ISO 19011:2018 Clause 6.4.7 Collecting and verifying information

ISO 19011:2018 11 Minutes

During the audit, information relevant to the audit objectives, scope and criteria, including information relating to interfaces between functions, activities and processes should be collected by means of appropriate sampling and should be verified, as far as practicable.
Only information that can be subject to some degree of verification should be accepted as audit evidence. Where the degree of verification is low the auditor should use their professional judgement to determine the degree of reliance that can be placed on it as evidence. Audit evidence leading to audit findings should be recorded. If, during the collection of objective evidence, the audit team becomes aware of any new or changed circumstances, or risks or opportunities, these should be addressed by the team accordingly.
The Figure below provides an overview of a typical process, from collecting information to reaching audit conclusions.

Overview of a typical process of collecting and verifying information

Methods of collecting information include, but are not limited to the following:

  • interviews;
  • observations;
  • review of documented information.

During the audit, information relevant to the audit objectives, scope and criteria, including information relating to interfaces between functions, activities and processes should be collected by means of appropriate sampling and should be verified, as far as practicable. Collecting relevant information during the audit is essential to achieving the audit objectives and ensuring a comprehensive assessment of the audited system. Here are key considerations when collecting information during the audit:

  1. Relevance to Audit Objectives, Scope, and Criteria: Ensure that the information collected directly aligns with the established audit objectives, scope, and criteria. This ensures that the audit stays focused on the key areas of interest and provides meaningful insights.
  2. Identification of Interfaces: Pay particular attention to information related to interfaces between functions, activities, and processes. Understanding how different elements within the audited system interact is crucial for assessing overall efficiency, effectiveness, and compliance.
  3. Appropriate Sampling Methods: Use appropriate sampling methods to collect information. Sampling allows auditors to assess a subset of data or activities that are representative of the larger population. The selection of samples should be systematic and risk-based.
  4. Verification of Information: Verify the collected information to ensure its accuracy, completeness, and reliability. Verification methods may include cross-referencing with documented information, conducting interviews, and performing on-site observations.
  5. Practicability of Verification: Recognize that verification may have practical limitations. While efforts should be made to verify information as far as practicable, auditors should be mindful of constraints such as time, resources, and the availability of data.
  6. Documentation of Collection Methods: Document the methods used to collect information, including the sampling approach and verification processes. This documentation contributes to the transparency and traceability of the audit process.
  7. Risk-Based Approach: Adopt a risk-based approach to information collection. Focus on areas of higher risk or significance to the audit objectives, and allocate resources accordingly to gather in-depth information in critical areas.
  8. Consideration of Interdependencies: Consider how functions, activities, and processes interrelate and depend on each other within the audited system. Understanding these interdependencies provides insights into potential risks and areas for improvement.
  9. Structured Interviews: Conduct structured interviews with relevant personnel to gather information. Interviews are valuable for obtaining context, clarifications, and additional insights that may not be evident from documentation alone.
  10. Observations and Walkthroughs: Perform on-site observations and walkthroughs of processes. This hands-on approach allows auditors to see how activities are carried out in practice and provides a direct view of interfaces between different functions.
  11. Use of Technology: Leverage technology tools for data collection and analysis. Data analytics, process mining, and other technological solutions can enhance the efficiency and depth of information gathering, especially in complex systems.
  12. Continuous Monitoring: Implement continuous monitoring throughout the audit. Regularly reassess the relevance and sufficiency of the information collected, and adjust the approach as needed to address emerging issues or insights.
  13. Feedback from Auditee: Seek feedback from the auditee on the information collected. Collaborative communication ensures that the auditee’s perspective is considered, and any discrepancies or misunderstandings can be addressed promptly.

By adopting these considerations, the audit team can systematically collect and verify information that is directly aligned with the audit’s goals. This approach enhances the reliability and validity of audit findings, providing a solid foundation for drawing conclusions and making recommendations.

Only information that can be subject to some degree of verification should be accepted as audit evidence. Where the degree of verification is low the auditor should use their professional judgement to determine the degree of reliance that can be placed on it as evidence.

  1. Verifiability of Information: Audit evidence should be verifiable, meaning that it can be subjected to some degree of corroboration or confirmation. Verifiability enhances the reliability of the evidence and contributes to the overall credibility of the audit process.
  2. Professional Judgment: Auditors are required to exercise professional judgment in evaluating the verifiability and reliability of audit evidence. This involves considering the nature of the information, the source from which it is obtained, and the methods used to gather and corroborate the evidence.
  3. Degree of Reliance: The auditor’s professional judgment is crucial in determining the degree of reliance that can be placed on evidence with a lower degree of verification. Not all evidence carries the same weight, and auditors must assess the limitations and risks associated with less verifiable evidence.
  4. Corroboration of Evidence: When possible, auditors should seek corroborating evidence from independent sources. Corroboration adds strength to the overall evidence base and helps mitigate the risk associated with information that may be less verifiable.
  5. Audit Procedures and Techniques: Auditors employ various procedures and techniques to verify evidence. These may include physical inspection, confirmation with third parties, analytical procedures, observation, and inquiry. The choice of methods depends on the nature of the information being examined.
  6. Documentation of Judgments: It is essential for auditors to document their professional judgments regarding the verifiability and reliability of audit evidence. This documentation serves as a record of the basis for the auditor’s conclusions and provides transparency to external parties.
  7. Risk Assessment: Consideration of the degree of verification is closely tied to the risk assessment process. Higher-risk areas may require more rigorous verification procedures, while lower-risk areas may allow for a more flexible approach.
  8. Materiality Considerations: Materiality is another factor that may influence the level of verification required. Material items or transactions may warrant more extensive testing and corroboration to ensure the accuracy and completeness of financial statements.
  9. Communication with Management: Open communication with management is important. If there are limitations or challenges in verifying certain information, auditors should discuss these issues with management and seek additional explanations or alternative evidence where possible.
  10. Continuous Monitoring: Throughout the audit, auditors should continuously monitor the sufficiency and reliability of evidence. If unexpected issues arise, adjustments to the audit approach may be necessary.
  11. Independence and Objectivity: Auditors must maintain independence and objectivity when evaluating evidence. Any potential bias or conflicts of interest should be carefully considered to ensure the integrity of the audit process.

Audit evidence leading to audit findings should be recorded. Recording audit evidence is a critical component of the audit process. Proper documentation of audit evidence serves several important purposes, including transparency, accountability, and the ability to support audit findings. Here are key reasons why recording audit evidence is essential:

  1. Transparency: Documentation of audit evidence provides transparency into the audit process. It allows external parties, such as regulators, stakeholders, and other interested parties, to understand how the audit was conducted and the basis for the audit findings.
  2. Support for Findings: Recorded audit evidence serves as the foundation for audit findings. It provides a clear link between the information gathered during the audit and the conclusions drawn by the audit team. This documentation is essential for demonstrating the rationale behind audit findings.
  3. Accountability: Proper documentation holds auditors accountable for their work. It allows for a review of the audit process and provides a basis for internal and external oversight. Clear records enable auditors to justify their decisions and actions during the audit.
  4. Quality Control: Documentation supports quality control within the audit process. It allows for internal and external reviews to assess the adequacy and appropriateness of audit procedures, ensuring that the audit meets professional standards and regulatory requirements.
  5. Communication with Stakeholders: Recorded audit evidence facilitates communication with stakeholders. It enables auditors to share relevant information with management, audit committees, and other stakeholders, fostering a shared understanding of the audit outcomes.
  6. Future Reference: Well-documented audit evidence provides a basis for future reference. This is valuable for follow-up audits, continuous improvement efforts, and for addressing inquiries or challenges that may arise after the completion of the initial audit.
  7. Risk Management: Documentation supports effective risk management. In the event of disputes or legal challenges, thorough records of audit evidence can be crucial in demonstrating that the audit was conducted in accordance with applicable standards and ethical principles.
  8. Consistency and Continuity: Proper documentation ensures consistency and continuity in the audit process. If multiple auditors are involved or if the audit is conducted over a period of time, well-maintained records help maintain a cohesive and standardized approach.
  9. Demonstration of Due Professional Care: Recording audit evidence is a demonstration of due professional care. It aligns with the principles of professional skepticism and diligence, showing that auditors have systematically gathered and assessed information to form their conclusions.
  10. Legal and Regulatory Compliance: Documentation of audit evidence is often a legal and regulatory requirement. It helps auditors comply with professional standards, regulatory expectations, and legal obligations, providing a defensible position in case of legal challenges.
  11. Facilitation of Peer Reviews: Clear and comprehensive documentation supports peer reviews and quality assurance processes. Peer reviews involve the examination of audit documentation to ensure that audit work meets established standards and requirements.
  12. Ethical Considerations: Recording audit evidence supports ethical considerations in auditing, including independence and objectivity. It reinforces the commitment to impartiality and the pursuit of truth in the audit process.

Auditors typically maintain working papers, which are organized files containing the documentation of audit evidence. These working papers provide a structured and systematic record of the audit process, from planning through to reporting. Thorough and well-organized documentation enhances the credibility and reliability of the audit and is a hallmark of professional audit practice.

If, during the collection of objective evidence, the audit team becomes aware of any new or changed circumstances, or risks or opportunities, these should be addressed by the team accordingly. Addressing new or changed circumstances, risks, or opportunities during the audit is a crucial aspect of maintaining the relevance and effectiveness of the audit process. Auditors need to be responsive to dynamic environments and be prepared to adapt their approach as necessary. Here are key considerations in addressing new or changed circumstances during the collection of objective evidence:

  1. Continuous Monitoring: Implement continuous monitoring throughout the audit process. Regularly assess the audit environment for any changes in circumstances, risks, or opportunities that may impact the audit objectives, scope, or findings.
  2. Real-Time Assessment: As the audit team collects objective evidence, be attentive to any indications of new or changed circumstances. Assess the potential implications of these developments on the audit process and outcomes in real time.
  3. Communication within the Audit Team: Foster open communication within the audit team. Encourage team members to promptly report any new information or changes they become aware of during the evidence collection process. This promotes a collaborative and informed approach.
  4. Risk Assessment and Mitigation: Reassess the risk landscape if new risks or opportunities emerge. Consider the potential impact on the audit objectives and develop mitigation strategies to address these factors effectively.
  5. Adaptation of Audit Procedures: Modify audit procedures as needed to account for new or changed circumstances. This may involve adjusting the scope of testing, incorporating additional audit procedures, or revising the audit plan to address emerging issues.
  6. Documentation of Changes: Document any changes made to the audit plan or procedures due to new circumstances. Clear documentation ensures transparency, provides a rationale for decision-making, and facilitates the review process by internal and external stakeholders.
  7. Communication with Stakeholders: Communicate with relevant stakeholders, including the auditee and audit client, about any significant changes or emerging issues. Transparency in communication builds trust and ensures that all parties are aware of the evolving audit landscape.
  8. Consultation with Audit Program Management: Consult with the individual(s) managing the audit program. Seek guidance and input on how to address new circumstances or risks, and ensure alignment with the overall audit strategy and objectives.
  9. Reassessment of Materiality: Reassess materiality considerations in light of new circumstances. Changes in the business environment may impact the significance of certain items, necessitating a reevaluation of materiality thresholds.
  10. Flexibility in Audit Approach: Maintain flexibility in the audit approach. Recognize that unforeseen developments may require agility in adjusting audit procedures, timelines, or focus areas to effectively address emerging issues.
  11. Ethical Considerations: Consider any ethical implications associated with new circumstances. Ensure that the audit team maintains objectivity, independence, and integrity in responding to changes and avoids any potential conflicts of interest.
  12. Feedback Loop with Auditee: Engage in a feedback loop with the auditee. Seek input and clarification on any new information that may impact the audit, and work collaboratively to address emerging issues.

By proactively addressing new or changed circumstances during the evidence collection process, the audit team can enhance the agility and responsiveness of the audit. This approach ensures that the audit remains effective in achieving its objectives and that audit findings accurately reflect the current state of the audited system.

Methods of collecting information include interviews; observations; and review of documented information. Interviews, observations, and the review of documented information are fundamental methods employed by auditors to collect information during the audit process. Each method serves a distinct purpose and contributes to a comprehensive understanding of the audited system. Here’s an overview of each method:

  1. Interviews:
    • Purpose: Interviews involve direct communication between auditors and individuals within the auditee’s organization. The aim is to gather information, insights, and perspectives on various aspects of the audited system.
    • Process:
      • Conduct structured or unstructured interviews with key personnel, management, and other relevant individuals.
      • Pose specific questions related to the audit objectives, processes, controls, and compliance.
      • Encourage open communication to uncover nuances, challenges, and opportunities.
    • Benefits:
      • Provides firsthand information and insights.
      • Allows for clarification on ambiguous or complex issues.
      • Facilitates dialogue and collaboration.
  2. Observations:
    • Purpose: Observations involve direct, firsthand viewing of processes, activities, and conditions within the auditee’s organization. This method aims to verify the actual implementation of documented procedures and assess the effectiveness of controls.
    • Process:
      • Physically observe work processes, practices, and interactions.
      • Assess adherence to documented procedures and policies.
      • Note any deviations, variations, or areas of improvement.
    • Benefits:
      • Validates the practical implementation of documented processes.
      • Provides insight into the day-to-day operations and workplace culture.
      • Identifies potential discrepancies between documentation and actual practices.
  3. Review of Documented Information:
    • Purpose: The review of documented information involves the examination of policies, procedures, manuals, records, and other written materials. This method helps auditors assess compliance, consistency, and the effectiveness of the management system.
    • Process:
      • Analyze documented information such as policies, procedures, and manuals.
      • Examine records to verify the completion of specific activities.
      • Cross-reference documented information with observed practices and interview responses.
    • Benefits:
      • Assesses conformity with established criteria and standards.
      • Provides a historical perspective and evidence of compliance.
      • Supports the identification of areas for improvement.
  4. Combination of Methods:
    • Purpose: Often, auditors use a combination of methods to enhance the depth and reliability of information collected. The synergistic use of interviews, observations, and document reviews allows for a more holistic understanding of the audited system.
    • Process:
      • Integrate findings from interviews, observations, and document reviews to form a comprehensive assessment.
      • Corroborate information obtained through one method with data from another method.
      • Adjust the emphasis on each method based on the audit objectives and the nature of the audited system.
    • Benefits:
      • Strengthens the validity and reliability of audit evidence.
      • Offers a more nuanced and balanced view of the audited system.
      • Enhances the audit team’s ability to draw well-founded conclusions.

The effectiveness of the audit often relies on the judicious use of these methods, adapting them to the specific context and objectives of the audit. By combining these methods, auditors can gain a multidimensional view of the audited organization, promoting thoroughness and accuracy in the audit process.

Published by Pretesh Biswas

Pretesh Biswas has wealth of qualifications and experience in providing results-oriented solutions for your system development, training or auditing needs. He has helped dozens of organizations in implementing effective management systems to a number of standards. He provide a unique blend of specialized knowledge, experience, tools and interactive skills to help you develop systems that not only get certified, but also contribute to the bottom line. He has taught literally hundreds of students over the past 5 years. He has experience in training at hundreds of organizations in several industry sectors. His training is unique in that which can be customized as to your management system and activities and deliver them at your facility. This greatly accelerates the learning curve and application of the knowledge acquired. He is now ex-Certification body lead auditor now working as consultancy auditor. He has performed hundreds of audits in several industry sectors. As consultancy auditor, he not just report findings, but provide value-added service in recommending appropriate solutions. Experience Consultancy: He has helped over 100 clients in a wide variety of industries achieve ISO 9001,14001,27001,20000, OHSAS 18001 and TS 16949 certification. Industries include automotive, metal stamping and screw machine, fabrication, machining, assembly, Forging electrostatic and chrome plating, heat-treating, coatings, glass, plastic and rubber products, electrical and electronic equipment, assemblies & components, batteries, computer hardware and software, printing, placement and Security help, warehousing and distribution, repair facilities, consumer credit counseling agencies, banks, call centers, etc. Training: He has delivered public and on-site quality management training to over 1000 students. Courses include ISO/TS -RAB approved Lead Auditor, Internal Auditing, Implementation, Documentation, as well as customized ISO/TS courses, PPAP, FMEA, APQP and Control Plans. Auditing: He has conducted over 100 third party registration and surveillance audits and dozens of gap, internal and pre-assessment audits to ISO/QS/TS Standards, in the manufacturing and service sectors. Other services: He has provided business planning, restructuring, asset management, systems and process streamlining services to a variety of manufacturing and service clients such as printing, plastics, automotive, transportation and custom brokerage, warehousing and distribution, electrical and electronics, trading, equipment leasing, etc. Education & professional certification: Pretesh Biswas has held IRCA certified Lead Auditor for ISO 9001,14001 and 27001. He holds a Bachelor of Engineering degree in Mechanical Engineering and is a MBA in Systems and Marketing. Prior to becoming a business consultant 6 years ago, he has worked in several portfolios such as Marketing, operations, production, Quality and customer care. He is also certified in Six Sigma Black belt .

Published

Leave a Reply