Finanvo is a financial institution that provides financial and monetary transactions, such as loans, investments, and deposits. Recently, they experienced a large increase in clients in a short amount of time, which caused frequent network service interruptions. Thus, Finanvo’s top management started to explore new solutions that could help them reduce the number of service interruptions and maintain the quality of their services.
Finanvo decided to implement an information security management system based on ISO/IEC 27001. They applied for certification after one year of having an active ISMS. They selected AuditOrg, a well-known certification body, to conduct the audit. The audit team comprised five auditors, of which two had worked for one of Finanvo’s biggest competitors. This meant they had adequate experience in auditing financial institutions.
Following best audit practices, AuditOrg initiated the audit by gathering information regarding the scope of the management system and Finanvo’s understanding of the standard requirements. As part of their audit activities, the auditors carried out a general review of the organization’s documented information, including records on training sessions. Some employees’ training records were missing, so the audit team interviewed them to verify their participation. The auditors used the information collected from the interviews as a sample to measure the employees’ understanding of information security. After obtaining the needed information, the auditors calculated the number of training hours and analyzed the collected evidence. The findings helped the auditors support their conclusions and report all audit activities truthfully and accurately.
The auditors concluded that they did not detect any major nonconformity in Finanvo’s information security management system.
Answer the following questions by referring to the above-mentioned scenario:
What type of audit is AuditOrg conducting?