What are External Audits?
What to Expect from External Audits and ISO Certification
Audits are an important part of a company’s application for ISO certification. These tests and inspections can verify if the processes and systems comply with standards and follow best practices. They can identify areas that need improvement or provide proof that the company has met the ISO requirements.
ISO certification requires both internal audits and external audits. In this article, we’ll look at the latter—including the types of audits you will need, what the auditor will look for, the steps and time involved, and tips on preparing for them.
The External Audit Process
External audits will examine your business from different perspectives and points of view and are conducted in stages.
An external audit is done by a third-party auditor who is licensed by the Certification Body. Usually, the auditors are selected based on their experience and qualifications, as well as their understanding of your specific industry.
During the three-year cycle of ISO certification, you can expect at least a one-day initial audit of all your processes, and one more audit during the surveillance cycle to check whether the recommendations have been effective.
Types of External Audits
The first step is the Customer Audit, where a potential or existing customer reviews your processes from the lens of whether you are able to meet their needs, expectations and requirements. For some businesses, this can be replaced or augmented by a supplier audit. The schedule of auditing varies from customer to customer.
This is a critical step in the ISO process. Your registrar will do a thorough check of your business processes and practices to check if they conform to the ISO standard. You can expect to have this done every three years.
Stage 1 is a preliminary audit that determines your company’s level of readiness for ISO. This allows you to spot areas where you need to improve, or understand the documents and reports that you need to provide. This is sometimes done remotely.
Stage 2 is a more thorough, on-site inspection where the auditor will review procedures, interview your employees, and check if you meet the criteria for an official ISO certificate.
Even after your company gets ISO certification, your registrar will do annual surveillance audits. Much like a car tune-up or the annual doctor check-up, this external audit determines if you are still meeting the ISO requirements or if there are areas that need to be improved or revised. Should you have received any non-conformities or areas for improvement on your Stage 2 audit, the Surveillance Audit will focus on what you have done to correct the issues.
You will not be given a new certificate, but this is required so you can keep your ISO certification.
Methods and Processes
Audits can be performed in different ways, depending on your company’s needs and what is being checked. The methods include remote audits (conducted through teleconferences or online consultations), on-site audits, and self-audits.
The self-audits can help you prepare for the official external audits. You can select employees to join the audit team, but they shouldn’t audit their own department or area of responsibility. You can also hire professional auditors who can train or guide this team, or completely outsource the internal audit to them.
While the external audit is clearly the most critical part of getting ISO certification, an internal audit is what helps you meet the criteria. Conduct one at least three months before you do a certification audit, and make sure that you document the process.
The internal audit will help you find out your “non-conformities” or where you do not meet criteria and create an action plan. These records will actually be reviewed during the external audit and can make or break your company’s ability to proceed to the next step.
For that reason, it’s worth utilising professional auditors from respected ISO 9001 consultants even during the internal audit stage in order to lay the proper groundwork for the rest of the process.
How to Prepare for an External Audit
- Use the PDCA model. PDCA stands for “Plan, Do, Check and Act”. It is one of the best approaches for business improvement, and can help give you a systematic, verifiable way of meeting the ISO criteria. Plan includes identifying your competencies and gaps, and then creating a strategy. Do covers your action plan, including your activities and the timelines. Check refers to monitoring and evaluating your progress, and Act means creating your next steps based on the results.
- Create process documents and checklists for all business activities. Your auditor will check if employees follow best practices as they go about their work. In order to train your employees, and provide your auditor with a guide, create a process document. This prevents inconsistencies, and expedites the auditing process.
- Check employee intent and effectiveness. Ask employees to describe their work, and then review if they are able to do it – and do it effectively. While ISO often looks at the big picture, this step enables you to see beyond compliance and actually understand if your company processes enable productivity and high performance.
These are just some of the things you can expect during an external audit, and what you can do to prepare for it. Your auditor can help answer your questions, or provide more specific plans and checklists.
We have recently seen an increase in organisations claiming they have achieved “certification” to various International or ISO Standards such as ISO9001 Quality, ISO14001 Environmental,