In the context of a third-party certification audit, confidentiality is an issue in an audit programme.

In the context of a third-party certification audit, confidentiality is an issue in an audit programme.

Select two options which correctly state the function of confidentiality in an audit
A . Auditors are forced by regulatory requirements to maintain confidentiality in an audit
B . Observers in an audit team cannot access any confidential information
C . Confidentiality is one of the principles of audit conduct
D . Auditors should obtain the auditee’s permission before using a camera or recording equipment
E . Audit information can be used for improving personal competence by the auditor
F . As an auditor is always accompanied by a guide, there is no risk to the auditee’s sensitive information

View Answer

Answer: C, D

Explanation:

Confidentiality is one of the principles of audit conduct that auditors should adhere to when performing audits. Confidentiality means that auditors should exercise discretion in the use and protection of information acquired in the course of their duties3. Auditors should respect the intellectual property rights of the auditee and other parties involved in the audit, and should not disclose any information that is sensitive, proprietary, or confidential without prior approval from the auditee or other authorized parties3. Auditors should also obtain the auditee’s permission before using a camera or recording equipment during an audit, as these devices may capture confidential information or infringe on the privacy of individuals3. Therefore, these two options correctly state the function of confidentiality in an audit. The other options are either incorrect or irrelevant to confidentiality. For example, auditors are not forced by regulatory requirements to maintain confidentiality in an audit, but rather by ethical obligations and contractual agreements3. Observers in an audit team can access confidential information if they have signed a confidentiality agreement and have been authorized by the auditee3. Audit information can be used for improving personal competence by the auditor only if it does not compromise confidentiality or conflict with other interests3. As an auditor is always accompanied by a guide, there is still a risk to the auditee’s sensitive information if the guide is not trustworthy or authorized to access such information3.

Reference: ISO 19011:2018 – Guidelines for auditing management systems