Certification audits are generally carried out in 2 stages. Typically, one of the requirements prior to a certification audit is evidence that the organisation has had a management system in place for at least 2-3 months, depending on the certification body. The exception is for start-ups, where you can rely on “mock” processes. Ideally, create an example scenario and sample records “as if” the system were already fully functioning, so that the auditor can audit those records.
Stage 1 Audit – “Pre-Audit”
The first stage is usually called a ‘desktop audit’, which is a high-level audit that checks the adequacy of the documented system against the requirements of the standard. It can sometimes be done online to save time or if your business is in a remote location. The aim here is to identify if your business is ready to proceed to stage 2.
It is not essential to have records in place for Stage 1, but we do recommend having all the requirements addressed in the documented system before booking the Stage 1 audit. Don’t worry if you get a few non-conformances in the Stage 1 audit. You will be given up to 6 months to fix these before you need to have the Stage 2 audit.
Stage 2 Audit – “Certification Audit”
The second stage is generally called a ‘certification audit’. During this stage, the Certification Body auditors (ISO auditors) will examine objective evidence stated in the documented information or company’s procedures, work instructions and records and go into depth in every area of the systems, following process paths to ensure the system elements are linked. They will be very focussed on whether the systems are being “used”, are accurate for the company and are understood – as well as being compliant.
If there are no major audit findings, the Certification Body will recommend your organisation for ISO Certification. The ISO certificate will then be issued (normally within 2 weeks) and is usually valid for a period of 3 years.
Ongoing – “Surveillance” or “Sample” audits
Subsequently, annually for the next two years, your organisation will be evaluated through surveillance or sample audits where the auditor examines a selection of the system each year to ensure that your management system is still being implemented effectively. During the fourth year, a re-certification audit will usually take place and the cycle repeats.
Preparing for the Stage 1 “Desktop” audit
As the purpose of the Stage 1 audit is to sanity check your readiness for Stage 2, while your systems don’t have to be perfect, it is important to have the basic building blocks in place.
Here are the most important requirements:
Documented system building blocks are in place: While you don’t need to show evidence of use of the system for Stage 1, you DO need to have most of the documented building blocks in place. All the requirements of the standard need to have a placeholder, whether this is in a piece of software, a procedure, the manual, or another method. The auditor will be looking for areas of the standards that have not been covered.
See below for a link to checklists you can work through.
It is a good idea to prepare an internal audit schedule and to show that you will be conducting a whole system internal audit prior to the Stage 2 audit.
An Integrated Management System manual is not a requirement, but it is a very useful tool both for your business and for the audit.
It is very helpful if the manual is a kind of table of contents of the documented system and, if it’s finished prior to the Stage 1 audit, with links to the documented system throughout.
Preparing for the Stage 2 “Certification” audit
There are a few things which will need special preparation for the very first certification audit your company undertakes.
Check off the items below as you complete them.
Ensure you have completed at least one Management review covering the requirements of the relevant standards. Minute this meeting, raise actions and assign them. Be prepared to show some progress on these actions.
Ensure an internal audit schedule has been developed and at least one audit has been completed with an audit report, findings and, if relevant, issues and actions coming out of the audit.
Non-conformances / Issues / Incidents: Corrective actions will definitely be a focus for the auditor. Ensure all the team is familiar with how to raise an issue or improvement, and ensure you have some recorded which have been progressed to show the auditor. The same goes for incidents. You need at least one record for every function in the compliance system.
ISO training: Run an internal training or consider enrolling all your staff in a brief online training course in ISO standards. This will provide the whole team with a good foundation and understanding of what matters in your system and how to continuously improve.
*ICS can offer cost-effective training for management and staff through our preferred training partners. Just ask us.
Staff attendance: Brief all staff on the upcoming audit and ensure all responsible staff are present and areas of the business are represented.
In particular, ensure relevant management are there for both the opening and closing meetings. It makes a poor impression if management are absent – particularly as management commitment is one of the most important requirements.
Run a session (or create a video) to ensure all staff are familiar with the management system and where it is housed, can demonstrate its use, and can provide documented evidence if required.
The auditor can choose to speak to individuals in the company and all staff should be familiar with the basics of where things are to be found and what their role is.
(There is no need for employees to memorize the HSEQ policy, but they should be able to paraphrase the basic elements of the policy and what it means to them.)
Reassure your staff: Get everyone together and explain that the purpose of the Certification audit is NOT to find fault with individuals, but to identify opportunities for improvement.
Looking after the auditor(s) on the day: It normally makes a good impression if you give the auditor a brief induction and a site tour, and get them to sign the visitor book etc. It is common for the client to provide lunch, but this is not a requirement.
You will need to do all the above PLUS the following for subsequent external audits:
Requirement | Action | Stage (Done etc) | Comments
Internal audits / MR: You will need to have completed your full complement of internal audits for the 12 months plus a management review.
Internal auditors are required to be trained, so either enrol some members of your team in a course (ICS can recommend face to face or online) or outsource to your consultant.
You will need to demonstrate how you are keeping your legislation register up-to-date and how the requirements are reflected in your documented system.
Consider if ICS’ Legislation updates service might alleviate the burden of this ongoing task.
Non-conformances / Issues / Incidents: Ensure all the team is familiar with how to raise an issue or improvement and ensure you have been consistently recording and closing them out since the last audit. The same goes for incidents.
Maintenance: The auditor will be on the lookout to ensure you are USING the system and that your systems are continuously improving. Records need to be kept up-to-date, meetings held, documents updated and so on.
PLAN DO CHECK ACT is the basis of all the standards.
ICS Tips and Tricks
Here are a few insider tips we have found helpful over the years:
1. Table of Contents / “Cheat Sheet” is useful
Ensure the auditor can easily find everything – have a “table of contents with locations or hyperlinks” or similar so that the auditor can find things easily and get finished more quickly.
Do NOT print the whole system for the auditor! This is not necessary. Simply have the documents in easy reach.
Streamline as MUCH as possible and look for errors, duplications and irrelevancies in the system BEFORE the audit. Everything that is visible will be assumed to be important and will be audited. If something is not in use, remove it rather than receive a non-conformance because there is a discrepancy between what your documented system says and what you actually do.
3. Cloud-Based IMS
You may like to consider whether cloud-based systems would make life easier for you and your team, and make your systems more user-friendly and easier to maintain.
Cloud software can be used to automate a lot of the busy work associated with compliance, keep everything in one easy-to-find location, and remind your team of their responsibilities without you having to nag! It’s also fantastic at providing you with graphs and trends for the audit. It can also manage your workflows and get the different parts of your system talking to each other.
Contact us if you’d like to see how this might work with your system.
4. Run a trial internal audit to try and detect any gaps or weaknesses
Normally, if you are working with a consultant, they will have conducted a “helicopter view” internal audit across all the requirements BEFORE you go to audit. If not, you can use a checklist to check your system is operational. Here are some free self-assessment checklists you could use.
Roleplay being the auditor and detect “weak links”, gaps and people who need extra training ahead of time!
5. Enlist extra support on the day
Sometimes it can be helpful to have your consultant along to help “interpret” auditor speak and help find things the auditor asks for. It’s not essential, but for the first audit it can be reassuring to have the extra support. If you need some support or a healthcheck audit to give you the reassurance that you are ready, contact us at ICS.
Best of luck with your audit!