Scenario: Cobt, an insurance company in London, offers various commercial, industrial, and life insurance solutions. In recent years, the number of Cobt's clients has increased enormously. Having a huge amount of data to process, the company decided that certifying against ISO/IEC 27001 would bring many benefits to securing information and show its commitment to continual improvement. While the company was well-versed in conducting regular risk assessments, implementing an ISMS brought major changes to its daily operations. During the risk assessment process, a risk was identified where significant defects occurred without being detected or prevented by the organization's internal control mechanisms.
The company followed a methodology to implement the ISMS and had an operational ISMS in place after only a few months. After successfully implementing the ISMS, Cobt applied for ISO/IEC 27001 certification. Sarah, an experienced auditor, was assigned to the audit. Upon thoroughly analyzing the audit offer, Sarah accepted her responsibilities as an audit team leader and immediately started to obtain general information about Cobt. She established the audit criteria and objective, planned the audit, and assigned the audit team members' responsibilities.
Sarah acknowledged that although Cobt has expanded significantly by offering diverse commercial and insurance solutions, it still relies on some manual processes. Therefore, her initial focus was to gather information on how the company manages its information security risks. Sarah contacted Gobt's representatives to request access to information related to risk management for the off-site review, as initially agreed upon for part of the audit. However, Cobt later refused, claiming that such information is too sensitive to be accessed outside of the company. This refusal raised concerns about the audit's feasibility, particularly regarding the availability and cooperation of the auditee and access to evidence. Moreover, Cobt raised concerns about the audit schedule, stating that it does not property reflect the recent changes the company made. It pointed out that the actions to be performed during the audit apply only to the initial scope and do not encompass the latest changes made in the audit scope.
Sarah also evaluated the materiality of the situation, considering the significance of the information denied for the audit objectives. In this case, the refusal by Cobt raised questions about the completeness of the audit and its ability to provide reasonable assurance. Following these situations, Sarah decided to withdraw from the audit before a certification agreement was signed and communicated her decision to Cobt and the certification body. This decision was made to ensure adherence to audit principles and maintain transparency, highlighting her commitment to consistently upholding these principles.
Based on scenario, Sarah decided to withdraw from the audit before a certification agreement was signed. Is this acceptable?
- Yes, Sarah can withdraw from the audit, but only if the certification body approves her withdrawal
- Yes, there is no relation between Sarah's withdrawal from the audit and the certification agreement
- No, the certification agreement is directly tied to the auditor's presence
Answer(s): A
Explanation:
As the audit team leader, Sarah has the responsibility to ensure that the audit is conducted properly and in accordance with audit principles. If she believes that the audit cannot provide reasonable assurance due to Cobt's refusal to provide critical information or other issues, she is within her rights to withdraw. However, this decision must be made in consultation with and approved by the certification body, as they are responsible for the overall certification process. This ensures transparency and adherence to the standards of the audit.