What to Expect in External Audits by Certification Bodies…

External Audits by Certification Bodies

“Oh no! Your company is getting audited, hope all goes well! What if they find something wrong with my organisation?”… I’m sure that as a business owner, this thought went through your head at least once in your life, right?

External audits by certification bodies are the last step before ISO Certification. Many companies tend to get excited about this part as they do not feel that they are ever ready for the audit. However, like any other concept within ISO Certification, this is just another angle through which you can improve your business.

Remember, external audits by certification bodies should be seen as an opportunity for improvement. Having an extra pair of eyes looking at your management system to help you improve can be a blessing.

When it comes to ISO certification, the organisation must go through several audits when it is in the process of getting ISO certified. However, it is important to note that this structure of external audits is not a standard procedure for other systems. Organisations can be subject to external audits as required by clients or suppliers who are seeking a partnership.

When it comes to ISO certification, the organisation which is seeking to become ISO certified must first do a management review meeting, which is then followed by an internal audit. For more information about the implementation process of ISO certification, you can read here. Then, after the organisation chooses an accredited certification body to work with, the timeline for the external audits will be set. In total there are four different audits that are performed by the certification body.

Stage 1 versus Stage 2 Certification Audit

The certification audit is the first of a series of external audits that the organisation must go through to be awarded the ISO certification. The certification audit is split into two stages, where the Stage 1 Audit complements the Stage 2 Audit.

Stage 1 Audit

The Stage 1 Audit, which is also commonly known as the Desk Audit, is the part where you say what you do! The certification body will often perform this remotely, hence the name Desk Audit, and its purpose is to examine the documentation of the organisation and compare it with what the ISO standard dictates. The certification body will then see how compliant the processes set by the organisation are.

It is during this stage that the certification body will evaluate your organisation’s conditions, see how you are operating and look at the objectives and the key performance indicators (KPIs) for the management system. In this Stage 1 Audit, the certification body discusses with the senior management the context of the organisation, its scope and objectives as well as its policy and risk evaluations. The scope of the organisation will also be examined. Moreover, some other things that fall under the category of Stage 1 Audit include process interaction, regulatory requirements and making sure that all documentation is up to speed with what is specified in the ISO standard.

The reports of the Stage 1 Audit generally include points about the concerns that the certification body has identified, as well as the positive points that the certification body came across upon examining the processes.

If all is satisfactory, the certification body would move to the next phase, that is the Stage 2 Audit.

Stage 2 Audit

Then there is the Stage 2 Audit, also known as the Field Audit or Implementation Audit. This is the part where you actually do what you say. The Stage 2 Audit looks at the procedures’ documentation and how they should be functioning versus how they actually are being carried out. The Field Audit is basically an audit of the internal audit. If your organisation successfully passes both external audits, you will be awarded the ISO certification.

The following is the overall content of the topics that must be discussed in Stage 2 Audit:

  • Opening meeting
    • Go through the agenda for the day
    • Follow-up on corrective actions from Stage 1
  • Ideally, you start with the key processes (sales and marketing procedure, purchasing, operations, design and development). This is because they might take very long to complete.
  • For larger organizations, we are going to divide the company into smaller companies, in the sense that each department would have its own system for how it, for example, handles complaints.
  • Note at the end of the audit, we are going to have a ‘wash-up meeting’ to discuss any non-conformities or any concerns they might have.
  • Note that for audits with more than 1 day, we are going to do a feedback meeting at the end of each day
  • Note that for a company being audited by more than 1 auditor, there is going to be an auditor liaison meeting, where the auditors will discuss all the observations they have after the audit.

After you become certified, your work is not done. Every year, you need to do a management review meeting, followed by an internal audit and an external audit, referred to as Surveillance Audit. This type of external audit is similar to how a certification audit is performed but is called a surveillance audit because the certification body is revisiting the organisation to see how well the processes are holding up. After 3 years of being ISO certified, you need to undergo what is known as a recertification audit. This is another type of external audit which follows the same principles as the others. It forms part of a system based on continual improvement.



Opening & Closing Meetings of External Audits by Certification Bodies

Opening Meeting

The purpose of the opening meeting is to:

  1. Introduce the lead auditor;
  2. Introduce any other participants, including observers, guides and interpreters, and outline their roles;
  3. Introduce the scope of the external audit;
  4. Have all auditees introduce themselves and provide feedback about their familiarity with the audit process;
  5. Confirm the agreement of all participants (e.g. auditee (management and processes to be audited), audit team) to the audit plan;
  6. Introduce the audit team and their roles;
  7. Ensure that all planned audit activities can be performed;
  8. Introduce the audit methods to manage risks to the organization which may result from the presence of the audit team members.

Confirmation of the following items should be considered, as appropriate:

  • the audit objectives, scope and criteria;
  • the audit plan and other relevant arrangements with the auditee, such as the date and time for the closing meeting, any interim meetings between the audit team and the auditee’s management, and any change(s) needed;
  • formal communication channels between the audit team and the auditee;
  • the language to be used during the audit;
  • the auditee being kept informed of audit progress during the audit;
  • the availability of the resources and facilities needed by the audit team;
  • matters relating to confidentiality and information security;
  • relevant access, health and safety, security, emergency and other arrangements for the audit team;
  • activities on site that can impact the conduct of the audit.

The presentation of information on the following items should be considered, as appropriate:

  • the method of reporting audit findings including criteria for grading, if any;
  • conditions under which the audit may be terminated;
  • how to deal with possible findings during the audit;
  • any system for feedback from the auditee on the findings or conclusions of the audit, including complaints or appeals.

Closing Meeting

A closing meeting should be held to present the audit findings and conclusions.

The closing meeting should be chaired by the audit team leader and attended by the management of the auditee and include, as applicable:

  • those responsible for the functions or processes which have been audited;
  • the audit client;
  • other members of the audit team;
  • other relevant interested parties as determined by the audit client and/or auditee.

Depending on the audit findings, the audit team leader should:

  • advise the auditee of situations encountered during the audit that may decrease the confidence that can be placed in the audit conclusions;
  • agree with the participants on the time-frame for an action plan to address audit findings.

The following items will also be discussed during the closing meeting:

  1. advising that the audit evidence collected was based on a sample of the information available and is not necessarily fully representative of the overall effectiveness of the auditee’s processes;
  2. the method of reporting;
  3. how the audit finding should be addressed based on the agreed process;
  4. possible consequences of not adequately addressing the audit findings;
  5. presentation of the audit findings and conclusions in such a manner that they are understood and acknowledged by the auditee’s management;
  6. any related post-audit activities (e.g. implementation and review of corrective actions, addressing audit complaints, appeal process);
  7. any diverging opinions regarding the audit findings or conclusions between the audit team and the auditee, which should be discussed and, if possible, resolved. If not resolved, this should be recorded;
  8. if specified by the audit objectives, opportunities for improvement recommendations may be presented. It should be emphasized that recommendations are not binding.

WANT TO LEARN MORE about External Audits by Certification Bodies?

As an ISO management system consultant Luke Desira will make it his personal mission to put your company on a class above all others! Read more about ISO and other content related to business process transformation here.

If you are on the hunt for information on how to get certified, have a look at this guide on how to get ISO certified with Luke Desira, and find out about the 10 pitfalls that you may encounter during the implementation process of ISO Certification.
