Surviving Your First External Audit

After three years of working with us at Assent to maintain ISO Certification at his company, IT Analyst, Jeremy Benson shares some of his tips on Surviving Your First External Audit.

There is very little information in the public domain about the audit experience – particularly for those who are striving to reach certification for the first time or have been unceremoniously thrust into an audit due to a change in job role. It can be daunting; here are some tips to help.

Audit Conduct

It’s easy to say it, but try to relax through the audit. There is nothing worse than being uptight and feeling like you are in the dock being scrutinised by a jury; it will just create a difficult atmosphere and you could be in the same meeting room with an Auditor(s) for several days. The Auditors are just doing the job that your company has asked them to do. Building a working rapport with them will make the whole experience much smoother and pleasant for both of you.

Be a Good Host

Treat your Auditors with the same respect you’d hope to receive yourself when visiting another company. Provide them with good directions in advance and organise parking if required; find out any special dietary requirements.

If you have visitor wifi internet access (and your policy allows it), offer it to them when they arrive; they are less likely to be surreptitiously vulnerability scanning your internal network and more likely to be thankful; they can keep an eye out for important work emails during quieter spells during the day.

Working lunches are often required to be supplied as part of the Certification Body T&C’s, but it’s courtesy to do this even if not. In the majority of cases, this is a good time to “down tools” and forget the audit for a short period. I try to avoid discussing work during lunches, as usually both Auditor and Auditee need some audit relief at this point! Arguing findings over a sandwich is unlikely to be beneficial to either side.

Prepare Staff in Advance –

Staff within the wider organisation will naturally hide during audits and be reluctant to talk to Auditors, diverting their gaze when they walk by and suggesting someone higher up the organisational food chain should talk about processes when cornered.

There isn’t a lot you can do about this, but some things can help;

  • Give all staff prior warning that the audit is taking place. At least twice. And again on the day of the audit.
  • Remind staff of important areas that they can help with in the audit such as observing Clear Desk Policy, awareness of where training material can be found. Do a sweep of the building on each audit-day morning, if practical, to tidy away any minor indiscretions of the Clear Desk Policy.
  • Reassure staff if they are required to see the Auditor. Your own conduct of being relaxed in audit will help this – approaching members of staff whilst ashen faced and appearing brow-beaten will scare the life out of timid members of staff.
  • Thank staff participants publically for their time and input when audit is over – this goes a long way to making all staff feel inclusive of the system and helps next time around.

Remember to warn staff that your own time will be very limited during the audit – this should minimise disruptions from staff who expect you to be able to do two jobs at once.

The Audit Experience

All audits start and end in the same way – an opening meeting in which the audit schedule and finer points of audit are spelled out, and the closing meeting where findings are repeated and the next audit is discussed. In between is where the majority of the work is done, and the approach can vary from Auditor to Auditor.

However, brace yourself for being in a meeting room for long periods, providing paperwork and evidence for your Auditor to review. Remember to be a good Host and offer your Auditor regular drinks, or have facilities close by – it’s thirsty work. Try to take as much core material into the audit with you, or have PC access to electronic copies. Having to constantly go off in search of documents or evidence can be time consuming and disrupts the audit schedule. They expect some information will need to be found, but if you can’t lay your hands quickly on your major policy documents then that won’t help your cause.

At the start of each day is a good time to find out which staff members may be required to participate, so that you can ready those staff an hour or two in advance.

At the end of each day is a good time to review the Auditor’s schedule for the following day; there is little time to try and cover gaps in your security posture or system, but it can be helpful to use this time to look for evidence in advance for the following day.

Dealing With Findings

In the majority of audits, there are going to be ‘findings’ – hopefully just ‘observations’ (or ‘opportunities for improvement’ as they are now called), but there can also be minor or major ‘non-conformances’.

There is nothing to gain from getting uptight when Auditors find areas of the business that aren’t quite up to standard – it’s their job to keep you on track, improve the system, and measure it against a defined standard (and they are seeing different systems weekly). They are unlikely to change their mind over these findings, but the importance of the finding (in the context of your organisation) and how it is best mitigated or approached is the area to focus efforts on.

Discuss findings at the time, in detail, and how to best fix them, so that by the end of the audit, you understand the issue and are already clear on the way forward – this is important, because there is only a little detail of a ‘finding’ that can be put in an audit report, and the context can be quickly forgotten weeks later. Treating ‘observations’ the same as ‘minor non-conformances’ (and resolving each one) demonstrates to the Auditor that you value their input and is a good way of evidencing improvements to the overall system in the future.

Post-Audit

Hopefully by now you are relaxing in the warm after-glow of a successful audit – but it’s important to write up any observations and non-conformances (and respective actions) found in your system as soon as possible; whilst they are still fresh in your mind. The next audit will come around quickly.

– Jeremy Benson, Internal IT Analyst (from one of our ISO 27001 certified clients)