CoP Audit Policy

The Audit Experience

If CIF decides to perform an audit of the Cloud Service Provider for compliance with the Code, the following will typically happen:

1. Notification. CIF notifies the organisation about the audit, and requests confirmation of dates and logistical arrangements for an on-site visit. Where non-conformance is suspected based upon 3rd party claims, the on-site visit must occur within 21 days of notification. In other cases, it must occur within 45 days of notification.

2. Offsite Review of Application and Supporting Documentation. CIF, or its designated auditors (operating under the Terms and Conditions for Right of Audit and Confidentiality) reviews the Application and supporting documentation for compliance with Code requirements.

3. Onsite Review. CIF, or its designated auditors (operating under the Terms and Conditions for Right of Audit and Confidentiality), conducts an on-site review to validate compliance, in particular with respect to (a) adequate disclosure of non-public information in all commercial proposals; and (b) evidence of proper operation of documented management systems required by the Code.

4. Report. CIF, or its designated auditors, prepares a report of findings within seven days from the end of fieldwork.

5. Management Response. The Cloud Service Provider has seven days to provide written management responses to the report.

6. CIF Action. Depending on the results of the audit and the management responses, CIF may at its sole discretion do nothing, or unilaterally take any action it deems appropriate up to and including public rescission of the Certification including the immediate and unilateral withdrawal of permission to use the Certification Mark. 

If the result of an audit is a finding that the organisation has not complied fully with the Code, the Cloud Service Provider will be liable for the costs of the Audit which shall be £1000, or actual costs, whichever is higher.