Before beginning our main article topic, I want acknowledge that the EBS Quality Solutions blog was recently selected by Feedspot as one of the Top 25 ISO Blogs! You can access the ISO Blogs list here. We greatly appreciate the recognition from Feedspot and continuing support from all of our readers! Now on to our normal programming.
What Happens After Your ISO Audit?
Now that you have completed your audit, what’s next? If you received less than a perfect score, meaning that the auditor found a couple things and issued some ISO 9001 audit findings (nonconformances), you will need to address these deficiencies before receiving your ISO 9001 certificate. A perfect score (no findings) will result in immediate issuance of your ISO 9001 certificate, usually within a couple of weeks.
Managing ISO 9001 Audit Findings
Alright, so you received one or more nonconformances during your stage one or stage two audit. Relax, it isn’t the end of the world; in fact, this is fairly common with new management system certifications.
Assuming that these are minor findings, you should be able to address them relatively quickly and receive your ISO 9001 certificate within a few weeks. In fact, you have really passed your audit, contingent upon satisfactory action to close out these minor issues. Now, if the findings are significant or cited as major nonconformances, you have a more difficult climb to get that certificate, but it should still be attainable given the right effort and actions.
We are going to assume right now that you effectively implemented your management system and that any audit findings are few and minor in nature. If you did receive major nonconformances, we recommend that you work with your registrar or a qualified ISO 9001 consultant to determine the best course of action going forward towards your ISO certification.
As the auditor closed out the assessment, he or she should have explained the process for responding to any findings sited during the audit. This process always varies a little from registrar to registrar, but the general approach is basically the same. In today’s online world, corrective actions for findings are usually submitted electronically through some type of cloud or website portal established and maintained by the registrar. If you haven’t yet done so, this will require that you establish an online account with login credentials. There may also still be a method for documenting your corrective actions on paper and submitting them via email or fax, but the days of paper submissions are disappearing quickly. Your auditor or registrar contact person can provide additional information about these options. Remember that your auditor is most likely a sub-contractor and has no control or influence over the systems used by the registrar.
Start the corrective action process by entering each nonconformance into your corrective action system. If you are using one of the ISO 9001 software applications, this might be your general corrective action module or some applications have separate corrective action modules for audit findings. Be sure to enter or create a separate corrective action for each finding and assign the appropriate responsibility for completing the root cause analysis and corrective action activities. Make sure that those assigned to the action are aware of the significance and urgency of the tasks to be completed. Given the importance of these corrections, it might be wise to take a team approach when completing the corrective action tasks.
Follow your corrective action process to complete root cause analysis and define a corrective action plan to address each audit finding. The initial submission to the registrar will most likely include the results of your root cause analysis and proposed corrective action plan for each finding. This initial submission is generally required within thirty days from the audit date. Often, assuming truly minor issues and a thorough analysis and plan, this submission is enough to satisfy the auditor and release their recommendation for certification to the registrar. If the auditor isn’t completely satisfied with your response, they will request additional effort or information and an updated submission.
Registrars will expect follow up submissions providing objective evidence that the corrective actions have been implemented (60 days) and verification that the corrective actions have been closed (90 days). For significant or major findings, there is a good possibility that the auditor will want to pay another visit to your facility to review and verify corrective actions before recommending your organization for certification. The cost of this additional visit will be your burden.
Disputed Audit Findings
If you feel that one or more nonconformances cited by the auditor is incorrect and your management system was in compliance, all registrars have an established process for resolving disputes. This usually involves some type of review board who will consider the finding along the evidence you provided during the audit to determine whether the nonconformance was valid. Contact your registrar to learn about their dispute resolution process and how to initiate the process, if needed. This process may take at least several weeks to complete and significantly delay receipt of your certificate. Be reasonably sure that the dispute has merit and that it is worth the fight. You may find that it is easier and quicker to just correct the issue and move on. You may also want to get a second opinion from an external ISO 9001 consultant prior to initiating a dispute.
While we have never experienced this type of situation, we have heard horror stories of auditors who have been belligerent, disrespectful, and/or extremely unprofessional during a certification audit. Please remember that during any audit, you are always in control and the auditor is a guest within your organization. At any time in which your feel a situation between your staff and the auditor is becoming extremely confrontational and out of control, you can end the audit and request that the auditor leave the premises immediately. After they have left the building, contact your registrar immediately to explain the situation and discuss a path forward towards certification, preferably with another auditor. On the flip side, if the auditor feels threatened or unsafe, they have the right to remove themselves from the situation and leave the building at any time also. The best situation is when both sides remain calm and civilized during the audit, no matter what the situation.
We have seen situations where there is just a bad mix between the auditor and organizational staff. If after you complete your certification audit you feel that the chemistry between your organization and the auditor is intolerable, you have the right to request a new auditor going forward. This might be due to any number of reasons from unprofessional behavior, poor audit process or technique, unacceptable audit findings, etc.
We’ve seen clients that request a new auditor only to get someone who is even worse in some way. Be careful what you ask for, you might get it. On the other hand, you paid good money and put forth significant effort and resources for this certification and you should demand a reasonable level of excellence from your registrar and associated auditors.
This is the most rewarding paragraph I’ve written in this article series. Once you implement acceptable corrective actions for any ISO 9001 audit findings and provide the auditor with supporting evidence of the corrective actions, your auditor will recommend your organization for ISO 9001 certification. Your registrar will complete their internal reviews of the audit results, and if everything is acceptable, they will issue your ISO 9001 certificate. This process usually takes a couple of weeks and you will generally receive your certificate electronically in PDF format unless other arrangements have been made.
Your certificate should be valid for three years, assuming that you successfully maintain the management system and complete your annual surveillance audits. Please don’t be like many organizations we have seen over the years that ignore their management system for months, then two weeks before an audit, rush through to update records and sweep everything under the rug. There is no value in this approach and it will catch up to you sooner or later. Maintain, utilize, and constantly improve your management system on a daily basis and it will return the investment in time and resources through improved performance and effectiveness at all levels of the organization.
Congratulations on successfully developing, implementing, and gaining certification for your ISO 9001 management system. Take some time to celebrate your achievements with your staff and employees. Also, make sure to let the world know about your new ISO certification. However, also remember that you are still a rookie at this ISO 9001 stuff and that your management system is extremely immature. The best companies know that the pursuit of excellence is never ending and that there is always room for improvement and growth.