Following our introduction to ISO and the ISO Quality Management system, we thought, for our next piece of content, we’d cover perhaps the key step in achieving your ISO certification goal, and that’s audit itself.
For this article, we’ll assume that you’re targeting 9001, and we will be writing this from the ISO 9001 audit perspective; however, within it, you’ll find many principles that can be applied when you’re preparing for certification for any standard.
Lots of organizations are frightened of 9001 and how to apply it, let alone pass the certification audit. If that’s you, we’ve packed the article with some great tips to help you prepare.
In the post we’ll cover the following elements
- Why an ISO 9001 Audit
- Types of 9001 Audit
- Internal Audit
- How to conduct ISO 9001 internal audit
- External or Certification Audit
- Iso 9001: how often do external audits take place?
- Choosing an external ISO 9001 auditor
- The external ISO 9001 certification audit process
- How to pass your ISO 9001 Certification Audit
- Internal ISO 9001 Documentation
- The Certification Audit Process
- Tips to help pass ISO 9001 certification audit
- Maintaining Your ISO 9001 Certification
- Failing ISO certification
- Internal Audit
So are you ready for your ISO 9001 Audit?
Let’s get started!
Why an ISO 9001 audit?
Firstly let’s cover what is an audit.
An audit is a type of inspection where you’re investigated for evidence that shows you comply against something (in this case that you meet the requirements of ISO 9001 standard).
An audit is carried out by an auditor. An auditor can either be internal (from within the company) or external (from outside it). For certification audits the auditor has to be from an independent external organization.
By undertaking an external ISO 9001 certification audit, an organization is taking the final process step before the award of a ISO 9001 certification.
If the audit is successful and based on findings, your independent auditor will grant certification to your business.
If there are findings that prevent certification being granted, as long as they are minor, you’ll be asked to deploy corrective actions (correcting the auditor’s findings) ahead of certification.
To be granted 9001 certification, you HAVE TO BE assessed by an independent auditor from outside your organization. They’ll assess your implemented quality management system (QMS) and review evidence and documentation to verify that you comply with all ISO 9001 requirements.
Types of 9001 Audit
An audit usually takes place for one of two reasons.
1/ You are having a dry run/practice and are using an internal (or external) auditor to look for reassurance that you meet the standard. These are called internal audits or first-party audits.
2/ You are having a certification audit and are using an external auditor to validate you against the standard. These are often referred to as one of the following
- External Audit
- Third-Party Audit
- Certification Audit
To begin with, let’s take a look at Internal Audits.
Internal Audits offer significant benefits. They help you prepare for certification.
An internal audit is usually built from the following steps:
- A member of staff (usually someone from your QA function) will analyze your QMS against the ISO 9001 standard.
- They will communicate to the organization that an audit will take place and how the audit process will work.
- The audit will take place and note areas/processes that may impact the organizations’ ability to gain ISO9001 certification (i.e. processes may deviate from what is acceptable). The audit is usually in the form of
- A checklist that captures the requirement (i.e section of the standard that is being reviewed)
- Any observations
- Whether it meets an acceptable condition against the standard.
- They may note areas that might be outside of scope but could increase the risk of things in scope
- They will advise the organization on what corrective actions need to be undertaken.
- You do not obtain 9001 certification from an internal audit.
Internal audits are invaluable as they help reveal any imperfections in your organization’s quality management system, highlighting key improvements required before you attempt your ISO 9001 certification audit.
Let’s not forget that internal audits can be carried out by external auditors so you can tap into external expertise (i.e. people who’ve been down the road many times) to help you.
How to conduct ISO 9001 internal audit
In most cases, you’ll have some sight of when your certification audit is likely to take place.
It’s prudent to plan backward from this date in terms of how your organizations will prepare.
One of the primary tools you’ll look to utilize in that preparation is internal auditing, so it’s good to advise to plan this well in advance and include some time to deal with findings (especially where things may need correcting ahead of your certification audit).
What else can you do to beef up your internal auditing so that it puts you in an excellent position for your ISO 9001 Certification audit?
1 Communicate, Communicate, Communicate
It’s vital that your whole organization works as a unit to achieve certification. Therefore they need to understand the importance of your internal auditing program and that everyone takes it seriously. Explain:
- What it is you’re doing
- Why you’re doing it
- How important it is to your organization
- Their role in the process and why they need to show professionalism
- Explain their role if issues are found (it’s not a witch hunt) and how they can help.
Make sure you report back at each stage, don’t just send a flurry of communications out at the start and then fail to update people afterward.
2 Honesty is the best policy
The key here is that you want an accurate report of the state of your organization ahead of your certification audit. Putting on rose-tinted glasses and pretending everything’s great will do you no good.
Your staff must be honest during the audit. The whole point of your preparation and your internal audit plan is to shine a light on anything that might affect your certification so you can implement improvements. Corrections cannot happen if you don’t find the issues, so ensure your staff informs you of precisely what is happening. Remember, just because your internal auditor might not find the issue does not mean your external certification auditor won’t.
3. Study & validate your QMS
The key role of your internal audits is to validate your QMS and its implementation against the standard. During the audit follow normal processes, do not invent methods and processes for the sake of the audit. Ensure it’s all business as usual (i.e the same environment the external auditor will see.) This provides a great opportunity to put your QMS to the test. You can check that:
- It meets the requirements of the standard and that you’re compliant.
- Verify that the QMS has been implemented correctly
- Check that processes are being followed
- Check if anything requires adjusting
Remember, your internal audits enable you to capture any concerns & issues as to how you comply against the ISO 9001 standard. They offer an excellent method of aligning your management and employees to requirements and prepare them ahead of any external audits.
Through regular internal auditing, you are equipping your organization to capture and correct issues ahead of any external certification audit.
Top tips for internal audit best practice
- Ensure you’re auditors are adequately trained and thoroughly understand the latest 9001 standard
- Establish an audit plan that covers the whole organization – create this upfront so there is a clear step by step plan this will probably include
- Communication with your business – this is key so you can explain what you’re doing, why you’re doing it, and what help you’ll need. You should explain what an audit is, how it will be conducted, and the benefits that will be obtained by doing it.
- Develop a plan of how you will engage employees as part of the audit process; you must engage and involve staff – the worst audits are those where people feel as though something is being done to them rather than they are participating in the process.
- Resources you will need (i.e. internal auditors)
- The purpose of your audits (are they mock certification audits? Are they to audit corrections of previous issues etc?)
- Selecting departments/functions to be audited
- Assessing which functions are affected by your QMS
- Prioritising departments/functions
- The right preparation which will likely include:
- An audit plan (this will include auditors, documentation, tools (such as checklists), frequency
- Resource preparation – your auditors will need to be familiar with the functions they are auditing and will most likely want to review the specific areas of the QMS which are relevant.
- How you will review and communicate audit findings.
- Dealing with audit findings and corrective actions.
- Communicating results and feedback to your business.
External or Certification Audit
Ok now let’s take a look at an ISO 9001 certification audit.
Iso 9001: how often do external audits take place?
Firstly you’ll be audited when you are applying to be certified against the standard.
Then major Certification audits take place every three years, and there is usually an annual review.
Choosing an external ISO 9001 auditor
The key difference between internal audits and certification audits is that the individual conducting the audit is an external auditor from an approved ISO 9001 certification body who has been designated to your organization.
This may seem frightening to some, remember that the auditor is there purely to do a job; all you need to do is demonstrate compliance to the standard. They are not there to trap you; just assess your compliance.
The first step is to select an ISO 9001 registrar who will attribute an auditor to your organization.
Selecting a registrar is an important decision. They can decide your compliance yes, but they also drive several other important factors such as maintenance audits, long term schedule. You must select a registrar with the view that you will develop a long term relationship with them (you should see them not just as an auditing body but one that will help enable your business. Selection factors typically include:
- Accreditation they may offer
- Experience and attitude of auditor(s)
- Industry experience
- Partnering approach (how they can help you over the longer term)
The external ISO 9001 certification audit process
The external audit process works in a similar way to your internal audits; the significant difference is it will not be a member of staff who will be performing the audit.
The third-party auditor (or auditor team) will be assigned to your organization by an ISO 9001 registrar (also referred to as a Certification Body or CB). This independent entity also issues the ISO 9001 certificate once approved by the auditor.
How to pass your ISO 9001 Certification Audit
If your reading this section with a view that there is some magic bullet or avoidance technique for hard work, then I’m sorry I’m going to disappoint you.
Preparing for and passing your certification audit takes work. Your focus should center around the deployment of an effective QMS (quality management system) that meets the requirement of the standard.
AS we described above, there is no magic wand to help you obtain your ISO 9001 certification. It requires both careful planning and execution (and a good degree of common sense).
What’s key is that you have a clear plan that leads you to certification.
This is best if built around the standard so that you can articulate to yourself and your organization how your are progressing.
Your plan should state what requirements you have reviewed (and are satisfied that are correctly embodied within your processes and QMS) and what work is to go.
There should be sufficient slack in this plan that you don’t finish just as your certification auditor arrives but you have enough time to complete the review AND fix any findings to help you remain on track.
The actual process of preparing for your certification audit is very similar to your internal audit plan and contains many of the same steps that include:
- Why the company is being audited
- The objective
- The plan
- What you need from them
- Preparing your staff – this means ensuring that EVERYONE is aware of:
- The QMS
- The Quality Policy – what it is and how to find it
- Documentation – where can staff find
- Processes & Work Instructions
- Objectives – what are the quality objectives and how their processes help meet them
- All staff have undertaken training to perform their roles in accordance with the standard being targeted
- The likelihood of Interviews – staff should be briefed, so they are:
- Able to say, “I don’t know” if they don’t know the answer
- Able to refer to someone that does.
Internal ISO 9001 Documentation
For some, one of the most challenging aspects to comprehend is documentation. Many people tie themselves up in knots asking, “What documentation get’s reviewed?” “What evidence is required?”, “are my documents ready?”
The very first thing ahead of your certification audit is for you to review your organizational documentation. It goes without saying that if there are any outdated processes /procedures or other documents, they should be removed straight away. Anything in use should be in accordance with your QMS (which, of course, should be up to date).
The next thing is to validate that all documents have been approved in line with your organizational policies (you’ll often find that forms created by staff outside of your QMS find there way into everyday use and are unauthorized).
For the audit itself, to put it simply, your organization should be familiar with and have the following documents readily available:
a) Top-level documents including:
- Organizational Quality policy
- Quality Management System scope
b) Functional documents including:
- Work Instructions
- Process maps
- Relevant Forms
c) Supporting documents/data
The Certification Audit Process
Firstly you’ll need a couple of months of documentated evidence from your 9001 processes and procedures (so that you can evidence compliance).
Remember, the audit is not done and dusted in five minutes, for the average-sized company be prepared for it to take up to a week.
Your certification audit will typically take three steps:
1/ Auditor introduction and Opening Meeting
- Meeting to introduce the organization and review its quality objectives
- Key stakeholders
- Roles and responsibilities during the audit
- Timescales and steps.
The audit of the business process and the Quality management system will include:
- Review of QMS
- Validation of implementation. Usually done by holding departmental reviews to validate that the ISO 9001 standard has been met and implemented.
- Staff interviews
Note during this section the auditor will take notes for any areas that require follow up
3/ Audit Close
This will include
- Any deviations found to the standard that will prevent certification being issued
- Any corrective actions required
- The auditor will provide results/report
If the auditor does not find any major findings, then they will be able to award you an ISO 9001 certificate.
Tips to help pass ISO 9001 certification audit
There’s that word again! To give yourself the best chance of success, get your whole organization behind you by thoroughly:
- Explaining the certification process
- Explaining their part in it
- Avoiding a blame culture
- Obtaining buy-in.
2/ Engage management – have a review well in advance of the certification audit in order that the leadership understand the process, what’s being done and the importance of obtaining certification. Remember everyone has thier part to play INCLUDING management.
2/ Ensure you’re QMS is being adhered too.
Processes and procedures that you have put in place to support ISO 9001 MUST be being followed.
3/ Use your Internal Audit evidence to help you shine – have your corrective action plans documented and ideally completed. If you have commonly recurring issues that have not been addressed within the business then you probably aren’t ready for your certification audit.
4/ Act swiftly (but in a structured way) where issues are found by the auditor
5/ Don’t panic – remain positive, be aware of the audit process, and be as helpful as you can be. Remember the auditor is not out to get you; they are merely doing their job. They want the same as you an ISO 9001 certified organization that is effective, efficient and has a high standard of work.
6/ Finally and this is key, Don’t hide things! The auditor is likely to request numerous records and information. This will include evidence tracking your deployment of the 9001 standard. If possible, prepare and have this evidence available in advance of the audit so there are no last-minute snags.
Maintaining Your ISO 9001 Certification
Chances are if you’re looking to certify against ISO 9001, then you’re more than likely going to have a succession of audits. As we explained earlier, certification lasts three years, so once you’ve achieved it your next certification audit is three years away. At which point you will need a further external audit to enable you to renew your ISO 9001 certification.
There are usually annual maintenance audits on top of this with your external auditor.
Obviously, if you’ve kept a close eye on your QMS and kept a tight ship in terms of ensuring you maintain your organization is meeting the ISO standard, then you’ve nothing to worry about.
Alas, some businesses take their eye off the ball and slacken off after achieving certification and find that they have a mountain to climb three years later when they need to recertify.
So how do you ensure that doesn’t happen to you? Well:
- Hold regular internal audits
- Conduct training
- Close any deviations or non-conformances that you find
- Maintain ownership and clear actions
- Communicate well to the organization
- Find ways to get buy-in and involve all relevant functions in your organization.
The best thing is to implement an effective and robust QMS in the first place (and follow it). If you do, then your business should find maintaining ISO 9001 certification far easier in the long run.
Failing ISO certification
Remember it is possible to fail certification. If the auditor finds evidence (typically a major issue) that leads to failure, it is not the end of the world.
Think of it that it means improvements are required. There can be a range of snags that could lead to failure; for example, perhaps you have failed to mitigate risk, document control is poor, action plans have not been evidenced.
Whatever the issue, dust yourself down, review the auditor’s recommendations and endeavor to put right what’s been found. Once corrected, follow several rounds of internal audit to help ensure rectification has taken place and that any new processes have been proven before attempting certification again.
We hope you found this how-to guide on ISO 9001 Audit useful and informative. If you’ve started your journey on 9001 certification and have questions to ask or tips to share, we’d love to hear from you in the comments section below.