Method · Auditing
The desk-based documentary audit: reading conformity from public evidence
The IAC Observatory walks into no one's offices. It reads what an organization publishes and separates, line by line, what it claims from what a third party can verify. This page sets out that method and shows where the bridge between a corporate claim and a verifiable fact breaks.
What a desk-based documentary audit is, and what it is not
The desk-based documentary audit examines the conformity an organization declares using only openly available evidence. There are no interviews, no access to the Statement of Applicability, no management review minutes. There are web pages, trust portals, service agreements, contractual annexes, transparency reports and technical artifacts published by the organization itself.
A certification audit or a second-party audit works on the complete system, with sampling of records and direct observation of processes. The desk-based audit works on the public footprint: what the organization chose to show and what, by omission, it left out of view.
The IAC Observatory registers and verifies that footprint. It does not accredit bodies or certify systems; it observes the open evidence and records what holds and what does not. The desk-based audit concludes neither conformity nor non-conformity; it concludes verifiable public support, or the absence of it.
The unit of analysis: the claim, not the organization
The method does not audit organizations; it audits claims. Every statement of conformity a company publishes is a discrete unit that is isolated, broken down and tested. A claim always has four implicit components: which standard, which legal entity, which services it covers, and from when until when.
A claim without those four data points is not verifiable, however emphatic it may sound. The desk-based auditor treats each claim as a witness, asked the same questions: who says it, about what, on what support, and until when. A statement that does not answer those questions is not discarded; it is classified as an unverified claim, which is a category distinct from a false claim.
This discipline avoids the most common error in reading corporate communication: taking tone for evidence. A dense, well-written security page creates the impression of control. The method forces the reader to ask, sentence by sentence, which of those statements an outsider can verify and which one can only believe.
The bridge that breaks: when the scope does not match the certificate
The recurring finding of every desk-based audit is not the lie; it is the fragmentation of scope. An organization publishes a verifiable certification for a narrow set of services, and on another page declares a broader management system covering products the certificate never named. Both statements can be true at once, and between the two a gap opens up.
When the standard, the certificate, the legal entity, the dates and the covered services cannot be traced along a single line, the system exists but its public perimeter is not unified. For a client or a regulator, that means reading three pages and two portals to understand which service is in and which is out.
Here is a technical point the method cannot omit: ISO/IEC 42001 is today issued, in market practice, as non-accredited certification, outside the published accreditation scope. A certification within accredited scope rests on a traceable chain of oversight; one outside that scope rests solely on the reputation of the body that issues it.
The recurring finding is not the lie; it is the fragmentation of scope. The system exists, but the public perimeter cannot be traced along a single line.
Illustrative exercise: the public footprint of a large AI provider
To show the method in operation, a concrete example helps, with a warning up front: what follows is a desk exercise on public evidence, not a formal audit or a conformity opinion. It does not assert findings as truths about the organization; it describes which evidence is public and which is not.
Take a large-scale AI provider that publishes abundant security material. On an information security standard, the public evidence tends to be dense: the organization ties the certification to a named set of services, publishes contractual measures and declares that the certificate is available. The bridge between claim and verification, within that perimeter, holds.
On the AI management standard, the same exercise finds something else. The organization declares that it maintains the management system over a scope broader than the security certificate, and publishes consistent governance artifacts. What the exercise does not always locate in the open is the certificate with the critical metadata: issuer, number, validity period, legal entity. The governance is observable; the certification, not fully verifiable from what is public.
The exercise illustrates the general rule: the same organization may have different levels of public support for different standards, and the hurried reader averages them into a single impression of compliance. The method separates them and names each one by its degree of verifiability, without inventing what the open evidence does not show.
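The claim-by-claim procedure described above (four components per claim, traceability to a certificate, scope gaps, and the accredited/non-accredited distinction) can be rendered as a small classifier. The code below is an added illustration and is not the Observatory's own tooling; every record in it is constructed ("Example Corp Ltd", "Body A", "CERT-0001" and the service names are placeholders), and the ISO/IEC 27001 records stand in for the unnamed information security standard of the exercise.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple
# All records here are constructed placeholders; "Example Corp" is not a real organization.
@dataclass(frozen=True)
class Claim:  # one published conformity statement, split into its four components
    standard: Optional[str]
    legal_entity: Optional[str]
    services: FrozenSet[str]
    valid_from: Optional[date]
    valid_to: Optional[date]

@dataclass(frozen=True)
class Certificate:  # critical metadata of a certificate located in the open
    standard: str
    legal_entity: str
    services: FrozenSet[str]
    issuer: str
    number: str
    valid_from: date
    valid_to: date
    accredited: bool  # issued within a published accreditation scope

def classify(claim: Claim, certs: List[Certificate], as_of: date) -> Tuple[str, str]:
    """Return (category, reason). Missing support is 'unverified', never 'false'."""
    parts = {"standard": claim.standard, "legal entity": claim.legal_entity,
             "services": claim.services, "validity": claim.valid_from and claim.valid_to}
    missing = [name for name, value in parts.items() if not value]
    if missing:  # the claim cannot be tested until it answers all four questions
        return "unverified claim", "claim does not state: " + ", ".join(missing)
    found = [c for c in certs if c.standard == claim.standard and c.legal_entity == claim.legal_entity
             and c.valid_from <= as_of <= c.valid_to]
    if not found:
        return "unverified claim", "no public certificate with issuer, number and validity located"
    gap = claim.services - frozenset().union(*(c.services for c in found))
    if gap:  # the system may exist, but its public perimeter is fragmented
        return "scope gap", "claimed services named on no certificate: " + ", ".join(sorted(gap))
    if not all(c.accredited for c in found):
        return "verifiable, non-accredited", "support rests on the issuing body's reputation alone"
    return "verifiable public support", "traceable to " + ", ".join(c.number for c in found)
CERTS = [Certificate("ISO/IEC 27001", "Example Corp Ltd", frozenset({"api", "console"}),
                     "Body A", "CERT-0001", date(2024, 1, 1), date(2026, 12, 31), True)]
CLAIMS = {  # the illustrative exercise above, rendered as records
    "infosec": Claim("ISO/IEC 27001", "Example Corp Ltd", frozenset({"api", "console"}),
                     date(2024, 1, 1), date(2026, 12, 31)),
    "ai-mgmt": Claim("ISO/IEC 42001", "Example Corp Ltd", frozenset({"api", "console", "models"}),
                     None, None),  # governance artifacts published, no certificate metadata located
}
def run_exercise(as_of: date = date(2025, 6, 1)) -> Dict[str, str]:
    return {name: classify(claim, CERTS, as_of)[0] for name, claim in CLAIMS.items()}
```

Run against the constructed records, the security claim traces to a certificate while the AI management claim lands in "unverified claim", which is the page's distinction: not false, simply not verifiable from the open evidence.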
Why this format is the Observatory's signature
The desk-based audit has a value the certification audit cannot give: it is replicable by any third party with the same sources. It depends on no privileged access and no contractual relationship. Anyone with the primary URLs can redo the comparison and arrive at the same map of gaps. That transparency is, in itself, a form of rigor.
Nor does the method penalize the organization for what it does not publish. It acknowledges its own limits: what is not located in the open may exist and be perfectly documented behind closed doors. The desk-based audit does not say the system does not exist; it says that, on the public evidence, it cannot be verified. The difference between those two statements is the whole ethics of the craft.
What the IAC Observatory registers, then, is not conformity. It is the distance between what an organization claims and what an outsider can verify. That distance is a governance datum in its own right: it measures how much of the declared compliance lives in trust and how much lives in evidence.