How to Prepare for the ISO 9001 Certification Audit

The certification audit tends to be a stressful experience and particularly challenging for department managers. Being well prepared for the audit and knowing what to expect not only reduces stress but also increases the chances for success. So be sure to prepare your company properly in the days leading up to the big day.

The International Organization for Standardization (ISO) sets international standards in the industrial and commercial fields of the world.
Nowadays, businesses can implement various ISO management systems depending on the products or services provided to gain profits and stay ahead of competitors. Various industries that compete globally are usually ISO certified to prove to their customers that the products and services provided can be trusted with multiple attributes such as quality, security and safety.
The implementation of ISO management system standards has several benefits, such as increased company credibility, customer trust, employee performance, and company image.
To be ISO certified and subsequently maintain your ISO certification annually, your organisation is required to conduct internal audits regularly as part of the ISO standards’ requirement to ensure good implementation of processes in your organisation’s management system.

Here are some recommendations to help your organization prepare for a successful ISO 9001:2015 audit.

An ISO audit is an activity that companies conduct to evaluate, confirm, and verify processes related to the quality, security and safety of products and services so that companies are able to ensure the management system has been effectively implemented.
The objectives of conducting an ISO audit are:
To check the suitability of standards, regulations, procedures and conditions of implementation in your organisation.
To ensure consistency in the implementation of processes.
To look for areas of improvement and to develop key processes and working conditions in your organisation.
To comply with statutory and regulatory requirements
To fulfil customer requirements or market demands.
 The standard that provides guidance for conducting an ISO audit is the ISO 19011:2018 – Guidelines for auditing management systems.
In general, the parties involved in an ISO audit are the auditor and the auditee. The auditor is the person who is responsible for carrying out the audit. At the same time, the auditee is the person being audited or the party being audited by the auditor.

The ISO audit checklist is made as part of the audit programme for the auditor to reference the essential clauses that need to be checked. In addition, the audit checklist can also be used as a guideline by the auditee to prepare before being audited. As part of the audit planning, an ISO audit checklist should be prepared by the auditor.
 An ISO audit checklist should be developed taking into account:
Audit Scope and Depth.
Relevant ISO standards, regulatory, customer and internal requirements (e.g., ISO 9001:2015, ISO 13485:2016, US FDA, GMP, etc.)
Defined audit plan and criteria.
 The ISO audit checklist must be able to demonstrate that the standard requirements have been met, as well as the requirements that have not been met. Typically, this is the indication of conformance / non-conformance for the respective clauses.

There are 3 types of audits that you need to know to successfully maintain your ISO certification and check the effectiveness of your company’s operations and business processes.

A first party audit is an audit carried out within your company. This audit is also known as an internal audit. Your organisation must plan the internal audit programme and schedule its date of implementation.
Your organisation must also explain the audit process in one of the procedures, stating the frequency of the internal audit to be conducted and what is the purpose of the internal audit that will be conducted.
An internal audit can be carried out by a designated department/section consisting of internal auditors, or it can be carried out by an ad hoc or outsourced internal auditor team as and when it is required.
First party audits are usually carried out as an evaluation of compliance with standards such as ISO 9001:2015, ISO 14001:2015 or ISO 45001, as well as other standards according to the needs of the organisation. An internal audit may also be treated as a gap analysis process to identify the gaps within your organisation.
Common areas that are usually checked during an internal audit include the organisation’s quality policy, quality objectives, risk management, management, document control, resources, and operation processes.

A second party audit is also known as a supplier audit. A supplier audit is an audit conducted by the purchaser or customer on a supplier or company providing products or services to the purchaser. In this case, as long as your organisation have a purchasing process, a second party audit is usually inevitable for critical products or services.
In the case of outsourced processes, most companies would perform checks on their suppliers and evaluate the impact of the suppliers’ processes as part of their whole operations. A supplier audit may be carried out by an audit team appointed by the purchaser.
Similar to first party audits, second party audits should be planned as part of your organisation’s audit programme schedule and communicated to the supplier. The ISO audit checklist may also be used to audit areas relevant to the supplier and your organisation.
For example, your company is a well-known clothing company abroad. Your company wants to appoint a local company in Singapore to manufacture clothes on behalf of your organisation. Then, your company will have to conduct a supplier audit to ensure that the local company can make clothes according to your organisation’s requirements.
Suppose your organisation adheres to specific ISO standard requirements. In that case, the supplier should be audited based on that standard as well. One tip to smoothen this audit process is to check and see if the supplier has complied with the ISO standard that your organisation is currently complying to. This will ensure that a common understanding is established for the required processes defined by the ISO standard.

A third party audit is also known as a certification audit. This audit is always carried out by the auditors of a certification body. This audit process aims to assist your organisation in achieving ISO certification to the relevant ISO standard by an approved certification body. The certification body must be accredited by a recognised accreditation body as well.
Certification audits are generally carried out in 2 stages. One of the requirements prior to a certification audit is the evidence that the organisation has implemented a management system for at least 2-6 months, depending on various certification bodies.
The first stage is usually called a ‘desk audit’, which is an audit that checks the completeness of documents against the requirements of the standard. The second stage is generally called a ‘compliance audit’. During this stage, the Certification Body auditors (ISO auditors) will examine objective evidence stated in the documented information or company’s procedures, work instructions and records.
If there are no major audit findings, the Certification Body will recommend your organisation for ISO Certification. The ISO certificate will then be issued and is usually valid for a period of 3 years. Subsequently, for the next two years, your organisation will be evaluated through surveillance audits to ensure that your management system is still being implemented effectively. During the fourth year, a re-certification audit will usually take place and the cycle repeats.

The ISO 9001 certification audit will be similar to a (good) internal audit. The auditor will verify that your company's quality management system complies with ISO requirements and is working well for your organization.
No matter if physically on-site or remotely through video conferencing, the auditor will watch work being performed, observe the work environment, and interview personnel at all levels of the organization, including department management and executives. The auditor will request documents, look at records and data, and cross-check what he has seen and heard.

It's quite normal for employees to be unnerved by external auditors – something which could lead to mistakes that impact on the success of the certification assessment. So what should you do to prepare, put staff at ease, and increase your chances of success?
Communicate what will happen on the day and what to expect from the auditors.
Explain that the auditor's job is not to find fault but to establish that the system is working.
Emphasize that the audit is not pass or fail but that certification can be issued after correction of any problems.
Show employees how to best interact with an auditor.
Teach employees how to respond to common auditor questions.

It's important to remember that ISO 9001 is a management tool. Your auditor will verify that management understand this tool and actively use it. How will the auditor verify this and establish compliance with the standard?
The quality policy should reflect the believes of top management and guide the organization.
Leaders actively communicate the quality policy, its meaning and importance.
There is a mechanism that ensures that organizational goals fall in line with the quality policy.
Results of audits and other performance indicators enter the decision making progress.
The QMS is fully integrated into strategic planning and other responsibilities of executives.
Top managers have a sufficient understanding of ISO 9001 requirements and their application.
Every certification audit includes an (extensive) interview of one or more top managers. A bad performance during the interview not only jeopardizes successful certification but also embarrasses. Based on our experience it is wise to prepare top management well prior to the audit.

There are certain elements of a quality management system where auditors often find problems. For example, one of the most common nonconformities is related to document control. Other common areas include internal audits and the effective correction of identified issues, management reviews and their adoption as a real management tool, calibration of monitoring and measuring equipment, and employees and their department metrics supporting the overall quality objectives. Below are a few preparation tips on how to prevent common nonconformities.
Have all personnel check their work area for uncontrolled, unauthorized or superseded documents. This includes "personal" copies and printouts, as well as sticky notes.
Have your audit manager review audit reports and verify that all nonconformities have been resolved effectively.
Check that there are complete records of at least one management review. Prepare the executive team to demonstrate their use of management reviews as a basis for executive decision making.
Get staff to check their monitoring and measuring equipment to ensure it's properly maintained and calibrated, identified as such, and that there are records to prove it.
Have managers and staff remind themselves of their personal or department objectives, and how they support the quality policy and quality objectives of the company.
Ensure that training records are complete and available. Certification auditors frequently check ISO 9001 related training records (employee introduction, executive training, auditor training).
Use the audit preparation as an opportunity to have everybody organize and tidy up their work areas.

As part of the certification audit, your auditor will observe work being performed and ask questions. Auditors also commonly interview managers and executives.
As preparation for the audit, explain that auditor questions should be answered truthfully and that the auditor will ask for evidence to support answers. Nevertheless, staff shouldn't volunteer additional information or steer the auditor towards issues not pertinent to the subject. Also, make everybody aware that they should ask the auditor or the accompanying member of the implementation team for clarification if they don't understand what the auditor is asking. While it would be inappropriate for the escort to answer the question for them, it's acceptable to interpret the question into language your employees understand.

Audits may cover any requirement of the ISO 9001 standard, but as a general rule the following audit questions should be expected:
Quality policy: Do you understand the content of the quality policy? How does the quality policy relate to your work? How do you contribute to the objectives of your company's quality policy?
Objectives: What are your objectives, how do you achieve them, and how do you measure success? How do your objectives relate to the quality policy?
Customer focus: How does your work affect your company's customers? Do you know what the customers think of your company's products or services?
Customer requirements: How do you know if the products you are producing meet customer requirements? How do you know you perform your work correctly?
Document control: Are your work instructions current? How do you know? Is there a chance that you mistakenly use obsolete documents? Show me the instructions for the XYZ process.
Process interaction: Do you know how your work processes affect other processes? Do you understand what impact your work has on other processes?
Suppliers: How do you select suppliers? Are suppliers approved? And if so, by whom? What do you do if a supplier doesn't perform according to expectations?
ISO 9001 standard: Show me the ISO 9001 standard! (Only applies to internal auditors and those responsible for implementation and documentation of ISO 9001 requirements).
Obviously not all audit questions apply to all employees and managers. Also, remember that these are not meant to be pass-fail questions. Instead, the auditor is using these questions to establish if the ISO 9001 system is properly and effectively implemented.