Auditors Denied Access

There are rare instances when an auditor is denied access when attempting to conduct an audit of a management system. The organization may not want the auditor to view proprietary or classified information or physical areas. The stated reason may be competitive sensitivity, contractual requirements, or national security.

The ANSI-ASQ National Accreditation Board (ANAB) issued a rule last year that registrars (certification bodies) must require the audited organization to provide specific information at contract development time if any information or areas will not be accessible due to security, confidentiality, or other restrictions.

If restrictions are identified, the certification body must ensure the scope of certification does not include the restricted processes, specifications, or areas to such a degree that the effectiveness of the management system cannot be verified.

If it isn’t possible to determine the conformity of the restricted areas without first undertaking an audit, then the audit must ensure the processes can be proven to be similar to the processes assessed in the unrestricted areas, and that the same audited procedures and controls are applied and used within the restricted areas.

The audit report must clearly document all exclusions for these restricted programs, customers, and activities.

One method to deal with restricted documents and areas is to sanitize them so the auditor can have access to validate conformity and obtain sufficient evidence, so that the integrity of the report and the certification decision are not compromised.

Another approach is for the certification body and client to agree to identify and use a “trusted contact” to work with the auditor to obtain the necessary evidence to validate conformity. The “trusted contact” will be a person from the client organization with higher security clearances to enable a thorough review of the classified documents. Of course, the “trusted contact” must demonstrate independence and impartiality to the greatest extent possible.

ANAB states that some industry sector rules, e.g., AS9104-1, may document their own requirements for access and control of access to restricted areas. In these cases, the sector requirements take precedence over the ANAB rule. For more information, you can see Accreditation Rule 36 at the ANAB web site.