MegaSack DRAW - This year's winner is user - rgwb
We will be in touch
Example - Audited against a Standard and Procedure which guides "Should be aware of performance of xxx". Does not detail, What, How, When, Who, etc
We collate a myriad of data about xxx from a number of sources using manual processes (core systems, manual data collation to excel then report from that).
One - proposed - audit Finding is 'Reporting Is Manually intensive. This may risk incorrect data being presented and incorrect business decisions being made'.
There is no evidence to support this as being a real risk.
I would have thought an Observation rather than a Finding?
Thanks.
I would have thought that this would be an Observation or Opportunity for Improvement but it would depend on the clause it was raised against.
If it was against the clause asking for you to be aware of the performance of XXX then I'd appeal. If it was against a risk assessment clause and you hadn't considered the risk from the data reporting being manually intensive then fair enough i'd accept it as a non-conformity
Does the standard or procedure state " Should be aware of performance of xxx"?
If it's the standard then it is up to you to determine the best way to do it. If it is your own procedure then it should also detail the how, when and who.
If it's not an NC or AoC I wouldn't worry about it. Just tell the auditor that at present it is the best method you have but will look at options to improve it.
Thanks.
We did recognise the manually intensive nature and potential risk and have a long-standing request in for tools to extract from core systems and report without intervention - which is in progress and out-with our direct control. The auditors are aware of this and we did note we were not aware of any evidence to suggest data ultimately presented was incorrect.
The standard and procedure are basically silent in this area.
How good the source data is, then who knows...
If it’s your formal accounts audit anything after the true and fair sign off statement is just fee justification. They have to find something to write about
Our auditors always waste the first 20 minutes of an audit explaining the difference between minor, major, non-conformance and opportunity for improvement etc. We are not required to response to opportunities for improvement. We insist that any non-conformance clearly identifies the relevant clause of the standard that it applies to and the specific sections of any SOP etc not being met - because sometimes auditors actually mean "thats not how I would do it" or "that not how other people do it" rather than checking what is actually required.
Internal Audit or an externally facing one ? If internal, this sort of stuff is fairly common.
Ps, hate internal auditors (I'm a chartered accountant).
Doesnt feel like a finding to me.
It is a risk, but without evidence of an issue then not a finding.
As above it is an opportunity for improvement.
Ignore the number monkeys (accountants), the vast majority of internal auditors just want to help improve.
The number monkeys get upset when someone tells them they got a calculation wrong and tend to hold on to their resentment like gollum
This reads like an OFI, as it's about the risk of what might happen, rather than showing objective evidence that something IS wrong. The word SHOULD cannot be nonconforming in ISO land (if that's where you are), only SHALL.
If you don't like the report when you get it, I have a 100% record of overturning Major NCRs in ISO reports, so get in touch.