How to deal with CONFIDENTIAL documents


Rochi

Hello companions.

As an auditor, I should like to know how you deal with the situation where personnel being audited do not want to show me a document because they say it is a confidential one.
I signed a Non-Disclosure - Confidentiality agreement, but on the assessment day I could not access it for that reason. It seems it had some sort of new know-how of the process being audited.
But I needed the document to get some evidence of compliance.

I think next time I'll take a fat black colour marker with me and I'll ask them to mask the confidential or know-how part.

I would like to hear your expert opinion.

Thank you very much.
 
Re: How to deal with CONFIDENTIAL docs

We have a slightly similar issue. We get audited by our customers, and typically much of the audit documentation includes information about our other customers and products as well. To avoid giving them material to use against their own competition, I keep a full set of redacted documents covering everything that would be asked for as far as documentation goes, and put all this in a big binder, called my 'desk audit reference set'. When evidence of how we handle a CA or some such thing comes up, I can open the set, and show step by step, using real records, how we do it. All names and identifying information are removed so they are pretty sanitized. If they need more, I limit the documents to their own company. As far as HR training records go, they could supply you with the same thing, just removing any identifying information. I also keep a binder of blank forms as reference as well, just to show they exist.
 

Wes Bucey

Prophet of Profit
Just curious - internal, customer, or 3rd party auditor?

In my experience, even internal auditors are sometimes excluded from certain information for legitimate reasons.

Obviously, customer auditors have even more restrictions on what they can see, DESPITE "signed confidentiality agreements."

3rd party auditors are much more generic in what documents they review and rarely do they encounter docs with trade secrets, price disparities between customers and other types of information organizations would like to keep from competitors and/or customers. So such information should not be included on documents normally reviewed by 3rd party auditors.

Solutions include simple document creation: primarily, DO NOT PUT CONFIDENTIAL INFO IN ANY DOCUMENT WHICH IS SUBJECT TO REVIEW BY UNINTENDED EYES (in a routine inspection record, this means DO NOT INCLUDE PRICES, SECRET PROCESSES, OR CUSTOMER'S SECRETS!)

Do not leave documents with secret or confidential information in folders or locations which are subject to inspection by any unauthorized person.

Depending on the organization, some information may be kept within a very tight circle of employees (NEED TO KNOW) while, in another organization, very similar information may be freely distributed among all employees, but kept from suppliers and customers.

Almost always, the information most zealously guarded from unauthorized eyes are trade secrets, which, if disclosed, could put the organization at a competitive or economic disadvantage with suppliers, customers, and, especially, competitors. Most auditors do not need such information to perform a competent quality audit.

CAVEAT:
Sometimes, an organization or an individual within an organization will withhold information because it would give evidence of criminal or otherwise fraudulent activity. Auditors suspecting this kind of thing have zero power to compel disclosure and almost always have to escalate the situation to higher levels, who may then refer the case to criminal investigation which DOES have the power to compel disclosure.
 