The ISO audit process explained
If you’ve considered getting ISO certified, you’ve probably wondered, ‘What do I need to prepare?’
In this article, our Lead Auditor explains what’s involved, how to prepare for each stage, and how to interpret the terminology associated with becoming ISO-certified.
Preparing for the auditor
Every client is different. Therefore, every client has a different timeframe for their certification process. This may be due to the stage of their system development. Or depending on how quickly they must certify their Quality, Safety or Environmental Management System.
When you’re ready to meet the auditor, you should have the system in place, or at least 90-95 per cent of it. Not everyone will fully have everything in place when the system is implemented. As auditors, we recognise that and work with the client to rectify any gaps before the following audit.
The first meeting is about ensuring you understand the system and what you hope to achieve by having the system in place. We also assist clients in understanding the standards and which standards the company is trying to achieve certification for.
The Stage 1 Audit
The first step is a Stage 1 Audit. This is where we carry out a high-level overview of the documentation and the system to ensure all the policies and procedures are in place. This is usually the first.
Then, there will usually be at least one Management Review meeting on the system. At this stage, we also need to see that you have started performing internal audits on the system.
We’d expect the full suite of internal audits to be completed for companies with the system in place for 12 months or more. However, a client that has just started their system and only had it running for a couple of months might only have two or three audits done.
This depends on the size of your company and what you’ve had to do to complete internal audits on the system.
At this point, we’ll discuss any gaps we identify and list them as deficiencies – not nonconformances. This allows companies to rectify those things before we set a date to come back for the Stage 2 Audit.
The Stage 2 Audit
This is the central part of the certification audit process. This involves visiting the client’s premises or doing whatever is required to undertake the audit.
During the Stage 2 Audit, the Lead Auditor will review all the documentation and paperwork to look for all the evidence required to meet the standard.
There may still be some gaps identified through this stage, but we work with you to determine whether they are observations, minor nonconformances or major nonconformances.
We take clients on the journey and keep them abreast of everything we’re finding and any areas of concern that we have.
Watch our Lead Auditor explain the process in this webinar.
How long does each stage take?
Depending on the size and complexity of the company, Stage 1 usually takes around half a day to a full day. We have up to an hour discussion with the client and some of the key staff and then get stuck into the documentation.
The Lead Auditor will provide a brief report of the findings and then determine whether the client is prepared to go to Stage 2 or if they still have work to do. If that’s the case, we will extend the dates by a couple of weeks or a couple of months to get everything completed before we come back for the Stage 2 audit.
These are discussions we have personally with each client to help set you up for success. We never rush to complete a Stage 2 audit, just to have the company fail. That is a waste of everyone’s time and resources.
A Stage 2 Audit can be anywhere from two to five days – again, depending on the size and complexity of the company or their operations. A lot of this time is spent meeting and interviewing staff, as well as going through all the documentation. We’ll always try to minimise staff being disrupted, so a lot of the time we’ll ask for the documents and let you get on with your daily activities. We’re flexible and will work around you as things come up.
If we’re looking for any further evidence or we’re not sure where something is or what the intent of a particular section is, we’ll have those discussions and work with the evidence that is there to make sure you’re trying to meet the intent of the standard.
Our aim is to work together, giving you feedback and updates on how the audit’s going, observing the activities that you undertake and people doing their jobs. Once that evidence is gathered, the Stage 2 Audit is complete.
Understanding the jargon
Confused about the difference between an OFI and NC? Or wondering what to do with a major or minor?
These are terms that will come up during the Stage 2 Audit or further surveillance audits that are done every 12 months.
An OFI is an opportunity for improvement. If you are carrying out an activity in a particular way, your Lead Auditor may have industry experience or an insight into how other companies do it, and will suggest an OFI. This is not to say you have to change it, but it might work better for you. It has no effect on your certification, or chances for certification.
An observation is where a certain part or process needs to be acted upon before it is raised to a minor nonconformance. You’ve got 12 months to examine the observation, make the improvements, or fill the gap that has been identified. An example would be if you do nine parts out of 10 for a meeting, then you’ll have 12 months to rectify that tenth part.
A minor nonconformance has a much shorter timeframe of 90 days to rectify the issue. For example, if you only have seven out of 10 components for a meeting, you’ll have three months to address the missing components. You’ll need to send evidence to your Lead Auditor to say that you rectified it – either through photographs, documents, or other written evidence. We’ll assess the evidence, and then close that minor nonconformance out.
The next level up is a major nonconformance. An example would be that you are required to have a meeting or document a process and you don’t it. It’s a requirement of the standard that you do it, and you’ll have 30 days to rectify that.
If a client is applying for certification, the certification cannot be issued until any major nonconformances are closed out.
With minor nonconformances or observations, you can still be issued with your certificate.
Generally speaking, major nonconformances are usually only identified in the Stage 1 Audit, which is then rectified before the Stage 2 Audit and certification.
However if it does happen and an issue is only identified in Stage 2 while on site or examining equipment, for example, we’ll make sure you have an understanding of how to rectify the situation in the timeframe provided.
Issuing the certificate
Following the Stage 1 and Stage 2 Audit and any time to rectify nonconformances, once your system has been assessed as meeting the standard, you’ll have a close out meeting with your Lead Auditor, where you will briefly go through a summary of the report. We’ll point out any issues but above all, we’ll celebrate the successes and all positive things we’ve found during the audit.
Digital versions of the certificates and the standards can then be issued, and hard copies provided.
It typically takes one week from the end of the Stage 2 audit to certificates being issued, however this can be sooner if it is required for tenders or other documentation.
The audit cycle and re-certification
Certification runs on a three year cycle. After the initial certification audit, we’ll come back in 12 months time and do a surveillance audit. The surveillance audit is usually half the time of the initial certification audit. This involves a sample of all the different components of your standard to make sure that everything’s being done, and allows for any minor gaps or issues to be identified.
A second surveillance audit will be held in another 12 months. Following this three year cycle, in the fourth year, each client will need to be recertified. Your Lead Auditor will complete a re-certification audit to start the cycle again.
This is an opportunity to take a fresh look at your system and identify any new gaps that may have emerged as a result of changing processes or growth within your business.
Your certificates will be reissued following the re-certification audit, providing you with up-to-date documentation to confirm your certification is current.
