After a military career which involved operational, training, and computing appointments, Ian McNaughton spent time working in governmental roles, finally settling in with a specialty in occupational health and safety (OHS).
After leaving the public sector, he started his own business focusing on OHS training and management systems auditing. He has broadened his expertise to include environmental, information security, and business continuity. Over the past decade he has been mostly engaged in management system auditing against a range of international standards. More lately, McNaughton has focused on management systems consulting.
He has audited and assisted in a broad range of industry sectors, acquiring wide-ranging experience. As an auditor, he brings a perspective of relative risk and explains the requirements of the various standards to auditees and clients. He also focuses on maintaining overall management processes and interactions.
In this profile, we chat with McNaughton about the ethical basis for auditing, risk mitigation in health and safety as well as information security, and how the systems approach helped organizations make it through Covid successfully.
EXEMPLAR GLOBAL: How did you get started in the auditing side of your career?
IAN MCNAUGHTON: I’m certainly an ‘old and bold’ who’s just extending his working life because I think I can be valuable. I don’t know what else I’d do other than go fishing! My background was in the military; I was in the artillery but never went to war. Then I worked in the government for quite a few years before starting my own business. I was doing a lot of training and a fair bit of auditing. I audited for one of the major certification bodies, and then I got the opportunity to represent a company called ISOQAR. We do their auditing here in Australia. They come under UKAS rather than JAS-ANZ, and sometimes people try and make an issue of that, but I don’t think it is. So that’s a bit of our background. We’re very small—there’s me and our lead auditor. I’m moving more toward consulting and leaving the auditing to him. Even though we’re not very big, we do audit some quite big companies.
I got involved with Exemplar Global more than 15 years ago. The relationship has been an entrée to getting work with the Australian certification bodies, and I’ve kept it going. It’s as much protective as anything else, because there’s not a lot of accreditation systems, and if ever we came under the microscope (which we haven’t) we can say, ‘Hey, look, we are accredited to do what we’re doing.’ You never know when that’s going to happen. I think it’s valuable to be associated with Exemplar Global, who are appreciated and respected in the industry.
EG: Would I be correct in saying that information security is a key focus area for your company?
IM: Well, our lead auditor has a strong background in information security. He’s accredited as a lead auditor from ISOQAR under UKAS, and he’s audited some big companies for information security. We also do quality, safety, environment, and business continuity, which to some extent goes hand-in-hand with information security. Personally, my focus over the years has been on health and safety—that’s where I have my master’s degree, and I feel it’s important to put systems in place so that people don’t get hurt.
More and more of late, we have come to the realization that information security is probably as big a risk as health and safety. We certainly find when we’re auditing that a lot of the health and safety systems are quite mature and tidy. Meanwhile, the information security arena represents a huge risk for companies. And so, I think I’ll be doing more and more consulting in that area, and our lead auditor will be auditing across that area, too. I see ISO/IEC 27001 as an overarching structure, and I think there are a whole lot of other things that companies do for their information security that can plug into that structure. ISO/IEC 27001, particularly in Australia, is really in its infancy. Every day there are more and more stories about hacks and other information security failures, but I don’t see a lot about protective, logical structures that would systematically address those issues.
EG: Further to that, what are the protocols that auditors need to be aware of involving auditing within ISO/IEC 27001 as opposed to auditing against ISO 9001 or ISO 14001 or other more general standards?
IM: When I first read ISO/IEC 27001, I found the first parts of the standard to be a little unclear. It’s not until you get to the appendices that you find more specifics. For that reason, I think there’s been a tendency to go straight down to those appendices where the particular things that need to be done are listed voluminously. I see the need for those overarching management processes to link in with them. ISO/IEC 27001 may become more systematic when it’s next up for revision.
EG: The last major revision was in 2013.
IM: Think about what’s happened around the world in that period of time! I actually did a course last year on web security with one of the Melbourne universities. There are many different web security tools that at least partially compete with each other, and I think there’s a need to bring them under the broad spectrum of ISO/IEC 27001. Unless you’ve got a proper structure over your systems, then they can become divided and dispersed. I can remember when I first looked at management theory, which seemed to revolve around getting other people to do the work for you. That’s fine, but the key processes of monitoring and checking are the real focus of a management system. You’ve got all this work going out there, you’ve set your standards and your requirements, and then you’re monitoring to check and make sure it’s being done the way you want it to be done, and that way you get your efficiencies in your business.
EG: Everything we’re talking about here applies to risk management and risk mitigation, but those are rather esoteric things to translate to the auditing process. Given that, how do you audit with risk in mind?
IM: The pivotal thing there is your risk register. We’ve been doing this in health and safety for decades, and the risk register has become more and more important as time goes on. And similarly, with information security, if you go back a decade you’ll see that the risk register was done to satisfy the auditor. Not anymore. It is now a large part of the underpinnings of your system that you can then track down to show how you’re controlling or mitigating those risks.
For companies that have been with us for five or 10 years, we’re recommending they go and review their risk register against the monitoring and checking regime to make sure they’re monitoring and checking those most important things. Historically, stuff that’s been done for the auditor isn’t just done for the auditor anymore—it’s done to make sure the business is solid.
EG: How did Covid affect the way you’ve run your business?
IM: As for everyone, pretty much, Covid was a real eye-opener for us. We were a ‘go-to-site-audit’ kind of organization, and then overnight that became a problem. So, we bought subscriptions to WebEx last year, and we’ve been using Dropbox.
The nature of auditing changed, and even though there’s some desire to get back to on-site audits, I don’t know that auditing will ever be the same. We talk about remote audits, and now we talk about hybrid audits. Audits now are partially remote, and that offers a lot of benefits. Using tools like Dropbox brings great efficiencies in that you can review documents in an efficient manner, then you go on a site to check. That cuts back on travel and reduces stress for the auditor as well as the auditee. Traditionally, the auditee has been ‘on the mat.’ If you think about it, stress is a health and safety hazard, so we really need to manage that.
EG: That’s an excellent point—sometimes the audit itself contributes to a bad situation because it does create that stress, and people don’t perform well under stress. Because of that, you’re not going to get a good result from the auditing process, because people are so worried and nervous that they’ll make mistakes. It’s not productive.
IM: That’s right. One of the things I’ve learned is how the simplest things can be the most important. We have to ask why… why is the auditee going through this process? A lot of times in the past, companies did it to get a piece of paper. But no more. Now, they are doing it to improve the systems and the organization as a whole.
EG: That naturally leads to a discussion of the ethical basis for auditing.
IM: I think it certainly has an ethical basis. We’ve been lucky, because we’re a reasonably small company and we can allocate additional time to audits and making sure we get it right. That’s because we know that if we lose a client, as a small company, we feel the loss. But it’s not about fear. One of the mantras we run on is ‘play a straight bat.’ In other words, if we find ourselves in a difficult situation, we don’t get caught up in politics or machinations. We deal with the situation honestly and logically. There are some complicated issues out there, and as an auditor, you can help articulate things. You might not make the decisions, but you give clarity, and some of that might well be that we tell people, ‘You are doing well.’ Part of our job, when appropriate, is to give the auditee confidence that they are doing well. There’s a psychological aspect to auditing. I’m certainly not a psychologist, but that psychological aspect allows the auditee to tell you what they’re doing and to unload stuff when needed. And so that psychological aspect can be healthy if it’s done well.
EG: That’s excellent. I’d like to ask you about training if you don’t mind. In your career, can you talk about some of the things you’ve learned from various trainings that you still retain to this day?
IM: Well, training certainly helped me get where I am. Training, and more broadly education, allows you to simplify things. It allows you to deal with multiple issues and interfaces, which underpins what we do. As you get higher up in your education, it allows you to deal with the abstract thinking process. But when we try to instill that ability to think abstractly, sometimes it gets a little bit too ethereal. We can get pulled back by the client, who might say, ‘No, we do nuts and bolts here, and it works for us.’ So, we actually turn those abstract ideas and theories into the nuts and bolts.
In my career I have taken Exemplar Global-accredited lead auditor courses. I like the updates we get with the new standards, when we get the information and are then tested on the new standards. This is all quite valuable in demonstrating our competence and professionalism.
EG: You work with clients in inherently risky fields. How do you help them understand and put processes in place to mitigate risks?
IM: In health and safety, we always look at energy sources as potential risks. If you consider any energy source as a potential hazard and a risk, you’ve gone a long way in health and safety. This is a simple and important risk-mitigation principle, and it exists in information security, too. Disconnected off-site back-ups, for example, are very important. Many clients rely on the cloud for backing up data, but the basic premise of having disconnected off-site back-ups is just a fundamental practice. But that’s something that even reasonably big companies haven’t been doing. They say, ‘Oh, we can just back up in the cloud,’ but we’ve had examples where a virus has gone right through their system back to the cloud, and it took them six or nine months to get over it. Again, these are fundamental things. With information security risk, we tend to think about all the electronic-type things, but there are basic things like entry-logging visitors and cleaners or having a clear-desk policy that are very important as well.
EG: Everything you’re talking about, all of these disasters, whether physical disasters, lives lost, or financial disasters, are terrible, but if they’re treated properly in the corrective action portion of the program, it can really lead to a much more secure, fundamentally better system and organization. Unfortunately, the way human beings are, it’s often difficult to account for those things before they happen. We sometimes need to experience and deal with a bad outcome before taking the appropriate action.
IM: I use a basketball analogy. Sometimes a team will start a game and you’d swear there’s Glad Wrap on the rim. It’s just one of those days. I think that happens in every sphere, where you get a day when everything just lines up wrong and it needs to be managed. During Covid, I was amazed how well many of our customers did. Most of them worked through it somehow, and I think the systems approach helped them considerably. Some of them came out of the pandemic better than they went in. The system approach, I think, really assisted them in dealing with what could have been a catastrophic disaster.