
How does an Internal Auditor document non-ethical or illegal practices


Ka Pilo

#1
Though internal auditors' objective is to measure the effectiveness of an organization's quality management system, it is possible for them to discover non-ethical practices. If this arises, I feel that it is difficult to document findings which may divulge proprietary information or indicate fraud or other criminal or unethical activity of an auditee.

As an auditor how will you handle this?
Do you consider it as a fair and effective tool for improving individual and/or protecting the company?
Are you worried about letting the auditee down?


It is interesting to see what Auditors have to say on this.

Marc

#2
Re: How does an auditor document non-ethical or illegal practices

To be specific, you are referring to Internal Auditors, correct?
 

qusys

#4
Whatever the audit, internal or external, it shall be conducted against established criteria and scope.
It may happen that during an internal audit on Quality, the internal auditor could have evidence of a finding on a different system (Environment or Safety). Clearly he should be competent to reveal it, and the organization should also follow specific standards. On that occasion, he/she could treat this issue by writing separately to the responsible management representatives (I mean the direction of the company) to highlight the finding.
In any case, I would suggest acting with attention to treat this kind of issue.
Repeat, someone shall be sure and competent to see a ncn in a field different from the internal audit scope and understand if it is really a ncn.
The same thing applies to fraud and the other matters you mentioned. These topics fall under a scope different from that of the Quality internal audit; the internal auditor would also need knowledge of all the laws and pertinent regulatory and statutory documents, and it is very difficult for an auditor to possess all this background.
In my experience there are specific audits (for example SOX audits, etc.) to cover the aspects you mentioned, and the report and nonconformities are treated in a specific manner.
 
#5
Hi

An audit is about

1. Collecting evidence objectively
2. Evaluating the evidence objectively
3. Concluding the conformance to the audit criteria objectively
4. Reporting the findings to the client

If in the course of an audit you find something unethical or something that violates the stated code of conduct of the organization and if that subject falls within the audit criteria agreed upon, then you can report the same as a non-conformance.

If your observation is beyond the audit criteria agreed, it is your DUTY to inform the client (in the case of an internal audit, the Management Representative or top management) of the deviation observed immediately.

In audits like the EICC audits, such deviations fall within the criteria of the audit (Ethical Behaviour).

With kind regards,

Ramakrishnan
 

pldey42

#6
This is a real question for organizations that do ISO 27001 (information security) because surveys consistently report that most breaches of confidentiality are committed, accidentally or deliberately, by disgruntled employees. It must also be borne in mind that computer evidence is easily deleted or tampered with, and must be protected according to rules of evidence (which vary from one jurisdiction to another) if it is to stand up in Court.

The auditor will almost certainly be under a duty of care to report unethical or illegal behaviour. The question is, how?

If the organization operates an all-too-common audit reporting process, the report of such behaviour will languish for some time before getting attention. Further, its distribution will likely not be confidential. If the accused person (or someone with a vested interest in hiding the breach) gets sight of it, they may be able to destroy vital evidence and computer records, escape arrest -- or worse, coerce the auditor.

Further, once a breach is clear, confidentiality may be required to avoid copy-cat breaches, preserve staff morale, maintain the confidentiality of detection and prevention methods, and so forth.

Also, once illegal or unethical behaviour has been formally reported to the organization, it may face legal responsibilities and liabilities, some concerned with its speed of response, care of evidence, action on containing and managing consequences. Furthermore, legal and policing matters are not generally the competence of the quality department.

There is also the possibility that the auditor has misunderstood the situation.

Therefore, the auditor must find an appropriately speedy and confidential method of reporting the situation, and if necessary take care of his or her personal safety. This will typically be the Compliance Director, Legal Affairs Director, Head of Security, HR Director, etc.

Certification Body auditors have an additional challenge: the Confidentiality Agreement signed by the Client, the CB, and the CB auditors. My understanding is that CB auditors will report the situation to the CB's Compliance Director, and CB action will then be guided by the laws applicable in the country or state where the audit is being conducted. In certain serious circumstances the situation will be reported to local law enforcement, and the client will be notified through senior channels if the law allows. (In the case of money laundering, for example, it may not allow for fear that evidence will be tampered with if perpetrators are given fore-warning.) If the auditor's personal safety is at risk (for example, if organized crime may be involved) that too will be a consideration.

In other words, the management systems audit reporting mechanisms were not designed for criminal or unethical situations, and that's one reason that ISO 27001 has separate mechanisms for reporting and managing security incidents and weaknesses.

Hope this helps,
Pat
 

somashekar

#7
There is every chance of such acts being exposed, and this can also happen outside the internal audit process. In many well-established organizations there are ombudsmen appointed, and it is the duty of anyone to report to that person any such act noticed or discovered; these are to be investigated rather than addressed through the correction, root cause analysis and CAPA process. The scope and audit criteria of the internal audit must be respected, and only the appropriate compliance and non-compliance must be reported.
Addressing any non-ethical or illegal practices is certainly not the purpose of the internal audit process.
 
#8
It has nothing to do with audit, per se. If anyone finds such practices there are usually channels for employees to report such issues, outside of any audit. That should be the way.
 

Ajit Basrur

#9
I agree with Andy. Handling ethical issues is a separate issue.

Ka Pilo - it would be interesting to hear what you feel about this issue and how you would handle it if you saw it during your audit?
 

Wes Bucey

#10
I agree with Andy. I wrote on this topic extensively in Ethics - Moral law vs. Criminal law. Perhaps reviewing that thread may give you some tips on how to handle any situation you think involves ethics.

My major premise is that often observers "think" what they observe is unethical or illegal, but they may not be in possession of ALL the facts to enable an accurate judgment. A major consideration is to examine one's own motives in pursuing an issue thought to be either illegal or unethical.

I DO think it is a good idea to have a "playbook" (actual or mental) for how to act/react at those times one encounters events outside the expected norm. Old hands (those who have survived!) have learned from experience, but newbies shouldn't have to face a crisis of conscience each time they encounter something new.
 