What’s it like being an ISO Management Systems Auditor?

Darryl Beresford is a Lead Auditor at Alcumus ISOQAR. Here we speak to him about what it takes to build a career as an auditor, and the pros and cons of the job.

Share this story

Written by: Alcumus
20th May

How did you arrive where you are in your career today? What’s your background?

I have a long and diverse employment history that covers areas such as the motor trade, retail and (briefly) manufacturing. But my first love - and where I spent most time - is in IT which includes, at various time, software development and time as a Quality Manager. My most recent role was as Quality Manager and Information Security Officer for an IT solutions provider.

In your experience, do many auditors set out early in their career hoping to become auditors? After all, not many kids grow up dreaming of one day being an auditor.

No! I’ve never met anyone who has set out to be an auditor early in life. It is, after all, a rather niche position. Maybe it’s something that as an industry we should promote more to youngsters because it’s an excellent career choice.

It seems that many auditors are, with respect, not in the first flush of youth. Why is that?

Being an auditor requires experience, both in industry and in life, so there’s that. But it’s probably largely because of lack of awareness of auditing as a career. It’s as much a stepping stone to other options as it is the end point for others. On another note, I think the industry needs a better male/female split too; most auditors are male and there’s no obvious reason for that. It is changing though. Indeed in ISOQAR many of the senior figures are female.

What qualifications do you need?

There’s no official route to becoming an auditor. It’s for the Certification Body that employs you to decide whether you’re competent to do the job or not - there’s no checklist or mandatory requirements. What you have to do is develop your understanding of a standard and sector it applies to by learning from the established auditors and then undertake witnessed audits where you’re observed by colleagues. I should say that all auditors will have done IRCA training too but that’s only a week or two. Essentially it’s all about demonstrating competence, rather than getting certificates.

Because there’s no single route, it means it’s a career choice that’s open to people from all walks of life and all career backgrounds.

Do you need a degree?

As a rule, no. That said, to audit ISO 27001 you should really have a qualification equivalent to a degree, although not necessarily a degree itself (in fact I don’t have one), plus you need experience working in IT.

Good communication skills are always important, especially the ability to communicate verbally and in writing, since we have to report back on our findings clearly with clients.

There’s really no obvious route in academic terms to becoming an auditor. There’s no degree course that I know of. Most of us have done time in our selected industries, then perhaps been involved in setting up management systems and internal auditing, before moving on to making it a full time role.

What standards do you audit? And is it important that you’re able to audit multiple standards?

All ISOQAR auditors cover the three core standards: ISO 9001 Quality Management, ISO 14001 Environmental Management and ISO 45001 Occupational Health and Safety Management. I think it’s very important that auditors understand the main standards as well as the crossover points between them as many audits we go on include multiple standards.

In addition, I cover ISO 27001 Information Security. I also cover some child standards, ISO 27701 for Personal Information Management and Standard 55 for secure cheque processing.

I’m currently awaiting getting ‘signed off’ for ISO 22301 Business Continuity Management. It’s good to add more strings to your bow. Some of these niche standards add to your employability and career prospects too.

Which is your favourite standard to audit, and why?

ISO 27001 Information Security without a doubt. The thing I like best is that most things the standard tries to prevent are criminal! Whilst all ISO standards make the company stronger or better, ISO 27001 actually seeks to prevent criminal behaviour from both outside and inside the company as well as tackling accidental and commercial issues.

What’s it like in the post-pandemic world? Are you still getting out and about?

The exact nature of the ‘new normal’ is still developing in the world of auditing, but it’s looking like a hybrid approach of onsite and remote auditing. It’s a nice blend - it means you’re not always on the road but still get out and about into new environments, which is a major appeal of the job.

How do you actually add value to clients? Are you able to advise when auditing, or is that not allowed?

There are strict rules on what auditors can do in terms of consulting and auditing. We’re not there to replace consultants. We’re only there to check the systems are compliant with the standards. Having said that we can raise ‘opportunities for improvement’ that allow us to put forward ideas that may improve their systems as a bit of value add. If we provide too many ideas, we can end up auditing our own work, not the company’s, not to mention alienating all the consultants out there!

Are clients afraid of auditors when they turn up? How do you put them at ease?

Some clients are clearly nervous about the audit! Some, however, have being doing this a very long time and enjoy the opportunity to show off their work and also learn a bit from us.

As I spent a number of years being audited myself, I do understand how they feel and try to present a friendly but professional approach. I also tell them that we audit systems not people: we’re not there to catch people out or make them look foolish.

What’s the worst thing about being an auditor?

Auditors often work and travel alone so if that’s not your thing, it may take a little getting used to. But we’re all just a click away from chatting to colleagues for support and at ISOQAR we’re very big on working as a team. It’s a very supportive environment. Our approach to each other is like our approach to our clients - we’re there to help and learn together.

And the obvious question: What’s the best thing about being an auditor?

It’s tough to pick just one thing. I enjoy the autonomy, being treated like an adult and not being micro-managed is important to me. The variety of the job is a big plus, each company is different even though the standards remain the same. Meeting people is something I enjoy and I’ve come across many interesting people. Plus, if you don’t like them much, it’s only a few days at most and then you’re on to the next one!

Exciting opportunities at Alcumus ISOQAR are available now!