ISO/IEC TS 17012:2024 is a technical specification developed by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC). It offers guidance on employing risk-based approaches for evaluating and managing audit processes within organisations, particularly emphasising conformity assessment and the auditing of management systems.
The TS 17012:2024 document is expected to serve as a framework for organisations seeking to incorporate risk-based thinking into audit practices for internal audits, third-party audits, or certification processes. This is particularly important as the world of conformity assessment becomes more dynamic and organisations need to manage multiple types of risks (e.g., strategic, operational, financial, compliance, and environmental risks). It is designed to ensure that audits are conducted in a more efficient, effective, and risk-focused manner, particularly in conformity assessment and management system audit processes.
It provides guidance on the use of remote audit methods in the audit of standard management systems. It is applicable to all organisations that plan and conduct any type of internal or external audit (i.e., first-party, second-party, and third-party audits) of management systems. It supports the general audit principles provided in ISO 19011:2018 and provides further guidance on the specific conditions, opportunities and limitations of applying remote audit methods.
The use of remote audit methods for the audit of management systems is not intended to replace on-site audit methods. Instead, remote audit methods are designed to be used as a tool to ensure that audits are conducted effectively and efficiently.
Purposes of ISO/IEC TS 17012:2024
- Promotion of Risk-Based Audit Approaches
- Improvement of Audit Processes
- Efficient Use of Resources
- Support for Improvement and Development
- Support for Conformity Assessment and Certification Processes
- Improvement of Audit Quality
- Aligning Audit Processes with Strategic Objectives
Contents of the Standard
- Clause 5 Management of the audit programme (same as ISO 19011)
- Clause 6 Conducting audits using remote methods (same as ISO 19011)
- Clause 7 Competence and evaluation of auditors (same as ISO 19011)
- Annex A: Remote auditing methods (specific to ISO/IEC TS 17012)
- Annex B: Useful practices (specific to ISO/IEC TS 17012)
The content of the standard can be summarised under the following headings:
Clause 4: Audit principles
The same principles as in ISO 19011 apply.
Clause 5: Managing an audit programme
- Specifies the issues that an organisation should consider when preparing its audit programme, such as risks and opportunities, information security and confidentiality issues, necessary information, etc.
- Specifies the conditions necessary for an organisation to use appropriate and accepted methods to achieve objectives, such as determining the scope of remote methods…
- The organisation must perform a risk and opportunity assessment to determine whether the methods are applicable. The document contains two tables with examples of risks and opportunities related to the audit programme and their potential effects.
- Provides further guidance on the development, implementation, monitoring, and review of audit programmes.
Clause 6: Conducting audits using remote methods
- The types of methods used depend on the audit type, objectives, and scope.
- Lists the steps necessary to initiate audits between the audit team and the auditee, such as obtaining information about the methods, requesting remote access, and confirming data security.
- Explains the risks and opportunities that should be considered to determine whether changes in effort and/or resources are necessary, or whether changes in audit methods are required.
- Gives special consideration to risks and opportunities that may arise during the conduct of audits (see Annex A).
- Support personnel may assist in facilitating the establishment and operation of remote methods, executing remote access protocols, performing controls, etc.
- Additional communication needs, such as a dedicated communication channel or a backup method, should be considered.
- Includes additional considerations related to the verification of information.
Clause 7 Competence and evaluation of auditors
- In determining competence, consider whether on-site, remote or combined methods are used, and the uncertainty in achieving the audit objectives.
- Gives examples of personal behaviours, technical skills, and sensitivity to digital data privacy.
- Covers knowledge and skills related to confidentiality, information security, and remote auditing technologies.
- Auditors should understand the benefits and limitations of remote methods and be able to evaluate their suitability and risk.
- In conducting auditor evaluation, consider the accessibility and effectiveness of the technology used to observe the auditor, and the competence of the evaluator in the evaluation methods selected and the technologies used.
- In maintaining and improving auditor competence, consider knowledge and skills such as the ability to adapt to new remote auditing methods and evolving technologies.
Annex A – Remote audit methods
Types of audits where remote methods are used:
- Fully remote
- Hybrid/mixed
- Some technologies (folder sharing, FTP servers, etc.) and some good practices (communication protocols, ensuring access to IT support, backing up mobile phone use, etc.).
- Examples of the application of methods for auditing: documented information, the organisation’s Digital Twin, and the use of proxy auditors.
- Document reviews, staff interviews and witnessing of activities.
Annex B – Useful applications
- General best practices.
- The investigation process, selection of the audit team, and management of the audit programme for ICT methods.
- Conducting the audit for reviewing, collecting, and verifying information, covering topics such as the opening meeting, etc.
Who uses ISO/IEC TS 17012:2024?
It provides guidelines for the use of remote methods in the audit of management systems. It applies to all organisations that are required to plan and conduct any type of internal or external audit of management systems (i.e., first, second, and third-party audits).
- Auditors: Internal and external auditors responsible for conducting audits of management systems, processes or compliance with regulations.
- Certification Bodies: Organisations providing third-party certification services are likely to adopt this approach to assess organisations’ compliance with management system standards.
- Risk Managers: Since risk management is integrated into the audit process, risk management experts may find this technical specification useful to support audits within their organisations.
- Compliance Officers: ISO/IEC TS 17012:2024 will also be useful for compliance officers who are responsible not only for verifying compliance but also for assessing and reducing risks.
- Conformity Assessment Bodies: Organisations that assess conformity with specific standards or regulations may use this document to improve their audit procedures and risk assessment.
To summarise our article, ISO/IEC TS 17012:2024 has been developed to enable organisations to optimise their audit processes, making them more efficient, goal-oriented, and continuously improving through the adoption of risk-based audit approaches. This helps audits become a process that not only verifies current compliance but also allows organisations to better manage risks, improve business processes, and achieve their strategic objectives.