The ISO audit process explained

If you’ve thought about getting ISO certified, you’ve probably wondered, ‘What do I need to get prepared?’ Our Lead Auditor explains what’s involved, how you can prepare for each stage, and how to interpret the terminology associated with becoming ISO certified.

Preparing for the auditor

Every client will have a different timeframe for their certification process, depending on what stage they are at with their system development, or how quickly they need to have their Quality, Safety or Environmental Management System certified.

When you’re ready to meet the auditor, you should have the system in place, or at least 90-95 percent of it. Not everyone’s going to have everything fully in place when the system is first implemented. As auditors, we recognise that and work with the client to make sure any gaps are rectified before the following audit.

The first meeting is about ensuring you have an understanding of the system and what you hope to achieve by having the system in place. Clients should also have an understanding of what the standards are, and which standards the company is trying to achieve certification for.

The Stage 1 Audit

The first step is a Stage 1 Audit, where we carry out a high-level overview of the documentation and the system to make sure all the policies and procedures are in place. This is typically before we’ve even been out to the company site, and a lot of the time – particularly these days – this is done virtually, or remotely.

Then there will usually be at least one Management Review meeting on the system. At this stage we also need to see that you have started performing internal audits on the system itself.

For companies that have had the system in place for 12 months or more, we’d expect the full suite of internal audits to be completed. However, a client that has just started their system and only had it running for a couple of months might only have two or three audits done.

This depends on the size of your company and what you’ve had to do to complete internal audits on the system.

At this point, we’ll chat about any gaps that we identify and list them as deficiencies – not nonconformances – which gives the company an opportunity to rectify those things before we set a date to come back for the Stage 2 Audit.

The Stage 2 Audit

This is the main part of the certification audit process, where we will actually come to the client’s premises, visit them on site, or do whatever is required to undertake the full audit.

During the Stage 2 Audit, the Lead Auditor will go through all the documentation and paperwork to look for all the evidence required to meet the standard.

There may still be some gaps identified through this stage, but we work with you to determine whether they are observations, minor nonconformances or major nonconformances.

We take clients on the journey and keep them abreast of everything we’re finding and any areas of concern that we have.

Watch our Lead Auditor explain the process in this webinar.

How long does each stage take?

Depending on the size of the company, Stage 1 usually takes around half a day. We have a half-hour to an hour discussion with the client and some of the key staff and then get stuck into the documentation – which can often be done virtually.

The Lead Auditor will provide a brief report of the findings and then determine whether the client is prepared to go to Stage 2 or if they still have work to do. If that’s the case, we will extend the dates by a couple of weeks or a couple of months to get everything completed before we come back for the Stage 2 audit.

These are discussions we have personally with each client to help set you up for success. We never rush to complete a Stage 2 audit, just to have the company fail. That is a waste of everyone’s time and resources.

A Stage 2 Audit can be anywhere from two to five days – again, depending on the size of the company or their operations. A lot of this time is spent meeting and interviewing staff, as well as going through all the documentation. We’ll always try to minimise staff being disrupted, so a lot of the time we’ll ask for the documents and let you get on with your daily activities. We’re flexible and will work around you as things come up.

If we’re looking for any further evidence or we’re not sure where something is or what the intent of a particular section is, we’ll have those discussions and work with the evidence that is there to make sure you’re trying to meet the intent of the standard.

Our aim is to work together, giving you feedback and updates on how the audit’s going, observing the activities that you undertake and people doing their jobs. Once that evidence is gathered, the Stage 2 Audit is complete.

Understanding the jargon

Confused about the difference between an OFI and NC? Or wondering what to do with a major or minor?

These are terms that will come up during the Stage 2 Audit or further surveillance audits that are done every 12 months.

An OFI is an opportunity for improvement. If you are carrying out an activity in a particular way, your Lead Auditor may have industry experience or an insight into how other companies do it, and will suggest an OFI. This is not to say you have to change it, but it might work better for you. It has no effect on your certification, or chances for certification.

An observation is where a certain part or process needs to be acted upon before it is raised to a minor nonconformance. You’ve got 12 months to examine the observation, make the improvements, or fill the gap that has been identified. An example would be if you do nine parts out of 10 for a meeting, then you’ll have 12 months to rectify that tenth part.

A minor nonconformance has a much shorter timeframe of 90 days to rectify the issue. For example, if you only have seven out of 10 components for a meeting, you’ll have three months to address the missing components. You’ll need to send evidence to your Lead Auditor to say that you rectified it – either through photographs, documents, or other written evidence. We’ll assess the evidence, and then close that minor nonconformance out.

The next level up is a major nonconformance. An example would be that you are required to have a meeting or document a process and you don’t do it. It’s a requirement of the standard that you do it, and you’ll have 30 days to rectify that.

If a client is applying for certification, the certification cannot be issued until any major nonconformances are closed out.

With minor nonconformances or observations, you can still be issued with your certificate.

Generally speaking, major nonconformances are usually only identified in the Stage 1 Audit and are then rectified before the Stage 2 Audit and certification.

However, if it does happen and an issue is only identified in Stage 2 while on site or examining equipment, for example, we’ll make sure you have an understanding of how to rectify the situation in the timeframe provided.

Issuing the certificate

Following the Stage 1 and Stage 2 Audit and any time to rectify nonconformances, once your system has been assessed as meeting the standard, you’ll have a close out meeting with your Lead Auditor, where you will briefly go through a summary of the report. We’ll point out any issues but above all, we’ll celebrate the successes and all positive things we’ve found during the audit.

Digital versions of the certificates and the standards can then be issued, and hard copies provided.

It typically takes one week from the end of the Stage 2 audit to certificates being issued; however, this can be sooner if it is required for tenders or other documentation.

The audit cycle and re-certification

Certification runs on a three-year cycle. After the initial certification audit, we’ll come back in 12 months’ time and do a surveillance audit. The surveillance audit is usually half the time of the initial certification audit. This involves a sample of all the different components of your standard to make sure that everything’s being done, and allows for any minor gaps or issues to be identified.

A second surveillance audit will be held in another 12 months. Following this three-year cycle, in the fourth year, each client will need to be recertified. Your Lead Auditor will complete a re-certification audit, including site visits and a full documentation review.

This is an opportunity to take a fresh look at your system and identify any new gaps that may have emerged as a result of changing processes or growth within your business.

Your certificates will be reissued following the re-certification audit, providing you with up-to-date documentation to confirm your certification is current.

The Southpac Certifications ISO Audit Cycle involves four parts: Certification Audit, Surveillance Audit, and Re-certification Audit.

We’re not the big bad auditors.

Our auditors are flexible, understandable and approachable. That’s why we call it Certification Differently. Contact our team to discuss your individual circumstances and how we can help you achieve certification sooner.