What to Expect from an ISO Audit
External audits can be a daunting experience. Whatever ISO standard you are being assessed against, sometimes it can be hard to know exactly what the auditor will be looking for and want to review.
In my experience with ISO 9001, 27001 and 14001 audits, I have found that preparation is key to success.
The system works like this: a company develops its management system, which consists of policies, procedures, people (training and awareness), technology, etc., and then invites a certification body (we use BSI) to check whether that management system is compliant with the standard. This check is done during the certification audit.
The auditor will check your policies and procedures and gather evidence to verify that the criteria of the standard are being met. This evidence may be records, statements of fact, or other information relevant to the audit criteria. For example, the auditor might check contracts and training records.
If the certification audit is successful, the certification body will issue a certificate stating that the organisation in question is compliant with the specific ISO management system standard.
The external audit process:
Documentation audit (stage 1)
The certification auditor will come and review all of the documentation that you have created for your management system to ensure that you have everything in place to meet the requirements of the standard.
The certification auditors will come and audit what is happening in all of your processes to compare them to what was documented and ensure that everyone is compliant.
Surveillance / maintenance audits
Once the certificate is issued, it is valid for three years. During this time, the certification auditors will come and audit a sample of processes from the system to make sure you are maintaining it. Over the surveillance period the entire system is intended to be audited, but not all at once.
In summary, to prove to an auditor that your organisation can pass a certification audit, you must do two things:
First, you must prove that you comply with every clause of the standard; second, you must demonstrate, through the knowledge of your team, that you understand the ethos behind the standard. If you approach your preparation with these two checks in mind you won't go far wrong.