ISO Audits and Certification
Introduction - what is auditing?
In the context of management systems, auditing is the process of formally checking and reviewing that everything is operating effectively, correctly and in compliance with the audit criteria.
The audit criteria for management system audits are usually based on checking that operations are:
- In compliance with documented procedures
- In compliance with the requirements of ISO or other applicable Standards
- In compliance with regulatory, legislative or any other applicable requirements
Audits should be completed by someone competent who should be, wherever possible, independent of the area they are auditing while also having a good understanding of what they are auditing.
Auditing should be a useful activity that can help to identify any areas where there may be issues or shortcomings while also identifying opportunities for improvement.
As well as management system audits completed internally within an organisation, audits may also be completed by third parties such as customers or certification bodies, where the process will be much the same but with different and often additional criteria.
For ISO compliance it is essential to complete audits, retain documented evidence of the audits and have a schedule in place for planning and completing future audits. The alphaZ package includes all the resources required to achieve this:
- Audit Checklist Templates (blank and pre-prepared)
- Audit Schedules
- Audit guidance and procedures
- Audit reporting templates
- Issue tracker / reporting forms for logging any actions required based on audit findings.
Management System Auditing (Internal Audits)
Internal audits are a key component of an effective management system and are also essential for ISO compliance. Internal audits can help to identify issues, opportunities for improvement and provide assurance that the management system and other processes are operating effectively.
The alphaZ package includes various resources to assist with completion of effective internal audits and the IMS1 document includes a procedure / overview of how internal audits are managed and completed which references the other key components.
Competence - all auditors need to be competent so that they understand the audit process and can complete audits effectively. There is no mandatory or recognised qualification that must be held for an auditor to be competent and there are numerous online or in-person internal auditing courses that can be completed.
For those wishing to complete the training in-house the alphaZ package includes all the resources necessary to support the training of internal auditors including an internal audit training certificate template for issuing certificates of competence to trained auditors.
Audit training resources available:
- General Guidance Internal Auditing - Internal audit guidance document
- IMS1 5.3 Management System Audits - internal audit procedure
- P-1-10 Internal auditing and ISO compliance - more detailed internal audit procedure
- Training / Toolbox Talk > Internal Auditing - Sign-off sheet for training
- Training / Guidance > Training Certificates - Auditor certificate of competence
Audit Schedule - audits should be planned and a programme of audits should be prepared based on considerations of risk and previous audit findings.
The alphaZ package has different types of audit schedules available:
- ER 11 Audit Schedule - Excel-based internal audit schedule which includes risk-based audit planning, annual audit schedules and a clause-checker to review planned audits against all ISO clauses
- F-Q17 Audit Schedule - Simpler annual audit schedule which can be completed to cover all audits or used for a particular area or function.
Documenting the audits - audits must be documented and to assist with this there are various audit recording and reporting templates available:
- Management System Audit Checklists - these pre-prepared checklists are based on the management system and can be used to review that management systems have been implemented and are functioning correctly. There are also checklists based on the ISO standards, which can be used to check and demonstrate compliance with every applicable ISO clause.
- Process Audit Checklists - these pre-prepared checklists are based on a particular area or function and do not reference the management system or ISO standards.
Audit Findings - The purpose of the audit is to check whether everything is being done effectively; where it is established that there are issues or potential improvements, these should be reported. When reporting findings it is important to do so in a diplomatic way and to avoid conflict wherever possible. Consider the language used to report findings: a term such as 'observation' will ensure the issue is flagged up and dealt with, and may be less likely to cause conflict than a term like 'non-conformance' (which should only be used for very significant findings).
Once a finding has been reported it is important that it is dealt with. The alphaZ package includes various resources that can be used to report and then manage any actions required based on audit findings in a time-saving and efficient manner:
- ER1 Issues & Actions register - simple register for logging of issues which can also be used to log audit findings and then track actions taken
- Problems Forms - significant audit findings can be logged using the problems form following the significant problems procedure detailed in IMS1
- Improvement Form - suggested improvements can be logged on an improvement form for formal review and action
- Audit Report - where required the audit findings logged on the audit checklist can then be converted into an audit report using the audit report template.
Review of Audit Findings - Audit findings can then be reviewed using the issues & actions register and will also be formally reviewed during management review.
Audit Documentation Filing - The management filing structure includes a folder for audits and all audit related documents should be filed in this folder.
ISO Certification Audits
If you need to achieve ISO certification it will be necessary to appoint a certification body to complete an ISO certification audit. The format, cost and number of days required to complete this audit will vary depending on the certification body and the number of ISO standards being assessed.
Accredited Certification - when deciding which certification body to appoint it is important to determine whether you need the ISO certification to be accredited. In the UK the only recognised accreditation body is UKAS, so if you need accredited certification ensure the certification body is UKAS accredited for the standards you require. If you do not need accredited certification there are lower cost options, but care should be taken to avoid providers with alternative and unrecognised 'accreditation' and those where you are required to sign a lengthy contract. isoassured provide low cost certification without any contract.
The external Certification Audit
Once you have appointed a certification provider they should provide you with some information and a schedule for the planned external certification audit. The audit may be split into a Stage 1 and a Stage 2 audit, with Stage 1 being mainly a review of management system documentation used to determine that you are ready to progress to Stage 2. Stage 1 may be completed remotely or in some cases will be combined with the Stage 2 audit, which is the full certification audit.
Note: Where UKAS accredited certification is required it is important that the management system documentation is dated so that everything has been in place for at least 6 months prior to the Stage 1 audit to comply with UKAS rules relating to maturity of management systems.
During the certification audit the audit team will be looking for evidence that the management systems are in compliance with the relevant ISO standards and the gathering of evidence could be a mixture of subjective questioning, evaluation of case history and demonstration by the auditee of the means and methods in which they ensure that the company's objectives and standards are being met.
The audit will likely comprise:
- An initial opening meeting with the manager or nominated representative to discuss what areas will be reviewed and timings for interviewing of other auditees
- A review of any previous issues raised during previous audits
- A mixture of one-to-one interviews, review of files and computer-based records in order to gather evidence which shall form the basis of the report
- A closing meeting with the manager or appointed representative to discuss the findings of the visit.
Preparing for the audit
There are various checklists and guidance documents available to assist with preparation for audits. Alternatively, an external consultant, either onsite or remote, can be used to complete final checks with you to ensure everything is ready for the audit.
It is a good idea to have the key management system documents and other key evidence that the auditor will need to review prepared and ready for the audit either electronically or in an evidence folder. Using the supplied filing structure detailed in the IMS1 document can also facilitate this - all of the folders are relevant to the audit and none should be empty.
Evidence that may be required for the audit:
- Management System Documentation - IMS1 and IMS Registers
- Forms and Policies - Policies approved and dates correct
- Management Review and Objectives - recently completed management review
- Issues and Actions - evidence of how problems and non-conformities are dealt with
- Customer Feedback - evidence that customer feedback is being collected and analysed
- Audits and Monitoring - documented audit and other inspection or monitoring records
- Key Suppliers - evidence of adequate controls over outsourced services
- Management of Equipment - equipment and premises managed effectively
- Management of Staff Competency and Training - evidence that these are managed correctly
- Evidence of management of service provision - some recent work / jobs
The audit team will also probably want a tour of the premises and it is important that everything is in order and anything that can be pointed at by an auditor is compliant - anything that isn't should be relocated or have signage attached to indicate that it is not in use.
Follow-ups (if required)
Once the audit is completed a written report will be produced detailing evidence viewed and providing a brief synopsis of the auditor's findings during the visits, which shall also include details of non-compliances and any observations made. A response to any non-conformances may be required and should be logged as per the IMS1 procedure.
ISO Certification Audit Top-Tips
Here are some pointers for tactics to make sure the audit goes smoothly and with no non-conformances:
- Good first impression - make sure you demonstrate from the start that everything is well managed by managing the audit team's arrival; if there are visitor site rules make sure these are explained and acknowledged and all other visitor procedures such as sign-in are followed. Offer refreshments and be hospitable!!!
- Evidence Folder - prepare an evidence folder with all the key evidence the audit team will need to see so they can go through this without having to constantly ask for the evidence they require.
- Competence records - make sure all internal auditors can demonstrate competence.
- Don't fight or be confrontational - a non-conformance doesn't mean you've done something terrible and often the best approach, unless it is clear the auditor has made a mistake, is to accept it and move on. Wait until you receive the report and then decide what response is appropriate.
- Use the correlations - if the auditor is citing a particular clause and you are unsure, check the correlation document which provides guidance for how compliance can be evidenced for every clause.
- Read and check IMS1 - this document is there to help you through audits and most of the evidence you need can probably be found somewhere in this document.
- Read and check IMS1 - this point has been repeated because it is important.
- Plan who is doing what - it makes sense to plan who is going to be available and when. Your organisation still needs to function during the audit but it is also important that top-level management have some availability to assist with the audit.
- Secure any loose cannons - there may be some individuals in your organisation who have not embraced the management system / ISO in general and who should be strategically unavailable on the day of the audit!!!
- Be aware of the rules - some certification may be covered by additional rules from the accreditation provider such as UKAS rules covering maturity of management systems.
- Quarantine / Signage - ensure any equipment that is not maintained or equipment that isn't controlled by the business is clearly signed / marked to take it out of the scope of the audit, i.e. attach a 'Do not use' sign or relocate it into a quarantine area.
- Easy catch - some certification bodies expect their auditors to find a couple of non-conformances - consider giving them a couple of easy-to-fix issues.