Preparing for Your ISO Certification Audit – Tips From the Experts

Why Outsource Your Internal Audits

Tips From SimpleQuE’s Experts on Preparing for Your ISO Certification Audit

The consultants and auditors at simpleQuE have performed thousands of audits (including 2nd and 3rd party) and have prepared companies across a broad spectrum of industries for successful ISO, AS (aerospace) and IATF (automotive) certifications. This article consolidates the collective knowledge and practical tips from our auditors to help you understand the process and prepare your organization for a Certification Body (CB) audit.

What is a Certification Body?

A CB is accredited to audit and issue certifications: it provides organizations a resource for management system certification by evaluating policies and procedures to verify implementation and effectiveness against the specific requirements of the standard. 

Selecting the right Certification Body

Select a Certification Body (CB) that will conduct the assessments and ultimately issue your ISO 9001 (or other) certificate for which they are accredited. This should be done while you are working on the implementation of your quality management system (QMS). Don’t wait until the last minute, as CB’s have a lead time to be able to plan and schedule your audit. The more lead time you can give your CB the better for everyone. Setting the audit date draws a line in the sand internally for completion of the QMS.

We recommend you select one through properly accredited channels through the International Accreditation Forum. You may want to read simpleQuE’s Blog – The Number 1 Question to Ask When Selecting a Certification Body. In the US, you can find ANAB-accredited CB’s, including contact information and links to those who can issue certifications. Next in the selection process is to:

  • Request quotes or submit an application for pricing. Most certification bodies have quote requests or applications online that you can populate and submit. Reach out to the certification body by phone and get help completing the quote request if anything is not clear.
  • Agree upon the scope of what will be certified, any boundaries, and what may not be applicable.
  • Select the CB and sign a contract so they can get you scheduled and the process started.

Assessment by your CB consists of a series of audits:

  • Document review (sometimes combined with Stage 1)
  • Initial certification audit – Stage 1
    • Confirm that organization is ready (or not) for a full Certification Audit. Typically 30-60 days prior to the Stage 2 Certification Audit.
    • Verifies required documentation exists, certain requirements have been met such as a full internal audit completed, a management review completed, and risks considered.
    • Verifies processes have been established and is appropriate for the scope of certification, and that appropriate monitoring and measuring of processes are in place with appropriate objectives.
    • Plans the Certification Audit based on information and data gathered
  • Certification audit – Stage 2
    • A full QMS or EMS audit. Confirms that the management system fully conforms to the requirements of the standard.
    • Certification is issued upon successful completion of Stage 2 assessment and closure of any findings.
  • Surveillance audit
    • Certification is maintained through a series of annual surveillance audits (sometimes semi-annual). Every third year a full recertification audit is performed and a new certificate issued.

The next step is to become familiar with the specific requirements of the CB and implement them. For example:

  • Every CB has a rescheduling or cancellation policy for changing planned dates. As long as you give enough notice, dates may be changed without financial penalty.
  • reporting any significant changes to the company or your QMS
  • reporting the number of employees at each site, on each shift, permanent and temporary, shifts and shift times
  • reporting the number of buildings, sites, and remote locations that will be included in the QMS
  • reporting if there are any areas of the organization that are proprietary, confidential or require special government clearances
  • reporting if any safety equipment is required for the auditor

There are two stages for the audit. For all of the audits, you will be assessed on your conformance to:

  • the ISO or other standard you want to attain,
  • your Quality Management System,
  • statutory, legal, government regulations if required,
  • any customer requirements,
  • the requirements of the Certification Body (CB). See their contract and any supplemental documents.

Prepare your company’s personnel for the audits. They should know what to expect, and what questions might be asked. It is important that everyone knows how to conduct themselves during the audit and answers questions truthfully, but cautiously to an outside auditor to make sure they don’t talk too much.

There may be a document review (also known as a documentation audit) prior to any on-site certification visit by the CB. Some CB’s do this during the first on-site visit (Stage 1 audit). See below for the content of this document review.

Stage 1 Audit

During the Stage 1 assessment, the auditor will review documents, records, policies, and may interview employees as he/she walks around the facilities to become familiar with your processes and help make preparations for the certification assessment (Stage 2 audit). The Stage 1 is to evaluate whether you are ready to proceed to the Stage 2 assessment. Items covered during the Stage 1 are:

  • Plant tour
  • Verification of employee counts, shifts, support sites, supporting functions (on-site and remote), and design responsibility
  • The scope statement will be reviewed and agreed upon, and needs to be documented
  • as agreed upon somewhere in your QMS documentation (typically the quality manual
  • A completed internal audit covering all elements of ISO 9001, and have an annual
  • schedule of the internal audits for the next 12 months.

NOTE: Some companies will hire a consultant to perform a full internal audit as an outside set of eyes to ensure the company is ready and prepared for the certification body audit. All CBs offer a practice or preassessment audit as an optional service, but their auditors are not allowed to consult and that auditor can’t participate in your certification audit. You also cannot use the CB’s practice or pre-assessment audit as your internal audit, only the consultant’s or your internally conducted audit can count toward your internal audit.

Knowledge. Expertise. Experience.

Outsource Your Internal Audits

Consulting Services For ISO, IATF, AS, and more
  • You will also need to have completed a management review according to clause 9.3,
  • with appropriate records and action items. Best practice is to utilize and take credit for
  • existing management meetings that cover some of the topics in 9.3, as long as there are meeting minutes with action items. Then conduct an annual meeting to cover topics in 9.3 that aren’t covered in the ongoing management meetings. Through the course of 1 year, you will need to demonstrate that every topic in 9.1 is covered at least once through the year.
  • Document review (sometimes done offsite in advance of the Stage 1) to make sure you have processes identified, necessary documentation in place, and a quality policy. If you have a quality manual, it is part of this review, along with any procedures.
  • Evaluate core processes the company has defined, so the auditor can use this to prepare and plan for the Stage 2 audit using your defined core processes.
  • Performance monitoring and data analysis. The auditor wants to see how the QMS is
  • performing, including customer feedback. This information is also used in planning and preparing the audit schedule for the Stage 2 audit. Bad performance or negative trends will drive increased scrutiny during the audit to evaluate where the QMS may be breaking down.
  • The corrective action log will be evaluated to see that internal audit findings generated CARS and that customer rejects are also recorded. The auditor may also use this information to identify part numbers or production lines for audit trails due to bad performance.
  • Any extra time the auditor has will be spent auditing and identifying any glaring areas of concern. This is good since the auditor will not technically write any findings and will help
  • identify areas that need to be addressed prior to the Stage 2 certification audit. You can also learn about the auditor’s pet peeves and target areas for the next audit.
  • Any issues identified are expected to be addressed prior to the Stage 2 audit. If not, they will become audit findings at the Stage 2 audit.

Stage 2 Audit

There is typically 1 to 90 days separation between the Stage 1 and 2 audits, which will be agreed upon between you and the CB. If working with a consultant, the CB is more flexible to decrease the time between Stage 1 and 2 audits to a minimum, knowing that there is a risk of findings should anything be found during the Stage 1 that should be fixed prior to the Stage 2. The risk is doing so poorly during the stage 1, that the stage 2 must be delayed, or the stage 1 repeated. With reduced timing between the Stage 1 and 2 audits, there is increased risk of financial penalty for cancelling an audit on short notice.

The purpose of the Stage 2 audit is to systemically go through all of the processes and quality management system to ensure compliance with ISO 9001. Emphasis is placed on looking at objective evidence to demonstrate compliance, and to show the QMS is working as intended.

What to do if there are findings

Any violations will generate an audit finding or nonconformance. Audit findings will be classified as major or minor depending upon the severity and impact to the QMS or customer. Each CB auditor will explain the criteria for major versus minor. All findings have a timeline to be closed out with the CB, and depending upon the severity of findings and quantity of findings, the CB may have to return to close out the findings.

With only minor findings, it is common to provide the root causes and corrective action plans with timetables, along with some evidence of progress toward completing corrective actions.

With this information, the CB auditor can typically close the findings remotely and follow up the next year when they return to re-audit the QMS. Some CB’s and auditors may require all action items completed to fully close findings.

For any findings or nonconformances, be sure to discuss with the CB auditor to ensure you understand and agree. If you need others to get involved or more time to research the issue, let the auditor know you are still trying to provide objective evidence to overturn the finding.

By the end of the audit, all findings will be known. Each finding will require an internal corrective action with root cause analysis and corrective action plans. These will need to be communicated with the CB auditor per their timeline (typically 30 -60 days) to get agreement on the corrective action plans. With evidence of corrective actions being taken, the CB auditor can close the findings. When all findings are closed, the CB auditor submits his/her closure evidence to the CB office, who will review all the activities and grant certification and send the ISO certificate (typically hard and digital copy).

Congratulations, you passed and achieved certification!

Celebrate by recognizing the ISO 9001 implantation team. Tell the world that you’re certified. Post the information on your website. Consider a press release or other marketing methods to promote this recognized achievement with current and potential customers.

How long is the ISO certification valid?

The ISO 9001 certificate will be valid for 3 years. This initial certification (Stage 1 and 2) is the longest duration, evaluating the entire quality management system. Annually, the CB will return to perform surveillance audits to test and see that the QMS is being maintained. These are shorter duration audits, only sampling some of the core processes and QMS elements. Every 3 years a recertification audit occurs, covering the full QMS and allowing a reissue of the certificate for another 3 years. The frequency and duration of CB audits is dependent on changes to the organization or number of employees, or other significant changes to the business. A poor stage 2 audit may also dictate the need for more frequent audits than annually.

Don’t forget that once you attain that certification, it also requires maintenance. Learn more about Maintaining ISO Certification and an Effective and Sustainable QMS.

SimpleQuE is a leader in AS, IATF® and ISO consultingauditing and training.  Whether you are just beginning the certification process or looking for a partner for ongoing maintenance and internal audits, simpleQuE makes the process easier and more efficient. Contact us for a consult and see the difference that simpleQuE can bring to your quality management process.

Learn More About The simpleQuE Advantage

The simpleQuE Advantage Begins Here! Contact Us Today