Saving the good name of auditing

A customer admitted to me earlier this week that they fear being audited, and it surprised me somewhat. When I asked why anyone would be scared of little old me, it became apparent that the audit process in general is scary for many individuals and organisations. The conversation developed like this:

What if they find something bad?

In the standards I audit against (27001, 9001 or internal standards) the term “non-conformity” is kicked around a lot. It is “technically” right in the terminology, but don’t worry - most auditors will highlight the good areas of your system, and if they raise a “non-conformity” it just means that area needs a bit more work. Problems with your system, process or anything else - would you prefer they are highlighted by an auditor, or only when things go wrong?

What if they are mean?

No auditor should ever be mean, obstructive or aggressive. My advice would be: if they are any of those things, terminate the audit! I was taught to be professional, fair, confident, diplomatic and open-minded. Remember who the customer is, and explain in a clear, concise way how things work and why. Also be open to differing opinions and suggestions for improvement. If you feel they have been unprofessional, you can report them to the governing body and ask for a different auditor.

They won't understand how my organisation works!

At first, perhaps not, but give them time and guidance. Auditors have a very short time to learn about you, your organisation and your systems, so be clear and answer honestly.

It’s just a scary process, I don’t want to fail!

Often getting any standard is very important to an organisation, so failure is not an option. That said, any good auditor should tell you that being audited isn’t always a pass/fail “thing”. If an auditor finds a “non-conformity”, accreditation is deferred until you get that area/process sorted. It’s a bit like an MOT: you (often) don’t need a full re-test for a non-conformity, just a check that you have taken appropriate correction and corrective action to fix that issue. Don’t think of it like your driving test, where if you fail you must do the whole thing again!

On occasion auditors have a reputation for being invasive, objectionable and sometimes even rude. Well, during any International Register of Chartered Auditors (IRCA) training course they tell you good auditors are:

  • Ethical
  • Open Minded
  • Diplomatic
  • Observant
  • Perceptive
  • Versatile
  • Tenacious

... (this list goes on); however, an auditor should never be:

  • Rude
  • Aggressive
  • Disinterested
  • Unprepared
  • Offensive

So remember: you are the customer. Don’t panic, and if you want any independent advice or a pre-audit check, please contact me.

Thanks for reading.

David Smith Information Security Manager Limited


