Audits, specifically those done to prove compliance with an ISO standard, are on-site verifications which include inspections and thorough examinations of your organization’s systems that verify their compliance with a certain ISO standard. This is done to ensure sufficient compliance with the requirements of the management system(s) and to track and improve the efficiency of your operational processes. There are various types of audits depending on what they are meant to audit or who your auditors are, each with their own range of unique benefits. We will talk about the different types of audits you will experience in each cycle of your certification, some of the requirements of each type of audit, their purpose and goals, how they will help you as an organization, and the overall importance of auditing to the growth of your company.
Types of Audits
The classification of audit types is based primarily on the relationships between the participants and the examiners. ISO audits have 2 main types, Internal and External Audits.
These are performed by internal auditors who are employed by the organization being audited and are also known as first-party audits. They’re performed within a company to verify the efficiency of their own adopted procedures and check for conformance to international standards and possible shortcomings. An internal auditor typically has a working knowledge of your organization and knows “what makes your company tick”. Internal audits are meant to dive deeply into your processes and uncover anything and everything that could or might be a non-conformance to the External Auditor. It is during Internal Audits that you want to find, report, and later act on these findings to help improve your organization.
When conducted by an audit team comprising of employees from a different department, you can maintain impartiality and ensure less conflict of personal interest. If provided with the appropriate training, these teams of internal auditors can offer objective insight with the added advantage of knowing the context of the organization inside out by virtue of working there and offering more specific feedback in view of it.
Internal audits allow you to inspect your company and ensure compliance with laws and regulations in a more casual environment with lower stakes. Because the internal auditor is typical a colleague, you should feel much more at ease when the auditor is around. The Internal Auditor is your friend! As with any audit, you do not want to hide information or mislead the auditor to make the audit go by quicker; you should view these audits as an opportunity to learn and grow from shortcomings and prove to your external auditor that you are working towards constant improvement. They operate as an essential tool in preparing you for your next external audit.
Most international standards include internal audits as an important part of the ongoing process towards continual improvement for an organization because they allow you the opportunity to constantly monitor and review the efficiency of your processes. Internal Audits give your organization an opportunity to identify potential risks and gaps in your system and design corrective actions before they start costing the company. They also help you track and document changes that are important to present to external auditors when seeking certification.
Internal Audits are typically held at least once per year and before external auditors are brought in. Internal audit findings will not put your certification in jeopardy and help to prove to the external or third-party auditor of your compliance with the standard.
Also called “third-party” audits, external audits are performed by impartial auditors and can be called objective assessments of company procedures and provide transparency and confidence to interested parties that your organization is truly running an effective and compliant management system. Objective assessments and their feedback allow these interested parties to be better informed about your organization. With most ISO standards, you are not required to disclose audit results, but if you receive favorable feedback from your audits, you may be inclined to promote that with permission.
External Auditors are typically contracted by your accredited Certification Body and assigned to audit your processes during your 3-year certification cycle. The auditor will come to your site for a set period to prove compliance with an ISO Standard resulting in the certification approval or approval pending corrective action. It is important to note that external, or third-party, audit length is determined based on requirements published by the International Accreditation Forum (IAF) that apply to all accredited Certification Bodies.
Corrective actions must be taken if the external auditor finds a non-conformance in your system that will be detailed in their closing meeting with you and in their report. External Audits are necessary if you wish to hold an accredited ISO Certification, and are a great way to help your organization with impartial evaluation and reports, international certification and recognition.
Audits are a stressful time for most organizations. They can be seen by employees as head office spying on them and they may feel their jobs are at risk. It’s important to explain the role of audits for the greater good of the organization and to reassure your people that this is meant to show how the company can improve, and not an opportunity to point fingers and blame.
Internal audits should be a chance for employees to speak up, have their voices heard and shed light on aspects of their processes that could be improved. The internal auditor should be someone who understands your organization but can remain objective. It is during the internal audit that your organization wants to find areas for improvement, so don’t hide things or avoid things to make your job easier.
External audits are typically stressful because there is a lot more at “stake”. Don’t worry, the auditor does not want to take away your certification, they want to prove why you should achieve it. An external audit cycle is 3-years with Year 1 granting certification and Years 2 and 3 providing surveillance to ensure your certification can be maintained. External audits are typically more formal but should still be viewed as a learning and growth opportunity. Do not hide or avoid topics with your auditor and be sure you are prepared to report on the findings from your internal audit and how you are making the changes and improvements from those audits. Third-party audits should add value to your organization, and provide a chance to demonstrate you are running an effective and successful business.
What to Do If you Feel Your Audits or Certification Isn’t Effective
If you feel your audits are not adding value to your organization, before you drop your certification, consider if your audits are effective. You may want to bring in a consultant or expert to help your organization truly understand just how helpful ISO Certification is and how important audits are to the continual improvement of your organization.
If you are unhappy with your current audits or auditor, do not feel trapped. Talk to your Certification Body, they should be more than willing to accommodate an auditor change depending on your location, auditor availability and certification cycle. Consider the cost-benefit here. If you are not seeing the value of audits with your current auditor, a slight change in cost for a new one who might have a higher travel cost may be more cost-effective for your organization than simply accepting a lower quality audit. If your CB will not accommodate your change request, know that you are never obligated to remain with a CB. You may want to consider transferring your certificate and understand the cost-benefit from transfer fees to better service or higher satisfaction. When searching for a new CB, express your current troubles and expect an answer for how this new CB will rectify the issues.
To the novice quality manager, ISO jargon can be extremely overwhelming. What is an NCR? What do you mean by OFI? Are we certified or accredited? But before you go and pull out your hair, let’s take a moment to go over some of the most frequently used terms and their definitions with regards to ISO and Management System Certification.