For a startup organization, the first ISO audit of your processes can be a potential horror story since that would be the first time they have to successfully defend their business activities before a specialized professional team. 

Mr. Verma is an experienced manager in the software industry. So far, he has been audited 5 times with regards to the ISO Certification process. He has never had an incident where the auditor reported a major non confirmation issue.

How did he manage this impressive record?

It isn’t a secret. The simple explanation is that Mr. Verma’s company has implemented a tight, strict control over all their documents and data. This leads to an efficient control over all their processes. 

The data was logically arranged, the processes are organized and implemented properly. They split their quality system process into small manageable blocks and ensured the process is aligned to the required standards. 

Generally, the best process is the shortest distance between two points. If the objectives and the process plans are clearly communicated and the employees are properly trained to implement it, you gradually relieve yourself of the fear of such audits.

Let us go through this process in a clear and simple manner.

What is an ISO Audit?

ISO Auditing is defined as the official verification of a particular company’s activities. This mainly includes (but not limited to) the inspection of a process so that it complies with the given ISO requirements. 

Such verifications/audits can cover the entire company or focus specifically towards a particular process or activity in that company. Examples of such specific audits include auditing documents, risk etc.

ISO 19011:2018

ISO 19011:2018 clearly defines an audit as “a systematic, independent & documented process for obtaining audit evidence (such as records, statements of fact and other data which are relevant and verifiable) and thereafter evaluating it objectively to determine the extent to which the audit criteria (this includes a set of policies and procedures) are fulfilled”.

Once your organization decides to undergo the ISO certification process, a Certification Audit is the first step. The Certification Audit consists of Stage 1 and Stage 2. Both these stages are different from each other. The purpose, duration, the data collected and reviewed, location etc are the main factors that differentiate the two stages. 

We will explain the two stages below so that you get an idea of the two and how it affects your certification process.

Stage 1 Audit

Stage 1 Audit can be termed as a ‘readiness review’ stage. The auditor mainly checks your documents to confirm whether you have clear and definite Standard Operating Procedures (SOPs) written down.

Below is a step-by-step walk through on what happens in a Stage 1 Audit process:

1. The auditor will go through your management system’s documentation
2. He will evaluate the company’s location and site-specific conditions. 
3. The auditor will identify the key performance aspects (KPIs), processes, objectives and operation of the management system. He will also check your understanding of these documents and the subsequent standards set up in your plan. 
4. The auditor will collect all the necessary information and documents regarding the scope of the management system, the processes and location of the client along with the related statutory, regulatory aspects and compliance. Examples include quality, associated risks, legal aspects etc. 
5. He will now review the resources allocated for Stage 2 Audit and reach an agreement with the company/client on the details of Stage 2 Audit. 

Finally, the auditor will evaluate and decide if the client is ready for Stage 2. 

Stage 1 Audit is generally carried out at the company’s premises. 

To sum up the above, Stage 1 Audit revolves around documentation status, scope accuracy, locations etc along with analyzing how ready the organization is to move to the Stage 2 Audit within the scheduled time frame.

Stage 2 Audit

Stage 2 Audit focuses on the implementation of the factors checked during Stage 1 Audit. 

This stage is more of an operational audit where the auditor checks how the stated processes (that were documented & checked in stage 1) are put into action. The auditors will step into the field (on-site) and literally observe and analyze the planned design in action. They then gauge the effectiveness of the implementation and how well it aligns with the company’s designs and documents. 

In short, the auditors are actually looking at whether the system in place is able to achieve what it had planned to achieve (in the documented format). 

Internal audits are conducted to determine if the Quality Management System conforms to the planned arrangements to the requirements of the international standard and also the quality management system stated by the organization. The auditor then concludes whether these are effectively implemented and maintained. 

In layman’s terms, auditors first review the documentation (during Stage 1) and then visit the site (stage 2) to see if the standards set are being followed and happening as planned. That’s all. 

It is also important to note here that these two stages (Stage 1 & Stage 2 Audit) will repeat itself during the ‘intent’, ‘compliance’ and ‘improvement’ stages too (we will be explaining these later on in this blog).

Why should we do an ISO Audit?

There are many reasons why an organization should do an audit. Some of the most important reasons are given below:

1. Meet Customer Requirements

Many companies decide to get ISO 9001 certified for the simple fact that many of their customers prefer ISO certified companies. Though this is not an ideal reason to pursue this process, this is undeniably an important reason for more companies getting ISO certified. This can also be termed as a short-sighted or short-term benefit since such companies do not genuinely embrace the ICO vision for continual improvement.

Nevertheless, once you achieve ISO Certification, there is a higher probability to open up new markets that were much harder to penetrate earlier.

2. Quality level is raised for the whole company

After satisfying a Quality Management System Standard, the quality level of the entire organization is raised (including product quality and most processes). This is a significant advantage gained due to the organization’s conformance to the standard requirements.

3. Customer satisfaction is increased (both stated and implied)

ISO audits, besides helping you meet a particular client’s stated requirements, also helps you in satisfying their implied (or unstated) requirements too. This would delight them and ensure a guaranteed rise in customer satisfaction.

4. Business knowledge and awareness is increased

For example, the ISO 9001 standard requires you to describe your processes using clear business metrics. This is designed to manage and control your processes in a more effective manner. Here, the metrics are used to understand, communicate and enhance your system’s performance. Such practices inevitably increase your awareness of your own business activity.

5. Better employee culture

An ISO 9001 Quality Management System will provide your employees with a clear expectation on their objectives and job description. They are also provided with guidelines on how to do their job more efficiently and effectively. The feedback for such performances are also communicated to them. There is no doubt that, gradually, the company culture and employee morale itself rises substantially.

6. Operational consistency

When you increase the control over your processes (which forms the core of an ISO audit process), an organization can decrease its variation. Decreased variation is another way of saying ‘more consistency’. Therefore, ISO audits pave the way for operational consistency.

7. Reduce waste, save money

Poor quality and inefficiency leads to a lot of financial wastage (not to mention the wastage of time too). As you improve your processes, such wastages are restricted and reduced. As mentioned in the previous point, lack of consistency also leads to a lot of wastage. Again, an ISO audit ensures your consistency is increased thereby reducing wastage too.

8. International recognition

This is a privilege that is a given with any ISO audit process.  Once your audit is successful and you are certified, you are now recognized for a world-wide standard for quality. Whether it is an ISO audit in India or elsewhere, you now join a select group of companies that hold this prestigious status.There are a lot of other reasons too for your organization to do such audits and get certified. But the above reasons are more than enough to get a fair idea on why you need an ISO audit.

Types of ISO audits

1. Intent – Certification Audit

Certification audit is the initial stage where the certification auditor will check whether your management systems conform to the set standard requirements. This includes all the documentation involved, the required records, processes etc. For example, for an ISO 9001 certification, the corresponding ISO 9001 auditor goes on to check if the main processes comply as per how it is described in the documentation. Even so, that part will be limited due to the fact that the management system has been in place only for a short duration (weeks to a few months). 

The external Certification Audit justifies the company’s intent towards getting an ISO Certification. The auditor will assess your quality management system (QMS) and determine if you have implemented (along with the relevant documents) all the ISO requirements. 

Based on this conclusion, the auditor will either approve the ISO Certification or recommend remedial/corrective measures. 

Here again, there will be a Stage 1 Audit and a Stage 2 Audit. Stage 1 concentrates on the documentation part while Stage 2 will evaluate the implementation side. 

Certification Audits are generally conducted once every 3 years. 

After the ISO audit certification process, the surveillance audits are conducted periodically to make sure that you are maintaining your ISO requirements. In one sense, surveillance audits are similar to certification audits except Surveillance 1 focuses on your compliance part (with respect to the ISO guidelines). Surveillance 2 focuses on any improvement areas. 

2. Surveillance 1 Audit & Surveillance 2 Audit 

The certification body guarantees that the management system will be in place throughout the validity of the certificate. This means that the body can only periodically check, through an auditor, if the procedures and processes are in place as per the requirements. These are called surveillance visits. They are conducted generally once a year (or two times in a year in some cases).  

The main purpose of surveillance visits is to determine whether the management system is actually working properly on a daily basis. These include checking areas that were not previously checked (during the certification audit), if all corrective measures are implemented, the top management’s willingness and action towards supporting the system etc.  

They also focus on weak issues (ascertained during the certification audit or during the 1st surveillance visit), minor non conformities and also follow up on earlier observations made by the auditor. 

Surveillance audits will focus more on how your processes are being conducted and less on the documents provided.

This is a major reason on why you should focus on your policies with an intention on doing it on a daily basis rather than for the sole purpose of a certification.  

A brief sum-up is given below:

Certification Audit

This is done to make sure that the organization is compliant with the stipulated standard requirements and ready for certification. 

Surveillance 1 

Confirm that changes applied has improved the system.

Surveillance 2

Follow up on any additional observations on the changes in place, confirm that the management is consistently supporting the system and subsequently guide the organization towards achieving a return on investment.  

Whether the certification is for an ISO 27001 audit or ISO 9001, the stages remain the same as given above (though the focus points change).  

3. Non conformities and how to close them

Simply put, a non conformity is the failure to meet a requirement or a procedure. Ideally, one should identify the root cause for this failure, and determine how to eliminate this cause to avoid such nonconformities in future. This corrective action is the solution to prevent such non conformities. 

There are two types of non conformances; major and minor.  A major non conformance is classified in the event of a complete Quality Management System breakdown. Such a breakdown would prevent you from satisfying the ISO 9001 requirements. 

A minor non conformance is an incident that would prevent you from meeting the required ISO requirements but does not create a major consequence. It will not result in total failure or create a major negative impact on your Quality Management System. For example, an employee fails to correctly implement a process.

The organization should also prepare a Non-conformance report which includes the following:

• The process/activity that went wrong that ended up in a Non Conformance Report
• The requirement affected by this non conformance 
• Preventive measures so that it does not happen again in future
• Corrective measures

4. Review of the Corrective measures

ISO standards stipulate that organization should review the corrective measures and assess the effectiveness of the measures. If required, the organization will revise it by updating risks and the opportunities determined during planning. 

This review process has become an important step for organizations after they have prepared the corrective action report. Review reports are done through meetings, observation etc. 

Preventive measures are now called ‘risks and opportunities’. But the idea and concept behind it is the same; risk assessment and solution (depending on how severe it is).  

All these steps should be documented (including the nonconformities, corrective measures, the results etc). 

With the right approach, ISO Certification should be a breeze

To conclude, analyze the worst case scenario mentally and think about the consequences. It is not the end of the world. There are reports that you will receive with recommendations to take corrective measures. You also have the time now to plan and implement those measures. 

Once you go through this mentally, you will feel the fear leaving you or at least it will reduce significantly. It is still uncomfortable, but definitely not panic- worthy anymore. 

While selecting an ISO audit agency, it is important to clearly understand if the consultant’s services are a perfect fit for your objectives. 

If you need strong assistance, guidance and help with this process, why don’t you read more on how we here at CertPro can help you in this regard.

Click ‘here’ now or better, contact us .