0 99
Big Data in Auditing -

Written by: Ken Lynch of Reciprocity Labs

Behind any pile of data is a story. Ideally, the data provides a well-outlined plot of the strengths, weaknesses, risks, and opportunities that your business faces. Unless your business can analyze this data, the story it tells remains hidden behind facts and figures.

Lucky for modern-day businesses, the conventional approach for auditing and data analytics has provided a baseline for firms to leverage the power of big data. Using these strategies, organizations can predict market patterns, investment opportunities, and business risks- all which influence the decision-making process.

Sadly, the precision at which these conventional strategies can predict the future isn’t enough. The good thing is that big data looks to fill the gaps that conventional approaches have, and revolutionize the entire auditing and analytics industry. As long as you can leverage big data, auditing for clients will be a walk in the park.

Read on to learn about the opportunities that big data presents your business and common challenges to its adoption:

The Perks Of Big Data

1.   Enhanced Audit Quality

Conventionally, auditors had to sample their client’s data to come up with useful insights. Though sampling has been effective for some time, it doesn’t provide enough precision. You typically have to ignore data anomalies a well as outliers, which can often help identify risks before they occur. Big data analytics systems will help you to analyze a wider scope of data, if not all the necessary data, to come up with more precise conclusions.

Also, it will allow you to analyze your client’s data early in the auditing process, making it easy to streamline the rest of the process. You can pick metrics for analysis early, identify problems, and know the kind of audit evidence to look for.

2.   Improving The Auditing Frequency

Other than being costly, data analysis can be quite time-consuming, especially if you lack the necessary analytics tools. This is why firms choose to analyze their data after every fiscal quarter or year- even though they know that frequent analysis will yield better results. Luckily big data streamlines the data analytics process, reducing auditing lead times.

As a result, businesses can enjoy more audits at a reduced cost. Not only does this continuous testing revolutionize risk identification, but it also paves the way for accurate control assessments as well as timely insights.

3.   Improved Client Service

As outlined above, big data helps shorten the auditing process as well as improve the results. Such factors can be quite helpful in the decision-making process by clients. Even better, this new approach to data analytics ensures that you can communicate time-sensitive threats and opportunities early enough, making the role of auditors in the business growth scene even more appreciated.

How Big Data Is Transforming The Audit

Auditors work in the interest of all stakeholders. They help with the quality assurance of businesses, from a financial to a security standpoint. They deliver insights that improve reporting, identify business risks, and even offer insights on tailored fields.

While conventional technology had played a significant role in supporting the task of the auditor, it limited their power. With big data and developments in the analytics field, everything changes for you as an auditor. You can now focus on an entire population of audit-relevant data instead of trying to fixate your judgment on a mere sample. It even allows you to tailor your auditing journey to deliver the right results.  

Algorithms For Data Analysis Make Big Data Even More Useful

Present-day auditing applications that are based on big data are designed with a series of algorithms. This provides a platform for both running checks for completeness and formatting analysis. At the very least, such algorithms help to streamlines a formerly manual process.

The applications will offer you, as an auditor, a dashboard-based information pool from which you can draw conclusions. It also becomes easy to check for anomalies and outliers, as well as pay attention to any red flags early. By combining them with the traditional approach to analysis and auditing, the extent to which such algorithms can change the business world is huge.

Auditors And Analysts Can Shift Their Focus Towards Risks

Ideally, data collection, processing, and checking are one of the most time-consuming tasks for auditors. These algorithms help reduce the role that you can play in the initial stages of data collection as well as the processing and checking the data. As the application does it all for you, you can shift your focus on the intricate details of auditing.

This allows for better performance benchmarking and the use of resources. The biggest benefit is that auditing and analysis oversight is enhanced. However, it will be essential to train people on the skills needed to use big data and related tools in auditing and analytics.

Threats To The Integration Of Big Data

There is a reason why big data hasn’t yet gained enough traction in the auditing field. The threats that slow down its integration are many, but they aren’t insurmountable. Here are some of them:

1.   Barriers To Capturing Company Data

As long as you can access client data, it can be pretty easy to use big data analytics in the auditing process. You could draw conclusions and even identify threats in a fraction of the time it would have taken you to do so if you were using conventional means. However, the fact that you have to access company data brings in the form of complexity.

Businesses spend years layering security tools to reduce the data security risks their data faces. To gain access to this data, auditors have to rely on a time-consuming approval process, with some businesses being reluctant in providing the data completely. Instead, they claim that they will be putting their data at risk, which is understandable.

2.   Data Extraction Isn’t An Auditing Competency

Businesses typically use a number of accounting systems to achieve their accounting needs. Since data extraction is not a core competency for auditors, and most businesses lack this competency, it adds a layer of complexity.

Ideally, you might have to go through a lot of back and forth between you and the organization you are auditing to capture the necessary data. Without enough insights into how data extraction works, this might seem like an uphill task.  

While conventional audits focused on the general ledger, you will need to obtain information from the sub-ledgers to truly enjoy the benefits of big data. Sadly, this also increases the complexity of integrating big data into auditing.

3.   Finding The Balance Between Auditor Judgment And Analytics

It is pretty easy to use descriptive analytics to pinpoint threats and opportunities that lie in the shadows. For instance, if a situation of fraud has been plaguing a business, you can easily point it out to your clients. Sadly, it is a little bit tougher to produce audit evidence trying to respond to the identified risks.

Big data mainly relies on the black box nature of analytics, whereby rules and algorithms are needed to transform the collected data into reports and visualizations. Once the data gets to this stage, auditors need to find a balance between relying on these analytics and using their judgment to make the necessary conclusions.

4.   Auditor Training Is Yet To Change

As outlined above, big data completely revolutionizes the auditing job. It requires you to have both analytics and IT skills as an auditor. This will allow you to know the kind of questions to ask the collected data and know how to use the analytical output to produce quality audit evidence. Simply put, the new skills make deriving business insights and drawing conclusions pretty easy.

However, the modern-day training for auditors hasn’t yet caught up with the demand for big data. The learning and development programs at the college level are mostly based on the conventional approach to auditing. This means that an auditor that comes from these levels will have a hard time adjusting to the new requirements.

Ideally, getting rid of this problem requires a ground-up approach to auditing training. Learning institutions need to incorporate the necessary big data skills into their training to arm auditors with the right skills.

The Changes That Big Data Brings Along

1.   Auditing And Analytics Standards Have To Adapt

Since time immemorial, the role of auditors has been governed by a specific set of standards. These standards have been governing what you can and cannot do as an auditor. They have control over how you communicate with clients and what tools you can use. However, they limit the use of big data tools in auditing and analytics.

The new tools disrupt data management, workflow management, as well as data interrogation. Without changes in these standards, some of these tools might never be used as effectively as they should be used. Ideally, the regulatory bodies that make such standards need to update them to pave the way for big data and related tools.

2.   Skillsets Need To Change

Ignorance can never be an excuse in the face of disruption. You need to be well versed with the latest analytics skills to remain competitive in the world of big data. Ideally, it starts at the college level. Sadly, a single issue has made it tough for the necessary skillsets in a world run by big data to gain traction.

Having not taught students about the recent developments in the different fields, learning institutions choose not to test such areas. On the other and, students fail to study those specific areas since they know they won’t be tested. The good thing is that institutions are slowly updating their courses to incorporate ad hoc changes, and online platforms are offering courses that can help arm you with these skills.

Regardless of whether you are working or a student, you need to access courses that can help you sharpen your skills for a world centered on big data. While training on the job is possible, go beyond this. The only way to be effectively competitive is to immerse yourself in the most recent developments. The good thing is that this will be straightforward as long as you have the conventional auditing practices as your baseline.

3.   Audits And Analysis Need To Dig Deeper

Big data provides more insights than before. It allows auditors to dig deeper into their client’s data environments and identify anomalies and risks that they previously couldn’t. Even better, it makes it easy to turn analytics and audits into a continuous process, offering businesses real-time insights throughout the year.

As an auditor, you need to have the necessary applications and tools to achieve both of these improvements. You should also change the way you describe your offering to clients to ensure that they understand that audit and analytics quality is better than before.

4.   Security Needs To Be Improved

Big data uses both structured and unstructured data to come up with business insights. Some of this data can range from communications with clients to financial data. The bad thing is that there is a looming threat of this data falling in the hands of cybercriminals. If this happens, not only could be the future of businesses in jeopardy, but their relationships with their clients and other stakeholders could also be at risk.

Ideally, businesses need to invest in security tools that fit right into their data environments without making big data analytics tough. On the other hand, you- as an auditor- should assess the tools you use for auditing with a lot of criticism. The last thing any auditor wants is to compromise the security of their client’s data when doing their job. This is why training in the latest developments in a world run by big data is essential.

Big data promises a lot of opportunities in the world of audits and analytics- from increasing analytics efficiency to improving the decision-making process. As long as the challenges behind the adoption of big data in analytics and auditing are eliminated, it will be much easier for businesses to grow and tackle risks. Be sure to up-skill and keep up with trends in the big data world to take advantage of it.

About the Author

Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT.  Learn more at

0 183
What is an ISO Management System -

The ISO 9001:2015 standard was designed by The International Organization for Standardization (ISO) to provide a framework for an effective system for organizations in any industry to demonstrate to their customers their commitment to quality and enhanced customer satisfaction. ISO 9001 was developed to facilitate international trade and allow organizations and consumers from all over the globe to understand that when they encounter an organization with an ISO 9001 certification, they can be confident in the quality of products and services they can expect. Subscribing to and becoming certified to an international standard like ISO 9001 means your system produces products and services of consistent and exceptional quality that consumers can rely on time and time again.

Before you can become certified to ISO 9001, you need to implement the management system effectively within your organization. The Standard includes base requirements like the needs and expectations of interested parties within the scope of the standard. The requirements are not industry-specific for ISO 9001, but certain industries like Aerospace do have a specific standard which includes ISO 9001 as the base model with specific industry requirements added for their industry needs.

The requirements of the standard must be met to fully implement an effective Quality Management System (QMS) that allows your organization to consistently produce products or provide services that not only meet your customers’ needs but also subscribe to its globally acclaimed regulatory requirements. If you are looking to become certified for the first time, give yourself adequate time to properly implement your system before you seek certification from a Certification Body, roughly 3 months should give your organization time to implement in house or with the help of a Consultant.

Find a Consultant in your area.

What is a Management System?
According to ISO, “A management system is the way in which an organization manages the inter-related parts of its business in order to achieve its objectives.”

In case that still sounds vague, a quality management system is just a detailed set of processes and policies that are incorporated in the core business area of an organization to ensure that it meets its organizational objectives like consistent service quality, environmental concerns, maximum operational efficiency, etc.

ISO 9001 is one of these Quality Management Systems, arguably the most comprehensive and acclaimed one, which can be applied to organizations in any industry.

What are the 7 Quality Management Principles?
ISO 9001:2015 is primarily guided by 7 principles, below we’ll give you a quick explanation on each of these and why there is focus on them specifically:

Customer focus: An organization can achieve sustained success when it focuses on customer needs and exceeding their expectations.
Leadership: Organizations maintain cohesiveness and internal engagement when they focus on establishing unity of purpose and direction in leaders at all levels.
Engagement of people: Enhanced capability to achieve set quality objectives is possible when employees at all levels are sufficiently informed and engaged.
Process approach: Consistency of quality services is achieved most efficiently when all activities and interrelated processes within the system are managed.
Improvement: Organizations can best maintain and surpass current performance levels by fostering an ongoing policy of continual improvement.
Evidence-based decision making: Organizations can make objectively better-informed decisions in regards to internal processes by analyzing and evaluating existing data and evidence.
Relationship management: Performance optimization is better achieved when organizations effectively manage relationships with supplier and partner networks that are existing/potential stakeholders towards sustained success.

Want to learn more about the 7 Quality Management Principles that Standards are Based on? Read the full article here.

ISO Certification

To fully reap the advantages of implementing an ISO standard you should investigate becoming certified to the standard by an accredited, third-party Certification Body (CB). What is involved in becoming certified to ISO 9001? You need to be able to demonstrate to a third-party auditor that your organization adheres to the requirements of the standard. The length and duration of your audit will depend on the size of your organization and the number of locations you have. When you contact a Certification Body for an estimate of cost, they will detail to you the number of days and auditors who will be present and explain to their rationale. Location of the auditor is also important as travel expenses, such as meals will be billable to your organization.

Certification audits happen in a 3-year cycle, year 1 being your first certification audit where the Certification Body auditor conducts a thorough audit of your system to determine if you are compliant with the requirements of the standard and meet the requirements for certification. Year 2 and 3 are “Surveillance Audits” where the CB auditor performs an audit of selected processes and requirements to ensure you are continuing to meet requirements and maintain your certification. By becoming ISO 9001 certified, you will be able to market your ISO certification to advertise your credibility and effective processes. Your company will become more credible to clients and offers you a substantial amount of competitive edge in the market which is especially beneficial when you’re on the lookout for business partners.

0 225
Choosing the Right ISO Consultant - ISO Update

The current competitive marketplace is demanding for quality products and services that deliver exceptional customer experience. Getting globally recognized as a “quality first” brand can be the key to achieving a competitive edge in today’s growing global marketplace. If you are considering certification, choosing the right ISO Consultant is a critical decision that will determine how efficiently and seamlessly your certification process will take place. The right consultant can also change how fast you achieve certification.

In the whole process of ISO certification, your ISO consultant plays a pivotal role in terms of providing solutions for problems you may not have even realized. Hence your consultant must be knowledgeable on the process flows, required optimizations and compliance parameters.

Important note: An ISO consultant cannot give you an ISO certificate, that is the role of a Certification Body (CB). Your consultant is responsible for setting you up to be ISO compliant and passing the external quality audit performed by a third-party auditor from a CB. It is only after passing your external audit that your organization is issued the ISO Certificate. Consider your ISO consultant an extension of your organization, not a third party.

Parameters you should be assessing while choosing your ISO Consultants:

Relevant Knowledge and Expertise

When selecting a consultant for the implementation of a standard in your organization, consider their knowledge on the fundamentals of ISO Standards, specific requirements, common mistakes they have seen in their history as a consultant, documentation support, etc., because you will need to rely on them to be the expert on ISO so you can remain the expert on your organization. You should also consider the consultant’s history and track record for the number of certifications issued for their clients and their current client base. Consider this your initial product review, you may even want to check references and/or reviews as this will illuminate the efficiency of the consultant you are interested in.

Client Reference

Your ISO Consultants should be responsible for providing support for organizations across multiple disciplines and stages. They should be experts in advisory, consulting, management and internal auditing. When considering a consultant, the success rates, past projects, client satisfaction, diverse industry experience, client testimonials and case studies will help you in determining their credibility. Be sure to obtain honest, reliable and credible client references as they are an effective means to choose the right partner to initiate your ISO Certification process.

When finding client references, look for organizations in similar industries or niches to your own who have successfully obtained an ISO certificate as it will give you added confidence that this consultant is comfortable and familiar with your industry and the unique challenges it faces.

Communication and Building Rapport

You will be meeting your consultant for regular reviews, discussions, strategy formulation, internal audits, and other activities deemed necessary, so it is important to build a rapport and trust your consultant. You will be working together for the successful implementation of ISO Complaint processes, final certifications and for renewals each cycle of the certification process. Trusting your consultant to properly advise you is paramount. Ensure you set yourself and your team up for success with proper communication lines – consult your organization to determine if this consultant fits well into your organizational culture. You might want to consider using similar practices as to that of hiring for your own team, as your consultant should be viewed as an extension of your organization.

Customized Services

The ISO Consultants must be competent enough to deliver customized services for their clients as every client should begin with a clean slate. Each organization is different, even within the same industry as their other clients, so it’s important that they tailor every item to your specific needs and listen to your actual practices. It is important to remember that your processes that are written down, should be what you do or will do. When it comes time for your certification audit, the auditor will be checking and double-checking your processes, and if your consultant copied previous examples from their clients and it’s not something you do, you will be written up for a non-conformance. The accuracy and specificity must be detailed by your consultant to ensure your organization is set up for success. Standard implementation should be flexible enough for your needs and must align with the organizational goals while still being compliant with the ISO requirements.

Result Oriented

Being result-oriented is extremely important in the ISO industry. Your ISO consultant will outline an implementation timeline including the process improvements, general dates for internal audits, recommend necessary training, and other important KPI’s (key performance indicators), within the timelines and budgets discussed to ensure your organization will achieve certification. Process improvements and implementations should be selected carefully and strategically to utilize time and resources effectively within your organization to maximize your organization’s potential for future business growth and ensure the standard is a value-added system.

Pricing and Timelines

Proper ISO implementation and certification is a long-term investment and highly result-oriented, therefore, we recommend considering all other factors before you evaluate the dollar value of each consultant you are considering. While price should be a factor in your decision, it is important to know what is associated with the price tag including quality, experience, knowledge and all the factors we’ve already covered in this article.

Hence, while deciding on the pricing, have a detailed meeting and go through the service offerings and capabilities of the ISO Consultants. The quote you receive from your consultant will consider numerous factors like the timelines and turnaround of your certification, your organization’s size, industry, complexity, and if you’ve ever been certified before. If you are brand new to ISO standards, it will be a much more in-depth process to implement your system than if your consultant is simply reviewing and improving your system.

Your consultant must provide clear timelines with milestones and an estimated completion time of the ISO Certification process from the start to getting certified and the renewals when they provide you with a quote. Understand that this might not be exactly accurate to what will happen. As hidden costs and altered timelines might occur during implementation.

Your Checklist for choosing the right ISO Consultant

  • Do they have the required knowledge and expertise on the specific standard you are looking to get certified to?
  • What is their history within your industry? Can they provide you with client reviews and their client history within your industry?
  • Do you trust this consultant and does your organizational culture match with this individual or consulting team?
  • Does this consultant customize their services to meet your requirements and unique challenges?
  • Are they results-oriented and willing to outline specific KPI’s that will ensure your certification is a value-added process?
  • Do you believe the cost of their services is fair for the benefits you will receive?

When considering your ISO consultant, it is important to look at the bigger picture. Consider the time involved with your consultant, your trust and confidence in their work, and the value you believe their work will have in improving your operations. This is a lengthy process depending on your current status with the standard you wish to be certified to, so choosing the best consultant for your specific needs will make your time and investment well worth it in the end if you choose the right consultant for your organization.

About the Author

John Wick is an ISO Consultant working with Aurion ISO Consultants in Dubai. John likes to write on ISO Training, ISO Consulting, latest changes in ISO Standards, industry-wise benefits from getting ISO Certified. Reach out for expert consultation on any ISO related queries.

About Aurion

Aurion ISO Consultants, Dubai offers world-class ISO Services such as Training, Consulting, Certification, Implementation, and Audits in Dubai, UAE and Worldwide.

Aurion ISO Consultants is an Award-Winning Consultant firm in Dubai, UAE and one of the fastest-growing ISO Service provider in the UAE and GCC region. We have assisted 1800 clients across several countries globally.

We provide you with a Single-Window Solution with ISO Consulting, ISO Training, and ISO Implementation and ISO Audit Services. With our ISO Certification, you can transform your business into quality first one.

Contact Us: Aurion ISO Consultants | 0097142504150 | |#213&214,6E-A Dubai Airport Freezone, Dubai |

While you are planning to implement ISO Certification Standards for your organizations, to know more about the ISO Certification standards and all ISO related services from Aurion ISO Consultants, you call us right away!

0 326
Developing an ISO 9001 Implementation Plan - ISO Update

Once companies have made the decision to implement a Quality Management System (QMS) like ISO 9001:2015, they are usually faced with a multitude of new considerations and issues to sort through. If you are currently running a successful business, chances are you are complying with a large percentage of the standard, it’s only a matter of being able to prove this to an auditor and document your processes effectively. By developing an implementation plan, you will give yourself goals and action points that will help you and your team efficiently tackle the objective of achieving certification. Working on a thorough implementation plan will not only help break the process down but will also give you a rough idea of the resources and time needed to start implementing the standard.

A bit of preplanning is also required. You will need to determine what your timeline and end goals are and whether they can reasonably be attained. Aim for realistic and practical goals and estimates and consider using generic checklists and “Gap Assessments” that will help you move in the right direction.

Team Approach

A supremely effective method of implementation of ISO 9001 for most companies, regardless of size or nature, happens to be the “Team Approach.” The sizes of these teams can vary from organization to organization, usually 1-2 people per team for smaller organizations vs 5-7 people per team for larger companies. The technique essentially utilizes the concepts of allocation of responsibility to more efficiently utilize resources like time and energy.

Amongst these teams there will be one Steering Team, this is the team chosen to lead the project. The make-up should consist of managers of relevant departments to ensure that the members have the appropriate knowledge and power to allocate further responsibilities within their respected departments. The steering team will be expected to meet regularly and discuss updates and plans. The steering team leader will be the project manager for the implementation and their responsibility will include scheduling meetings and preparing agendas etc.

The steering team will also be tasked with reviewing processes and monitoring the work of task teams. These task teams are expected to document required procedures, modify pre-existing processes and develop new ones according to the framework provided in the ISO standard. There is usually a task team for each system procedure that needs to be created and documented so that the work is efficiently allocated. If you are using a Gap Assessment checklist, it would be wise to indicate the responsible parties for each task on or beside each clause of the standard that they are responsible for. The steering team is also expected to choose a Certification Body for external audit purposes.

You can create any suitable number of task teams; just be sure they are well acquainted with already existing QMS procedures within the company and those outlined in ISO 9001. If this is not the case, consider looking into training courses specifically designed to give participants awareness into the specific standard you are looking to become certified to. Many organizations offer the option to bring their trainer into your office to have a whole team seminar or company-wide seminar to help your organization familiarize themselves with the standard and its purpose within your organization. It is important for your task teams to understand the standard because filling in any possible gaps and updating any outdated processes is a large part of their work. Some company processes will need to be tweaked or drastically changed in order to meet standard requirements; in addition to this, the task team will also be responsible for documenting these changes or any newly added procedures for the purpose of auditing for compliance.

Ideally, a task team will discuss any possible additions and changes during the first few meetings alongside the QMS procedure, any decisions will need to be recorded and sent for approval to the Steering Team.

Planning your ISO 9001 Planning Meetings

Overall, there are a few prime factors to consider before you start your meetings. The most important being to decide on desired procedure implementation according to project goals and setting time constraints for the entire process. Recall that the key to any effective meeting is preparation, this must be handled at both an individual and group level if you aim to see productive results.

0 235
ISO 27001 - ISO Update

ISO 27001, is a framework for information security management systems (ISMS). An ISMS is meant to manage sensitive company information to ensure that it remains secure. These are meant to be inclusive of all policies pertaining to legal, technical and physical controls within a company’s information risk management processes.

Developed to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system,”  ISO 27001 does this using an extensive 6 part approach or planning process. As the specification addresses a range of sections such as documentation, the need for internal audits, corrective action as well as stresses upon the universal ideal of continual improvement it inspires the need for a cooperative effort within an organization.

What are the requirements of ISO 27001?

According to IT Governance, the two most important activities when implementing ISO 27001 are:

  • Scoping your ISMS (clause 4.3), in which you define what information needs to be protected; and
  • Conducting a risk assessment and defining a risk treatment methodology (clause 6.1.3), in which you identify the threats to your information.

Organisations are also required to complete the following mandatory clauses:

  • Information security policy and objectives (clauses 5.2 and 6.2)
  • Information risk treatment process (clause 6.1.3)
  • Risk treatment plan (clauses 6.1.3 e and 6.2)
  • Risk assessment report (clause 8.2)
  • Records of training, skills, experience and qualifications (clause 7.2)
  • Monitoring and measurement of results (clause 9.1)
  • Internal audit programme (clause 9.2)
  • Results of internal audits (clause 9.2)
  • Results of the management review (clause 9.3)
  • Results of corrective actions (clause 10.1)

In her article, Melanie Watson and IT Governance details the requirements for certification, check it out here.

What are the benefits of ISO 27001?

Implementing an effective information security management system as outlined in the standard, protects your organization and minimizes any potential risks of security breaches which could have large-scale implications by implementing a system of policies to ensure security regardless of the format. The benefits of this include increased customer and business confidence, improved information management processes, and increased business resilience.

The format of any ISO standard and the emphasis on continual improvement also works to ensure the security processes will be updated and constantly improved upon so as to dismiss the possibility of outdated security measures.

If you have made the decision to implement ISO 27001 into your organization and reap the rewards of a robust information security management system, you need to start considering certification. Certification is proof to your interested parties of your conformity to the standard and provides a third-party, impartial assessment of your organization that is meant to be a means of improvement to your inner system to ensure it is working at its peak capacity. Certification is also a great way to motivate your team to work towards a goal and set stringent deadlines for achievement and improvement and give your organization a purpose and end goal for the management of your information security.

Because certification requires the stringent implementation of the procedures outlined in the standard as well as the production of all the mandatory documents and records, the process can be made simpler by having a detailed guide to follow or a checklist to reference.

Find our favourite checklist here.

Recommended references for ISMS

  • ISO/IEC 27001:2013 Information security management systems – Requirements
  • ISO/IEC 27002:2013 Code of practice for information security management
  • ISO/IEC 27004: 2016 Information security management – Measurement
  • ISO/IEC 27005:2018 Information security risk management

Implementation of ISO 27001 allows you to reap numerous benefits and advantages, but to assess whether certification makes sense for your organization you need to investigate what your security goals are and if the integration of ISO 27001 allows you to cover them. Other factors to consider are the experience and qualifications of your team and whether they will be able to implement the standard appropriately. If you do not think your team is capable, you should consider hiring the help of a new internal team member for your quality team, or search for an external consultant. ISO Update has a directory of highly qualified consultants and auditors for you to hire within your region. LINK
A detailed evaluation of your goals and how closely they align with those of ISO 27001 will help your team or consultant help you properly implement the standard and effectively utilize it to ensure certification year after year and the safety of your system for your company’s future. If these are realistic, and you are certain you can incorporate the standard with reasonable efforts it is well worth the resources and work to seek certification to ISO 27001. Read more about ISO 27001 from IT Governance

Hire a Consultant or Auditor for Implementation of ISO 27001

Find a Certification Body

0 384
What is Quality in ISO 9001?

The Concept of Quality in ISO 9001

Quality can be defined as “fitness for use,” “customer satisfaction,” “doing things right the first time,” or “zero defects.” Webster’s dictionary defines quality as “a degree of excellence” and “superiority in kind”.

Within an organization, quality is controlled and measured using a quality system – a mechanism that coordinates and maintains the activities of the organization needed to ensure that the characteristics of products, processes or services are within certain bounds. A proper quality system considers all interested parties – everyone directly or indirectly affected by these activities and is typically documented in a quality manual. The quality manual dictates the associated processes and documents that specify procedures and standards to achieve and maintain quality of goods, services and outputs of the company.

Basic Elements in a Quality System

There are three basic elements in a quality system: Quality Management, Quality Control, and Quality Assurance.

  • Quality Management being the means of implementing and carrying out the quality policy.
  • Quality Control being all the techniques and activities of an organization that continuously monitor and improve the conformance of products, processes or services to specifications.
  • Quality Assurance being all the planned and systematic actions necessary to assure that a product or service will satisfy the specified requirements.

As stated in an ANSI/ASQ standard: “Quality control has to do with making quality what it should be, and quality assurance has to do with making sure quality is what it should be.”

Quality Audits

How can an organization determine if their Quality System is effective? This is done through a quality audit – an independent assessment comparing the various management and quality activities to a specific standard.

An independent assessment implies that the person performing the audit is not associated with the activity being audited. In the past, the specific standard to which a quality system was compared was up to the business owners themselves. Be it customer satisfaction, internal approval or whatever was deemed acceptable to leave the factory. It wasn’t until 1987 that an ISO technical committee developed and published the ISO 9000 family of standards – quality standards that set the benchmark for the minimum requirements for an adequate quality system. – Source

What are Quality Standards?

Quality Standards can be defined as “documents that provide requirements, specifications, guidelines, or characteristics that can be used consistently to ensure that materials, products, processes, and services are fit for their purpose”. – Source

Using standards, an organization can effectively share their goals, processes, procedures, and vocabulary needed to meet the expectations of their stakeholders. Standards provide organizations with an effective road map for the understanding, procedures, and vocabulary needed to meet the expectations of their stakeholders. Because standards provide descriptions and terminology, they allow for ease in international communication and help increase trust between international consumers, suppliers and trade.

One specific standard that is most well known and attributed to Quality is ISO 9001.

ISO 9001 is the internationally recognized QMS standard that was designed as a business improvement tool to help organizations of any size continually improve and streamline operations, reduce operating costs, satisfy more customers and win more business. 

Read more from ISO Update:

ISO 9001 helps organizations from the ground up, working to standardize their processes effectively to work towards the end goal of providing exceptional outputs to their customers. Your whole system should work in a way that it constantly measures and checks that you are working in such a way as to produce the highest quality output. This is not simply in measuring the weight or using the right material, but this also encompasses your hiring process, your training methods, and your day to day activities. ISO 9001 sets up the framework for how you can properly measure, monitor and improve your processes in such a way that sets you up for success in the short and long term. ISO 9001 is an internationally recognized and trusted standard, often required to do business internationally.

Want to learn more about ISO 9001? Are you considering certification? Ask an expert:

0 383
When Quality Fails - ISO Update

Standards function to provide the end-user with quality products and services, but they also protect the vitality and reputation of a business. Your system should be built in such a way that it is constantly putting measures and checkpoints in place that does not allow product to leave your hands until it is safe, and up to yours and your customers’ standards. So, how does a product of subpar quality leave your plant? Who is responsible? How did your management system allow this failure to happen? When your product fails, or worse, you must issue a recall and you want to assign blame. Who is to blame? Why did your system fail you?

Case Study – Toyota Unintended Acceleration Recall, 2009

If an auto manufacturer finds flaws in their cars and lists a product recall, the public’s perception of this company will suffer. No greater example of this exists than the 2009 recall of Toyota sedans.

Toyota issued a recall of 8.5 million of their sedans in 2009 due to unintended acceleration caused by floor mat issues, brake problems and “sticky” gas pedals. The recall was issued in response to accidental deaths and provides an example of the grave consequences that may arise from poor execution of a QMS. In this case study, findings suggest that Toyota ignored quality warnings when failures began to happen. This is not a problem that is exclusive to Toyota, but rather an industry, and worldwide, problem. Read the full case study here.

InfoTrend dives into the deteriorated public opinion of Toyota immediately following the recall from the period of 2009-2011 in the United States. They deeply investigated the effects the media had on the public’s opinion, and how the recall shaped their opinion of the brand, being pro-, con- or neutral about the brand.

In 2014, Simply Communicate discussed the strategy Toyota took to rebuild their company image, and their internal culture and morale after the damage took its toll on the company. The shift in the culture at Toyota was substantial, losing talent, working hard to keep talent, and striving to keep employees, even if it meant shifting their jobs, all without losing more profits.

The NHTSA has a handy recall check for those in North America to verify their VIN number against any product recall it may be involved in.

It’s not easy to bounce back from catastrophic product failure, and that is especially true for organizations without multi-millions of profits and bail-out opportunities. It is the goal of a properly implemented ISO 9001 QMS to prevent these failures from happening in the first place. How did my system allow this failure to happen?

How does Failure Occur, and who is to Blame for a Product Failure?

If, or when, a product failure occurs, your organization shouldn’t point fingers. The first question you need to ask is “how did my quality management system allow this failure to occur?”. A simple investigation tactic you may want to implement is “Root-Cause Analysis – 5 Whys”. This method prompts you to ask yourself and your organization “why” until you have a root-cause (this could take fewer or more than 5 “why’s”). The basic framework allows you to develop pathways for why a failure happened in the first place, and where you can identify areas for improvement.

Read more about the 5-Why’s Method and Root-Cause Analysis from ISixSigma

Failures should not be a cause for removal of your certification or attempted to be hidden from your auditor. Failures, especially those caught by your system, should be celebrated. Consider them an indication that your system is working if the problem is caught, and an area for improvement is identified. Feedback is essential for growth, and even negative feedback should be viewed in a positive light and mentality.

Why is Quality Important for My Business?

The aim of any business is to maintain quality to an acceptable standard and failure to do so can result in any number of serious consequences. Quality control is important to guarantee customer satisfaction and more importantly retention. Customers are only likely to be retained and return for another experience if previous services have lived up to their expectations of a certain quality. More importantly, quality also has an effect on company reputation which is paramount to attracting new customers and profits.

Perhaps to customers, the quality of goods or services is the most important aspect of your company, this role proves to be vitally important for the survival and growth of an organization. Maintaining consistent quality without incurring massive costs should then be a primary goal for any organization.

0 305
The Cost of Quality Equation - ISO Update

The Cost of Quality operates on the premise that companies need to invest in upfront quality and prevention rather than suffer the grave consequences of failed services or product recall. “CoQ” Cost of Quality Equation is a methodology used to determine and consequently measure the number of resources that an organization is using for prevention activities to maintain the consistent quality of a product. Mathematically speaking, the calculation can be showcased as a simple equation where the Cost of Good Quality and the Cost of Poor Quality equals the total Cost of Quality.

CoQ = CoGQ + CoPQ

Effective use of this methodology allows for companies to accurately measure the costs of each factor which aids in identifying problematic sectors. Companies can then allocate resources to improve product and process quality in said areas. According to estimation, the cost of quality amounts to around 15-40% of total business costs; therefore, the methodology provides key information to management in order to maximize the quality of the finished goods/services as well as minimize overall costs. Any analysis done on these factors ensures easy identification of problem areas where there is room for improvement. – Source

Cost of Good Quality (CoGQ)

The first part of the equation, “CoGQ”, includes all the various costs accumulated from prevention steps such as quality planning, developing a Quality Management System, employee training, etc. It also includes costs incurred to maintain an acceptable quality standard, or “Appraisal Costs” which include routine inspections, quality audits, process controls and supplier assessments.

Cost of Poor Quality

The second part of the equation, “CoPQ”, includes both internal failures as well as external failures. Internal Failure costs are associated with defects in a product or service that are identified before it reaches the customer such as machine breakdown due to maintenance failure, re-work on service/product, excessive scrap of waste due to poor process, etc. External Failures, however, are found after the product has already been supplied to the market or customer, these may include repair costs, shipping damage, product returns, warranty claims or customer complaints.

Using this methodology allows your organization to determine the extent of resources used that allow your products to maintain high quality and expectations and allows your organization to determine your potential savings gained from the implementation of your systems. Once established, your quality cost equation should be dynamic, constantly revised and updated to reflect the dynamic nature of your business and its needs. The overall outcome of this evaluation should be positive with its impact not just on your business expenses and quality system, but on your organization’s core mission, values and objectives.

1 474
ISO 26000 - ISO Update

What is ISO 26000?

ISO 26000 is an international standard that provides guidance and establishes the principles and guidelines of social responsibilities. Developed to aid organizations with both assessing and addressing social responsibilities such as customers and communities as well as environmental impacts of their processes. The standard offers thorough guidance and effective suggestions for organizations to operate in socially responsible ways, such as through implementation procedures to adopt the standard. You cannot become ISO 26000 certified, as this standard only offers guidance.
“ISO 26000:2010 provides guidance rather than requirements, so it cannot be certified to, unlike some other well-known ISO standards. Instead, it helps clarify what social responsibility is, helps businesses and organizations translate principles into effective actions and shares best practices relating to social responsibility, globally. It is aimed at all types of organizations regardless of their activity, size or location […] ISO 26000 was developed to respond to a growing world need for clear and harmonized best practice on how to ensure social equity, healthy ecosystems and good organizational governance, with the ultimate objective of contributing to sustainable development.” –

What are the guidelines?

The guidelines of the ISO 26000 standard revolve around 7 central points highlighted below:

  1. Organizational governance;
  2. Human rights;
  3. Labour practices;
  4. Environmental responsibility;
  5. The fairness of organizational practices;
  6. Consumer and consumer protection issues;
  7. Evolving and developing communities.

These 7 points are then further divided into several subsequent areas that may overlap. Depending on each issue, the standard provides appropriate guidelines and implementation strategies for organizations to self-assess their current status and set achievable goals for improvement.

What is social responsibility and why is it important?

Social responsibility dictates that companies have an inherent duty to act in the best interests of the environment and society. The primary goal of social responsibility is to contribute to sustainable development. Organizations, after all, play a critical role in relation to the society in which they operate, and they have a moral responsibility to operate in a manner that ensures they maintain healthy ecosystems and social equity.

ISO 26000 has emphasized that a critical factor in operating efficiently for a business is its ability to pursue economic performance whilst adhering to social and environmental laws. Organizations are becoming increasingly aware, due to social pressure, of the importance and need for socially responsible behaviour, in part because their activities depend on the health of the world’s ecosystems in the long term.

How does an organization benefit from being socially responsible?

Implementation of the policies and guidelines outlined in ISO 26000 provides companies with:

  • Better reputation;
  • Increased ability to attract and retain workers as well as customers and stakeholders;
  • Upkeep of employee morale, commitment and productivity;
  • Favourable public perception with investors, owners, donors and financial interests.
  • Improved external relationships with other companies, media and community.

ISO 26000 also offers guidance for companies to find a competitive advantage by adopting a sustainable position which distinguishes your company as the better option among your competitors. Social responsibility can easily be incorporated into brand building. You want to associate your company name with a positive image and a great way to do this is to implement socially responsible strategies into company policies that can be universally commended. You might even be opening the door for further marketing opportunities and co-brands as well.

ISO 26000 also offers an avenue for you to maintain employee morale. People want to feel like they’re making a significant difference in the world, something that gives them a purpose to work better and harder. Encouraging better and more socially responsible strategies allows employees to feel proud of the company they work for which in turn fosters a keen sense of loyalty and can aid in retaining good talent. Multiple studies have found employees to be considerably more satisfied with their job when belonging to companies that market themselves as socially responsible. – Source

For example, Bell Canada has released a 2019 Corporate Responsibility Report, covering the company’s performance in 2018 and how through strong corporate responsibility practices, they were able to recruit and retain talented team members, reduce risk, build customer loyalty and long-term shareholder value.

Find more reports from organizations like Pearson, Caterpillar and Canary Wharf Group on how they and others use Corporate Social Responsibly and standards like ISO 26000 to grow their business. has provided basic training materials for the standard to help your organization in the implementation of ISO 26000 including a PowerPoint presentation and Training Protocol Guidance PDF document. They, along with other supports, can be found here.

0 383
Setting Up an Effective QMS - ISO Update

The certification process for ISO 9001 requires an extensive external audit to ensure the requirements of the standard are being met and the company is conforming to the standard and their own Quality Management System (QMS). For an organization to succeed in these stages of audits, it is crucial to ensure they are implementing the system according to the standard and their businesses needs, not simply using blanket statements to satisfy the auditor. Your organization should strive to set up an effective management system that will help your business thrive.

What is the Purpose of an Effective QMS?

The overarching purpose of a quality management system is to ensure your business is operating effectively, and in a way that not only sustains itself using smart practices but produces goods and services of the highest quality.

For an example of how a QMS can help your business use better practices to achieve quality results, let’s explore ISO Standards and Training. Your business needs to be dynamic in nature, as processes and procedures are constantly changing alongside a changing market. Your team needs to be adaptive and so do your processes.

ISO 9001:2015 has an increased emphasis on Management Reviews, which should be a cause for celebration, not concern. This is where your staff members can demonstrate to their management better modes of operation that allow them to make superior products and present these to upper management. It is during these reviews that upper management should be reviewing the evidence and crunching numbers to determine if old practices or “the way it’s always been done” is truly the best course of action in this expanding global market. If it’s not, management needs to review their process and determine the best course of action for improvement.

This improvement can be provided through external learning as well as company training programs. These training activities could be development sessions or team-related activities and are great opportunities to communicate your organization’s commitment to employee growth and ideas and demonstrate what your company needs from each employee.

What to Consider When Setting Up Your QMS

No two quality manuals should ever be the same. This is because no two businesses are the same. Even within a multi-site operation, your two locations operate with different sets of shared experiences, successes and hardships that need to be considered when you set up your processes.

For example, if you run a multi-site operation with one location providing mostly warehouse operations, and the other providing office and administrative duties, you should not have the same manual dictating hiring needs. The training requirements for your warehouse could be far more extensive and may even be legally mandated compared to those who work in the administration buildings. You might also need different onboarding training to follow, as warehouse workers might need to be trained for ergonomics differently than those who spend 8 hours at a desk.

You don’t treat the hiring processes the same, so don’t assume your whole process manual can be the same.

It is here in the process that you may want the help of a consultant. Consultants should be seen as an important resource for your organization, even an extension of your own team, who take the time to learn about your unique situations and develop a plan alongside you that not only follows the standard you are looking to certify to, but also pushes your organization towards continued and sustainable growth. If you have an internal quality department, consultants can also act as an impartial team member to help your organization prepare for your certification audit.

Another thing to consider when setting up your QMS is not to be afraid of NCR’s and OFI’s. Non-conformities and opportunities for improvement should be celebrated in the early stages of your certification journey. You want to find holes and problems from your consultant and internal auditors, and you do not want to hide things from your auditor. It is here that you can discover problems and implement solutions prior to your third-party certification audit. Use these audits to switch your mindset of the audit process.

So, how can you ensure your QMS is effective? Easy, don’t assume copying-and-pasting another organisation’s manual will help. If you state in your manual that you perform a process a certain way, and if in practice you don’t follow that process, well that’s an NCR. Write your manual specifically for your organization, either through your own internal quality department, or with the help of a consultant, or both. Use audits as a way to grow, not as a way to stress. And lastly, use management reviews to grow your business, not waste your time. Time is money they say, so be mindful how you are using management review meetings.

Some food for thought: Effective management systems will do nothing but help your organization, but an ineffective management system is the reason organizations don’t like ISO 9001. Consider this when you are pitching the idea of implementing an ISO Standard to your organization.

A key to understanding ISO Standards is to understand the 7 Quality Management Principles that Standards are based on. We have summarized the key points for you here.