What are External Audits?

What to Expect from External Audits and ISO Certification

Audits are an important part of a company’s application for ISO certification. These tests and inspections can verify if the processes and systems comply with standards and follow best practices. They can identify areas that need improvement or provide proof that the company has met the ISO requirements.  

ISO certification requires both internal audits and external audits. In this article, we’ll look at the latter—including the types of audits you will need, what the auditor will look for, the steps and time involved, and tips on preparing for them.

The External Audit Process

External audits will examine your business from different perspectives and points of view and are conducted in stages.  

An external audit is done by a third-party auditor who is licensed by the Certification Body. Usually, the auditors are selected based on their experience, qualifications, and understanding of your specific industry.

During the three-year cycle of ISO certification, you can expect at least a one-day initial audit of all your processes, and another audit during the surveillance cycle to check whether the recommendations have been effective.

Types of External Audits

Customer Audit

The first step is the Customer Audit, where a potential or existing customer reviews your processes through the lens of whether you are able to meet their needs, expectations and requirements. For some businesses, this can be replaced or augmented by a supplier audit. The schedule of auditing varies from customer to customer.

Certification Audit

This is a critical step in the ISO process. Your registrar will do a thorough check of your business processes and practices to check if they conform to the ISO standard. You can expect to have this done every three years.

Stage 1 is a preliminary audit that determines your company’s level of readiness for ISO. This allows you to spot areas where you need to improve, or understand the documents and reports that you need to provide. This is sometimes done remotely.

Stage 2 is a more thorough, on-site inspection where the auditor will review procedures, interview your employees, and check if you meet the criteria for an official ISO certificate.

Surveillance Audits

Even after your company gets ISO certification, your registrar will do annual surveillance audits. Much like a car tune-up or the annual doctor check-up, this external audit determines if you are still meeting the ISO requirements or if there are areas that need to be improved or revised. Should you have received any non-conformities or areas for improvement on your Stage 2 audit, the Surveillance Audit will focus on what you have done to correct the issues.

You will not be given a new certificate, but this is required so you can keep your ISO certification.

Methods and Processes

Audits can be performed in different ways, depending on your company’s needs and what is being checked. This can include remote audits which include teleconferences or online consultations, on-site audits, and self-audits.  

The self-audits can help you prepare for the official external audits. You can select employees to join the audit team, but they shouldn’t audit their own department or area of responsibility. You can also hire professional auditors who can train or guide this team, or completely outsource the internal audit to them.

While the external audit is clearly the most critical part of getting ISO certification, an internal audit is what helps you meet the criteria. Conduct one at least three months before you do a certification audit, and make sure that you document the process.

The internal audit will help you find out your “non-conformities” or where you do not meet criteria and create an action plan. These records will actually be reviewed during the external audit and can make or break your company’s ability to proceed to the next step.

For that reason, it’s worth utilising professional auditors from respected ISO 9001 consultants even during the internal audit stage in order to lay the proper groundwork for the rest of the process.

How to Prepare for an External Audit

  • Use the PDCA model. PDCA stands for “Plan, Do, Check and Act”. It is one of the best approaches for business improvement, and can help give you a systematic, verifiable way of meeting the ISO criteria. Plan includes identifying your competencies and gaps, and then creating a strategy. Do includes your action plan, including your activities and the timelines. Check refers to monitoring and evaluating your progress, and Act means creating your next steps based on the results.
  • Create process documents and checklists for all business activities. Your auditor will check if employees follow best practices as they go about their work. In order to train your employees, and provide your auditor with a guide, create a process document. This prevents inconsistencies, and expedites the auditing process.
  • Check employee intent and effectiveness. Ask employees to describe their work, and then review if they are able to do it – and do it effectively. While ISO often looks at the big picture, this step enables you to see beyond compliance and actually understand if your company processes enable productivity and high performance.

These are just some of the things you can expect during an external audit, and what you can do to prepare for it. Your auditor can help answer your questions, or provide more specific plans and checklists.  

