ISO 9001 Certification Audit
Wow, you’ve finally arrived at your ISO 9001 certification audit. While there will be some nerves and anxiety, if you have done all the work to develop and implement your management system in a manner that best suits your organization and have not taken any shortcuts, then your assessment should be fairly uneventful. Be sure to complete any needed preparation and training activities prior to the audit to further ensure success.
Stage 1 ISO Audit
Stage One Background
The initial stage one assessment is just to verify that your management system has been effectively developed and implemented. The auditor will generally be reviewing your process documentation (policies, procedures, forms, etc.) which should clearly demonstrate that your management system appropriately addresses the ISO 9001 clauses and requirements.
Just to give you a little history, back in the day, registrars would only schedule a single assessment, assuming that the management system was fully and appropriately established. Auditors would show up on site to complete a three- or four-day assessment only to find that the management system was far from ready. The audit would need to be postponed until a later date when the organization was truly ready, wasting the auditors’ time and leaving them and the registrar unpaid and with an empty calendar for the three or four days. So now registrars complete this stage one assessment to verify that the management system and organization are ready for the full system audit.
We have seen some registrars that allow this assessment to be completed through a remote desk audit of the organization’s documentation; however, most reputable registrars now insist on an actual site assessment allowing the auditor to put eyes on the facility and interact with personnel as needed. This is needed even more when organizations choose to operate with minimal process documentation as allowed by more recent versions of the ISO 9001 standard. When this is the case, the auditor must now determine system readiness through observation of the processes and interviews with personnel. In most cases, this initial assessment will take one day with a single auditor.
Note that before the ISO 9001 audit was split into two separate assessments, organizations with new management systems would often elect to pay for and complete a “pre-assessment” to verify that their system was properly implemented and ready for the certification audit. The stage one assessment has essentially replaced the pre-assessment, so there really is no need to add this additional cost and hassle to your ISO 9001 journey. If registrars or auditors try to sell you pre-assessment services, we recommend that you pass and allow the stage one assessment to fulfill the pre-assessment exercise. If they hard sell this service, you might rethink using that registrar.
If your processes are well developed and documented, stage one auditors will probably spend most of the day in your conference room reading through process documentation. They will also want to discuss processes with process owners throughout the day. The focus of this assessment is to verify that the management system has been adequately established and is ready for the stage two assessment. The auditor will not be assessing whether the system is compliant to your processes or the standard through review of objective evidence (process records).
You will be assigned an auditor by the registrar based on their industry experience and knowledge, ISO standard, geographic location, availability, and other pertinent factors. You can certainly request resumes or bios for all available auditors that fit your criteria and narrow that to a list of preferred auditors but this might also impact availability and lengthen your certification process. You can also request a phone interview with some of the auditors, but in the end it is extremely difficult to vet these auditors based on the limited information available. We recommend that you allow the registrar to identify the best auditor, obtain their bio for review and your records, and evaluate the auditor through your initial certification audit.
Most of the auditors we have experienced exhibited professional behavior and have done their job well. We do occasionally see or hear about one that is difficult to work with or is unprofessional in their approach or mannerisms. Just know that auditors are only human and each one will be different. Some of them very different. We have experienced auditors that spend most of their time chit-chatting and little time actually auditing. While some organizations may see this as an easy audit, most of our clients are frustrated with this behavior and feel that their time and money were wasted, and there was no value gained through the exercise. We have also had those auditors that do nothing but nit-pick every little issue and fail to see the bigger picture with the management system and the organization. Again, little or no value gained, and the organization certainly isn’t any better or improved by the assessment. The best auditors see and understand the bigger picture and focus on those elements and issues that will drive significant improvement in the organization. They understand that each company is different and allow for flexibility in how the company implements and satisfies the ISO requirements. They are also business minded and appreciate all the challenges each business faces.
There are also those auditors who want you to develop process maps, turtle diagrams, or other supporting documentation for all of your processes. While these can be beneficial for some organizations, they aren’t required, and the auditor is often pushing them to make his or her job easier. Other auditors will tell you that you must adopt and implement certain methods or tools for various processes. These auditors often come out of specific industries where these methods are common practice; however, that doesn’t make the methods appropriate or required for your organization or management system. An example of this is auditors who prescribe the 8D method for completing corrective actions. This is a good method and you might consider it for your system, but the standard does not require you to adopt and use it. If your established methods satisfy the requirements in the ISO 9001 standard, the auditors have no business telling you how to specifically implement and satisfy the ISO clauses. In fact, auditors are forbidden to provide any type of “consulting” services to the organization. While many auditors will offer suggestions and recommendations based on their experience and knowledge, you in no way must accept or adopt these suggestions.
Many of the ISO 9001 requirements are written in a rather nebulous manner, leaving them open to interpretation. This allows the standard to be flexible and universal for all different industries, cultures, products, services, and environments. The 2015 version of the ISO 9001 standard is less prescriptive than previous versions for many of the requirements, allowing you, the organization, the freedom to determine how to implement the system in a manner that best suits your company, products, services, processes, and people. The downside is that this can result in differences of opinion or even conflict between your organization and the auditor, especially with interpretation of the ISO 9001 requirements.
Stage 2 ISO Audit
So, you survived your stage one audit and are now ready for the stage two assessment. We’ll assume that you have addressed any findings or issues cited by the auditor during the stage one assessment and are now permitted to move forward with stage two.
The next step now would be to schedule your stage two audit. If things went reasonably well during the stage one visit, your auditor may have worked with you to set the stage two dates before he or she even left the building, and if that is the case, no further action is required to schedule the stage two audit. However, if those dates have not yet been established on the calendar, contact your registrar to get the stage two assessment scheduled. You can probably expect those dates to be 30-60 days out.
Stage Two Overview
This audit will be a little more intense and involved compared to the stage one assessment; however, if you have done the work and completed all the necessary preparation, it should go well.
One of the main differences between stage one and stage two is that the auditor will now want to review objective evidence demonstrating compliance to both your established processes and to the ISO 9001 standard. Compliance to the standard should have been verified during stage one with review of your processes. Now auditors want to see if you “walk the walk”. Your management system processes should be generating records (retained documented information) on a continuous basis.
While ISO 9001 does not mandate much in the way of process documentation (procedures, etc.), it does still require a significant number of records to be retained and controlled. It is these records that the auditor will be requesting to verify that your processes, products, and management system are operating in a compliant manner. Just be prepared to provide some form of objective evidence, whether verbal or written, for each of your processes under the quality system.
All auditors will start out the first day of audit (both stage one and stage two) with an opening meeting. It is imperative that the chief executive or top-ranking officer along with the head of quality be present at this meeting. Anyone else is welcome at your discretion. We’ve even seen small companies (10-15 employees) invite the entire organization to be present for this meeting. During the opening meeting, the auditor will generally address the following items:
- Introductions / sign-in (as applicable),
- Audit purpose and objectives,
- Audit scope (standards and areas to be audited),
- Proposed schedule, duration, and requested changes,
- Functions or individuals that will be required during the audit,
- Approach and methods to be used during the audit,
- Definition of nonconformances,
- Confirmation of formal communication channels,
- Rules of conduct,
- Confirmation of closing meeting review,
- Confidentiality as applicable,
- Auditor escorts during the audit,
- Auditor safety,
- Questions / comments.
Many of the auditors we’ve worked with over the years like to get a high-level tour of the facility after the opening meeting and prior to digging into the meat of the audit. It is always great if they can see operations in action during this walk through. Make sure everyone is aware of this activity and all processes are being followed. In most smaller organizations expect this exercise to take around 30 minutes, give or take. During this and any other facility tour:
- Provide a high-level description of each area or process,
- Know that the auditor can interview anyone within the management system scope,
- Don’t open closed doors unless asked,
- Keep the tour moving unless the auditor wants to stop,
- Make sure all areas are clean, organized, and compliant.
These same practices apply to any time the auditor is moving through the facility as part of the audit activities. For manufacturing type organizations, the auditor will take some time to move through production areas to assess operational processes and activities. This includes areas such as engineering, receiving, warehouses, staging, manufacturing / production, QC labs, etc.
Daily Summary / Closing
In most cases, the stage two audit will extend beyond one day. The shortest stage two we have experienced is 1.5 days, and the length will depend on the size of your organization (number of employees). The auditor should take some time at the end of each day to summarize and discuss all nonconformances cited during that day. You are welcome to provide any additional evidence that may have been found which supports process compliance, and in some cases, where the additional evidence is acceptable, the auditor may retract the finding. In some cases, we have even implemented corrective actions for a finding while the auditor was still on site; however, since the nonconformance still existed at the time it was discovered, it remained in the report.
On the final audit day, auditors will often complete audit activities an hour or two before the scheduled audit close to allow time to complete the audit report and prepare for the closing meeting. Some auditors will send an electronic copy of the report to you prior to leaving your facility and request either a written signature or electronic acknowledgement that the audit is complete. As with the opening meeting, the chief executive and head of quality should be present. Include any other staff you feel are pertinent. As the auditor discusses each finding, be sure that you understand and agree with the finding and associated evidence. Continue to question and discuss the issue as needed to gain clarity and agreement.
If nonconformances are cited where agreement cannot be obtained between your organization and the auditor, agree to disagree, accept the finding, and pursue other recourse through the registrar’s escalation and dispute resolution process.
What To Do (Or Not Do) During The Audit
During your ISO 9001 certification audit, make sure employees follow these practices:
- Make a positive first impression with the auditor,
- Remain courteous, prompt, and professional at all times,
- Create a perception of organization and structure (clean / straighten up your area),
- Ensure all materials are properly labeled,
- Ensure all equipment is properly labeled, calibrated, and maintained,
- Don’t leave controlled documentation lying out,
- Make sure all records in use are of the correct revision,
- Answer the auditor’s questions in a polite and professional manner,
- Request clarification if you don’t understand the question or request,
- Don’t offer information beyond what the auditor requests,
- Don’t argue, ramble, or criticize,
- It’s alright to not know the answer to a question,
- If you don’t know the answer, simply say so, and offer to find the answer, or defer to someone who does.
Audit Findings (Nonconformances)
Where records fail to meet established processes or stand up to the ISO 9001 requirements, auditors will again cite nonconformances which will need to be addressed and corrected prior to receipt of your certificate. Your auditor should clearly explain and discuss any potential nonconformance immediately upon discovery and allow you an opportunity to verify the issue and produce evidence to the contrary. If the finding is legitimate, accept it and move on. The auditor will capture all pertinent information to support and document the finding as needed. Remember, it isn’t personal and he or she is just doing the job they were hired to do. We’ll discuss the process for addressing audit nonconformances in a future article.
Unless you are totally negligent with the development and implementation of your management system, you really can’t fail a certification audit. You can certainly receive some minor findings (nonconformances). It is not unusual for most new and immature management systems to receive one or more minor nonconformances during the initial certification audit. This is often due to a minor oversight during implementation or difference in interpretation of requirements between you and the auditor.
Be sure to discuss the finding with the auditor if you aren’t clear on the finding or why it is being cited. Consider each minor nonconformance when they are cited by the auditor to determine if the finding reflects a valid deficiency within the system, and if so, accept it. If you feel that the finding reaches beyond the ISO 9001 standard requirements or that your processes adequately satisfy the requirements, state your case in a calm and professional manner. As is often the case in life and business, you need to carefully pick your battles. If the auditor is insistent that the finding is valid, do a quick cost/benefit analysis in your head and determine if the fight is worth the effort. If the finding can be resolved by a quick process tweak or simple document revision, perhaps it’s best to accept the minor nonconformance and save your fight for a more unacceptable issue or conflict.
Major nonconformances are another story. These are only issued when gross systemic breakdowns exist within the management system or an entire process is omitted from the system. For example, if you totally neglected to implement a corrective action system, a major finding would be warranted. Also, an auditor may consider several correlating or related minor nonconformances and escalate these to cite a major nonconformance. This might be several minor findings associated with unacceptable or missing required records within the management system which results in a major finding against retained documented information. You will want to take these major nonconformances seriously, because one or more can be enough evidence to deny certification or significantly delay your stage two assessment activities.
Auditors will not deny certification due to a couple of minor nonconformances; however, you will be required to take some level of corrective action to address the issues based on the number and severity of the findings. For findings during the stage one assessment, this could be as simple as addressing the issues after the audit is complete, with the auditor reviewing your actions at the stage two assessment. If the findings are more severe, the auditor may not allow the stage two audit to be scheduled until he or she receives evidence that the nonconformances have been adequately addressed. A worst-case scenario might require execution of another stage one assessment to verify that major findings have been satisfactorily addressed and closed. Stage 2 findings will need to be corrected and evidence submitted to the auditor before certification is awarded. A worst-case scenario might require the auditor to return to complete an on-site assessment of the corrective actions, but such return visits are rare. As long as you are diligent about addressing and correcting the nonconformances, your auditor and registrar will continue to work to complete your assessment and award ISO certification.
Good preparation will go a long way towards ensuring a pleasant ISO 9001 certification audit and successful outcome. Make sure everyone in the organization understands how to engage and behave around the auditor, especially those who will come into direct contact with him or her. When nonconformances are found, remain professional and make sure that you are clear on the finding. Any discussion about the finding should remain respectful and professional. Remember everyone, including the auditor, is just trying to do their job and that there is always recourse after the audit is finished if you still want to challenge anything in the audit report.