Sidney Vianna said:
BIG disagreement here. Third party auditors (at least the serious ones) will demand to see the contents of the management review records, in order to ensure that the minimum requirements for input and output are being satisfied. Your proposal is not supported by the Standard since you are not required to have a procedure for management reviews, nor are you required to have hard copies of such records. For a company that has only electronic copies of the management review records, what would they do? Point a computer to the auditor and tell: Trust me we have records of management reviews in the hard disk drive of this computer. This is a ludicrous suggestion....
Further, such records will determine if action items from previous reviews have been dealt with or not. Any 3rd party auditor worth his/her salt would not accept not having access to such records.
All of the records are protected by confidentiality clauses and, I can guarantee to you that it happens hundreds of times every day, around the World and, still, you will never see that (leaked information) on the front page of the NY Times, Wall Street Journal, or any other newspaper anywhere. The Regulatory Auditors' approach to review of records is different.
Waiting for the return fire....
Not to pick a fight, but could you cite chapter and verse in the requirements for 3rd party auditors that they have to see the CONTENT of the management review versus the fact the management review process exists?
It seems to me the methodology you describe treads dangerously close on the auditor making a DECISION about the efficacy of the management review versus the presence of a management review.
Determining the presence seems a viable audit function. Determining whether the content meets the auditor's concept of "minimum requirements for input and output are being satisfied" seems more like an advising or consulting function than auditing.
One of the major complaints I hear about third party auditors is "they tried to tell me how to run my business."
Next, the auditor will be determining whether the method of training an employee to perform a task is sufficient. Following that, the auditor will reinspect product and determine the inspection process is inadequate and that there is insufficient attention to transferring information to a continuous improvement program.
After that, the auditor will determine whether the Contract Review process is adequate and whether the auditee is charging too much or not enough money for a product or service.
Perhaps the auditor will take biological samples from surfaces in the lavatory and determine the infrastructure does not meet the auditor's concept of hygiene.
All of these items, of course, are spelled out specifically in EVERY third party registrar contract that the auditee will comply with any request by an auditor, no matter whether the auditor can cite a Standard clause to justify the request.
Although I, personally, argue for open disclosure by management, I recognize and respect the right (even necessity) for some managements to keep things VERY CLOSE to their vests. Coming from a background of dealing with mergers and acquisitions and public offerings of debt and equities, I can see where some managements may be very loath to disclose information for fear of regulators pawing through back history to see who might have garnered inside information on a pending transaction.
The option, of course, is for managements to keep TWO sets of management review minutes - one for their own personal use and one for the auditor (smell kind of like Enron to anyone?)
If anyone senses a strong odor of irony here, it is all intended.