How To Survive An ISO Audit
GUEST ARTICLE
What Do Auditors Expect to See?
All auditors have their own expectations; they expect you to be able to demonstrate your knowledge and support it with sufficient evidence.
Keep your systems simple, ensure that records are kept up to date, and keep a record of what you do. A lot of companies meet the standards but don’t record what they do and therefore can’t evidence it to the auditor. I also recommend asking the auditor what the best way to do certain tasks is; don’t forget they see lots of companies and pick up lots of good practices.
What will the Auditor Look For?
The auditor is looking for three main things:
- You have all the required documentation to meet the standard for your scope
- Your activities are performed as per your documentation and the standard
- You conduct the required data capture to show that you meet the requirements of the standard and your documentation.
Don’t write policies and procedures that you don’t need and don’t intend to comply with. Once you issue a document or procedure, make sure your staff use it and take it seriously.
What Makes Auditors Happy?
Be honest. As well as having knowledge of the standards, ISO auditors have a great ability to smell bullshit; they have a mystical gut feeling that instantly alerts them when something isn’t as it should be.
Give clear and timely answers supported with evidence, and only give the facts. If you find something isn’t as it should be, don’t try to cover it up; it’s much better to admit you have a problem and show the auditor how you are going to fix it. This demonstrates how you resolve problems, and if done efficiently and correctly you can turn this into a positive.
What will Annoy the Auditor?
Two things will annoy the auditor: firstly, if they are prevented from doing their job, and secondly, if they are lied to.
Don’t avoid their questions. If they have asked for info they won’t stop until they get it, plus they know you are stalling them. Don’t lie, as once they find out (which they will) they will lose all trust in what you tell them. Don’t waste their time; they want prompt answers and a stream of evidence that is ready when they want it.
What Can’t the Auditor Do?
The auditor cannot raise a non-conformance unless it is a breach of the standard.
Never argue with an ISO auditor. I was once told “it’s like wrestling a pig in mud, the pig will always win as he enjoys it”, but this doesn’t mean that if they raise something you don’t agree with you shouldn’t question it. Simply ask them to show you which bit of the standard you haven’t met, as you want to learn; this way they will have to support the NC without spoiling the relationship. Remember, auditors are humans and can make mistakes. I recommend using a pre-audit checklist to ensure you’re compliant, and ticking off every relevant clause of the standard you are looking to obtain (if you would like a checklist I am happy to supply one for free, just email me at Craig@CAWConsultancy.co.uk).
What Can the Auditor Do?
The auditor can speak to anyone within the scope of certification, he can ask to see any document and can walk around the premises.
Don’t just prepare your management; ensure that all documentation is complete and that all staff are aware that an audit is taking place and what the purpose of the audit is. If the auditor is greeted by new staff that he meets, and they all know his name without introduction, it will help demonstrate to the auditor that the company has good internal communication, and much more.
Please leave your views in the comments. Also, if you have any tips for how to keep ISO audits stress free, then please post them to help educate people that ISO auditors are not the enemy. If utilised correctly, they will hugely benefit your business. Remember, it’s your audit, so make sure you benefit the most.
About the author:
Craig Willetts is the owner and MD of CAW Consultancy Business Solutions Ltd & CAW Business Apps. CAW Consultancy provides management system and accreditation assistance (ISO 9001, BS14001, OHSAS 18001, ISO 27001, ISO 22301 and SIA ACS, CHAS and many more), screening and vetting to BS7858:2012, risk management training and outsourcing, tender/bid writing and a range of other support services for security companies, helping their clients gain the tools they need to thrive, and has highly trained sector-specific consultants. For more information visit the website at http://www.cawconsultancy.co.uk/ or blog: https://cawconsultancyuk.blogspot.ca/. View Craig’s full profile at LinkedIn.
This article has been reproduced here with permission from the author. Title picture is not associated with the original writing.