“Oh no! Your company is getting audited, hope all goes well! What if they find something wrong with my organisation?”… I’m sure that as a business owner, this thought went through your head at least once in your life, right?
External Audits by Certification Bodies is the last step before ISO Certification. Many companies tend to get excited about this part as they do not feel that they are ever ready for the audit. However, like any other concept within ISO Certification – this is just another angle through which you can improve your business.
Remember, external audits by certification bodies should be seen as an opportunity for improvement. Having an extra pair of eyes looking at your management system to help you improve can be a blessing.
When it comes to ISO certification, the organisation must go through several audits when it is in the process of getting ISO certified. However, it is important to note that this structure of external audits is not a standard procedure for other systems. Organisations can be subject to external audits as required by clients or suppliers who are seeking a partnership.
When it comes to SIO certification, the organisation which is seeking to become ISO certified must first do a management review meeting, which is then followed by an internal audit. For more information about the implementation process of ISO certification, you can read here. Then, after the organisation chooses an accredited certification body to work with, the timeline for the external audits will be set. In total there are four different audits that are performed by the certification body.
Stage 1 versus Stage 2 Certification Audit
The certification audit is the first o a series of external audits that the organisation must go through to be awarded the ISO certification. the certification audit is split into two stages, where the Stage 1 Audit complements the Stage 2 audit.
Stage 1 Audit
In the Stage 1 Audit, which is also commonly known as the Desk Audit, is the part where you say what you do! The certification body will often perform this remotely, hence the name Desk Audit, and its purpose is to examine the documentation of the organisation and compare it with what the ISO standard dictates. The certification body will then see how compliant the processes set by the organisation are.
It is during this stage where the certification body will evaluate your organisation’s conditions, see how you are operating and look at the objectives and the key performance indicators (KPIs) for the management system. In this Stage 1 Audit, the certification body discusses with the senior management regarding the context of the organisation, its scope and objectives as well as its policy and risk evaluations. The scope of the organisation will also be examined. Moreover, some others things that fall under the category of Stage 1 Audit include process interaction, regulatory requirement and making sure that all documentation is up to speed with what there is specified in the ISO standard.
The reports of the Stage 1 Audit generally include points about the concerns that the certification body has identified, as well as the positive points that the certification body came across upon examining the processes.
If all is satisfactory, the certification body would move to the next phase, that is the Stage 2 Audit.
Stage 2 Audit
Then there is Stage 2 Audit, also known as the Field Audit or Implementation Audit. This is the part where you actually do what you say. The Stage 2 Audit looks at the procedures’ documentation and how they should be functioning versus how they actually are being carried out. The Field Audit is basically an audit of the internal audit. If your organisation successfully passes from both external audits, you will be awarded with the ISO certification
The following is the overall content of the topics that must be discussed in Stage 2 Audit:
- Opening meeting
- Go through the agenda for the day
- Follow-up on corrective actions from Stage 1
- Ideally, you start with the key processes (sales and marketing procedure, purchasing, operations, design and development). This is because they might take very long to complete.
- For larger organizations, we are going to divide the company into smaller companies. In the sense, that each department would have their system on how they, for example, handle complaints.
- Note at the end of the audit, we are going to have a ‘wash-up meeting’ to discuss any non-conformities or any concerns they might have.
- Note that for audits with more than 1 day, we are going to do a feedback meeting at the end of each day
- Note that for a company being audited by more than 1 auditor, there is going to be an auditor liaison meeting, where the auditors will discuss all the observations they have from after the audit.
After you become certified, your work is not done. Every year, you need to do a management review meeting, followed by an internal audit and an external audit, referred to as Surveillance Audit. This type of external audit is similar to how a certification audit is performed but is called a surveillance audit because the certification body is revisiting the organisation to see how well the processes are holding up. After 3 years of being ISO certified, you need to undergo what is known as a recertification audit. This is another type of external audit which follows the same principles as the others. It forms part of a system based on continual improvement.