Mastering Internal Audits for ISO Standards | Interview with Carlos Cruz

Dejan Kosutic:

Welcome to Secure and Simple podcast. In this podcast, we demystify cybersecurity governance, compliance with various standards and regulations, and other topics that are of interest for consultants, CISOs and other cybersecurity professionals. Hello, I am Dejan Kosutic, the CEO at Advisera and the host of Secure and Simple podcast. Today's guest is Carlos Cruz, and he is the founder of a consulting company called Metanoia based in Portugal and is also the main ISO 9001 and ISO 14001 expert in Advisera. And he's been in the consulting business for thirty five years now and has performed more than 100 consulting jobs and close to 100 certification audits.

Dejan Kosutic:

So he has really a lot of experience with not only various ISO standards, but as you will see, in particular also with internal audits. Basically, this is our main topic today. What you'll learn in this podcast episode is what are the best practices to perform an internal audit, not only for ISO 9001, but also for ISO 27001, and also for any other cybersecurity framework like NIS2 and DORA. Welcome back to the show, Carlos.

Carlos Cruz:

Thank you for having me, Dejan. Thank you.

Dejan Kosutic:

Thanks for coming back. We already have a couple of episodes and the last one was about how to handle documents. I think this one was very, very well received by our audience. So I'm sure that this topic of internal audits will also be a very interesting one. So how many internal audits did you perform in your career?

Carlos Cruz:

I don't know. I think I'm not lying if I say, I don't know, 350, 400. It's something like this. In the beginning, when I started to work as a consultant, I worked as a freelancer for several companies. And I prepared my audits very, very well.

Carlos Cruz:

I was very demanding. And so my colleagues, my consultant colleagues, wanted me to do audits in their projects before the certification audit, because they knew that if Carlos doesn't find it, certification auditors will not find it. And so I did a lot of audits in the beginning. So that's why I say 300, 400, I don't know, many, many, many audits.

Dejan Kosutic:

This is really a great number. And why do you think these internal audits are important?

Carlos Cruz:

Internal audits are, well, most of the time companies invite me to perform the internal audits because they need to comply with the standard. And the standard requires that the whole system must be audited at least once per year. They perform some audits, but not global audits, because their own auditors' experience is not so big. And so they invite me to do those audits. Some companies for that, some other companies invite me to do the internal audits because they like my approach.

Carlos Cruz:

I remember one company where I was working with them doing yearly internal audits, and after one of the audits I said to the owner, I think I'm no longer the best person to continue doing audits for your company. Why? Because I didn't find any non conformities. And then they had the surveillance audit from the certification body, they had zero non conformities, and he called me and said, Carlos, come on, you continue to work with us. No problem.

Dejan Kosutic:

Okay, so what you're saying, okay, one reason could be that it's because of compliance, obviously. The other one is some kind of a check before the certification audit, right? So that they actually don't have any problems with the certification audit.

Dejan Kosutic:

Is there any other reason why a company would go for internal audit?

Carlos Cruz:

Oh, yes, of course. You know, one of the things that I love a lot, so I consider this very important. And in the last days I've been reaching for and looking at old books that I have from the 90s about internal audits. And what I realized is that the topic of audit objectives is not very well... Almost no book speaks about audit objectives. And it's a topic that I consider very, very important.

Carlos Cruz:

Because it's something like this. So auditors, we don't do audits because we want to or because we like it. We may like to do audits, but it's not because of that, it's because someone needs or wants an audit and they assign that task to you. So they give us the assignment. And what an auditor should do for an internal audit is ask, why do you want me to do this audit? Because if the management system is very young, it makes sense to do an implementation audit just to check if the rules are being followed, because the system is young.

Carlos Cruz:

Okay, but if the system is more mature, if we do that kind of audit after some years, if the company is disciplined, what's the value? Because they will not get any value. So it's important to discuss what do you want from the audit? Because they may tell me, for example, the audit objective may be about, we want you to check the effectiveness of process A or process B. When I do training about audits, I use an image that I draw: it's the Titanic going down, sinking, and some notes of music.

Carlos Cruz:

Because, okay, in the film Titanic, we see that the ship is sinking and the musicians are playing. Okay. And the point is, what is the purpose of being very honest, complying with the procedures, but the system is not providing the result? So, yeah, and then just one more thing, because I really like this topic. In the 90s, I was searching, trying to learn as much as possible about audits and other stuff, but about audits, and I found a document on the internet, you cannot believe where: in the American IRS, the Internal Revenue Service, about their internal audit.

Carlos Cruz:

And it was a fantastic document, fantastic about the audit objective. Okay, I'm losing myself, because when I think about all these objectives, okay.

Dejan Kosutic:

We may revisit this topic a little bit later on, but, you know, from my point of view, usually what I find that companies like about internal audits is also that they can actually improve things, maybe not at the first internal audit. Usually the first internal audit is basically a kind of a check before the certification audit, but then when you have, let's say, the second or third or fifth, or I don't know, tenth internal audit, this is really about, you know, how to help all these various processes that you have improve just a little bit, you know, just some things that usually people are not seeing. Okay. From your experience, okay, you are working primarily with 9001 and 14001, but do you know actually if these requirements for internal audits are the same across ISO standards, or are they unique or different?

Carlos Cruz:

No, they are all the same across all standards, all management system standards, because all are, let's say, the guidance is the same, the guidelines are the same. So, ISO 19011:2018. Okay? And sometimes I do some kind of training where I have people from ISO 27001, 9001, 14001, and when we compare the standards, okay, it's exactly the same. The only difference is, where one says information security management system, the other says quality management system.

Carlos Cruz:

But the rest is the same. Same requirements.

Dejan Kosutic:

So the principles that we will, let's say, mention today are applicable not only for quality, but also for information security management or AI management, whatever. Any other type of ISO standard. Okay, now one of the, let's say, main requirements in any of these ISO standards is that you have to create or write an internal audit program. Now, what is the purpose of this internal audit program?

Carlos Cruz:

So, the purpose is a time management tool or a resources management tool. So, something that is interesting is that there is no requirement in ISO 9001 or ISO 27001, there's no requirement for auditing the whole management system in one year. But when you read the contract with a certification body, when an organization decides that it wants to be certified, they sign a contract with a certification body. And there are two commitments there, more than two, okay, but two commitments are: one is to perform at least one management review per year, and the other is to audit the whole management system at least once per year.

Carlos Cruz:

And so the audit program is a tool in order to be sure that we will audit the whole management system in one year. To ensure that we will do that, that the whole management system will be audited, and to distribute it, okay, will we do this in just one audit or are we going to do this in one, two, three, four audits throughout the year? So, when an organisation has auditors, internal auditors, or can contract external auditors, and they have a lot of experience, okay, you can do, let's say, one audit per year. When you want to use internal auditors and their experience is not so big, what we do, or what companies should do, is smaller audits.

Carlos Cruz:

The scope of the audit is smaller, because that way internal auditors can learn, can gain experience. And so, that's the purpose of the audit program. Okay.

Dejan Kosutic:

Yeah. Okay. And with regards to these smaller audits, typically, let's say if you have, I don't know, five departments within the company, then you can say, okay, in January we'll do department one, in March we'll do department two, and so on. So, basically, you can actually do this. This is mainly

Carlos Cruz:

You work with 27001, and let's say the foundation, let's say, is a good risk analysis. Okay. And one good way, some companies, what they do, I believe that today, unfortunately, many companies do one audit per year. And that's it. In my view, given the intent of the standard, that's not good.

Carlos Cruz:

The intent of the standard is, okay, at least once, but the areas where risks are higher should be audited more frequently. Perhaps, you mentioned five departments, okay, there are three departments where things are normally under control, controls are okay, are good, so okay, once per year. But the other two, because the risks are higher, because there are more people joining the company, leaving the company, the good practice would be to audit more frequently.

Dejan Kosutic:

But, I mean, realistically, a smaller company of, I don't know, five, maybe 10 employees is not going to do this twice a year or three times a year.

Dejan Kosutic:

They are going to do this once a year and basically this is it, right?

Carlos Cruz:

Yeah.

Dejan Kosutic:

We have to be realistic here, I'm afraid.

Carlos Cruz:

Yeah, yeah.

Dejan Kosutic:

Okay, now the audit program, besides these definitions of, let's say, the timing and the scope for each individual audit, should specify, let's say, the audit objectives and also the methods, right?

Carlos Cruz:

Methodologies, yeah.

Dejan Kosutic:

Can you say something, a little bit, about this?

Carlos Cruz:

So when we draw or when we design an audit program, what we normally do is, okay, on one axis we have the months of the year, okay? And on the other axis, it can be vertical or horizontal, it's not relevant, we have the different departments or different clauses of the standard or different areas of the company. So when I started, as a consultant working for companies, I used to put there the different clauses of the standard, but then I realized most people in the company don't know the clauses of the standard, so that's not relevant, that's not okay. So, departments, that's what they understand, or processes in the case of quality, or in the environment, I would also like to include their areas.

Carlos Cruz:

So, something like the waste warehouse or the wastewater treatment plant or something like that. So, we also can include things there. For example, my practice is, when I'm working as a consultant, I include there, for example, an audit team with two members. And I put AA with a bar on the bottom and BB, and so I put in the legend that AA with a bar, or the bar below, means that he or she is the lead auditor, and BB is the auditor. So, the other one without the bar is the auditor.

Carlos Cruz:

So, it's also a way of telling the internal auditors who will audit what, when.

Dejan Kosutic:

Very good. Now, the internal audit program is a mandatory document, right? This is obviously a key document for planning, whereas the internal audit plan is not a mandatory document. It's not required by ISO standards. Exactly.

Dejan Kosutic:

However, people typically confuse, you know, the program and the plan. So, what is really the difference between the program and the plan, and why is the plan not mandatory?

Carlos Cruz:

Okay, so the program is that one. A document, a kind of a calendar where we put there how many audits, what will be audited, so the audits throughout the year, and when. Now for each audit in the audit program we need to prepare the audit. We need to prepare the audit, and I would say that normally there are two outputs of that preparation. One is an audit checklist.

Carlos Cruz:

So an audit checklist is not mandatory. But I think that I never performed an audit in more than thirty years without a checklist. I believe that it's a way of showing respect for the auditees: I prepare the audit. Okay, so one thing is the audit checklist and the other one is the audit plan.

Carlos Cruz:

And the audit plan is our proposal to the auditees, saying that, okay, our proposal is we will start at this time of the day. So, 8AM we will start, from 8AM to 9AM we will audit this topic. We would like to audit person A, person B about this topic. From 9AM to 10AM we will audit that topic. So it's a kind of schedule of the audit.

Carlos Cruz:

So that's the audit plan. It's not mandatory, but a very important document. Why? Because auditees are not there waiting for us to be audited. For them it's a normal day, and we want to minimize the disruption in their work.

Carlos Cruz:

And also, when they accept, so I say there, my proposal is from 9AM to 10AM I will audit department A. And if they accept, let me say something like this, I can demand their attention from 9AM to 10AM because they accepted. Of course, sometimes there are emergencies and I understand that, and we should try to be flexible. In my mind it's like this, when they ask me for last minute changes: does this change stop me from achieving the audit objectives?

Carlos Cruz:

No problem. Okay, I accept. I try to make the changes to accept.

Dejan Kosutic:

Okay, I find this internal audit plan also useful, but maybe for a mid size or larger company. So again, if this is a very small company of, I don't know, a couple of employees, maybe 10 or 20 employees, you know, it might be an overkill really to create an internal audit plan, right? I mean, for a company of a couple of 100 employees, yeah.

Carlos Cruz:

I always create, even for smaller companies, I always create an audit plan. Always create, because as I said, it's a way of helping them to plan their day. And also I'm sure that they will be there with time for me.

Dejan Kosutic:

Now you mentioned the checklist is also an important outcome, even though it's also not mandatory. Now how do you actually create this checklist?

Carlos Cruz:

So it's like this. So, everything starts for me when I receive the assignment to do an audit; there are three documents, not documents, but three kinds of information that I receive. I receive the audit scope, I receive the audit criteria. So, an auditor is not a consultant, so an auditor should not use their experience as a benchmark.

Carlos Cruz:

So the audit criteria can be a standard, can be ISO 27001, can be the internal procedures of the organization, can be regulation, legislation, whatever. So I will see. And we receive the audit objectives. And with the audit objectives, because it's like this, imagine this: you receive that information, and if you see yourself at the end of the audit, imagine you do a time travel and go to the end of the audit. You are now, after the audit, writing the report. What kind of information do you need to include in the report, in your audit conclusions?

Carlos Cruz:

That information is kind of an answer to the audit objective. So when we look into the audit objective or objectives, we see what lines of inquiry they are asking us to follow. And so then what I do is, with that information in my mind, I go to the audit criteria and I translate that information into questions. So, questions, and the questions that I write in the audit checklist are not the questions that I will ask the auditee, they are questions for myself. So when I'm doing the audit, I look into the question and now, based on what I know about the organization, because it's not the first interview that I'm doing, I customize what's in the audit checklist to start a conversation with that person.

Dejan Kosutic:

Okay, just to kind of clarify, can you give an example objective and how it translates into audit criteria, and how those translate into a couple of questions for the checklist?

Carlos Cruz:

So, an audit objective can be something like: are we losing customers? Okay, so this is more about effectiveness. Are we handling our complaints in a way that minimizes losing customers? So, like that.

Carlos Cruz:

So, what we do during an audit like that, we will check that we are complying with the procedure. Then, for example, I will go after...

Dejan Kosutic:

This procedure is criteria then, right?

Carlos Cruz:

It's a criterion. That part is conformity. But then we see, let's imagine, I go there and I check that we are complying with the procedure. We are following the procedure. No problem there.

Carlos Cruz:

But how many customers, after a complaint, no longer work with us? And we realize that, for example, 10% of ...

Dejan Kosutic:

Is this now a question that you would put in your checklist or what?

Carlos Cruz:

What I do, how I see the audit objective, is I translate the audit objective into kind of high level questions like this. And then, to be able to answer those high level questions, I need to prepare the checklist. So, something like: the organization wants to know if they are losing customers after handling complaints. And so, one of the things that I will do is, okay, let's take a sample. So, you received 10 complaints last year, let me check eight, seven, six complaints.

Carlos Cruz:

Let's see, okay, did you follow the procedure, yes or no, and then, is this customer still working with you? Are there any new orders after this? And so if you realize that you lost 7% or 6% or 8%, okay, that will depend on your internal objectives, but it's based on that.

Dejan Kosutic:

So these are examples of what you would write down in your checklist. And after you write your checklist, do you actually then start preparing, sorry, do you actually start doing the main audit, or is there some other preparation needed as well?

Carlos Cruz:

So the first thing that I do is I write the checklist, because after writing the checklist, in my mind it is much easier. I know who I want to interview, what kind of questions, where I want to go, what I want to see. And so after that, I draw, I develop the audit agenda or audit plan. Because it's easier. Now, what I do is I send the audit plan to the auditees. Please check if this is okay for you.

Carlos Cruz:

If it's not possible to follow this, send me an alternative. So, we confirm the day, we confirm that the audit agenda, the audit plan, was okay. So, if I'm doing an external audit, for a company that I don't know, I can ask things like, if you go to my car you will see that I have there a safety helmet, my safety boots, my yellow jacket, the hearing protection, so I may ask, do I need any of these, or do you provide them? Or, for example, some logistics, like, for example, there's a company that I audited once and they had two plants in the same town, about two kilometers away from each other. So, how do I go from one plant to the other?

Carlos Cruz:

Do I need a car? Do I need a taxi? Or do you transport me from one site to the other site? Okay, things like that.

Dejan Kosutic:

Good. And then you start doing the main part of the audit, right? And, well, the main part of the audit is really about finding evidence that, well, the company is compliant, or that the company is doing what it says, or basically finding anything that is related to the audit objective, right?

Carlos Cruz:

Yeah, so normally, there was a time when I was doing certification audits, of course, when I was doing external audits for bigger companies, yes, we start with the opening meeting. But at some point in my life as an auditor, I was not giving too much importance to the opening meeting with very small companies. But now I do that, because it provides a kind of formality, and I think it's useful. I say it's like a game between two nations: before the game they have the national anthem, which provides some kind of formality, and it's a kind of a cut between before and after. Okay, before the audit and the audit.

Carlos Cruz:

Okay, so yeah, I like to do the opening meeting and then we start. So according to the audit plan, I say, okay, I would like to audit the purchasing department. So normally, not normally, for me it's mandatory. I always want someone escorting me. I always want a witness.

Carlos Cruz:

Okay, even if they may say, oh Carlos, we trust you, you can go, no, no, I always want someone that can witness what I see. Okay?

Dejan Kosutic:

You're acting as an external person, right? You're doing the internal audit, and yet, I mean, you are an external consultant, but if someone is really from the company, an employee of the company doing the internal audit, do they also need someone to accompany them as well, if they are really from the company itself?

Carlos Cruz:

I think it's a good practice. It's a good practice because it's like this. I will tell you my experience. So, you are in the closing meeting and you are presenting the non conformities, okay? And there's a big non conformity, a major non conformity, very important.

Carlos Cruz:

I'm remembering one example in an internal audit performed by me about the environment, about the environmental management system. And the general manager of the company said, no, that's impossible, not in my company. And the person that was with me said something. And the general manager looked at that person and said, okay, no more problems, okay? So, he didn't say anything more.

Carlos Cruz:

I think it's very useful.

Dejan Kosutic:

Okay. And then when you perform this main audit, what kind of evidence are you typically looking for? So, what is your preference, let's say?

Carlos Cruz:

So, you know, I don't know if in your country there was that TV series, Dr. House. Okay? Dr. House was saying something like, everybody lies, okay? So, I follow the same approach, not because people are lying because they want to lie, but sometimes people are trying to be nice and are answering about things that are not their main job, and so they are not telling the real things.

Carlos Cruz:

And so, what people say to me, what people tell me, are not facts, they are pseudo facts, and an auditor must work with facts. So, they speak, they speak, they speak, and I write, I write, I write. So one thing that I like to say is, elephants have a good memory, auditors take notes. Okay, so I take notes. But then I ask, can you show me?

Carlos Cruz:

Can you provide evidence? Sometimes there are some things for which there's no written evidence. But if I hear different people in different places at different times saying the same thing, I can infer that it's a fact. But normally I ask them to show me the evidence in a record, a video, whatever, some kind of paper trail. I want that.

Dejan Kosutic:

But because, you know, especially in this cybersecurity area, you know, some auditors tend to focus mostly on written records, right? And, you know, sometimes even almost without speaking to employees, which in my view is wrong, right? Because of course you are looking for a written record, but, you know, I like to think of it in this way: records don't tell a story. A story you can actually hear from people, right? And these stories that these people tell, they lead you as an auditor onto a trail or towards something that the record itself wouldn't say.

Dejan Kosutic:

If you are looking for backup records, you wouldn't hear anything about how the backup administrator was trained, right? Whereas if you speak to a backup administrator, you can ask both for backup records, but also how this person was trained for this job, right? So I think the combination of these interviews and written records is very important.

Carlos Cruz:

Yeah, I am like this. As an auditor, I'm very, very, very diplomatic. Okay. In my mind, I'm very cynical. Okay.

Carlos Cruz:

And so when people say, and I see the records, say, okay, good, they provided this kind of fantastic training, on paper it's there. I don't say that the training didn't occur. No, the training occurred, okay, it's there, the records. But then I speak with the person, I interview the person, and the person doesn't apply what was transmitted during the training. The purpose is not to fill in the record.

Carlos Cruz:

The purpose is to know the message and apply the message of the training. So, yeah.

Dejan Kosutic:

I mean, this is also a very common, let's say, problem or perception that these audits are simply a kind of tick box exercise, right? That they are not really seeing the real picture. So, how do you actually overcome this problem? How do you actually understand fully, you know, if for 9001 the company has really a good quality management system, or if for 27001 the company is really at the top level for security, how do we actually find the real picture of a company?

Carlos Cruz:

So, it's like drawing with points. So one point can be, are the records okay, the other can be the result of the interviews, but also the results of the performance. So Clause 9, the monitoring of performance of the system. So if everything somehow seems to fit, because as I said before, it can be the Titanic. People can be following the procedures, but the system may be not good.

Carlos Cruz:

So you work with 27001, so it's incredible. In the last days I've been, I always, every day I read one or two British newspapers. Okay. It's incredible. I think it was today or yesterday, one British newspaper, three different articles about hacking, so about systems down.

Carlos Cruz:

Okay, something like the company that manufactures the Jaguar and those things. It's incredible. And I believe that they have a lot of brains. I believe that they have a lot of things. Yeah, but okay, if those things happen, so in quality, they may be following the procedure, they may be qualifying fantastic suppliers on paper, but if they are importing problems through their suppliers, okay, it's not okay, something is not working.

Dejan Kosutic:

And then you start feeling it, so to say, and then you can actually drill further wherever you see that some things are not quite right. Towards the end of the audit you do, or you might actually do, a closing meeting, even though it's not mandatory, and you always have to write the internal audit report, which is mandatory. Can you tell me a little bit about these last steps?

Carlos Cruz:

So, yeah, preparing the report, what I do is, I have some tricks that I use. For example, if I'm doing an audit that takes two days, I use the checklist and on different days I use different colors, because that way I know what was the first day and what was the information collected on the second day. And then when I'm taking notes, I use some kind of code. So if there's a problem or something, for example, there was a time that I drew a skull, okay, like the pirates' flag. Okay, so that's the major non conformity I put there, or like the Ford Motor Company, that symbol of the delta, the inverted delta, for something that, okay, needs further investigation.

Carlos Cruz:

So, when I'm doing the report, what I do is, I have my bag and my bag is full of pens and highlighters, so I use different colors, and I'm reading my notes and I'm highlighting in different colors. So then what I do is I try to assemble topics that belong to the same thing. One thing that's interesting is, in the beginning, when I was doing more audits for companies that were starting, I only included the non conformities in the audit report. But now I'm invited to do many audits for companies that have mature systems. And sometimes I cannot find any non conformity, and I don't want the certification auditor to come and say, oh, this guy Carlos, okay, he was sleeping, he was not doing his job properly.

Carlos Cruz:

So, to show my due diligence, I write in the report all the conformities, okay, the conformities, and okay, if there are non conformities, non conformities, but everything is there. So, an auditor that comes later can go there, check that order number from that client or that order to that supplier, everything is there. They can repeat my audit with the evidence that I put there. So that's it. So I put there all the audit findings and I divide them into conformities, non conformities, major or minor, and OFIs, so opportunities for improvement.

Dejan Kosutic:

But do we really need to distinguish between major and minor in an internal audit?

Carlos Cruz:

No, we don't need to distinguish major and minor. Okay. But it's my conscience, okay? Because it's like this, I don't know if this is the right topic for this conversation, it's like this: I say to my customers, the audited organizations, okay, certification auditors expect you to do the correction and corrective actions for all audit non conformities. But in my mind, I always remember the Deming funnel experiment, and Mr.

Carlos Cruz:

Deming showed to all of us that sometimes the better thing to do is not to change a system, not to introduce more variation into a system. So if the non conformity is minor, in my mind, only correction and nothing more, but it's only in my mind. But when I say to them, this is a major, so you need to go after the root cause, sometimes they ask me, it's typical, classic, oh, what is the root cause? I don't know, I don't know. You need to go after it.

Carlos Cruz:

Okay, you need to go after it. And I always say to them, an auditor must keep his or her independence. If I tell you what the root cause is and you attack that root cause, next year I come here and the problem is still there, and you say, oh, but we did what you told us to do, and I lose my independence. Okay, I'm part of the problem now. So what I say, or I may say, is something like, okay, in some companies I saw something like that, this kind of root causes.

Carlos Cruz:

In another company I saw this and this. Okay, but you need to check. You need to check.

Dejan Kosutic:

Yeah. Good. Now, let's change the aspect a little bit and speak about consultants, right? And basically their role and their opportunity for internal auditing. So there are not many consultants actually that do internal audits.

Dejan Kosutic:

They mainly focus on, let's say, implementation, maybe training, these kinds of things, but not many do internal auditing. So do you see this as a good opportunity, a business opportunity, for consultants?

Carlos Cruz:

I think so. I think so, because it's a way of gaining some kind of intelligence about what other consultants are doing in the market, what kind of ideas are around now, because there are some fashions, some trends, from time to time people find this kind of thing, so I think I find it interesting. I find it a way of teaching us that there is more than one way of looking into the requirements of the standard. So it gives us some kind of humility because, okay, our experience, but that other experience is okay too, and for that kind of company perhaps it's better for that kind of experience. I think consultants should include that kind of service in their portfolio.

Dejan Kosutic:

Definitely. Okay, it's a learning experience, but it's also, I would say from the revenue point of view, a great thing because it's recurring, right? So, if you are doing this, let's say, once a year, or maybe a couple of times a year, then this is something that is coming to you without actually having to sell it every time, right? So, there is no sales cost or sales effort there.

Carlos Cruz:

I'm in a hotel today, tonight, because tomorrow I will do an audit, and I'm doing one, sometimes two audits per year for this company over the last eight years. So next October, for example, I will do an audit. It will take two days, one day and a half. And I've been doing that same audit for that same company over the last twelve years, for example. So, in November, December again, the same kind.

Carlos Cruz:

And a company that I've been working with since 2013, I believe. And it's also a way of seeing the evolution of your work. So you work with them and see what the evolution is, what is really working and what, with this kind of people, doesn't work with them. Maybe it works with others, but this, no, it's not the best approach for them. Yeah, and it's nice, the human side, that once per year you see people and they are almost friends now.

Dejan Kosutic:

Now, many consultants actually want to do the implementation, but also the internal audit. And this is a conflict of interest, right? This is basically, at least in my view, something that consultants should not be doing. So, how do you see a way to overcome this problem of conflict of interest when a consultant is doing the implementation and then the internal audit?

Carlos Cruz:

Okay, so let me tell you that sometimes I do that kind of audit, perhaps not the last audit before the certification audit, but I'm doing that audit and I can assure you I'm much more demanding than any auditor because I want to find as much as possible before anyone else. But what we can do in situations where we are working with a certification body that doesn't like that the consultant who helped during the implementation also does the first audit is to ask another consultant. And it's the kind of thing where you ask the other consultant and the other consultant then will ask you to do audits for their company. So it works that way.

Dejan Kosutic:

This is a very good solution. Then you can actually do the next audit in one year. You can actually do the internal audit for this client because at that point in time you're not going to do the implementation anymore. So it's a way to overcome this problem. Okay. Now, you also mentioned this standard ISO 19011. So what is the standard and how is it relevant for internal auditing?

Carlos Cruz:

So the standard, let's say, is not mandatory. Okay. It is called a guideline, so it provides some orientation for all internal audits of management systems. And that's important because it explains some concepts, so it's very detailed. It has a big flowchart about all the steps during an audit and shows what is happening.

Carlos Cruz:

So what's happening before the audit, during the audit, after the audit. It's very detailed about, for example, the composition of an audit report. Unfortunately, it almost doesn't mention the audit checklist, I don't know why, but it provides very detailed information. So, for someone who wants to start working as an auditor, a good point is to look into that standard and read that standard because it provides good guidance about the various steps in the audit and very detailed information about the composition of the audit report or how to act during the audit. It's very useful, not just pages sold by ISO.

Carlos Cruz:

No, I think it's really useful.

Dejan Kosutic:

Maybe we could call it a central standard that teaches you how to audit, right? So, besides going to an internal auditor course, you should also read 19011 for details. Okay. I know many people are asking how to do a remote audit. And actually, I know that you are also doing this webinar for Advisera about remote auditing.

Dejan Kosutic:

So what is different and what is the same when doing a remote audit versus, let's say, an on-site audit?

Carlos Cruz:

So there are two things that I find very weird about remote audits. Evidence, about the paper evidence, the records, and the digital evidence. It's much easier. I don't know why, but it's much easier to look at that, to see information, perhaps because when you are doing an audit on-site there's a lot of stimulus, a lot of information that you are receiving while you are looking at it. But when you are looking at a screen it's just that.

Carlos Cruz:

So, it's much easier to analyze the evidence, it's much more objective. Now, what doesn't work so well is what we learn from the relationship that we develop with people during an audit. Because during an audit there may be a coffee break, maybe a lunch, maybe the small talk that we do while going from department A to department B. And that's a kind of glue that is missing when I'm doing a remote audit. But I think after Covid many people are leaving the remote audits, and I think they are not doing a bad job, because I think they are really, really useful.

Carlos Cruz:

Okay, perhaps not 100% remote audits, but some kind of hybrid, okay, a program with hybrid audits or on-site and remote could be useful.

Dejan Kosutic:

Yeah, definitely. And especially, I mean, for a cloud company, I mean, the IT companies that provide cloud services, if they are working remotely, right? If they don't have an office. A remote audit is the only option to do this.

Carlos Cruz:

Yeah, it's the only option. Also, for example, if you're a company with five or six sites, you don't need to have one good auditor at every site. That auditor doesn't need to go to China to do the audit in the company's plant, or to go to New Jersey, or go to wherever, to Frankfurt. No, they can do the audit in one place, so it's the expert of the company, and that audit made by that expert, the remote audit, can be combined with audits smaller in scope made by local internal auditors.

Dejan Kosutic:

Are there some, let's say, situations or maybe some standards that actually do not allow remote audits?

Carlos Cruz:

At least I know that TS16 69 for the automotive industry. They don't allow that. I already read something about why not, but now I don't know. I don't remember. Yeah, but we don't allow it.

Dejan Kosutic:

Yeah, specific standards like this automotive one. Yeah, that one is an exception, so to say. Yeah. Speaking about, let's say, if a company has several standards like, let's say, 9001 and 27001, can they actually do an internal audit for both of these standards at the same time?

Carlos Cruz:

Yes, it's what is called an integrated audit. I think it's a good approach because when an organization is working it's not just doing quality or environment or information security or health and safety. No, it's doing its work. Okay, so what we should do is audit the company while they are doing their work, and during that audit we have some lenses that are on quality, some lenses on environment, some lenses on information security, but it's less artificial, it's more natural.

Carlos Cruz:

So, I may be auditing people working on the shop floor and I'm asking questions about quality, asking questions about the waste or how they segregate waste. I may ask questions about how they manage the passwords, how they work with their passwords, the backups.

Dejan Kosutic:

Doesn't it then require an auditor to know, let's say, both standards, both quality and information security? Because if it does, then it's hard to find people who actually know all of these different standards.

Carlos Cruz:

Yeah, but it's like this. There are two conditions for choosing an auditor. Condition number one is an auditor must be independent. An auditor cannot audit his or her own work. First, independence.

Carlos Cruz:

And second, an auditor must have some kind of competence for doing the audit, must know what the good practices are for doing an audit. And for doing that audit, we must know the good auditing practices and must know the standard. So, if he's doing an ISO 27001 audit, the auditor must know the standard, 27001. So, that can be an obstacle for doing integrated audits.

Dejan Kosutic:

But, you know, from my, I would say, experience, if you already know one ISO standard very well, then it's, I would say, rather not easy, but it's easier to then move on to the next one if you already know the logic of the first one, right? And I've seen lots of consultants actually going this way and they specialize in three, four, maybe five standards, and this makes them competitive in the market, right? If they know, I don't know, four standards, they will sell their services much more easily than if they know only one. Yes. Okay, good.

Dejan Kosutic:

So since you are dealing with AI as well and are very interested in it, as am I, what do you think? How will AI change internal auditing?

Carlos Cruz:

So, AI will help auditors, for example, in preparing their checklist. I don't say that it will help prepare better checklists, but much more efficiently, so much faster. Because with AI, so, for example, last week I read a new directive, a new environmental directive from the European Union with more than 60 pages. And I asked AI about this for this kind of economic sector, about this for this economic sector, and it provided me some sort of information: where, what topics, what numbers, then I can go there and check. So, it's much easier to do that.

Carlos Cruz:

So, to do the checklist it can help us a lot. I believe it can be useful; some years ago we spoke about that, we had a conversation about that, it can be fantastic, or will be fantastic, for training auditors. For example, for role playing, so AI can do the part of the auditee or the auditor, and so the trainee can work as the auditor or as the auditee. So it can be useful there too. Of course it can be used for writing the reports, the audit report, or what the standard calls audit results.

Carlos Cruz:

Okay, the audit report. So this way, you list all the audit findings, and finding trends in those audit patterns, it can help us. It's much easier to do that when you have 15 audit findings that have some negative connotation and it's not 15. I don't like to write them as 15 nonconformities. So, if there are two or three of the same kind I like to add them together, and those three or four are evidence of a bigger problem, and then, okay, AI allows us to do it much easier, much faster.

Carlos Cruz:

The topic is faster, it's becoming much faster.

Dejan Kosutic:

Certainly. I mean, AI will become, I would say, one of the best friends of auditors, I would say, in the future. Yeah, exactly. I just hope that AI doesn't take the job of an auditor. This might happen.

Dejan Kosutic:

Okay, we'll see what happens in the next couple of years.

Carlos Cruz:

Yeah, okay. There are some companies I'm working with, or I worked with some companies, where big chunks of processes that in the past were done by people, now the customer somewhere writes in a portal, that transforms into an order, and tech tech tech, an ERP somewhere transforms that into an internal order. No human is acting until someone looks into a production plan and the human provides the human touch to the proposal of the machine.

Dejan Kosutic:

Yeah, we live in very interesting times, I would say. Okay, as a last question today, so what would be your, let's say, top recommendations for internal auditors?

Carlos Cruz:

I would say, what I say to auditors when I'm training auditors, one of the things that I say to them constantly is: I know that some people are obligated, their boss, their company said 'you must be our internal auditor', and they don't want to be internal auditors, so it's a pain for them. But for those who want to be internal auditors, external auditors, certification auditors, for those who want to do so, think of yourself as a personal brand. Write reports that people read and say wow, people will trust you, and then word-of-mouth will work and other people will invite you. And by the way, one thing that I was missing, so when I started doing audits, my main problem when I was writing the audit report was, oh, I'm not sure if I should consider this major or minor. So, be careful with the size of the sample of what you are going to audit, because that's important.

Carlos Cruz:

One thing is you write, okay, this training program that you have is not working because of this, this and this. And one thing is, because of one issue, one topic, you say it doesn't work or seems not to be working. Another thing is, because of this topic, because of this topic, because of this topic, so if you present enough information, that gives you some confidence, it's not 100%, there's always a risk, but it provides you some confidence. So that is what I would say: think about your sample and prepare your audit. Invest time in your audit, in the preparation of your audit.

Dejan Kosutic:

Great. Well, thank you for these insights, Carlos. I think this was very helpful.

Carlos Cruz:

Thank you for the invitation.

Dejan Kosutic:

Yeah, thank you. So thanks again for the participation, and thank you everyone for listening or watching this podcast, and see you again in two weeks' time in our new episode of the Secure and Simple podcast. Thanks for making it this far in today's episode of the Secure and Simple podcast. Here's some useful info for consultants and other professionals who do cybersecurity governance and compliance, from Advisera. On the Advisera website you can check out various tools that can help your business.

Dejan Kosutic:

For example, Conformio software enables you to streamline and scale ISO 27001 implementation and maintenance for your clients. White label documentation toolkits for NIS 2, DORA, ISO 27001 and other ISO standards enable you to create all the required documents for your clients. Accredited Lead Auditor and Lead Implementer courses for various standards and frameworks enable you to show your expertise to potential clients. And a learning management system called Company Training Academy, with numerous videos for NIS2, DORA, ISO 27001 and other frameworks, enables you to organize training and awareness programs for your clients' workforce. Check out the links in the description below for more information.

Dejan Kosutic:

If you like this podcast, please give it a thumbs up, it helps us with better ranking, and I would also appreciate it if you share it with your colleagues. That's it for today, stay safe!
