How to approach an auditor in a certification audit

If you’re going for the certification audit, you are probably wondering how to approach the auditor. In my opinion, the most important thing is not to forget that auditors are only people, and no matter how professional they are, they will always be glad if you treat them fairly; on the other hand, treat them badly and they will be negative.

What shouldn’t you do?

Here are the things to avoid:

  • Don’t avoid their questions. They will know right away if you’re hiding something, or if you want to divert the discussion to something else – this is a good way to make them suspicious, because they will think you’re hiding a nonconformity.
  • Don’t lie. When they find out you’re lying (and they will), they will completely lose trust in you, and they will become even more careful than they were before.
  • Don’t waste their time. Don’t drag them somewhere they don’t want to go, or spend too much time on things they want to move through quickly. This will make them nervous, because they won’t be able to go through some other stuff that is important to them.

Importance of the positive relationship

So why should you treat the auditor nicely in the first place? Because there is a grey area in the “rules” where you can benefit from building a positive relationship. (Don’t worry, by this grey area I don’t mean anything illegal or unethical, as I’ll explain a bit later.)

Auditors have a basic rule that they must do auditing, not consulting – this means that they must tell you if something is good or bad (i.e. if there are nonconformities or not) and they should give you a short explanation on why there is a nonconformity or why something is a good practice; however, they are not allowed to give you detailed advice on how to resolve your problem.

You should be aware that certification auditors have audited dozens, if not hundreds, of companies and that they have seen everything – from really worst-possible practices to fantastic examples of intelligent solutions. Basically, they are a walking encyclopedia of what’s good and bad for ISO 27001, ISO 22301, or whichever standard you are getting certified in.

So what’s this grey area? This is actually the length of the short explanation I mentioned – if you develop a positive relationship, this short explanation won’t be only a couple of words, but perhaps a couple of sentences, which could be enough to make several clicks in your head that will save you quite a bit of money and time afterwards. On the other hand, if you treat this auditor badly, he will (of course) keep his explanations to a minimum, and there goes your chance to learn something from him.

What you should do at the certification audit

Therefore, you should do the following to develop a positive relationship:

  • Answer the questions directly. Give them clear and timely answers, supported with facts.
  • Admit you have a problem. Of course, you’re not going to volunteer all your problems on your own initiative, but if asked directly, tell them openly what the problem is. The auditors will interpret your candor as an intention to improve the system – in such cases they might still raise a nonconformity, but you will almost certainly get them to discuss what the best way to close that nonconformity would be.
  • Ask them their opinion. They might not have time to answer such questions, but by showing your enthusiasm about the subject, they will get a positive picture about you and your company.

So if you approach the auditor from the positive side, you’ll certainly find your audit not only more pleasant, but also much more useful than you expected.

This article is an excerpt from the book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation.


Dejan Kosutic

Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001, NIS 2, and DORA expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.