What is a Mock Audit?
The purpose of a mock audit is to determine how well prepared an organization is for a full Stage II audit against a specified standard by a 3rd party Certified Body (CB).
Unlike our initial "readiness assessment", which has a compliance/certification roadmap as the final deliverable, a Mock Audit is an "audit" with a specific objective related to the verification of an implemented system. It's a trial run to see if the organization is "ready" for a 3rd party registration audit. In addition, it will serve as a rehearsal for the actual 3rd party audit.
Why do you need a Mock Audit?
This mock audit ensures that your company is prepared for an actual formal audit engagement. It ensures that your organization continually operates in accordance with the specified policies, procedures and external requirements in meeting company goals and objectives, and that improvements to the management system are identified, implemented and suitable to achieve objectives.
How can eFortresses assist?
The eFortresses engagement will include planning any interviews of key contacts and review of applicable controls. During the Mock Audit, the auditor evaluates all applicable management system elements for approach, implementation, effectiveness and the amount of evidence available. These are described in a written audit report. There will be formal internal corrective actions issued as an outcome, if applicable. The audit team reviews all of their findings, whether they are to be reported as non-conformities (NC) or as opportunities for improvement (OFI). Audit findings will likewise be supported by objective evidence.
eFortresses Mock Audit Methodology
During this phase, the auditor determines the main area/s of focus for the audit and any areas that are explicitly out-of-scope, based normally on an initial risk-based assessment plus discussion with appropriate stakeholders and management.
The overall ISMS scope is broken down into greater detail, typically by generating an audit work plan.
During the fieldwork phase, the auditor/s gather audit evidence by working methodically through the audit plan, which provides insight into an actual ISO Stage II audit: for example, interviewing staff, managers and other stakeholders; reviewing relevant documents, printouts and data (including records of activities such as security log reviews); observing ISMS processes in action; and checking system security configurations. Audit tests are performed to validate the evidence as it is gathered. Audit work papers are prepared, documenting the tests performed.
The accumulated audit evidence is sorted out and filed, reviewed and examined in relation to the risks and control objectives. Sometimes additional analysis identifies gaps in the evidence or indicates the need for additional audit tests, in which case further analysis may be performed unless scheduled time and resources have been exhausted. However, we prioritize audit activities by risk, which implies that the most important areas should have been covered already. Detailed audit findings and analysis, sometimes with extracts from the supporting evidence in the audit files where this aids comprehension.
The audit conclusions and recommendations, perhaps initially presented as tentative proposals to be discussed with management and eventually incorporated as agreed action plans depending on standard practices. A formal statement by the auditors of any reservations, qualifications, scope limitations or other caveats with respect to the audit.
We ensure that there is sufficient, appropriate audit evidence to support the results reported, thereby ensuring that everything reportable is reported and everything reported is potentially reportable by the 3rd party certified body as well.