The purpose of verification is however quite different from that of a management system audit. The verification team attempts to determine if the claim or assertion is accurate, complete, consistent, relevant and transparent, rather than if a set of practices is fully implemented and established. It becomes immediately clear then, that the verification process is very much focused on data. Verification findings relate to whether or not there are material discrepancies between what is claimed, and what the verifiers discover.
Definition: Materiality Discrepancy - professional judgment that the discrepancy in the assertion will change or influence the intended user’s decisions.
So how does a verification team actually go about verifying an assertion?
Two of the key steps are:
(1) Developing a risk based sample plan, and
(2) Verifying the data.
This article will discuss the sample plan, and a future issue of QMI Brief will address the process of verifying the data.
An organization’s assertion can be an Annual Environmental Report, an Annual Sustainable Development Report or a GHG Reduction or Removal Claim. In other words, the scope of a verification is not a single piece of data. Depending on the size of the organization, there can easily be hundreds or thousands of data values contributing to the assertion. They cannot all be verified in a reasonable or economic time frame. For this reason, a risk based sample plan that focuses the efforts of the verification team on the data that is more likely to be inaccurate becomes critical.
The verification team begins by conducting a detailed review of the organization’s records, reports and procedures in order to fully understand the data and the systems that produced the data. The verification team’s knowledge and experience is applied to identify the risks that could lead to errors or omissions in the assertion. Data and data management activities that correspond to these risk areas are further defined, and a plan put in place as to what will be looked at.
Types of Risk
Inherent Risk (IR): Probability of an error or omission due to the complexity of the process used to calculate or arrive at the assertion.
Control Risk (CR): Probability that the organization’s own management controls will fail to prevent, detect or correct an error or omission.
Detection Risk (DR): Probability that the auditor will fail to identify evidence of material discrepancy in the data
Audit Risk (AR): Likelihood that the auditor will arrive at the wrong opinion regarding the auditee’s assertion
For example, the verification team may form the opinion that there is a high inherent risk in the data from a Continuous Emissions Monitoring system for stack opacity, a low inherent risk in the pH results from the plant wastewater stream, a low control risk associated with the energy usage data from the utility meters, and a high control risk for the annual solid waste generation data derived from extrapolating the results of a waste audit.
The aim in developing the sampling plan is to balance the detection risk against the inherent and control risks in order to achieve an acceptable level of audit risk. If the inherent and control risks are high that there will be errors in the data, then the auditor needs to decrease the detection risk, i.e. increase the audit sample to increase the chances of identifying errors in the data.
It would be appropriate then, for the verification team to devote more time to the opacity and solid waste generation data in the earlier example. In doing so, the team could indicate that time would be spent on verifying: -