Auditors are core to organisations seeking certification. They form an opinion by using professional judgement to assess whether an organisation is ready for certification. However, over the years, some auditors have picked up a number of poor traits that make them bad auditors.
Here are the top 12 things bad auditors do:
- Impose their own opinions
- Write findings that are not supported with objective evidence
- Blindly tick items off checklists, with no thought for what matters
- Believe the paperwork and ignore what’s actually happening on the ground
- Allow their own prejudices to blind them to what is actually happening
- Audit against “best practice”, a moving target that’s often the auditor’s personal opinion
- Write findings that are gross generalisations, not supported by the facts
- Feel obliged to find something wrong even if all is well
- Allow cost-cutting to starve the audit of the time required to do it properly
- Support managers who set objectives that might be SMRT but aren’t Achievable (because the manager has bitten off more than he can chew and can’t afford adequate resources)
- Support managers who set objectives that aren’t even SMRT
- Forge a close relationship with managers so that they can write disingenuous audit findings that lead to consultancy business – sometimes at the expense of people’s jobs.
It’s a long list, reinforcing the notion that auditors aren’t to be trusted.
Good auditing is based upon principles that are defined in ISO 19011:2011, mandatory for auditors who work for Accredited Certification Bodies and responsible consultancies like IT Governance. The principles are:
- Fair presentation
- Due professional care
- Evidence-based approach
Used diligently, these principles can eliminate all the bad practices listed above.
IT Governance Audit Classes
At IT Governance audit classes, we share techniques for auditing in accordance with ISO 19011:2011 principles and guidance:
- Audit with business value in mind
- Use a process approach to defeat silo mentalities and avoid tick-box nonsense
- Audit against a defined management system standard (e.g. ISO 27001, ISO 22301, ISO 9001)
- Avoid expressing auditor opinions
- Don’t insist upon documented information for the sake of it
- Eliminate documented information that’s useless
- Avoid blame games; prefer to blame the process, if blame is required
- Use active listening to confirm understanding before assessing conformance
- Write findings that are supported by objective evidence
- Demonstrate rationale for findings by showing their relevance to policy and objectives
- Write findings that empower people by addressing common problems such as:
  - Cross-functional disconnects and departmental agendas
  - Inadequate resourcing
  - Poor training, mentoring and skills development
  - Weak or non-existent management commitment
  - Inadequate monitoring, measurement, inspections, reviews, tests and exercises
  - Poor corrective actions that do not address root causes
  - Poor supply chain management
Become a good auditor and book on to our auditor training courses, teaching you the fundamental good practices:
Note: It’s often said that objectives should be Specific, Measurable, Achievable, Relevant and Time-bound (SMART).