Skills Framework for the Information Age
Version 3.0

© 2005 The SFIA Foundation
www.sfia.org.uk
info@sfia.org.uk

Compliance audit (COMP)

The independent, third-party assessment of the conformity of any activity, process, deliverable, product or service with the criteria of specified standards, such as BS EN ISO 9000/14000, local standards, best practice or other documented requirements. May relate to, for example, asset management, network security tools, firewalls and Internet security, real-time systems and application design.

Level 3 Collects and collates evidence as part of a formally conducted and planned audit of activities, processes, products or services. Examines records as part of specified testing strategies for evidence of compliance with management directives, or the identification of abnormal occurrences.

Level 4 Plans programmes to audit activities, processes, products or services. Collects, collates and examines records as part of specified testing strategies for evidence of compliance with management directives or the identification of abnormal occurrences. Analyses evidence collated and drafts part, or all, of formal reports commenting on the conformance found to exist in the audited part of an information systems environment.

Level 5 Evaluates and independently appraises the internal control of automated business processes, based on investigation evidence and assessments undertaken by self or team. Ensures that independent appraisals follow agreed procedure and advises others on the audit process. Provides advice to management on ways of improving the effectiveness and efficiency of their control mechanisms. Compliance activity can include safety assessments of the design, testing and validation and verification methods used in given safety-related systems. Involves the identification and evaluation of associated risks and how they can be reduced.

Level 6 Specifies organisational procedures for the internal or third-party assessment of an activity, process, product or service, against recognised criteria such as BS EN ISO 9000/14000. Manages audits of automated processes. Agrees the terms of reference, prepares detailed plans, arranges interviews and obtains copies of documents. Identifies areas of risk and specifies interrogation programmes. Conducts interviews and reviews documents, processes and performance. Where required, provides day-to-day team direction, taking responsibility for team performance. Recommends changes in processes and control procedures based on audit findings. This can include the assessment of safety-related software systems to determine compliance with standards and required levels of safety integrity. Involves the establishment, maintenance and management of the safety assessment framework and practices that support wider business objectives. Provides general and specific advice and authorises the issue of formal reports to management on the effectiveness and efficiency of control mechanisms.

Level 7 Ensures that there is planned audit coverage across the organisation and liaises with executives to ensure that this coverage is relevant and understood. Agrees the terms of reference for audits with clients. Plans audits, assembling other auditors and specialists as required. Briefs audit teams. Reviews documents, processes and performance, conducts interviews with client staff and others directly and indirectly involved in audits. Draws conclusions, prepares recommendations and presents audit findings. Leads and manages audit teams. Reports to the most senior level on the findings, relevance and recommendations for improvement arising as a result of the totality of audit coverage.