The audit report is perhaps one of the most closely scrutinized documents in an organization. After a longer or shorter period of work on a management system, the organization sees its effort evaluated by an external third party (or by an internal team, if the audit is internal) in a document that it will naturally want to reflect its good work.
That is why qualifications (the non-compliance findings) are such an important section of the audit report.
When written constructively, qualifications mark the starting point for the organization's necessary improvements, which may be more or less binding depending on the regulation involved.
However, how qualifications should be reflected in the audit report is not a trivial matter, because a qualification must be a faithful reflection of an objective non-compliance.
Compliance Deviations
A qualification should not be the auditor's opinion, but the auditor's written record of the company's deviation from a precept, whether legal (for example, a regulation such as the GDPR, the General Data Protection Regulation) or normative (for example, an international standard such as an ISO standard).
In other words, if the reality applied in the company deviates from the precept being audited, the auditor's report should reflect it as such. There must be a direct correspondence between the legal or regulatory requirement and the way the entity is "not doing" things.
If the implemented procedure does what the regulation in question requires, the company is in compliance. If it does not, there is a non-compliance, and therefore a qualification is written in the report.
Example of an Audit Report in a Company
AUDITED COMPANY adapted all its data protection procedures to the GDPR two years ago, establishing as a security measure that it would conduct a biennial audit of all its processing activities, whether or not they involved sensitive data.
On the day of the audit, the audit team arrives at AUDITED COMPANY and registers as visitors at the reception desk, which takes all their details and makes a digital copy of each team member's ID card in order to issue their access passes to the offices. They observe that no one informs them about the collection of this data, and they note it down so as to ask about it during the audit.
When the interviews take place, the audit team asks about compliance with the duty to inform data subjects, as required by current data protection regulations, in relation to visitor registration, and requests evidence that this information is provided. AUDITED COMPANY confirms that it does not inform visitors in any way about the collection and processing of their personal data.
In the audit report, the audit team records this deviation from regulatory compliance as an objective qualification, without opinion, simply stating expressly that the data controller fails to provide data subjects with the information it must give them when handling personal data in its business processes.
The qualification must be fully detailed and must not give rise to misunderstandings or misinterpretations. It is even advisable to cite expressly the article of the law, regulation, or standard against which the audit is conducted and which the auditee has failed to comply with (in the visitor-registration case above, Article 13 of the GDPR, which sets out the information to be provided when personal data are collected from the data subject).
This reduces the scope for debate between the parties (audit team and audited entity) that could lead to a misunderstanding of the non-compliance on the auditee's part if the qualification did not provide complete information or were subjective.
Review of the Provisional Report
During the review of the provisional report, the auditee may claim that the auditor did not correctly understand the information provided, or did not take into account evidence that was in fact provided. If it is finally shown that the auditor's notes were mistaken, for example, and compliance with the audited precept can be evidenced, so that no deviation exists, then the qualification should indeed be corrected or removed.
Another specific situation is that the audited entity contests a qualification because, between the audit interview and the delivery of the provisional report, the deviation has been corrected, and it wants that qualification removed from the final report.
In these cases, since the report reflects the situation found at the time of the audit, the qualification can be kept as it originally appeared, although it is up to the audit team to note in the report, in some way, that the auditee corrected the deviation immediately.
Hence the need for correct drafting of the qualifications in the audit report must be appreciated, so that the auditee has no room for misunderstandings or open debates about the evidence found.
Solutions
At GlobalSuite Solutions we offer the GlobalSuite® software, which guarantees time and cost savings in carrying out audit work in a collaborative environment with complete monitoring. We also have more than 15 years of experience in Personal Data Protection and Information Security. Our specialized consulting teams offer the advice and support needed to help companies carry out their periodic audits with the reliability and assurance of a fully competent external team, for any of the standards that require an audit, from the GDPR to UNE 19601, ISO 27001, ISO 22301, etc.