Can an auditor freely conduct confidential interviews with employees without any influence from the company? Or should there be written consent prior to the audit?
My questions apply to both external and internal audits. The consent I am referring to could come from, for example, the company/management, a department, or a process owner.
I can offer a couple of practical examples of confidential audit interviews.
But before that, a simple clarification. There's always a confidentiality agreement between clients and CBs, and CBs and their auditors, that safeguards the client's confidential information. Similar for internal auditors.
While openness is generally healthy for audits, in Information Security (ISO 27001) and Business Continuity (BS 25999) it's sometimes necessary for the auditor to use discretion about whom to tell what.
For example, if it becomes apparent that too many people have access to data in an uncontrolled fashion, the auditor will only tell the Information Security management team because if the security weakness becomes generally known in the organization, and the subject of gossip, a disgruntled employee might send something indiscreet to Wikileaks. InfoSec auditors don't want to provoke the very attacks they're trying to prevent!
Or if it becomes apparent in a BS 25999 audit that the organization's preparations - developed at vast expense - for extreme weather are fatally flawed, this is news that the BC management team might want to manage: they'd be annoyed with an auditor who disclosed it to the office gossip and unwittingly provoked the kind of management knee-jerk that makes everyone look stupid.
My second practical example is to do with auditing in management cultures of bullying and intimidation, sadly too common in the software industry and perhaps other sectors too.
The SEI's CMM assessment methodology for software organizations (which is like ISO 9001 or TickIT audits but deeper and more expensive in time) is designed for large software organizations where bullying and intimidation (psychological, not physical) is the order of the day.
In order to promote frankness in interviews, the assessment team agree with senior management ahead of time that interviews will be confidential, that findings will not be attributable to individuals, and that management will not conduct witch-hunts after the assessment report has been delivered. (Their terminology is more formal, but you get the idea.)
One reason these assessments are more expensive is they interview more people than perhaps is necessary so that, for example, management would have to fire the entire test team if they did not like what had been said in the test department. Further, they're more expensive again to allow time for the extra formal reviews of findings and evidence that are necessary to make sure that confidentiality does not become a smoke-screen for continued political in-fighting, disinformation and manipulation.
Such audits can be quite uncomfortable and adversarial, so proper training, integrity of auditors, leadership and executive sponsorship are essential. But they recognize that management intimidation can suppress open communications and distort audit findings. A confidentiality agreement, which everyone can see management have signed, can begin to cut through years of mismanagement and slowly bring open communications to the organization, as home truths are exposed and no longer suppressed in an atmosphere of blame games and one-upmanship.
In one such organization I was responsible for internal audits. Our audit procedure promised department managers that audit findings would be confidential so that they could not be used as ammunition by other department managers in their interminable political fights. (But the audit findings would be escalated to senior management if they did not fix them.) Not ideal, but it was either that or no audit programme.
We used the introduction of formal processes to - slowly, carefully, and not without some tough management sponsorship - defeat the politics with data and objective evidence, and with documented processes which were essentially agreements amongst managers about who was responsible for what, and the criteria for handoffs amongst teams. Written processes and hard data reduced the space available for blame games.
Edited to add: Prior consent is always necessary. One manages confidentiality in an open fashion in order to avoid misunderstandings and the appearance of pursuing a hidden agenda.
Hope this helps,
Pat