What should auditors do if they encounter evidence of non-compliance during the audit?

Auditors have a critical responsibility to ensure that their findings are accurately captured and communicated. When evidence of non-compliance is encountered, documenting and reporting it is essential for several reasons. Firstly, thorough documentation provides a clear record of the findings, which is crucial for any follow-up actions and for demonstrating due diligence in the audit process.

Additionally, reporting non-compliance is aligned with the principles of transparency and accountability within the organization's management system. It ensures that all levels of the organization are aware of issues that may affect compliance with established standards, which is particularly important in the context of ISO/IEC 27001 where information security is a priority.

Furthermore, addressing all findings, regardless of perceived severity, helps organizations foster a culture of continuous improvement. It encourages proactive measures to be taken to rectify issues and prevents minor non-compliance from escalating into more significant problems in the future. Thus, documenting and reporting non-compliance is not only a best practice in auditing but also a requirement for adhering to the integrity and effectiveness of the audit process.