Auditing plays a critical role in ensuring that an organisation’s management system (including policies, processes, procedures and controls) is operating effectively. Without auditing, performance management and hence continuous improvement cannot be achieved. It is also not possible to provide assurances (on issues such as information security and business continuity) to the various interested parties. Interested parties also need to know that the people who perform the auditing processes are armed with the required knowledge, skills and neutrality.
Challenges of Auditing
One of the biggest auditing challenge faced by most organisations is the availability of sufficiently competent resources to cover all auditing needs. Not only do auditors have to be skilled and knowledgeable in audit techniques, but also in the subject of the audit, whilst at the same time demonstrating independence from the area being audited. This can be particularly challenging for organisations which have multiple locations and multiple specialist areas that need to be audited (e.g. IT, legal, production areas). In addition, with increasing supply chain pressures there is a growing requirement to also audit third parties.
What’s the Answer?
One solution is to outsource the auditing process. Naturally, if you are involved in outsourcing audits, you need to ensure the conduct of the audit and the output from the audit will be fit for purpose and will fully meet your expectations and requirements of those of your various interested parties. This is where URM can assist. We have extensive audit experience and offer a flexible range of audit services to support your audit approach. We are able to conduct a full audit programme or individual audits against key management system standards, as well as processes or specific controls from standards such as ISO 27001 (Information Security), ISO 22301, (Business Continuity), ISO 20000 (IT Service Management) and ISO 9001 (Quality).
URM is also a registered Payment Card Industry (PCI) Qualified Security Assessor (QSA) and is qualified to assess and audit merchants and service providers. In addition, we have expertise and experience in:
- Assessing your compliance with current data protection legislation
- Conducting a full range of IT audits, including process driven and hardware and system specific
- Providing an independent and informed assessment of third parties (e.g. key suppliers)
- Delivering integrated management system audits.
Our Auditing Approach
Our established and proven audit methodology is based on analysing your requirements and ensuring that the results produced from audits are accurate and repeatable. The methodology, which adopts a sampling approach, follows these steps:
- Defining and detailing the scope of the audit or audit programme
- Planning and managing the programme of work
- Interviewing identified individuals
- Creating and implementing test plans
- Reviewing and auditing processes
- Agreeing actions with auditees
- Producing a detailed report of findings
- Following up on agreed actions
- Reporting audit attestation to governing bodies.
The extent of the audit and the evidence sought is based on your requirements and is agreed at the outset. We provide recommendations on audit approaches based on our experience, good practice and in the case of documented standards, the defined requirements. Alternatively, we can offer the flexibility of adopting your internal methodology, with our auditor(s) acting as a member of your internal audit function. One of URM’s underlying goals in any customer engagement is to maximise knowledge and skills transfer and we encourage, if desired, your staff to shadow our auditors. For more detailed training and insights, you can also attend our Practitioner Certificate in Information Security Auditing course.
We have a team of qualified auditors who bring with them a vast range of expertise and experience. This expertise incorporates a combination of auditing skills (e.g. CISA qualified), knowledge of Standards (e.g. ISO 27001, ISO 22301, ISO 9001 and PCI-DSS), IT technical knowledge (e.g. databases, networking, operating systems and applications) and the interpersonal skills necessary to extract the maximum information from interviewees. Our auditors are also able to apply a pragmatic business-based approach to audit requirements.