Evidence comprises records, statements of fact or other information relevant to the conformity assessment criteria and which are verifiable. Audit evidence may be qualitative or quantitative.
A typical audit process should consist of the following:
- Identification of sources of information
- Collecting the information by appropriate sampling and verifying
- Establishing audit evidence from the information
- Evaluating the information and evidence against audit criteria
- Identifying audit findings
- Reviewing the audit findings and evidence *Audit conclusion
The Client may provide as evidence
Any specific documentation that supports conformance criteria, including:
- Applicable policies, procedures and guidelines
- Approval processes by management including, where possible, management approval of specific documents.
- Plans that specify program resources (human or financial), including internal or contracted resources.
- Internal communications (emails, memos, etc.) relating to the importance of the program and conforming to program requirements.
- Program metrics and tracking progress, including reports, or as part of a management system.
- Any related documentation that illustrates management commitment
- A completed copy of questionnaire that has been provided by the auditor.
- Records of interviews conducted with senior level management and employees
- Records of discussion of meetings regarding the conformance criteria
Evaluation Criteria are used as a reference against which conformity is determined and may include:
- applicable policies, procedures, standards,
- laws and regulations,
- management system requirements,
- contractual requirements or
- industry/business sector codes of conduct
The Auditor may use as evaluation criteria
- Documentation has sufficient level of detail that is appropriate to the size of the organization.
- Levels of resourcing are reasonable and commensurate with the size of the organization.
- Communication products that have been reviewed with consideration and, if necessary, tailored to the client’s context.
- Program and metrics are suitable for the client’s context, business risk and business activities.
- Senior management and their employee’s overall knowledge and commitment to the program.
-
Depending on the size and maturity of the organization, the relevant evidence may be embedded or acknowledged in more generalized business policy and technical documents.
-
The auditor may need to document what exists as tacit knowledge or informal processes that exist with the organization. Documentation may come in the form of surveys, interviews, records. The client should have an opportunity to review and provide comment before it is finalized as evidence.