7 Critical Steps to Pass Audits

There are 7 Critical Steps to Pass Audits. Carina takes you through these steps.


Introduction

During the past 15 years of my career, I was fortunate to hold various assurance positions in which I provided surety to boards and executive teams about global projects and the performance of those projects. I managed enormous budgets and had to account for every dollar, pound, euro and so on spent on each project. These projects were always under scrutiny from the project sponsors, and this required an evidence trail to support the internal and external reporting on the projects, as well as the payment milestones that had to be signed off by the clients.

As an international ISO standards trainer, advisor, and auditor, I have seen many companies struggling with the connection between the operationalisation of projects and keeping a current and valid evidence trail to ensure the success of management system implementation.

The article I am writing here will give you a short synopsis of the basic requirements to succeed with any combined assurance audit you will face in your career. Please use this article and template as part of your management system toolbox to ensure success for your business, your team and you.

Criticality of Documentary Evidence

To prepare for audits I have adopted two methodologies that support my analytical thinking and structure evidence gathering into 7 critical steps to pass audits. These two methodologies are:

  • P2ST2
  • Audit Evidence Reliability Model (AERM)

Each one of these methodologies will be explained below.

P2ST2 Methodology

This methodology addresses five categories of resources to generate audit evidence.

These five resources are documented in the table below:

Control Type    Description
People          Refers to human resources
Processes       Refers to administrative controls, e.g. policies, procedures, etc.
Systems         Refers to systems that rely on the manual input of data by a user
Tools           Refers to physical tools required, e.g. vehicles, buildings, equipment, etc.
Technologies    Refers to technologies that do not require the manual input of data and instead make use of artificial intelligence or machine learning, e.g. facial recognition on CCTV, speed cameras, etc.

Audit Evidence Reliability Model (AERM)

This model addresses the reliability of audit evidence. See the diagram below:

[Figure: Audit Evidence Reliability Model - AERM]

7 Critical Steps to Pass Audits - Structure Documents

The sections below will describe what is critical to provide as evidence in an audit.

Context of Organisation

To understand the context of the organisation it is crucial to understand the environment that the organisation functions in.

The following five documents are mandatory requirements as evidence:

  • Internal context analysis
  • External context analysis
  • Risk criteria
  • Stakeholder analysis
  • Scope document

Leadership and Commitment

Leadership support is demonstrated by visible leading and setting the tone for governance in any organisation.

The following three documents are mandatory requirements as evidence:

  • Policy
  • Roles and Responsibilities
  • Delegation of authorities

Planning

Planning covers the actions taken to address risks and opportunities in the organisation.

The following three documents are mandatory requirements as evidence:

  • Risk register
  • Objectives
  • Quality Manual

Support

An organisation supports a management system by making resources available with the necessary competencies and training as required.

The following seven documents are mandatory requirements as evidence:

  • List of Resources (P2ST2)
  • Training Plan
  • Competency certificates
  • Awareness plan
  • Communication plan
  • Document management plan
  • Master List of Documents (MLoD)

Operations

The organisation’s planned actions to implement/achieve objectives. This is the most critical clause in any standard and it changes from standard to standard.

The following three documents are mandatory requirements as evidence:

  • Operational plans
  • Results of risk assessments
  • Results of risk treatments

We are busy developing a unique Master List of Documents for the following standards:

  • ISO 9001 Quality Management System
  • ISO 18788 Security Operations Management System
  • ISO 22301 Business Continuity Management System
  • ISO/IEC 27001 Information Security, Cyber Security, Protection of Information Management System
  • ISO/IEC 27032 Cyber Security Management
  • ISO/IEC 27701 Privacy Information Management System
  • ISO 31000 Risk Management
  • ISO 37001 Anti-Bribery Management System
  • ISO 37301 Compliance Management System

Performance

Performance management drives the achievement of objectives. This is where performance links to the context of the organisation, the risk management, the planning, and the operations.

The following twelve documents are mandatory requirements as evidence:

  • Monitoring procedure
  • Measurement procedure
  • Analysis procedure
  • Evaluation procedure
  • Results of monitoring, measurement, analysis, and evaluation
  • Internal audit programme
  • Internal audit plan
  • Internal audit reports
  • Management review procedure
  • Management review agenda
  • Management reviews attendance
  • Management review report/minutes

Improvement

Continual improvement drives a future-proof organisation. This builds resilience to ensure that every organisation can deliver the products and services to its customers.

The following three documents are mandatory requirements as evidence:

  • Nonconformity and Corrective Actions Procedure
  • Nonconformity and Corrective Action Forms
  • Nonconformity register

Free Template Download

Complete the form on this page and we will send you a FREE Generic Master List of Documents Template as part of our 7 Critical Steps to Pass Audits. You can also Contact Us through our other channels.

Summary

Over my career of more than 35 years I have been audited and I have conducted audits across the globe. I have seen the stress and challenges that organisations face when I arrive as the 3rd party auditor, and my question is always: Why do they stress so much? Aren't they organised? Aren't they structured? Don't they have a strategy? Don't they know about the 7 Critical Steps to Pass Audits?

If they have this and follow the simple steps I have explained in this article, there is no need for stress. Instead, the audit becomes an opportunity to demonstrate your drive to succeed and to give the various teams in your organisation a chance to demonstrate their commitment to the objectives of the company.

Being audited can seem daunting but passing an audit can be a breeze with the "correct" documented information as evidence.

Be on the lookout for the next articles we will send out with a Master List of Documents (MLoD) for specific standards.
