
How to approach an auditor in a certification audit

Dejan Kosutic

If you’re going for the certification audit, you are probably wondering how to approach the auditor. In my opinion, the most important thing is not to forget that auditors are only people, and no matter how professional they are, they will always be glad if you treat them fairly; on the other hand, treat them badly and they will be negative.

What shouldn't you do?

Here are the things to avoid:

  • Don't avoid their questions. They will know right away if you're hiding something, or if you want to divert the discussion to something else – this is a good way to make them suspicious, because they will think you're hiding a nonconformity.
  • Don't lie. When they find out you're lying (and they will), they will completely lose trust in you, and they will become even more careful than they were before.
  • Don't waste their time. Don't drag them somewhere they don't want to go, or spend too much time on things they want to move through quickly. This will make them nervous, because they won't be able to go through some other stuff that is important to them.

Importance of the positive relationship

So why should you treat the auditor nicely in the first place? Because there is a grey area in the “rules” where you can benefit from building a positive relationship. (Don't worry, by this grey area I don't mean anything illegal or unethical, as I'll explain a bit later.)

Auditors have a basic rule that they must audit, not consult – this means that they must tell you whether something is good or bad (i.e. whether there are nonconformities or not) and they should give you a short explanation of why there is a nonconformity or why something is a good practice; however, they are not allowed to give you detailed advice on how to resolve your problem.

You should be aware that certification auditors have audited dozens, if not hundreds, of companies and that they have seen everything – from really worst-possible practices to fantastic examples of intelligent solutions. Basically, they are a walking encyclopedia of what's good and bad for ISO 27001, ISO 22301, or whichever standard you are getting certified in.

So what's this grey area? This is actually the length of the short explanation I mentioned – if you develop a positive relationship, this short explanation won't be only a couple of words, but perhaps a couple of sentences, which could be enough to make several clicks in your head that will save you quite a bit of money and time afterwards. On the other hand, if you treat this auditor badly, he will (of course) keep his explanations to a minimum, and there goes your chance to learn something from him.

What you should do at the certification audit

Therefore, you should do the following to develop a positive relationship:

  • Answer the questions directly. Give them clear and timely answers, supported with facts.
  • Admit you have a problem. Of course, you're not going to volunteer all your problems, but if you are asked directly – tell them openly what the problem is. The auditors will interpret your candor as your intention to improve the system – in such cases they might raise a nonconformity, but you will almost certainly get them to discuss the best way to close it.
  • Ask for their opinion. They might not have time to answer such questions, but by showing your enthusiasm for the subject, you will give them a positive picture of you and your company.

So if you approach the auditor from the positive side, you’ll certainly find your audit not only more pleasant, but also much more useful than you expected.

This article is an excerpt from the book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation.

To learn more about certification audit, download this free white paper: What to expect at the ISO certification audit: What the auditor can and cannot do.

About the author:

Dejan holds a number of certifications, including Certified Management Consultant, ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, and Associate Business Continuity Professional. Dejan leads our team in managing several websites that specialize in supporting ISO and IT professionals in their understanding and successful implementation of top international standards. Dejan earned his MBA from Henley Management College, and has extensive experience in investment, insurance, and banking. He is renowned for his expertise in international standards for business continuity and information security – ISO 22301 & ISO 27001 – and for authoring several related online tutorials, documentation toolkits, and books.
