What is Evidence-Based Auditing?
If we are looking for a definition, evidence-based auditing refers to records, or statements of fact, that can be verified. These records have to be relevant to the requirements of the standard. With that in mind, we can start looking into the persuasiveness and reliability of the different types of audit evidence found in ISO audits.
How do we Measure the Reliability of Evidence?
There are a number of factors that influence the reliability of evidence, and a level of professional judgment is needed to weigh them. Ask of the evidence:
- Appropriate – Is it relevant to what I am auditing? Let’s say I am looking at the job description of a person. If you give me the job description of someone else, it is not appropriate to the question that I am asking.
- Objective – Have I seen it myself, rather than relying on someone who sounds confident enough for me to believe them?
- Timing – How recent is the evidence, and what period of time does it cover? If I see records from 2 years ago, they might not be relevant to how the process is running right now.
- Independence of the source – Who has generated this evidence? For example, if an independent organization generated the evidence, it is very believable. Evidence generated within the organization can also be believed, but depending on how it is presented, the auditor may need more evidence to support it.
- Process for generating evidence – If, for example, I am shown records of how in-process testing is done in a manufacturing plant, that carries some weight. But if I am on the manufacturing line and see operators perform in-process testing and fill in the form, that is different. By being involved in the collection of the evidence, the auditor can feel more confident in the data – for example, seeing the auditee extract a report from a CRM or an ERP.
Types of Audit Evidence in an ISO Audit
There are 7 types of audit evidence in a typical ISO audit, and they are listed below in descending order of reliability. Physical evidence is the most reliable, and verbal evidence is the least reliable.
1. Physical Evidence
This type of evidence is tangible and, as a result, it is the most reliable and persuasive form of evidence that can be used in any internal or external audit. Due to its properties, physical evidence is highly sought in an audit. As an ISO consultant, my only suggestion for companies is to make use of processes that enable the easy extraction of physical evidence. This will go a long way in any audit! Examples of physical evidence include:
- Seeing fire protection devices
- Seeing labels on products as a means of traceability
2. Mathematical Evidence
I hope you like numbers, because mathematical evidence is evidence that can be calculated by the auditor. This is another highly reliable type of evidence. Numbers and data provide a clear image of what is happening in any organisation.
For example, take a commitment to answer clients’ tickets within 2 hours. If the auditor takes the response times for all your tickets and calculates the average, that would be mathematical evidence.
Mathematical evidence stands up well to scrutiny, provided that the calculations are done correctly. So dear companies, take note!
3. Confirmative Evidence
Confirmative evidence is a type of evidence created by a third party who has no bias in the result. For example, having an independent penetration test done on the IT architecture of an organization. This is very reliable information if it comes from a credible source. Another example is having the legal requirements pertaining to the organization verified by a specialized lawyer. This is tangible proof that the evidence being provided is reliable.
4. Technical Evidence
This type of evidence revolves around checking technical configurations. For example, seeing the configuration of a firewall, or how the MDM (mobile device management) system has been configured. ISO auditors should not engage in technical evidence auditing themselves. Rather, we should ask the technician to show us the configuration, and we take the relevant evidence as needed to cover the ISO standard requirements.
5. Analytical Evidence
Although this type of evidence is not found high up in the list, analytical evidence can be said to be a good source of evidence. Sampling is essentially where we study the population by examining a part of it. Take access control, for example. We cannot check access control for all employees if there are 1000 employees, so an auditor would take a sample of, for example, 10, 20, or perhaps 50 people.
6. Documentary Evidence
The penultimate type of evidence, as the name suggests, is where documents are analyzed for evidence. Some may argue that since we are utilising the documents and policies used by the company itself, this type of evidence can be deemed reliable. However, one must take into consideration the possibility that these policies and reports do not portray the actual day-to-day operations of the company. Such documents can be:
- Policies or procedures
- Meeting minutes
- Software records
7. Verbal Evidence
The last and least reliable and persuasive type of evidence is verbal evidence. This essentially involves people explaining processes and actions to the auditor. Verbal evidence on its own is surely not the way to conduct an audit. Albeit the least reliable of all, verbal evidence is the starting point towards finding which type of evidence applies to the particular requirement that is being audited.
Summary of the Types of Audit Evidence in ISO Audits
An organization can paint a beautiful picture in its documentation and still not have a strong management system implemented in practice. When doing an audit, it is therefore important to consider multiple types of audit evidence.
The amount of evidence needed is determined by the quality of the evidence presented. When the evidence is not reliable enough, auditors will require more information to ensure compliance with the standard.
That is why, when implementing an ISO standard, you should not focus on having as much documentation as possible, but rather on creating a management system that is tailored to the needs of your organisation: a system that can be implemented by everyone within your organization.
Want to learn more about the Types of Audit Evidence in ISO?
As an ISO management system consultant Luke Desira promises that your business will be cared for by himself, from the sales process to the actual implementation of the ISO standard and certification! It’s fantastic, no? Go ahead and read more about how to get ISO certified with Luke Desira here. Otherwise, you can also read about the difference between implementing ISO in a large company versus implementing ISO in a small firm.
If you are seeking knowledge regarding the different types of ISO certification, go ahead and explore! Find out about the 10 pitfalls that you may encounter during the implementation process of different types of ISO certification, and much, much more!
Which of the types of audit evidence is the most persuasive?
The most persuasive and reliable of all types of audit evidence is physical evidence. It can be counted, inspected, examined and observed, and due to its tangible qualities, auditors regard physical evidence as the best form of evidence.
Which of the types of audit evidence is the least reliable?
No doubt, verbal evidence is the least reliable. It is the starting point for all other types of audit evidence. However, verbal evidence is not tangible and, as such, auditors do not regard it as being highly reliable.