

This is the most common form of sampling that our ISO auditors will undertake. It uses the knowledge, skills and experience of our team to determine ‘what’ should be sampled and the ‘size’ of a representative sample.

Statistical Sampling

A more technical approach is statistical sampling. This depends on the characteristics of the data-set, the size of the company, time allocated for the audit, frequency of audits and any other relevant factors which could influence the sample.

Statistical sampling requires more time at the audit planning stage, and will likely require additional input from the client in order to determine an effective statistical model.

Sample Risk

In both cases there is an element of ‘sample risk’, where a defect or non-conformity may not be captured in the representative sample. Or alternatively, the sample may capture a higher level of defect than exists in other areas of the system.

Observation

Our auditors may observe a work process in action or review a physical characteristic of the premises in order to determine whether a process is effective in achieving your intended outcomes.

This may be a passive observation while people carry on their work, or a guided walkthrough where the auditor will ask questions to gain a better understanding.

Testing

In some cases it may not be possible to sample or observe live data, for example if performing an activity creates unnecessary risk or disrupts the organisation too much.

For instance, this might apply to some business continuity processes.

In these cases a test of a procedure might be the most effective way to audit without affecting the organisation.

Interview

Since ISO’s Annex SL was introduced, demonstrating the commitment of the organisation’s leadership has been a core requirement, and one way to audit this is through interviews.

Our auditors may meet with people from across the organisation to ask them about different aspects of the management system. This is a good way to test awareness of key policies and procedures.

Data Analytics

Some processes may generate a large amount of data that can be analysed to determine if an intended outcome has been achieved.

While this is a more technical audit, it can be a useful technique for ISO Management Systems.

Document Review

Although most modern ISO Management System Standards have reduced the amount of mandatory documentation, most organisations will find that they generate some documents in order to operate the system more effectively, and become resilient to key staff leaving the business.

Particularly at the start of an auditor relationship, document reviews can be an unobtrusive way of understanding how you have built your management system.

It is also the method used during stage 1 of the external ISO certification audits.

Onsite vs Offsite

The majority of our audits are conducted Onsite, however with the emergence of video conferencing and other tools, it is increasingly becoming possible to execute some of the techniques above remotely.

The balance of Onsite and Offsite audits should be carefully considered at the audit programme planning stage, and it should be noted that some audit techniques can only be done Onsite.

Human Interaction Vs No Human Interaction

We believe that people are the most important asset to an organisation and therefore are the key to really understanding what is going on within a management system. Therefore most of our audit time will be spent working with members of your team.

However, as you’ve seen above, there are techniques that can be executed without disrupting your staff. Again, this should be carefully considered at the audit programme planning stage.

Managing Audit Risks

If not managed properly, audits can introduce risk in to the organisation, which of course we want to avoid.

There are times where the audit schedule may need to be adjusted, and our auditors will happily do that providing the audit objectives can still be met.

We also take the confidentiality of your organisation very seriously, and you can read about our Information Security controls here.

Do you need an ISO Internal Audit? Contact us to start your assurance programme.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
CONSENT	16 years 3 months 23 days 8 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.

Cookie	Duration	Description
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	These cookies are set via embedded youtube-videos.
yt-remote-device-id	never	These cookies are set via embedded youtube-videos.