Within any organization, in order to follow the government's security policy, there are some clear outlines on security classifications, and while the author is the one who sits back and looks at the information and determines its security classification, there is typically one of their supervisors or a senior member of the management team who should challenge that classification to make sure that you do not overclassify a document.
As the auditor, what I can do is ask and question whether you are sure this is the right classification, but in the end I cannot change it. It is the author's discretion to classify.