December 14, 2024

What SA auditors should know about ISO certification when auditing telecoms clients

Earlier this year, Namibia’s Mega Mobile Telecommunications Company (MTC) became the first telecommunications firm in the Southern African Development Community region to achieve full certification from the International Organization for Standardization (ISO). Even more impressively, it achieved certification for six standards simultaneously.

The ISO, which comprises standards bodies from more than 160 countries, is responsible for setting uniform standards for companies and organisations worldwide.

Muhammad Ali, managing director of South African ISO specialist World Wide Industrial & Systems Engineers, welcomed MTC’s achievement and thoroughness in becoming ISO-compliant.

He believes far too many industry players – particularly those in emerging markets like South Africa – have used ISO certification to cut corners.

“Concerns around this began to emerge globally around the early 2010s when the rapid expansion of the telecoms sector exposed inconsistencies in governance. Some companies pursued certification to meet market expectations or regulatory requirements without making substantial operational changes, leading to superficial conformance,” he says.

He adds that ISO management representatives working for telecoms companies must be informed about effective implementation, maintenance and continual improvement toolsets. “This is why you find consultants pushing their own agendas, using the standards and audits to increase their scope [of influence].”

According to Ali, the most significant gaps that allow companies and consultants to hide behind meaningless ISO certifications include:

  • Inconsistent auditing standards: While certification bodies are supposed to adhere to strict guidelines, there can be variability in how rigorously different auditors apply the standards.
  • Incompetent auditors: Auditors must gain the requisite experience or industry code to audit effectively.
  • Auditor intimidation: Larger corporations can be intimidating to certification bodies, so even when auditors encounter problems with systems, processes and risk strategies that are not effectively implemented, they are not brought to the fore. Many certification bodies also cannot afford to lose their clients, which compromises the integrity of the certification process.
  • Lack of oversight by regulatory bodies: Limited monitoring can allow companies to maintain certifications without continuously adhering to best practices.
  • Weak internal controls: Some telecoms companies may not prioritise embedding ISO standards in their operational culture, leading to ‘tick-box’ conformance rather than genuine improvements.

Ali says that with these practices being too commonplace, auditors must be equipped with the skills to differentiate between genuine ISO conformance and superficial efforts.

One way to do this is via effective second-party audits. This involves suppliers being audited against the relevant ISO standard to verify their ability to deliver on mandates and understand the full spectrum and scope of products and services. Once evaluated, there needs to be an independent re-evaluation of a supplier’s performance according to strict service level agreements, with penalties for poor governance, fraud, corruption and consequence management.

Ali points to a review of audit trails as the second factor. Detailed records showing how standards are applied, monitored and adjusted will reflect genuine conformance.

“Another way to separate the genuine from the superficial is to evaluate operational integration. ISO standards should be embedded in the company’s processes, not only in documentation but in real-world practices,” he adds.

“Auditors should also engage with staff at all levels of a company. This will inevitably reveal whether ISO procedures are being implemented properly or if they only exist on paper. Finally, a company with superficial certification likely will not be able to show active efforts to refine or enhance its processes in line with ISO standards.”

Image credit: David Arrowsmith/Unsplash

Leave a Reply