The IAF just released an update to its Mandatory Document # 4 (“MD4”), entitled “The Use of Information and Communication Technology (ICT) For Auditing / Assessment Purposes.” You can download that mouthful here.
Essentially, the IAF’s “MD” documents contain requirements which any IAF member Accreditation Body must follow and then flow down to their various accredited registrars. The MD4 document, in particular, defines how accredited registrars can use IT solutions to credibly audit clients through “virtual” means other than face-to-face, sitting-in-the-conference-room audits.
Now let me be clear: the IAF isn’t advocating or endorsing bullshit certificate mill practices like Stephen Keneally’s “Virtual Certs” sold through his clown car company American Global Standards, or Daryl Guberman’s “sure, I will sell you a cert without conducting an actual audit” garbage from G-PMC Registrars. (Both these monsters sell these certs for medical device manufacturers, too, meaning they really, really belong in prison, preferably housed together.) The self-accredited, non-IAF mills love to push these “virtual” methods, which give the entire auditing field a bad name, but IAF is trying to lay down some ground rules for what a valid, trusted audit might look like in a modern workplace, which often relies on remote work, such as that done by telecommuters.
So the IAF is to be commended for attempting this, even if their final work product isn’t the best. That’s to be expected, since the IAF is the closest mankind has come to mimicking the industry’s intended high water mark of a thousand monkeys at a thousand typewriters.
Anyway, the new IAF MD 4 document is an update to prior editions of the same ruleset, and a heavy update at that. I only have the prior 2008 version to compare it to, and if there were additional versions in between, I never read them. So my comments here are based on a comparison of the latest version vs. its 10-year-old predecessor.
The main problem I have with MD4 is that the language used by the IAF monkey-people is too generic and vague to be very useful for anything, and as a result even the Guberman/Keneally operations could claim they comply with it (and they probably do). The 9-page document actually only contains about 1-and-a-quarter pages of requirements, with the rest being filler like a table of contents, introductory material and a giant logo on the otherwise meaningless cover page.
Essentially the requirements break down as follows:
- The CB must have proper security tools implemented to ensure the security and data protection of any electronic information used during the audit.
- The CB must conduct a risk assessment on their planned remote auditing methods before they actually do them.
- The CB may have to utilize special technical experts to conduct remote auditing, and the MD4 calls out “drone pilots” so I’m not sure what the hell they think CBs are auditing these days. Afghan bomb sites?
- Throwing a bone to the CBs, the IAF hints that remote auditing may require an increase in audit time, which defies the obvious main benefit of such audits, in that it should be used to decrease audit time. Since the IAF is a dutiful, chin-drooling slave to their CB users, this makes total sense even if it’s yet another middle finger to the users who pay for this mess.
- Finally, the CB needs to document that remote auditing was used. This has to go in the report, but another clause seems to hint that this must also be in the certificate scope, which is never going to happen since no CB is about to list the home addresses of employees audited while telecommuting. But that last part is murky enough that CBs can probably ignore it and still comply with MD4.
A few takeaways when comparing the 2008 and 2018 versions:
- New version replaces prior one’s use of “should” with the more ominous sounding “shall,” even if the IAF is utterly powerless to enforce the MDs anyway.
- New version now calls out “ICT” (“information and communication technology”), replacing the old term “CAAT” (“computer-aided assessment techniques”).
- New version removes the requirement to physically audit the client at least once annually; now, presumably, entire audits can be done over the internet or on Facebook Messenger.
- New version now adds requirements to ensure the CB, not just the client, has the necessary infrastructure to support remote auditing.
- New version allows clients to email or fax donuts to registrar auditors, to ensure they don’t get too confused.
OK, that last one I made up.
The problem with the IAF MD is that it’s simply too open-ended and vague. For example, the document says that when a CB can’t ensure the security of the data, it “shall use other methods to conduct the audit/assessment.” That’s not much guidance, and it shows the IAF pseudo-simians really just publish these “Mandatory Documents” not to define any hard and fast rules, but instead to prove to their mothers that those typing classes weren’t taken for naught.
As with its 2008 predecessor, the likelihood of any CB actually offering remote auditing under this document is nearly nil. Past attempts by Oxebridge to get a CB and ANAB to agree to offer clients a mixed physical/virtual audit of IT clients with large numbers of telecommuting employees proved fruitless, as neither the CB nor ANAB could ever get their act together. ANAB eventually pulled its guidance documents on remote auditing entirely, citing a lack of interest. Well, I showed interest, dammit!
The result has been that CBs continue to audit Oxebridge clients remotely by having the telecommuting clients dial into the physical conference room and display records via GoToMeeting or WebEx, and the CB never says boo to ANAB, and it never gets recorded as “remote auditing” at all. Per the IAF, that’s a violation, but it’s not like they’re going to do anything about it.
Again, you can grab the updated MD4 document here.
About Christopher Paris
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.