How does an Internal Auditor document non-ethical or illegal practices
Ka Pilo

#1
Though internal auditors' objective is to measure the effectiveness of an organization's quality management system, it is possible for them to discover unethical practices. If this arises, I feel that it is difficult to document findings that may divulge proprietary information or indicate fraud or other criminal or unethical activity by an auditee.

As an auditor how will you handle this?
Do you consider it as a fair and effective tool for improving individual and/or protecting the company?
Are you worried about letting the auditee down?


It is interesting to see what Auditors have to say on this.
Marc
#2
To be specific, you are referring to Internal Auditors, correct?
 

qusys

#4
Whatever the audit, internal or external, it shall be conducted against established criteria and scope.
It may happen that during an internal audit on Quality, the internal auditor has evidence of a finding on a different system (Environment or Safety). Clearly he should be competent to reveal it, and the organization should also follow specific standards. On that occasion, he/she could treat this issue by writing separately to the management representatives (I mean the direction of the company) to highlight the finding.
In any case, I would suggest acting with care when treating this kind of issue.
To repeat, someone must be sure and competent to see an NCN in a field different from the internal audit scope and understand if it is really an NCN.
The same applies to fraud and the other matters you mentioned. These topics fall under a different scope from the Quality internal audit; the internal auditor would also need knowledge of all the laws and pertinent regulatory and statutory documents, and it is very difficult for an auditor to possess all this background.
In my experience there are specific audits (for example SOX audits, etc.) to cover the aspects you mentioned, and the reports and nonconformities are treated in a specific manner.
 
#5
Hi

An audit is about

1. Collecting evidence objectively
2. Evaluating the evidence objectively
3. Concluding the conformance to the audit criteria objectively
4. Reporting the findings to the client

If in the course of an audit you find something unethical or something that violates the stated code of conduct of the organization and if that subject falls within the audit criteria agreed upon, then you can report the same as a non-conformance.

If your observation is beyond the audit criteria agreed, it is your DUTY to inform the client (in the case of an internal audit, the Management Representative or top management) of the deviation observed immediately.

In audits like the EICC audits, such deviations fall within the criteria of the audit (Ethical Behaviour).

With kind regards,

Ramakrishnan
 
pldey42

#6
This is a real question for organizations that do ISO 27001 (information security) because surveys consistently report that most breaches of confidentiality are committed, accidentally or deliberately, by disgruntled employees. It must also be borne in mind that computer evidence is easily deleted or tampered with, and must be protected according to rules of evidence (which vary from one jurisdiction to another) if it is to stand up in Court.

The auditor will almost certainly be under a duty of care to report unethical or illegal behaviour. The question is, how?

If the organization operates an all-too-common audit reporting process, the report of such behaviour will languish for some time before getting attention. Further, its distribution will likely not be confidential. If the accused person (or someone with a vested interest in hiding the breach) gets sight of it, they may be able to destroy vital evidence and computer records, escape arrest -- or worse, coerce the auditor.

Further, once a breach is clear, confidentiality may be required to avoid copy-cat breaches, preserve staff morale, maintain the confidentiality of detection and prevention methods, and so forth.

Also, once illegal or unethical behaviour has been formally reported to the organization, it may face legal responsibilities and liabilities, some concerned with its speed of response, care of evidence, action on containing and managing consequences. Furthermore, legal and policing matters are not generally the competence of the quality department.

There is also the possibility that the auditor has misunderstood the situation.

Therefore, the auditor must find an appropriately speedy and confidential method of reporting the situation, and if necessary take care of his or her personal safety. This will typically be the Compliance Director, Legal Affairs Director, Head of Security, HR Director, etc.

Certification Body auditors have an additional challenge: the Confidentiality Agreement signed by the Client, the CB, and the CB auditors. My understanding is that CB auditors will report the situation to the CB's Compliance Director, and CB action will then be guided by the laws applicable in the country or state where the audit is being conducted. In certain serious circumstances the situation will be reported to local law enforcement, and the client will be notified through senior channels if the law allows. (In the case of money laundering, for example, it may not allow for fear that evidence will be tampered with if perpetrators are given fore-warning.) If the auditor's personal safety is at risk (for example, if organized crime may be involved) that too will be a consideration.

In other words, the management systems audit reporting mechanisms were not designed for criminal or unethical situations, and that's one reason that ISO 27001 has separate mechanisms for reporting and managing security incidents and weaknesses.

Hope this helps,
Pat
 

somashekar

#7
There is every chance of such acts being exposed, and this can also happen outside the internal audit process. In many well-established organizations there are ombudsmen appointed, and it is the duty of anyone to report to that person any such act noticed or discovered; these are to be investigated rather than addressed through the correction, root cause analysis and CAPA process. The scope and audit criteria of the internal audit must be respected, and only the appropriate compliance and non-compliance must be reported.
Addressing any non-ethical or illegal practices is certainly not the purpose of the internal audit process.
 
#8
It has nothing to do with audit, per se. If anyone finds such practices there are usually channels for employees to report such issues, outside of any audit. That should be the way.
 

Ajit Basrur

#9
I agree with Andy. Handling ethical issues is a separate issue.

Ka Pilo - it would be interesting to hear what you feel about this issue and how you would handle it if you saw it during your audit.
 

Wes Bucey

#10
I agree with Andy. I wrote on this topic extensively in the thread Ethics - Moral law vs. Criminal law. Perhaps reviewing that thread may give you some tips on how to handle any situation you think involves ethics.

My major premise is that observers often "think" what they observe is unethical or illegal, but they may not be in possession of ALL the facts needed to make an accurate judgment. A major consideration is to examine one's own motives in pursuing an issue thought to be either illegal or unethical.

I DO think it is a good idea to have a "playbook" (actual or mental) for how to act/react at those times one encounters events outside the expected norm. Old hands (those who have survived!) have learned from experience, but newbies shouldn't have to face a crisis of conscience each time they encounter something new.
 