Looking to become certified to ISO 9001? Not sure what to expect from the process, and from ISO Audits? It’s a good idea to prepare yourself and your organization for what to expect from an auditor, what is needed from you, and what will happen at each stage of the certification process to have a smooth and stress-free experience. In this article, we will briefly explain the different types of audits an organization can expect to go through when seeking their first certification to ISO 9001 and subsequent audit cycles once you are certified.
If you have never been certified to ISO 9001 before, you should expect a long road ahead of you. The first step to certification is implementation. This can be done in house with your own people, or with a consultant. Learn more about how to implement ISO 9001 and what to expect [LINK]. It may take your organization a few months to fully implement your Quality Management System and have it effective and ready for a certification audit. While the standard is generic and concise, it can be quite overwhelming, so ensure you are asking questions and reaching out to professionals at every step.
One specific requirement of the standard is Internal Audits, that is the act of evaluating your own processes internally and recording evidence to report to your management, company and certification auditors.
Internal audits are self-examination done by the company itself at least once per calendar year. They are performed on-site and are useful in determining conformity, effectiveness, and opportunities for improvement. By going through internal auditing your organization will be able to compare your quality management system to the required standard(s) and prepare for the certification audit. There are no “stakes” with an internal audit, they are completed to meet a requirement of the standard and serve as a learning opportunity for your organization. It is during this process that you want to find as much as you can so you know what your certification auditor will see and so that you can be prepared with ways to improve. Your certification auditor, or external auditor, holds a lot more power in a sense because this is the person who is a representative of your certification body and will determine if you achieve third-party certification to ISO 9001.
An external audit is performed by a third-party auditor associated with your hired Certification Body. The external auditor will conduct a certification audit or surveillance audit at least once during each calendar year to determine if your organization should be recommended for ISO certification or continue to hold your current certificate. An external auditor must perform audits based on a set of rules from their own ISO Standard for auditing best practices and must obtain strict qualifications set by the certification bodies. Auditors must also be selected by a certification body with consideration to the organization’s industry, the auditor’s understanding of their industry and the specific industry codes the auditor must hold to conduct the audit.
An external audit scope may include any number of processes, and the scope will be detailed to you ahead of time in an audit plan so you and your people can be prepared and present. In the 3-year cycle of certification, each process must be audited during the initial certification or recertification audit and at least once per the 2-year surveillance cycle to evaluate effectiveness.
Let’s go deeper into the different audits involved in obtaining and maintaining an ISO Certification:
A certification audit is conducted once every 3 years to verify the effectiveness of the whole QMS against the ISO 9001 standard. A third-party certification audit is conducted by an IAF-MLA signatory member Certification Body accredited to ISO 17021 – the standard for Management Systems Certification Bodies. The certification audit is broken down into 2 stages, a stage 1 audit and a stage 2 audit:
Certification audits consist of two stages
STAGE ONE audit is used to determine if your company is ready for stage two. A certification body will detail the minimum requirements your organization must meet to ensure you’re ready for a stage 2 audit, going through your documentation and comparing it to the requirements of the standard to assess compliance and readiness for an audit. It is best to be sure your organization is ready because, during a stage 2 audit, your certification body can raise non-conformities and other issues with your system that may require the auditor to return to audit your system, resulting in additional costs.
STAGE TWO is an on-site audit where a third-party auditor will review your documents, your processes, interview your employees and review your operations to determine compliance with the ISO 9001 standard. Your Certification Body will submit an audit plan ahead of the arrival of your auditor to allow you to prepare your documents, schedule the availability of relevant employees and allow for any necessary preparations. If your organization has more than one shift, the audit will be planned accordingly to sample as much evidence from each shift as needed to prove compliance. During the audit, you can expect the auditor or audit team (depending on the size of your organization) to hold an opening meeting which will detail their audit plan and schedule, after which the audit will begin. The scope and timeframe of the audit are dictated by ISO 17021. Certification Bodies cannot change the number of days the audit needs to be on-site, that is a predetermined guideline which is based on the number of employees at your organization and the level of risk associated with your QMS. Be upfront about how many employees you have, full-time, part-time and contract employees. If this number changes, inform your certification body as this may change your audit schedule.
In the 3-year cycle of an ISO Certificate, you will receive 2 surveillance audits, once each calendar year after your certification audit the first year of your cycle. Once you receive your ISO certification, the next 2 years will include smaller surveillance audits, with the auditor only auditing select processes and departments. The length and duration of these audits are again dictated by ISO 17021. Between the time of your certification audit and your surveillance audit, you will need to ensure you are continuing to meet the requirements of ISO 9001, for example holding internal audits, management review meetings, etc. within the timeframes dictated by the standard. You will also need to continue upholding the internal requirements your organization has documented as part of your QMS, i.e., hiring processes, performance reviews, etc. Failure to meet the requirements of your own system or the standard will result in non-conformances being raised during your external audit.
As mentioned in this article, failure to meet the requirements of ISO 9001 will result in a non-conformity which must be addressed and resolved via corrective action within a certain timeframe before your organization can be granted certification. The timeframe given for resolution is dependent on the severity of the non-conformance. Non-conformances can be Major, Minor, or an Opportunity for Improvement.
The road to Certification for ISO 9001 can seem long and daunting, but the payoff is well worth it. Setting your business up for long term success by utilizing ISO 9001 and the world’s leading quality management system to effectively and efficiently run your business is just good business. Ensuring your organization has rules and processes in place that ensure you produce exactly what you say you will make good business sense. Having a third-party come in to verify this once a year holds you and your staff accountable to your rules and processes as well as the standard. Holding an accredited ISO 9001 certificate is outward proof to your customers that you hold their values and hopes for the quality of your products and services to the highest standard, the ISO Standard. Being ISO 9001 certified proves to your customers, your suppliers and your stakeholders that you care about the quality and consistency of your work above anything else, and you care about the longevity of your business practices. It may seem like a long road when you first embark on it, but the hardest step is always the first step. Once you have created momentum and movement within your organization of quality first, your organization will see the rewards that certification brings.
To the novice quality manager, ISO jargon can be extremely overwhelming. What is an NCR? What do you mean by OFI? Are we certified or accredited? But before you go and pull out your hair, let’s take a moment to go over some of the most frequently used terms and their definitions with regards to ISO and Management System Certification.