20 Mar, 2017 | Auditing

As a newly IRCA certified auditor with my original qualification in Mechanical Engineering I thought nothing of updating my knowledge and undertaking continuing professional development (CPD) of my auditing capability to include an understanding of electronics. To this day I remember the difference between my ROM and my RAM and of what is needed to ensure product design and assembly consider key elements of managing electronic components including those with embedded software. This doesn’t mean Apple or Google will be headhunting me to lead them into the future of smartphones or driverless cars, far from it. Technology has moved on and auditing in this field is specialized. In slightly lower tech surroundings I can hold my own and, understanding my personal level of competence, will know when to bring in additional expertise, leaving me to audit other areas of engineering and, more likely, quality strategy and support functions.

The same understanding that supports quality auditing is now needed for information security. All organisations deal with information (as they always have done); what has changed in recent years is the volume, speed and number of ways of handling that information, and the consequences of not doing this well. This mushrooming in use has created opportunities for people inside our systems to misuse, lose and steal information, and for those outside our systems who recognise the value of that information to go to great lengths to get hold of it for their own use, or somehow to restrict our access and hold us to ransom to regain it. The latest government report on information data breaches indicates there are huge issues with information security, and the latest ICO data indicates breaches are not all high tech: the most frequent failing remains loss of physical data in the form of paperwork. Headline events, however, often involve a little more than someone posting a letter to the wrong recipient; for example, Yahoo’s 2016 admission that a billion user accounts had been hacked knocked an estimated $350 million from the price Verizon was prepared to pay for Yahoo and, at one stage, put the $4.8 billion takeover deal at risk.

This brings us back to the original premise: whether I am a first-, second- or third-party auditor, data is complex and critical to the reputation and successful operation of all organisations. To audit thoroughly I need to be able to assess how effective the processes are at managing data and information that:

  • is provided by or presented to customers or suppliers;
  • is needed to help transform the input to the output; and
  • is required as a record for governance and traceability purposes.

Given the importance of information to the quality of both product and service provision, all auditors need at least an awareness of information security issues. In the same way that my CPD in electronics gave me the basic competence to continue to audit companies designing and manufacturing products, an understanding of the controls necessary for managing physical and cyber access to data and information will ensure that my quality audits remain relevant to the sectors I operate in, without stretching the scope of ISO 9001 or stepping on my ISO 27001 auditor colleague’s toes. Just taking one high profile example: the World Anti-Doping Agency is charged with monitoring the cleanliness of athletes across a range of sports, and the service it provides to the International Olympic Committee and a range of other sports bodies has to be independent, impartial and confidential, so the hacking of results by the Russian Fancy Bears hackers calls into question all ‘quality’ aspects of the service it provides.

Paul Simpson
Bywater Associate
Providing consultancy and training on quality strategy and implementation.