South African businesses have suffered massive financial setbacks due to inadequate auditing, with cumulative losses from poor audits and compliance failures running into billions. Through its material irregularities process, the Auditor-General of South Africa recovered and prevented financial losses totalling ZAR3.47 billion in the 2023-24 financial year.

In one case, the Public Company Accounting Oversight Board (PCAOB) fined KPMG South Africa and two partners $275,000 for using an unregistered accounting firm in audits between 2015 and 2017. Cases like these highlight the urgent need for businesses to engage only accredited auditors.

A manufacturing firm recently lost its ISO 9001 certification due to an unregistered auditor’s failure to identify quality control issues, leading to a cancelled R12 million contract. Similarly, a financial services provider faced regulatory fines and was forced to spend over R5 million on corrective measures after a flawed ISO 27001 audit exposed them to a data breach.

Muhammad Ali, Managing Director of ISO specialist World Wide Industrial & Systems Engineers (WWISE), warns that such cases are common. “Every year, we handle 17 to 20 remediation projects where unqualified auditors have misled businesses. By the time we step in, the damage is done,” he explains.

ISO certifications, such as ISO 9001 for quality management and ISO 27001 for information security, serve as global benchmarks for business excellence. However, many organisations unknowingly expose themselves to risk by hiring unregistered auditors. “There are many so-called auditors without verifiable qualifications or experience,” Ali warns. “They mislead companies, cut corners, and leave businesses vulnerable to compliance failures and financial losses.”

ISO audits are categorised as first-party (internal), second-party (supplier audits), and third-party audits conducted by registered lead auditors from accredited certification bodies such as SABS, TUV, SGS, or Bureau Veritas. When done correctly, audits ensure regulatory compliance and operational efficiency. However, assessments by unqualified auditors create serious financial and operational risks.

Unregistered ISO auditors lack accreditation from recognised bodies such as SAATCA in South Africa, CQI | IRCA in the UK and Europe, PECB in the Americas, or Exemplar Global in the Asia-Pacific region. Despite the presence of these regulators, many individuals claim ISO expertise after completing short online courses with no practical auditing experience. “These auditors lack industry-specific knowledge, fail to conduct thorough assessments, and ultimately compromise an organisation’s compliance efforts,” says Ali.

Many businesses hire unregistered auditors due to a lack of awareness or the lure of lower costs, only to suffer greater financial losses. Some fail to verify an auditor’s credentials through regulatory websites like SAATCA or CQI | IRCA, while others are misled by large consulting firms using unqualified auditors. Industries most affected by poor auditing include manufacturing, food and beverage, construction, mining, and telecommunications.

The risks of hiring unregistered auditors are severe. Some companies have been unable to enforce contracts or take legal action due to poorly drafted agreements, while others have faced certification suspensions or revocations. In extreme cases, businesses have been forced to shut down due to compliance failures. “Losing an ISO certification doesn’t just impact compliance—it damages customer trust, brand reputation, and business continuity,” Ali emphasises. “A single failed audit can set an organisation back years.”

To avoid these risks, businesses must conduct due diligence before hiring an ISO auditor. This includes checking accreditation status with SAATCA, CQI | IRCA, PECB, or Exemplar Global, ensuring auditors have completed at least 200 hours of audits, and confirming they have undertaken a five-day ISO lead auditor course with an accredited provider. Ali warns that red flags include over-reliance on checklist audits, lack of industry-specific knowledge, large upfront payment requests, and resistance to scrutiny.

If an organisation discovers that an unregistered auditor has conducted their ISO audit, immediate action is required. Businesses may be able to pursue legal action if their contracts include provisions for auditor qualifications. However, in many cases, the best course of action is to bring in a certified lead auditor to reassess the audit and report any malpractice to accreditation bodies.

ISO certification is not just about compliance—it is a strategic tool for business credibility, operational efficiency, and regulatory alignment. However, this is only possible when qualified professionals conduct audits. “A proper ISO audit is not just a compliance exercise; it’s a strategic investment in risk management and business excellence,” Ali emphasises. “Hiring an accredited auditor is the only way to ensure genuine, lasting value.”