- in the words of Corporal Jones, “Don’t panic Mr Mainwaring”
What to expect when an auditor visits your offices
You probably know the feeling in an exam when you want to revise your answers just before handing the paper over to the examiner. This usually does more harm than good. The same goes for auditing. Once you start making changes to documents or records on the eve of an audit because you think you have missed something, you are forever playing audit roulette.
Any visit from an auditor should be preceded by them contacting you to agree an agenda for the visit, especially if the subject area is large and multiple processes are being audited. An audit will not examine every word, document, workflow process or record in the systems being audited. Audits are based on selective checking, and therefore you won’t be able to control the direction or interest of the auditor. In my experience they are well versed in finding the one item on a page that you hoped they would miss!
What they will do, though, is work with you and start off by looking at your documentation. Is it all relevant? Often we tend to over-write processes and policies because we think that more content equates to more adherence. Sometimes a four-page monologue can be condensed into one page of succinct process.
They will also, softly, interview relevant Management Team members and Process owners so they can gauge the levels of awareness amongst staff in the focus areas.
At this point I will offer my first ‘top tip’. Try and keep your defences down. It will lead to a more productive day if you accept that they have come to help you improve your functions in the long run.
If you have any weaknesses, don’t hide them. By having an impartial view and assessment they will be able to say things that you probably already know. This can lead to Management buy-in and improvements to your processes.
If the audit is an official visit and based on a framework such as an ISO Standard, they may well use technical terminology and make references to clauses, subsets and annexes. This is normal and not designed to confuse.
Another helpful hint: know your way around your document and process library. Have a clearly labelled set of files and folders. There is nothing more frustrating to an auditor than the classic ‘click/fail’ situation, with you muttering away to yourself “I’m sure it was here yesterday”.
An auditor hasn’t come to judge you per se; they are there to test the adequacy of your internal controls. It took me a while to realise that auditors aren’t blessed with a 6th sense. They can’t predict the future. A typical audit, in the ITSM world, is based on a historical 9-12-month period. They won’t go back further than that and they can’t audit what hasn’t happened yet, so focus on that window.