The simple - but unhelpful - answer is: "Who knows?"
The fact is, each auditor has their own unique approach to the auditing process, so it's very difficult to predict what any individual is going to ask about the management system.
It has been common, since Certification audits began, to prepare employees to answer a Certification auditor's questions. This preparation might include strict instructions:
- Answer only the question you're asked
- Don't elaborate
- Don't try to answer if you don't understand the question
- Don't give your opinion
- If you don't know, refer the auditor to your supervisor
These "rules of engagement with the auditor" are often seen at work stations, posted in office cubes and so on. In a previous career as a Certification Auditor, I can tell you that when this approach is adopted, it can make employees overly anxious and nervous - and frankly - a good auditor will be totally able to overcome this apparent "stone-walling". In many cases, it can bring down what could have been an effective audit because communication becomes ineffective. It really is playing games, whether it's understood that way or not. And even the best of auditors will struggle to keep a smile on their face. Let's face it, this is not supposed to be an interrogation where the Geneva Convention rules apply: "Name, rank and serial number..."
A far better way to answer the imponderable question "What will they ask" and avoid any negativeness from a Certification auditor, by "stonewalling", is to do the following:
- Take control of the audit, take the auditor to a person to...
- Have people explain what they do, then
- Have them demonstrate how they do it
- Describe how the process is controlled through any applicable documents
- Explain what they do when things might go wrong (if applicable)
- What records are generated (if applicable)
- If the process is performing as planned to the established goals (if applicable)
- Their contribution to customer satisfaction and improvements
I'm not a big fan of people being able to whip out a card and recite the quality policy - it's often trite and meaningless (the policy, I mean) so what does it prove?
By taking control of the audit in this manner, the outcome of the audit will become more predictable, the auditor doesn't get to ask (obviously) dumb questions, it makes it easier for them to just audit (which is, after all, a listening activity for which they need to remain silent). As a result, the auditor gets a good feeling that this isn't going to be "one of those audits", where people don't answer freely. This automatically raises the auditor's perception in a positive way. They are able to listen, take vital notes and the pressure to be thinking of the "next question" become less of a burden.
In fact, it's less to do with "passing the audit" and more about the organization actually confirming that it has competent people, who know how to control their processes, what to do when something unplanned happens and so on - vitally important to any organization, whether they are going for ISO Certification or not. Every manager and supervisor should have confidence that their employees know their stuff!
I'd suggest that if your organization has prepared for a Certification audit, that you seriously rethink why you are doing it at all. You are probably avoiding a real issue - that of demonstrating leadership and confidence in your process controls. Imagine if a customer was hearing your people answer "just the question asked", instead of confidently describing what's done, why and how it meets their needs. I know which I'd be more impressed with, in all three roles - auditor, manager and customer.