Article Directory
Welcome to the TRECCERT article directory, where we feature news and insights on information security, data protection, business continuity, risk management and more. The information provided is based on research and acts as a valuable platform for ICT professionals to keep up with current developments, trends and more. To stay up to date and informed, check out the latest articles below.
Building the Right Team for a Management System Audit
The International Organization for Standardization (ISO) defines a management system as “a set of interrelated elements of an organization to establish policies and objectives, and processes to achieve its objectives”. Organizations conduct management system audits for various reasons, but mainly to ensure conformance to one or more management system standards, and compliance with applicable legislative, regulatory and contractual requirements.
ISO has developed a guideline standard known as ISO 19011, which provides guidance on management system auditing. The current version of the standard can be used for both internal and external audits of management systems in different disciplines (e.g. information security, business continuity, IT service management etc.).
Depending on the size and type of the organization, management system audits are conducted by single auditors or large audit teams. Usually, a management system audit team is composed of the lead auditor and other team members. The lead auditor is in charge of managing the audit team through all phases of the management system audit.
The number of audit team members depends on the objectives, scope and complexity of the management system audit. ISO 19011 divides the audit team members into two categories: members who can act as an auditor, and members who can be present during the audit but cannot act as an auditor. Members who can act as an auditor include additional auditors, technical experts and auditors-in-training. Members who cannot act as an auditor include observers, guides and interpreters.
The first and most important task of a lead auditor is to build an audit team that will provide support during any audit engagement. The effectiveness of an audit team depends on its knowledge, skillset and experience in a particular management system audit. ISO 19011 states that “confidence in the audit process and the ability to achieve its objectives depends on the competence of those individuals who are involved in performing audit”. Here are a few recommendations on how to assemble and maintain the right team for management system audits:
Identify the Core Competencies
Identifying the required educational background, skillset, abilities and audit experience of the audit team is key to recruiting the right team. The lead auditor is responsible for defining the competencies needed for specific roles within the audit team. ISO 19011 provides guidance in deciding the necessary competence of the audit team, which includes personal attributes, generic audit knowledge and skills, and discipline and sector-specific competence of management system auditors. Candidates for the audit team are assessed against the defined competencies during the application, interview and selection process.
Establish Clear Objectives and Goals
It is a known fact that employees perform better when they have a clear understanding of the company objectives and goals, which may also relate to conducting a management system audit. It is the responsibility of the lead auditor to determine the goal(s) of the management system audit in order to define the specific objectives. Objectives are crucial in achieving the audit goals. Clear objectives help the team members understand what is expected of them during an audit. Ultimately, objectives related to an audit goal are a set of audit activities to be conducted by the audit team members.
Build Trust
The bond between the lead auditor and team members is crucial for the success and quality of the management system audit. What creates such a bond? Building a trusted environment where mistakes are accepted. Acceptance of mistakes by the team members, including the lead auditor, helps the audit team create a learning culture in which individuals and the team improve. Honesty builds trust among the audit team members. Trust comes from sharing the same team values, being free to address issues, being encouraged to ask questions, and sharing individual perspectives and ideas.
Maintain and Improve Competence
The successful work of the audit team depends on retaining highly skilled management system auditors. One of the main factors in retaining employees, including audit team members, is providing professional development in the workplace. The lead auditor is responsible for anticipating the needs and requirements of the team members so that they can perform their duties. ISO 19011 mandates how an audit team can maintain and improve their competence. Professional development can be fostered through participation in management system audits, trainings, seminars, conferences and other events related to a specific management system discipline.