Computer Assisted Auditing Techniques ("CAAT") for Accredited Certification of Management System

Certification Bodies operating in Management Systems have the ability to utilize the Computer Assisted Auditing Techniques (CAAT) program when auditing and certifying their clients. This program includes audits that utilize teleconferences, web meetings, interactive web-based communications, and remote electronic access to the management system documentation and/or management system process. IAF MD4:2008 specifies the minimum requirements, in addition to those stated in ISO/IEC 17021-1, that certification bodies need to implement when conducting CAAT services, and how to maintain compliance with their accreditation. Certification bodies must agree on mutually acceptable information security measures with their clients before using CAAT. If it represents more than 30% of the planned on-site activity time, the certification body shall justify the plan and request approval from SCC. Once a CB is able to demonstrate a robust process for managing and utilizing the CAAT system, SCC as the Accreditation Body can grant a "blanket approval" for the remote assessment activities to go over the 30% of allocated time planned for on-site activities, however it shall not replace a full on-site activity. SCC will verify compliance through on-going assessments and verification to ensure CBs comply with all criteria set out in IAF MD4:2008.