Whenever organizations seek certification, they rely on the good judgment of auditors. Most of the time that’s fine, but sometimes auditors pick up bad habits and make poor decisions.
If you’re an auditor or an organization that’s being audited, you should look out for these ten mistakes that bad auditors make:
- Imposing their opinions
- Reporting findings that aren’t supported with objective evidence
- Blindly ticking off checklists without thinking about what matters
- Believing their paperwork and ignoring what’s happening on the ground
- Auditing against best practice, which is a moving target that’s often the auditor’s own opinion
- Writing generalized findings that aren’t supported by facts
- Feeling obligated to find something wrong
- Allowing cost-cutting to starve the audit of the time needed to do it properly
- Supporting managers who set objectives that are meant to be SMART (specific, measurable, achievable, relevant, and time-bound) but which fall short on one or more of those criteria
- Forging a close relationship with managers so they can write disingenuous audit findings that lead to consultancy business
Good auditing practices
ISO 19011 describes the principles that all auditors should act upon: integrity, fair presentation, due professional care, confidentiality, independence, and an evidence-based approach.
Applied diligently, these principles can eliminate all of the bad practices listed above.
You can learn more about what it takes to become a good auditor in our ISO27001 Certified ISMS Lead Auditor Online Masterclass. We help you understand the tasks of an auditor and offer plenty of advice. As well as avoiding the ten mistakes we mentioned earlier, all auditors should:
- Audit with business value in mind
- Use a process approach to defeat silo mentalities and avoid tick-box nonsense
- Audit against a defined management system standard (e.g. ISO 27001, ISO 22301, or ISO 9001)
- Eliminate useless documented information
- Avoid blame games (but if it’s absolutely necessary, blame the process rather than individuals)
- Listen to what people in the organization tell you before assessing conformance
- Demonstrate a rationale for your findings by showing their relevance to policy and objectives
Auditors should also produce findings that address common problems, such as:
- Cross-functional disconnects and departmental agendas
- Inadequate resourcing
- Poor training, mentoring, and skills development
- Weak or non-existent management commitment
- Inadequate monitoring, measurement, inspections, reviews, tests, and exercises
- Poor corrective actions that don’t address the problem’s root cause
- Poor supply chain management
Outsource your internal audit to IT Governance
Gain the assurance you need to achieve compliance with ISO 27001. Globally regarded as the ISO 27001 experts, IT Governance’s team of consultants can help you meet the Standard’s requirements for an objective and impartial audit process. The IT Governance Internal Audit Service consists of two separate audit days spread over one year. On completion, you will receive a detailed audit report highlighting any nonconformities identified. The report will provide the required assurance as to whether the ISMS continues to conform to management’s requirements and to those of ISO 27001.