ISO 27001-2005 Internal Audit Course

Information Security Management System ISO/IEC 27001:2005 Internal Audit

Upload: mohsen-mojabi

Post on 17-Jul-2016


DESCRIPTION

A presentation on ISO 27001:2005 Internal Audit. Copyright disclaimer: This presentation has been compiled using various materials available freely on the Internet. I neither hold nor claim any rights over it. All materials' copyrights belong to their esteemed owners and creators.

TRANSCRIPT

Page 1: ISO 27001-2005 Internal Audit Course

Information Security Management System ISO/IEC 27001:2005

Internal Audit

Page 2: ISO 27001-2005 Internal Audit Course

MANAGEMENT SYSTEM INTERNAL AUDIT FOR ISO/IEC 27001:2005

Page 3: ISO 27001-2005 Internal Audit Course

Topics

ISO/IEC 27007:2011 and 27008:2011

What is Audit?

Why is Audit Important?

What Makes Meaningful Audit?

What Types of Audit are there?

Outcome of Internal Audit Reports

Auditor Attributes

Auditor Responsibilities

The Audit Planning Process

Initiating the Audit

Page 4: ISO 27001-2005 Internal Audit Course

Topics

(Cont.)

Planning Output

Guidance When Conducting an Audit

Conducting Audit

How to Conduct an Audit

Why Checklist?

Questioning Techniques

Audit Evidence

Taking Notes

Page 5: ISO 27001-2005 Internal Audit Course

Topics

(Cont.)

Effective Communication

Audit Reporting and Follow-up

Conformity vs. Non-Conformity

What key things to look for and where?

Audit Report

Items that shouldn’t be included in the report

Following Up

ISO/IEC 19011:2011

Page 6: ISO 27001-2005 Internal Audit Course

ISO/IEC 27007:2011

ISO/IEC 27007 is part of a growing family of ISO/IEC Information Security Management System (ISMS) standards, the 'ISO/IEC 27000 series'.

Its current title is “Information technology -- Security techniques -- Guidelines for Information security management systems auditing”.

ISO/IEC 27007 reflects and largely refers to ISO 19011, the ISO standard for auditing quality and environmental management systems - “management systems” of course being the common factor linking it to the ISO27k standards. It provides additional ISMS-specific guidance.

Page 7: ISO 27001-2005 Internal Audit Course

ISO/IEC 27007:2011

ISO/IEC 27007 will provide guidance for those auditing ISMSs for various purposes other than certified compliance with ISO/IEC 27001 (which is covered by ISO/IEC 27006), purposes such as:

Internal auditing, for example for IT auditors to confirm that an organization's information security controls adequately mitigate its information security risks

External auditing, including IT audits conducted as part of financial audits

Page 8: ISO 27001-2005 Internal Audit Course

ISO/IEC 27007:2011 Structure

The standard covers the ISMS-specific aspects of compliance auditing:

Managing the ISMS audit program (determining what to audit, when and how; assigning appropriate auditors; managing audit risks; maintaining audit records; continuous process improvement)

Performing an ISMS audit (audit process: planning, conduct, key audit activities including fieldwork, analysis, reporting and follow-ups)

Managing ISMS auditors (competencies, skills, attributes, evaluation)

Page 9: ISO 27001-2005 Internal Audit Course

ISO/IEC 27008:2011

This standard (actually a “technical report”) on “technical auditing” complements ISO/IEC 27007. It concentrates on auditing the information security controls, whereas 27007 concentrates on auditing the management system elements of the ISMS.

Its current title is “Information technology — Security techniques — Guidelines for auditors on information security management systems controls”

Page 10: ISO 27001-2005 Internal Audit Course

ISO/IEC 27008:2011

This standard provides guidance for all auditors regarding “information security management systems controls” selected through a risk-based approach (e.g. as presented in a statement of applicability) for information security management. It supports the information security risk management process and internal, external and third-party audits of an ISMS by explaining the relationship between the ISMS and its supporting controls. It provides guidance on how to verify the extent to which required “ISMS controls” are implemented. Furthermore, it supports any organization using ISO/IEC 27001 and ISO/IEC 27002 to satisfy assurance requirements, and as a strategic platform for information security governance.

Page 11: ISO 27001-2005 Internal Audit Course

ISO/IEC 27008:2011

The standard:

Is applicable to all organizations, including public and private companies, government entities and not-for-profit organizations and organizations of all sizes regardless of the extent of their reliance on information

Supports planning and execution of ISMS audits and the information security risk management process

Page 12: ISO 27001-2005 Internal Audit Course

ISO/IEC 27008:2011

(Cont.)

Further adds value and enhances the quality and benefit of the ISO27k standards by closing the gap between reviewing the ISMS in theory and, when needed, verifying evidence of implemented ISMS controls (e.g. in the ISO27k user organizations, assessing security elements of business processes, IT systems and IT operating environments)

Provides guidance for auditing information security controls based on the controls guidance in ISO/IEC 27002

Page 13: ISO 27001-2005 Internal Audit Course

ISO/IEC 27008:2011

(Cont.)

Improves ISMS audits by optimizing the relationships between the ISMS processes and required controls

Supports an ISMS-based assurance and information security governance approach and audit thereof

Ensures effective and efficient use of audit resources.

Page 14: ISO 27001-2005 Internal Audit Course

ISO/IEC 27008:2011 vs. ISO/IEC 27007:2011

Whereas ISO/IEC 27007 focuses on auditing the management system elements of an ISMS as described in ISO/IEC 27001, ISO/IEC 27008 focuses on checking some of the information security controls themselves, such as (for example) those as described in ISO/IEC 27002 and outlined in Annex A of ISO/IEC 27001.

ISO/IEC 27008 “focuses on reviews of information security controls, including checking of technical compliance, against an information security implementation standard, which is established by the organization. It does not intend to provide any specific guidance on compliance checking regarding measurement, risk assessment or audit of an ISMS as specified in ISO/IEC 27004, 27005 or 27007 respectively.”

Page 15: ISO 27001-2005 Internal Audit Course

ISO/IEC 27008:2011 vs. ISO/IEC 27007:2011

Technical compliance checking/auditing is explained as a process of examining “technical” security controls, interviewing those associated with the controls (managers, technicians, users etc.), and testing the controls. The methods should be familiar to experienced IT auditors.

“Technical controls”, while not explicitly defined in the standard, appear to be what are commonly known as IT security controls, in other words a subset of the information security controls described in ISO/IEC 27001 and especially 27002.

Page 16: ISO 27001-2005 Internal Audit Course

What is Audit?

Definition:

“A Systematic, independent and documented process for obtaining audit evidence and evaluating it to determine the extent to which the management system audit criteria set by the organization are fulfilled."

Page 17: ISO 27001-2005 Internal Audit Course

Why is Audit Important?

To ensure conformance with requirements

To determine the effectiveness of Management System

To detect and correct non-conformities

To identify training needs

To highlight strengths as well as weaknesses

Page 18: ISO 27001-2005 Internal Audit Course

What Makes Meaningful Audit?

Good planning.

Cooperation and honest answers.

Full report of auditing.

Competence of the auditor.

Communicational skills.

Time management.

Follow up.

Page 19: ISO 27001-2005 Internal Audit Course

What Types of Audit are there?

1. First party audit

2. Second party audit

3. Third party/external audit

Page 20: ISO 27001-2005 Internal Audit Course

What Types of Audit are there?

First Party: An audit by the organization of its own systems and procedures. (Internal Audit/Self inspection)

Second Party: An audit conducted by its supplier/customer or an audit/consultant agency.

Third Party/External: An audit by a certification body which is commercially and contractually independent of the organization, its suppliers and customers.

Page 21: ISO 27001-2005 Internal Audit Course

Outcome of Internal Audit Reports

Non-conformity: Non-fulfilment of a requirement

Corrective action: Action to eliminate the cause of detected nonconformity

Preventive action: Action to eliminate the cause of potential nonconformity

Page 22: ISO 27001-2005 Internal Audit Course

Audit Criteria: Set of policies, procedures or requirements used as a reference against which audit evidence is compared.

Audit Evidence: Records, statements of fact or other information, which are relevant to the audit criteria and verifiable.

Audit Findings: Results of the evaluation of the collected audit evidence against audit criteria.

Page 23: ISO 27001-2005 Internal Audit Course

Auditor: Person with competence to conduct an audit.

Audit Scope: Extent and boundaries of an audit; generally includes a description of the physical locations, organizational units, activities and processes, as well as the time period covered.

Audit Plan: Description of the activities and arrangements for an audit.

Auditee: Organization being audited.

Page 24: ISO 27001-2005 Internal Audit Course

Auditor Attributes

Open-minded.

Diplomatic.

Decisive.

Firm.

Fair.

Patient.

Cooperative.

Able to analyze complex situations.

Page 25: ISO 27001-2005 Internal Audit Course

Auditor Attributes

Auditor should remain polite, calm and professional at all times.

Familiar with the purpose/scope

Listen to others

Speak clearly and carefully

Stay within the audit scope.

Communicate the audit requirements.

Collect evidence (for and against)

Document non-compliances.

Verify the corrective actions/compliances

Give compliments/appreciation for good things

Page 26: ISO 27001-2005 Internal Audit Course

Auditor Responsibilities

Complying with the audit requirement (e.g. remaining in scope, time management).

Planning and performing audit activities.

Reporting audit findings.

Verifying the effectiveness of corrective action.

Page 27: ISO 27001-2005 Internal Audit Course

Auditee Responsibilities

Informing employees about the objectives and scope of the audit.

Providing facilities needed by the audit team.

Appointing responsible staff to accompany members of the audit team to act as guides.

Co-operating with the auditor.

Ensuring auditors are aware of health and safety requirements.

Page 28: ISO 27001-2005 Internal Audit Course

Page 29: ISO 27001-2005 Internal Audit Course

The Audit Planning Process

Initiate / Prepare plan / Research / Communicate

Page 30: ISO 27001-2005 Internal Audit Course

Initiating the Audit

Define the audit objectives, scope and criteria.

Determine the time scale for the audit.

Initial contact with the auditee: establish communication, timing, request access to any documentation, confirm plan.

Research, particularly if the site has not been visited before.

Review the processes associated with the site.

Page 31: ISO 27001-2005 Internal Audit Course

Planning Output

Information about auditee.

Checklist.

Audit Plan.

Understanding of the audit criteria.

Page 32: ISO 27001-2005 Internal Audit Course

Guidance When Conducting an Audit

Auditing should be seen as a positive process, not as fault finding.

Audits need to be documented.

Prior to the audit date, an auditor needs to review the system documentation, corrective and preventive actions, and develop a checklist.

During an audit, an auditor needs to see evidence that the processes are being carried out in accordance with procedures and policies.

Page 33: ISO 27001-2005 Internal Audit Course

Conducting Audit

Obtaining Information by:

Interviewing people

Examining documents and records

Observing activities and conditions

Page 34: ISO 27001-2005 Internal Audit Course

How to Conduct an Audit

Refer to checklist.

Ask open-ended questions (how, when, where, what, who).

Examine evidence.

Take notes.

Page 35: ISO 27001-2005 Internal Audit Course

Why Checklist?

Focus the auditor.

Ensure issues are not forgotten.

Assist with reporting.

Help with time keeping.

Now prepare a checklist as an exercise!

Page 36: ISO 27001-2005 Internal Audit Course

Questioning Techniques

The funnel technique:

i. Open Questions

ii. Probing Questions

iii. Closed Questions

Page 37: ISO 27001-2005 Internal Audit Course

Audit Evidence

Record or Document

Physical Entity

Condition

Verbal Statement

Page 38: ISO 27001-2005 Internal Audit Course

Taking Notes

Record objective evidence for reporting. All necessary facts should be recorded.

If there is a need to follow up another issue later during the audit.

To record the details of the samples taken, including references to procedures.

To record that an area has been covered.

Page 39: ISO 27001-2005 Internal Audit Course

Effective Communication

Effective communication is vital in an audit scenario. Verbal and non-verbal communication must both be considered (it is not logical, it is psychological; it is what we do to give and get understanding).

Rapport: Voice, language, appearance/clothing, gesture, posture and expression

Page 40: ISO 27001-2005 Internal Audit Course

Effective Communication

(Cont.)

Active listening (means showing you are listening)

Keep eye-contact, show open body language (the impact of the spoken message is 7% verbal, 30% vocal and 55% facial)

Use commenting words

Page 41: ISO 27001-2005 Internal Audit Course

Audit Reporting and Follow-up

Audit findings:

Nonconformities

Observations:

Potential problem, ineffectiveness, inefficiencies

Noteworthy efforts:

High level of commitment and motivation

Adoption of best practice.

Page 42: ISO 27001-2005 Internal Audit Course

What is Non-Conformity?

Non-Conformity is the non-fulfilment of a requirement, for example:

Conditions of a contract

ISMS Standard

ISMS Control

Legal or regulatory requirement

Page 43: ISO 27001-2005 Internal Audit Course

Non-Conformity explained

There will be a non-conformity for one of three reasons:

a) the process does not comply with the requirements of the standard;

b) the process has not been put into practice in the way the procedure describes;

c) the practice (what is actually being done) is not effective, i.e. the required objective is not achieved.

Page 44: ISO 27001-2005 Internal Audit Course

Magnitude of Non-Conformity

Conformity: What exists is what should be.

(Major) Non-Conformity: What exists is significantly different from what should be.

Minor Non-Conformity: There are minor differences between what exists and what should be.

Page 45: ISO 27001-2005 Internal Audit Course

Major vs. Minor Non-Conformity

Major and minor nonconformities (as separate categories) are generally used only in certification audits (not so often in internal audits), and the main purpose is the following: if the auditor raises a major nonconformity, a company cannot get certified.

What is considered to be a major nonconformity?

If a company completely failed to fulfill a certain requirement – e.g., it didn’t perform management review at all, although this was required by the standard.

Page 46: ISO 27001-2005 Internal Audit Course

Major vs. Minor Non-Conformity

If your process has completely fallen apart – e.g., your procedure required you to perform backup once a day, whereas the backup was performed only a couple of times per month, randomly.

If a certification mark is misused – e.g., you claim to your customers that your product is ISO certified (certification of ISO management standards covers only the processes and management systems, not the products themselves).

Page 47: ISO 27001-2005 Internal Audit Course

Major vs. Minor Non-Conformity

If a minor nonconformity, raised during the previous audit, has not been resolved within the deadline – such a small nonconformity automatically becomes a major one.

If you have several minor nonconformities that are related to the same process or to the same element of your management system – e.g., you have several minor nonconformities related to your Human resources department: some of the training records are missing, not all employees are trained as they should be, some of the employment records are missing, etc. – this becomes a major nonconformity because there is obviously something very wrong with this department.

Page 48: ISO 27001-2005 Internal Audit Course

Nonconformity exists only if there is

Requirement

Failure

Evidence

NC = R + F + E
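Worked example, added here and not part of the original slides: a small Python triage helper that applies the rules from pages 45 to 48 together, namely NC = R + F + E (no nonconformity without requirement, failure and evidence), automatic escalation of an unresolved minor past its deadline, and several minors on the same process becoming one major. The field names, the sample findings and the cluster size of three are this example's own assumptions; the slides only say "several".

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Finding:
    """One audit finding. Field names are this example's own, not from any standard."""
    ref: str
    process: str                      # organisational unit / process the finding relates to
    requirement: str                  # R: clause, procedure or contract term that applies
    failure: str                      # F: what was observed not meeting it ("" if nothing)
    evidence: List[str]               # E: records, observations, statements (empty if none)
    severity: str = "minor"           # as raised by the auditor: "minor" or "major"
    complete_failure: bool = False    # requirement not fulfilled at all (no management review)
    process_collapsed: bool = False   # procedure exists but practice has fallen apart (backups)
    mark_misused: bool = False        # certification mark claimed for a product
    deadline: Optional[date] = None   # closure deadline for a minor carried over from last audit
    resolved: bool = False


def is_nonconformity(f: Finding) -> bool:
    """NC = R + F + E: all three must be present, otherwise it is at most an observation."""
    return bool(f.requirement) and bool(f.failure) and len(f.evidence) > 0


def classify(f: Finding, today: date) -> str:
    """Grade one finding as 'none', 'minor' or 'major' using the slide criteria."""
    if not is_nonconformity(f):
        return "none"
    if f.complete_failure or f.process_collapsed or f.mark_misused:
        return "major"
    # A minor from the previous audit that is still open after its deadline becomes major.
    if f.severity == "minor" and not f.resolved and f.deadline is not None and today > f.deadline:
        return "major"
    return f.severity


def triage(findings: List[Finding], today: date, cluster_size: int = 3) -> Dict[str, str]:
    """Classify every finding, then escalate clusters of minors on one process to major.

    cluster_size is an assumption of this example; the slides say 'several' without a number.
    """
    grades = {f.ref: classify(f, today) for f in findings}
    minors_by_process: Dict[str, List[str]] = defaultdict(list)
    for f in findings:
        if grades[f.ref] == "minor":
            minors_by_process[f.process].append(f.ref)
    for refs in minors_by_process.values():
        if len(refs) >= cluster_size:
            for ref in refs:
                grades[ref] = "major"
    return grades


def run_example() -> Dict[str, str]:
    """Constructed findings modelled on the slide examples; not real audit data."""
    today = date(2016, 7, 17)
    findings = [
        # Three related minors in HR: the slide's example of a cluster becoming a major.
        Finding("NC-01", "HR", "awareness training procedure (constructed)",
                "training records missing", ["sample of 10 training records: 3 not on file"]),
        Finding("NC-02", "HR", "awareness training procedure (constructed)",
                "not all employees trained", ["training matrix: 4 of 25 staff without course"]),
        Finding("NC-03", "HR", "personnel records procedure (constructed)",
                "employment records missing", ["2 contracts could not be produced on request"]),
        # Procedure says daily backup; practice is a few random backups a month.
        Finding("NC-04", "IT operations", "backup procedure: daily backup (constructed)",
                "backups run only a few times per month", ["backup job log for June 2016"],
                process_collapsed=True),
        # Management review required but never performed at all.
        Finding("NC-05", "Top management", "periodic management review (constructed)",
                "no management review held", ["no minutes or records exist"],
                complete_failure=True),
        # Minor from the previous audit, deadline passed, still open.
        Finding("NC-06", "Access management", "quarterly access review (constructed)",
                "Q1 access review not performed", ["no review sign-off for Q1"],
                deadline=date(2016, 5, 1), resolved=False),
        # Interviewee concern with no supporting evidence: observation, not a nonconformity.
        Finding("OBS-07", "Physical security", "visitor log procedure (constructed)",
                "visitors reportedly not always logged", []),
        # A single minor with nothing to escalate it.
        Finding("NC-08", "Supplier management", "supplier agreement review (constructed)",
                "one agreement lacks the security clause", ["contract SUP-12 (constructed)"]),
    ]
    return triage(findings, today)
```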

Page 49: ISO 27001-2005 Internal Audit Course

What key things to look for and where?

Tasks: work methods defined, efficiency

People: training, skills, competence and motivation

Equipment, Work Environment: identification, capability, condition, safety, sanitation

Documents / Records: identification, issue, content, correctness and distribution; retention, preservation, legibility, accessibility

Page 50: ISO 27001-2005 Internal Audit Course

Audit Report

Objectives

Audit scope

Identification of audit team

Date and place where the on-site audit activities were conducted

Audit criteria as findings

Reference documents against which the audit was performed

Conclusions

Page 51: ISO 27001-2005 Internal Audit Course

Items that shouldn’t be included in the report

Politically sensitive issues that bear no relevance to conclusions of the audit

Items not in the scope of the audit

Items not mentioned or discussed during the audit

Page 52: ISO 27001-2005 Internal Audit Course

Following Up

“FOLLOW UP” is the term given to the actions of verifying and assessing the effectiveness of corrective and preventive actions resulting from an audit.

Page 53: ISO 27001-2005 Internal Audit Course

ISO/IEC 19011:2011 GUIDELINES FOR AUDITING MANAGEMENT SYSTEMS

Page 54: ISO 27001-2005 Internal Audit Course

ISO 19011:2011

Is a management system auditing standard.

Used to carry out first or second party audits.

Can be used to:

establish an audit program;

enhance the effectiveness of an existing program;

improve auditing practices and processes.

Primarily proposed for auditing management systems based on the ISO/IEC 9000 and ISO/IEC 14000 groups of standards, but later expanded to all management systems like ISO/IEC 27000.

Page 55: ISO 27001-2005 Internal Audit Course

ISO 19011:2011 Explained: Audit Principles

A. Have integrity and be professional. Comply with all applicable legal requirements. Withstand the pressures that may be exerted and the influences that may affect your professional judgment.

B. Present fair and truthful results. Make sure that audit results are fairly presented. Make sure that important concerns are reported.

C. Exercise due professional care. Perform auditing tasks with due care and diligence. Make reasoned judgments in all audit situations.

Page 56: ISO 27001-2005 Internal Audit Course

ISO 19011:2011 Explained: Audit Principles

D. Care about confidentiality. Care about confidentiality and information security. Handle information with due care and discretion. Protect information that is sensitive or confidential.

E. Be independent and impartial. Be independent of the activities being audited. Be impartial and always be free of bias.

F. Use an evidence-based approach. Use an evidence-based approach to reach reliable and reproducible audit conclusions.

Page 57: ISO 27001-2005 Internal Audit Course

ISO 19011:2011 Explained: Audit Program

5.1. Create your audit program.

Establish a management system audit program.

Use your audit program to evaluate the overall effectiveness of your auditee’s management systems.

Monitor and measure the implementation of your management system audit program.

Review your management system audit program in order to identify possible improvements.

Page 58: ISO 27001-2005 Internal Audit Course

ISO 19011:2011 Explained: Audit Program

5.2. Set your program objectives.

Ensure that audit program objectives are established.

Make sure that your audit program objectives support and are consistent with management system objectives.

Consider all relevant information when you establish your audit program objectives.

Use program objectives to ensure that your audit program is implemented and applied effectively.

Use program objectives to direct audit planning.

Use program objectives to direct audit activities.

Page 59: ISO 27001-2005 Internal Audit Course

ISO 19011:2011 Explained: Audit Program

5.3. Establish your audit program.

5.3.1. Perform audit program management tasks.

Clarify the extent of your audit program.

Define auditors’ roles and responsibilities.

Develop procedures to manage the audit program.

Determine the resources that the program needs.

Implement and apply your audit program.

Establish records for your audit program.

Monitor your management system audit program.

Review your management system audit program.

Improve your management system audit program.

Discuss your audit program with top management.

Page 60: ISO 27001-2005 Internal Audit Course

ISO 19011:2011 Explained: Audit Program

5.3. Establish your audit program.

5.3.2. Clarify manager’s competence requirements.

Make sure that your audit manager is competent.

Make sure that audit manager has the competence to manage the program efficiently and effectively.

Make sure that your audit manager has the appropriate specialized knowledge and skills.

Ensure that audit manager continues to be competent.

Ensure that audit manager continues to carry out appropriate professional development activities.

Page 61: ISO 27001-2005 Internal Audit Course

ISO 19011:2011 Explained: Audit Program

5.3. Establish your audit program.

5.3.3. Specify the extent of your audit program.

Establish the extent of your management system audit program (its focus and reach).

Consider the nature of your audits.

Consider the nature of your audit criteria.

Consider the nature of the auditee organization.

Consider the nature of the systems being audited.

Consider the nature and results of previous reviews.

Page 62: ISO 27001-2005 Internal Audit Course

ISO 19011:2011 Explained: Audit Program

5.3. Establish your audit program.

5.3.4. Consider potential audit program risks.

Consider the risks that could potentially affect the achievement of your audit program objectives.

Identify and evaluate program planning risks.

Identify and evaluate program resource risks.

Identify and evaluate program staffing risks.

Identify and evaluate program implementation risks.

Identify and evaluate program record keeping risks.

Identify and evaluate program monitoring risks.

Identify and evaluate program review risks.

Page 63: ISO 27001-2005 Internal Audit Course

ISO 19011:2011 Explained: Audit Program

5.3. Establish your audit program.

5.3.5. Develop procedures to manage program.

Establish procedures to manage and control your management system audit program.

Use procedures to manage and control your management system audit program.

Page 64: ISO 27001-2005 Internal Audit Course

ISO 19011:2011 Explained: Audit Program

5.3. Establish your audit program.

5.3.6. Identify program resource requirements.

Identify financial resource requirements. Identify methodological resource requirements. Identify technological resource requirements. Identify human resource requirements.

Page 65: ISO 27001-2005 Internal Audit Course

ISO 19011:2011 Explained: Audit Program

5.4. Implement your audit program.

5.4.1. Apply your unique audit program.

Communicate and share pertinent information about the audit program with all relevant parties.

Define objectives for each individual audit.

Coordinate and control audit program activities.

Appoint competent audit team members.

Provide needed resources to audit teams.

Page 66: ISO 27001-2005 Internal Audit Course

ISO 19011:2011 Explained: Audit Program

5.4. Implement your audit program.

5.4.2. Define the focus of each individual audit.

Define and document the objectives that each individual audit should achieve.

Define and document the scope of each audit.

Define and document the criteria that individual audits use to assess conformity.

Page 67: ISO 27001-2005 Internal Audit Course

ISO 19011:2011 Explained: Audit Program

5.4. Implement your audit program.

5.4.3. Select methods for each individual audit.

Select and determine the methods that should be used to conduct audits.

Make sure that all audit managers agree on audit methods whenever two or more auditing organizations need to conduct a joint audit of the same auditee.

Page 68: ISO 27001-2005 Internal Audit Course

ISO 19011:2011 Explained: Audit Program

5.4. Implement your audit program.

5.4.4. Appoint personnel for each individual audit.

Appoint audit team members for each separate audit. Appoint an audit team leader for each separate audit. Appoint technical experts for each separate audit.

Page 69: ISO 27001-2005 Internal Audit Course

ISO 19011:2011 Explained: Audit Program

5.4. Implement your audit program.

5.4.5. Assign responsibility for individual audits.

Assign responsibility for an individual audit to a specific audit team leader.

Give the audit team leader enough time to plan the audit whenever audit assignments are allocated.

Give the audit team leader the information that he or she needs in order to carry out the audit.

Page 70: ISO 27001-2005 Internal Audit Course

ISO 19011:2011 Explained: Audit Program

5.4. Implement your audit program.

5.4.6. Manage your audit program outcomes.

Ensure that audit program outcomes are managed efficiently and effectively.

Ensure that audit findings are evaluated. Ensure that root cause analyses are reviewed. Ensure that remedial actions are reviewed. Ensure that audit reports are reviewed.

Page 71: ISO 27001-2005 Internal Audit Course

ISO 19011:2011 Explained: Audit Program

5.4. Implement your audit program.

5.4.7. Establish and maintain audit records.

Ensure that audit program records are established and maintained.

Ensure that a record of each individual audit is established and maintained.

Ensure that audit personnel records are established and maintained.

Page 72: ISO 27001-2005 Internal Audit Course

ISO 19011:2011 Explained: Audit Program

5.5. Monitor and modify your program.

Monitor the implementation of your program.

Modify your audit program whenever evidence indicates that change is required.

Page 73: ISO 27001-2005 Internal Audit Course

ISO 19011:2011 Explained: Audit Program

5.6. Review and improve your program.

Review your management system audit program.

Summarize your results and report to top management.

Improve your management system audit program.

Page 74: ISO 27001-2005 Internal Audit Course

ISO 19011:2011 Explained: Audit Activities

6.1. Manage your audit activities.

Perform audit activities that comply with your management system audit program.

6.2. Initiate your audit activities.

6.2.1. Conduct and control audit activities.

Make sure that an audit team leader is appointed for each individual audit.

Make sure that audit team leaders initiate management system audits.

Page 75: ISO 27001-2005 Internal Audit Course

ISO 19011:2011 Explained: Audit Activities

6.2. Initiate your audit activities.

6.2.2. Establish initial contact with auditee.

Establish communications with the auditee.

Confirm your agreement with the auditee.

Share information with the auditee.

Gather information about the auditee.

Request access to documents and records.

Make arrangements to conduct the audit.

Page 76: ISO 27001-2005 Internal Audit Course

ISO 19011:2011 Explained: Audit Activities

6.3. Get ready for your audit.

6.3.1. Perform document review.

Select management system documentation for review. Review auditee’s management system documents. Gather information to prepare for audit activities. Establish an overview of system documentation.

Page 77: ISO 27001-2005 Internal Audit Course

ISO 19011:2011 Explained: Audit Activities

6.3. Get ready for your audit.

6.3.2. Develop your audit plan.

6.3.2.1 Study source documents.

Allocate audit planning responsibility to team leader. Consider how you plan to conduct your audit. Think about how you intend to use your audit plan.

6.3.2.2 Prepare official audit plan.

Prepare your management system audit plan. Discuss your audit plan with the audit client. Present your audit plan to the auditee.

Page 78: ISO 27001-2005 Internal Audit Course

ISO 19011:2011 Explained: Audit Activities

6.3. Get ready for your audit.

6.3.3. Assign work to audit team members.

Consult with audit team members before assigning roles and responsibilities.

Assign roles and responsibilities to each auditor.

Hold team meetings or briefings whenever work assignments need to be changed or reallocated.

Page 79: ISO 27001-2005 Internal Audit Course

ISO 19011:2011 Explained: Audit Activities

6.3. Get ready for your audit.

6.3.4. Prepare audit working papers.

Prepare appropriate audit working papers. Use working papers to collect audit information. Control your audit working papers and records. Review your audit working papers and records.

Page 80: ISO 27001-2005 Internal Audit Course

ISO 19011:2011 Explained: Audit Activities

6.4. Carry out your audit.

6.4.1. Establish audit sequence.

Conduct your opening audit meeting.

Review auditee’s documents during your audit.

Communicate with participants during the audit.

Assign responsibilities to guides and observers.

Collect and verify information during the audit.

Develop and document your audit findings.

Discuss and prepare audit conclusions.

Present audit findings and conclusions.

Page 81: ISO 27001-2005 Internal Audit Course

ISO 19011:2011 Explained: Audit Activities

6.4. Carry out your audit.

6.4.2. Conduct opening meeting.

Plan your opening meeting.

Hold your opening meeting.

Introduce all participants.

Discuss communication channels.

Describe how the audit will be conducted.

Clarify your approach to risk management.

Explain how audit findings will be reported.

Confirm that support services will be available.

Specify the conditions that could cause the premature termination of the audit.

Identify feedback systems that the auditee could use to file a complaint or issue an appeal.

Page 82: ISO 27001-2005 Internal Audit Course

ISO 19011:2011 Explained: Audit Activities

6.4. Carry out your audit.

6.4.3. Perform document review.

Review relevant documents provided by the auditee. Decide whether or not documents are adequate. Use document review to gather relevant information. Consider reviewing documents throughout the audit.

6.4.4. Communicate during audit.

Consider establishing formal communication arrangements that can be used during the audit.

Communicate with audit team members. Communicate with the auditee and the audit client. Communicate with external agencies (as required).

Page 83: ISO 27001-2005 Internal Audit Course

ISO 19011:2011 Explained: Audit Activities

6.4. Carry out your audit.

6.4.5. Assign guides and observers.

Consider asking or allowing guides and observers to accompany your audit team.

Assign roles and responsibilities to your audit guides and observers.

6.4.6. Collect and verify information.

Select your information gathering methods. Collect information to support your audit findings. Record evidence used to establish audit findings. Address unusual evidence discovered during audit.


6.4.7. Generate your audit findings.

Establish audit findings by evaluating your audit evidence and comparing it with your audit criteria.

Discuss your audit findings with audit team members whenever necessary or appropriate. Review each nonconformity and its supporting evidence with the auditee so that the evidence is acknowledged as accurate before the closing meeting.

6.4.8. Prepare your audit conclusions.

Review audit findings and other related information. Discuss and consider your audit conclusions. Formulate and document your audit conclusions. Prepare recommendations (if audit plan requires it). Consider audit follow-up (whenever this is applicable).


6.4.9. Present findings and conclusions.

Plan your closing meeting. Hold your closing meeting. Explain your audit methods. Present your audit findings. Describe your audit conclusions. Make your recommendations (if appropriate). Discuss diverging opinions (if any). Develop a post-audit action plan.


6.5. Report your audit results.

6.5.1. Prepare your audit report.

Consider reporting options and plan your audit report. Prepare your management system audit report. Include or refer to your audit objectives. Specify or refer to the scope of your audit. Identify or refer to sponsors and participants. Mention or refer to your audit agenda. Discuss or reference your audit criteria. Present or refer to your audit findings. Document or refer to your audit conclusions.


6.5.2. Distribute your audit report.

Finalize your management system audit report in accordance with your audit program procedures.

Distribute your management system audit report in accordance with your audit procedures or audit plan.

6.6. Complete your audit.

Verify that your audit has been completed. Protect all audit documents and related information: working papers and evidence typically record control weaknesses and system details, so retain or destroy them as agreed between the parties and as your audit program procedures require, and do not disclose them unless the law requires it. Keep a record of lessons learned during the audit.


6.7. Follow-up on your audit.

Consider whether remedial actions should be taken. Ask auditee to provide remedial action status reports. Verify that remedial actions were actually taken.

ISO 19011:2011 Explained: Auditor Competence

7.1. Establish an auditor evaluation process.

Develop a process to evaluate audit team members. Plan the evaluation of your audit team members. Evaluate the competence of audit team members. Maintain the competence of audit team members. Improve the competence of audit team members.


7.2. Define auditor competence requirements.

7.2.1. Consider the work that auditors need to do.

Consider the work your auditors are expected to do when you think about the knowledge and skill they should have.

Consider the nature of your audit program. Consider the organizations to be audited. Consider the management systems to be audited. Consider the requirements that must be met.


7.2.2. Be a professional and have good character.

Behave in a professional manner and exhibit good character whenever you're acting as an auditor.

Be ethical (be truthful and honest). Be versatile (be adaptable and flexible). Be perceptive (be attentive and watchful). Be receptive (be willing to learn and improve). Be observant (be aware of your surroundings). Be collaborative (be capable of working with others). Be open-minded (be willing to consider alternatives). Be decisive (be able to draw timely conclusions). Be tenacious (be persistent and focused). Be self-reliant (be able to act independently). Be diplomatic (be tactful and try to be discreet). Be respectful (be sensitive to the auditee's culture).


7.2.3. Possess appropriate knowledge and skills.

7.2.3.1 Possess knowledge needed to achieve results.

Possess the knowledge and skill that you need in order to be able to achieve intended audit results.

Possess the knowledge and skill that you need in order to provide leadership to your audit team.


7.2.3.2 Possess necessary generic knowledge and skills.

A. Have generic auditing knowledge and skills.

Possess the knowledge and skill that you need in order to ensure that your audits are conducted in a systematic and consistent manner.

Be able to plan audits and organize work. Be able to collect appropriate information. Be able to prioritize and focus on important matters.


Be able to understand and use auditing knowledge. Be able to understand and consider expert opinion. Be able to verify accuracy of information collected. Be able to use working papers to record activities. Be able to evaluate the adequacy of audit evidence. Be able to meet confidentiality and security needs. Be able to document findings and conclusions. Be able to communicate clearly and effectively. Be able to stay on schedule and finish on time. Be able to prepare appropriate audit reports. Be able to comprehend auditing risks.


B. Have management system knowledge and skills.

Possess the knowledge and skill that will ensure that you comprehend your audit scope and apply your audit criteria.

Understand and know how to use audit criteria. Understand how management system standards have been applied by organizations in general. Understand management system components and how they interact with one another. Understand all relevant reference documents.


C. Have organizational knowledge and skills.

Possess the knowledge and skill that will ensure that you comprehend the auditee organization's structure, business, and management practices.

Understand organizational types and functions. Understand general business concepts and terms. Understand cultural and social characteristics.


D. Have relevant legal knowledge and skills.

Possess the knowledge and skill that will ensure that you are aware of, and will comply with, the auditee organization's legal and contractual requirements.

Understand relevant legal jurisdictions. Understand relevant governing agencies. Understand relevant legal concepts. Understand relevant laws and regulations.


7.2.3.3 Possess specialized auditing knowledge and skills.

Possess the discipline-specific and sector-specific knowledge and skill that you need in order to be able to audit specialized management systems and sectors, to evaluate auditees' activities, processes, and products, and to generate appropriate audit findings and reach valid conclusions.

Understand management system concepts. Understand legal requirements and obligations. Understand the expectations of interested parties. Understand discipline-specific fundamentals. Understand risk management methodologies.


7.2.3.4 Possess team leadership knowledge and skills.

Possess the additional management and leadership knowledge and skill that is needed in order to be able to ensure that audit teams are efficient and effective.

Understand how to manage the audit process. Understand how to communicate with people. Understand how to balance the strengths and weaknesses of individual audit team members.


Understand how to develop harmonious working relationships amongst audit team members.

Understand how to help audit team members reach reliable audit conclusions.

Understand how to prepare and complete accurate, clear, and concise audit reports.


7.2.3.5 Possess multidisciplinary knowledge and skills.

Possess the discipline-specific competence that you need in order to be able to audit multiple management systems that involve multiple disciplines.

Possess the competence needed to audit at least one of the management systems and understand how the various management systems interact.


7.2.4. Get appropriate auditing knowledge and skills.

Use formal education to acquire needed sector-specific and discipline-specific management system knowledge and skill.

Use practical training services to acquire the appropriate auditing knowledge and skill.

Use work experience to acquire general technical, managerial, and professional knowledge and skill.


7.2.5. Require audit team leaders to have additional experience.

Before leading audits, acquire additional audit experience by working under the direction and guidance of a different, knowledgeable audit team leader.


7.3. Develop auditor evaluation criteria.

Select qualitative auditor evaluation criteria. Select behavioral and character based criteria. Select knowledge and skill based criteria. Select quantitative auditor evaluation criteria.


7.4. Select auditor evaluation methods.

Select two or more auditor evaluation methods. Consider using record reviews to evaluate auditors. Consider using feedback to evaluate auditors. Consider using interviews to evaluate auditors. Consider using observation to evaluate auditors. Consider using audit reviews to evaluate auditors. Consider using testing to evaluate auditors.


7.5. Evaluate the competence of auditors.

Evaluate your management system auditors. Compare the information collected about the auditor against your particular auditor evaluation criteria. Help auditors to improve whenever they fail to meet your audit program's evaluation criteria. Encourage auditors to get more training. Encourage auditors to get more experience.


7.6. Maintain and improve auditor competence.

Maintain and continually improve the competence of both auditors and audit team leaders.

Update your professional development activities whenever relevant requirements change.

Establish suitable evaluation mechanisms that you can use to continually evaluate the performance of both auditors and audit team leaders.


Any questions?