An ISO auditor isn’t out to get you. We want to see you succeed after all of the hard work you’ve put towards developing your systems.
But success requires consistent effort in the weeks and months leading up to your ISO audit, and ensuring you prepare adequately in this time is essential.
If you have an audit coming up soon, here’s what you can expect and the most common mistakes to get on top of ahead of time.
What to expect during an ISO audit
An ISO audit evaluates an organisation’s compliance with one or more ISO standards. These standards cover a wide range of areas, such as quality management (ISO 9001), health and safety (ISO 45001), environmental management (ISO 14001) and information security (ISO 27001).
An ISO audit is typically conducted by a third-party auditor, who completes an independent assessment of the organisation’s management systems to determine how closely systems align with the relevant standard requirements. During this, they pinpoint any areas of non-conformance that need to be addressed by the business to get or maintain their ISO compliance.
When you successfully pass an ISO audit, you are found to be in compliance with the relevant standard and granted certification. Companies work towards this to enjoy benefits such as improved efficiency and productivity, improved customer satisfaction, enhanced reputation and credibility, increased competitiveness, better risk management and compliance with regulations.
Breaking down the main steps of an ISO audit
When your auditor completes the ISO audit, they will usually follow a process involving three main stages.
Stage 1: Audit schedule
First and foremost, you need to set a suitable audit schedule. This is where you determine how frequently business areas will be audited. It provides you with a clear timeline and also helps you ensure that areas of your business are audited at the frequency that makes sense based on their level of risk and importance.
Stage 2: Document review
After this, the auditor moves onto the document review stage, which is where they review your documented evidence of compliance. They will look over documents such as your quality manual, procedures and records to ensure they are well documented and comply with the requirements of the relevant ISO standard.
Stage 3: Process review
The main component of an ISO audit is the process review. This assesses an organisation’s compliance with the requirements of an ISO standard. It involves several stages, including on-site audit, close-out meeting and reporting. By the end of a process review, the auditor will have pinpointed any discrepancies and areas for improvement and developed a plan to address non-conformances.
After the business has taken necessary corrective action, addressed all areas of non-conformance and provided evidence of this, the certification body will issue them with certification.
Common ISO audit mistakes
1. Hiding your NCRs (AKA CAPAs, Non-conformances or issues)
When completing an ISO audit, hiding non-conformities (NCRs) immediately raises red flags for an auditor with extensive experience reviewing systems.
Companies can fall into the trap of doing this when upper management thinks that too many NCRs in the quality management system (QMS) will complicate audits by bringing more attention to issues. In other instances, leadership teams avoid documenting non-conformances and try to implement changes “off the record” to avoid putting issues on display. At times, organisations may even manipulate records to make it appear that their systems are compliant when they’re not.
Hiding NCRs is a serious violation of the ISO audit process, as it undermines the integrity of the audit and certification process. Organisations that are found to be hiding NCRs may face penalties or lose their certification.
In actuality, ISO auditors don’t care how many NCRs companies have and too few can raise red flags. It’s much better to accurately document any problems and the procedures you’re implementing to address them.
Those that implement compliant systems most effectively actively document every corrective or preventative action they take. An ISO audit isn’t a pass-or-fail test, it’s a process of continuous improvement, and the non-conformities you find and address are opportunities to better your existing management systems.
2. Employee training isn’t documented
ISO standards require organisations to document their employee training for both preliminary and follow-up training.
During an ISO audit the auditor will request records of employee training for each and every staff member, so employers need to ensure they have this on hand.
Rather than relying on individual departments or team leaders to keep track of the training employees undertake separately, record keeping needs to be centralised. This is when all records are collected, stored and managed in a single location or system. For example, many organisations use cloud-based systems for this because all documents are stored securely in one convenient place.
Documenting employee training can include keeping records of work evaluations, training test scores, certifications and degrees, performance reviews, job postings, position descriptions, employee resumes, training attendance and training course agendas.
This is an important aspect of certification because it ensures that all employees are properly trained on the processes, procedures and systems that are relevant to their role. It also helps track employee progress, identify areas where additional training may be required and provide evidence of compliance.
3. Unprepared or lack of commitment from management
Management commitment to compliance is key.
If it’s treated as a side project developing the level of quality, effectiveness and consistency ISO standard guidelines require will be an uphill battle. There needs to be planning, understanding, engagement and commitment from management.
When management doesn’t fully understand the requirements of the ISO standard and audit process, this can make it difficult for them to ensure that employees are provided with sufficient resources, training and support. Without clear guidance, efforts can also become disjointed as there is no shared direction.
These setbacks can result in the company falling short during its ISO audit. When this happens, it only takes longer and costs the business more to reach its compliance goals because it will need to go back and address non-conformances before it can successfully pass its audit.
4. Ineffective or insufficient corrective processes
Companies most often implement ineffective or insufficient corrective processes when they don’t fully understand the issue they’re dealing with. The issue is only looked at on a surface level, and because of this, the solution doesn’t get to the root of the problem.
Well-defined procedures for identifying, investigating and correcting non-conformities are essential for pinpointing the source of an issue and also determining a suitable solution that is applicable to the situation.
Avoid corrective processes falling short by ensuring that:
- Your company doesn’t have a culture of covering up problems;
- Employees have enough time and resources to address issues effectively;
- Agility and continuous improvement are at the forefront of your business;
- Suitable systems are established for monitoring progress.
5. Not having a system in place to maintain certification
To maintain ISO certification companies need to complete regular audits of their systems. Compliance isn’t something to “set and forget” – it requires an ongoing effort from management and employees to ensure systems continue to meet the guidelines, including the requirement for continual improvement.
This becomes an issue for organisations when there’s a lack of monitoring over time, documentation, employee training, internal audits and management review. When these areas aren’t actively managed, by the time their next audit comes around a business could find that they no longer meet the requirements.
Instead, companies need to be proactive and regularly assess their compliance performance to determine where improvements could be made ahead of their next audit. This ensures they’re prepared to demonstrate ongoing compliance with the standard, making the audit process as smooth as possible.
How to choose an ISO auditor
Companies will often choose to hire an ISO auditor from outside the business, reasons why include that they:
- Provide an impartial and unbiased appraisal;
- Bring an outside perspective;
- Apply specialist knowledge;
- Complete audits day in and out and can conduct the ISO audit efficiently, saving time and money;
- Are less likely to have conflicts of interest that could compromise the integrity of the audit;
- Take on the responsibility of completing the audit, so this doesn’t fall on employees, which allows for greater staffing flexibility;
- Provide expertise and business improvement suggestions to help your company move forward.
If you’re planning to work with an auditor, there are a few important points to consider before choosing which auditor is right for you, including whether the auditor:
- Is accredited by an accreditation body that’s recognised by the relevant regulatory authorities;
- Has experience auditing organisations in the same industry as your company;
- Has the necessary knowledge of and experience with the ISO standard you want to get compliant with;
- Uses technology, such as cloud-based systems, to provide solutions that are lean and low-burden;
- Has fees that are transparent and fit within your company’s allocated budget;
- Has a good reputation and can provide you with references from their prior work;
- Can provide ongoing support for decision-making and growth.
Contact us about an ISO audit
To maintain audit-readiness by regularly completing an ISO audit of systems, get in touch with our ISO auditors. With extensive experience in a diverse range of industries, we have the knowledge and expertise to help you achieve your compliance objectives.
Alternatively, ask about our legislative updates, ISO gap analysis or integrated management system development services.