ISO 9001 Certification Audit ~ The Ultimate Guide [with Checklists & Template]

The ISO 9001 Certification Audit is the final step before companies receive ISO 9001 certification. An external auditor from outside your organization will assess the quality management system (QMS) you have implemented with relevant documentation to see if you have met all of the ISO 9001 requirements.

Based on their findings, the auditor will either grant your organization certification or ask for corrective actions before you can be certified. Is your company ready to be audited for ISO 9001? To ensure that you have the best chance of earning ISO 9001 accreditation, here are some tips to prepare.

What follows is our ultimate guide for your ISO Certification Audit. It is geared towards ISO 9001, but can also be applied to ISO 14001, 45001, 27001 etc. You won't find a more detailed certification audit guide anywhere. It's a long read - but includes all the steps necessary and everything you need to know about how to perform the certification audit.

Preparing for an Internal Audit

Internal audits are a form of inspection in which your organization assesses its quality management system to see if it is ISO 9001 compliant. They often take place during QMS implementation and even after certification.

The best way to prepare for your external ISO 9001 audit is to have practice runs with your internal audits. Every organization seeking ISO 9001 certification should have routine audits with someone within the company to track the progress of its quality management system implementation and determine whether any corrective actions are needed to meet the certification requirements.

An internal audit will be able to uncover any flaws in your quality management system and identify any factors that need improvement before your external ISO 9001 review for certification.

How to Choose Internal Auditors

Internal audits are usually performed by an employee (or employees) within your company. However, subcontractors can also conduct internal audits. Note that the internal auditors you choose will need to be trained in the most recent ISO 9001 standard before performing routine audits; the training process can start as soon as you begin quality management system implementation so they can aid in the transition.

You must pick enough internal auditors to cover each department and area of your organization. Depending on the organization's size, you can have from one to four auditors chosen for each area. You will need enough auditors to ensure they don’t end up auditing their departments.

A rule of thumb is this: 10% of your total employees should be auditors. So, if you have one hundred employees, at least ten should be auditors.

When picking your auditors, choose employees who are excellent communicators and have a knack for finding issues and problem-solving. It also doesn’t hurt if they have strong interpersonal skills. Some smaller companies opt to make their ISO 9001 lead (or person in charge of implementing ISO 9001 requirements) their internal auditor because they are already well-versed in ISO 9001.

Creating a Well-Designed Internal Auditing System

You must rely heavily on your internal auditing system to be best prepared for the certification audit. However, if your auditing system isn’t up to par, your organization won’t be set up for success like it should be. Here are some tips to follow to create a phenomenal and effective auditing system:

1. Understand ISO 9001 - Make sure your auditors are thoroughly trained and understand the latest ISO 9001 standard.
2. Choose Departments - Determine what areas of the company need auditing before you begin routine audits. Sometimes, the areas that need assessment depend on the organization's size. If you’re unsure which departments to focus on, consider which departments will be affected by the new quality management system. Those are most likely the areas that will need frequent auditing.
3. Audit Frequency—How often will you audit? Determine how frequently you want to have internal audits. Many organizations opt to have quarterly or yearly internal reviews.
4. Audit Plan - Develop an audit plan. What resources do you need in terms of checklists and documentation? How many auditors will you need for your company’s size?
5. Audit Purpose - Determine the purpose of your company’s internal audits. What do you wish to learn from these checks? What are your goals and objectives? Do you want to concentrate on a specific department or focus more on the systems within it?
6. Meet with Auditors—Meet with your auditors to ensure everyone is on the same page regarding the plan, purpose, and scope of the audits.
7. Auditor Preparation - Your auditors should be very familiar with the documents they will be auditing against. They should understand the information they hold and develop questions for the auditees based on that information.
8. Audit Information—The auditors should also be prepared to explain how the auditing process will work with the auditees (including management) before beginning.
9. Audit Review—Following the audit, auditors should hold a meeting among themselves and again with the auditees to discuss what was done well and what needs improvement or does not meet ISO 9001 standards.
10. Corrective Actions - Once problems are brought up to auditees, give them the independence to suggest corrective actions. This way, they will take more ownership in implementing changes.
11. Create Deadlines - Have your auditors give auditees reasonable deadlines for completing corrective actions. The deadline may vary depending on the severity of the nonconformity.
12. Audit Team Feedback—Give your audit team feedback on how they audited. Is there anything that could be changed to better reflect the real auditing process? Allow them to adjust accordingly for the following internal audit. 
13. Include Everyone—Finally, make sure everyone is involved in the auditing process! Rotate employees as volunteers to assist auditors or shadow them during the reviews. This will give them more insight into what the process is like and why it is necessary. They will also be more prepared for the external audit by knowing what to expect.

What Is The Internal Audit Process?

During an internal audit, a member (or members) of your organization will be tasked with comparing your QMS to ISO 9001 standards.

They will begin by explaining the auditing process before starting their audit. They will also answer any questions auditees may have in addition to compliance problems they are already aware of and would like to address.

Following this opening meeting, the auditors will begin their audit. If they find a problem not within the scope of the inspection (or not relevant to the ISO 9001 standards they are testing the area against), they may still evaluate it to see what risks may come with not addressing it. If there is a chance the problem could affect your ISO 9001 certification eligibility, they may ask for corrective action to be taken.

Other problems with noncompliance with ISO 9001 that your auditors will find will be addressed with auditees and generated in the documentation they create. The documents usually take the form of a checklist or table that provides the following information:

1. Section of the ISO 9001 standard
2. Name of the requirement
3. Observations and comments
4. Acceptable/deficient condition (Are you compliant or not compliant with the ISO 9001 requirement?)

Preparing for the Official ISO 9001 Certification Audit

When preparing for the external ISO 9001 certification audit, the focus should be setting up an effective quality management system. When your organization is ISO 9001 certified, you’ve successfully implemented a quality management system according to ISO 9001 standards and demonstrated that to an external auditor.

Plan Ahead

Any corrective action taken before the internal audit will help improve the chances of success during the review.

Create a plan with a timeline representing any actions that still need to be taken to comply. In between internal audits, implement these actions so they have enough time to integrate into your quality management system before the next internal audit. That way, by the time you have your next inspection, your auditor(s) will be able to tell you whether or not those actions are sufficient or if anything new needs addressing.

Take the Audit Seriously

You will have about two to three months to prepare for your certification audit, so take advantage of what you can learn from your internal audits until then. Treat your internal audits as if they were the real thing.

Be Professional

This goes along with taking the audit seriously. Treat each employee and section fairly as if it were your department.

Understand ISO 9001 Standards

While your employees don’t necessarily have to memorize the ISO 9001 standards, they should know enough to understand the expectations and what will be audited in relation to them.

Prepare Your Team

Just like the external ISO 9001 audit, ensure that your employees are always prepared before an internal review. Ensure that everyone is on the same page about what will happen during the check and the information/documentation they need to know.

Check for Implementation

Since your internal audits are essentially practice runs for the official external audit, they are the perfect opportunity to ensure that the quality management system you have planned for your organization is correctly implemented and that any new processes are being followed accordingly.

It is also a good time to assess whether your QMS is working effectively. Internal audits provide an opportunity for businesses to adjust their systems if they have a flaw or portion that is not ISO 9001 compliant.

Follow Normal Procedures

During the internal audit, follow safety procedures in addition to all other procedures that should be followed throughout the organization's departments.

Be Honest

Make sure your employees are honest with the auditors. The point of internal audits is to help the organization improve well before the certification audit takes place. Improvements can’t happen if your employees are not entirely transparent about how their department runs.

The Third-Party Auditor

The external audit process will work similarly to your internal audits; the only difference will be who performs the audit. You must demonstrate your ISO 9001 compliance to an external or third-party auditor to achieve certification.

An ISO 9001 registrar (also referred to as a Certification Body or CB) will assign the third-party auditor (or auditor team) to your organization. This independent entity issues the ISO 9001 certificate once the auditor has approved it.

Certification Audit Process

The external audit can occur after completing a successful internal audit and having at least two to three months of documentation and records from your ISO 9001 procedures.

The official auditing process has three steps: the opening meeting, the auditing process, and the closing meeting.

Opening Meeting

When the external auditor(s) arrives, the management team and the auditor will first meet to review any management review meeting notes and your organization’s quality objectives.

The auditor(s) will discuss their role and the auditing schedule during the meeting. Depending on the size of the organization, the auditing process may take up to a week.

Audit of Processes and Quality Management System

After the opening meeting, the auditor(s) review your quality management system processes using their audit schedule as a guide. (Note that some process reviews may take more or less time than scheduled.)

The auditor(s) will visit a few or all of your departments to check if the ISO 9001 requirements noted in your documentation are implemented and being followed by staff. The auditor(s) will interview staff members, asking questions and noting what they discover; depending on the findings, auditors may make a note for further evaluation.

This will be when most of the auditing process takes place; during this step, you and your team will gain insight into what you are doing well and what needs improvement for better compliance.

Closing Meeting

If the auditor(s) find any problems in compliance with ISO 9001, they will bring those concerns up for you to take corrective action before receiving ISO 9001 accreditation. Some auditors may offer recommendations based on those findings. All this and more will be in an audit results report for senior management and employees to review.

However, if the auditor(s) do not find any significant issues with your QMS, you will be awarded an ISO 9001 certificate following the audit.

Tips to Pass Your External ISO 9001 Certification Audit

Be Prepared: Stick to Your Plan

A successful ISO 9001 system requires ongoing maintenance and takes a while to implement. It is most certainly not a one-time, one-hour ordeal.

Create a schedule outlining how to implement your new ISO 9001 system. What requirements should be met in a month? In a year? Create a timeline with milestones to make sure you stay on track. The last thing you want your organization to do is rush to meet the ISO 9001 requirements weeks before your official certification audit.

Prepare Your Employees

Your employees and management should also be prepared for the audit. Make sure they are up-to-date on the following quality management system features:

1. Quality Policy—Review the quality policy with your teams and make sure all of your employees understand it. They don’t have to memorize it, but they should at least have a clear understanding of the company’s quality management system and its goals.
2. Quality Objectives—Employees should know your organization’s quality objectives and how their day-to-day systems help meet these objectives.
3. Training - Ensure all employees have been adequately trained to perform their roles according to ISO 9001 standards.
4. Documentation - All employees and management should know where to get updated copies of documentation for procedures, work instructions, and forms related to their position and department.
5. General Audit Information - Inform your employees about the scope of the audit, when they should expect to be audited, and what the auditor may be checking for within their department.
6. Interviews—Your employees should be able to answer the auditor's questions honestly and confidently and should be comfortable saying, “I don’t know,” if they are unsure how to respond.

Review Documentation

Your team should be very familiar with relevant documentation to their role and area, but it's also important that your documentation is accurate in the first place. First, you should have the following documents on hand:

• Quality policy
• Procedures
• Scope of the quality management system
• Process map or flowchart
• Quality objectives
• Work instructions
• Forms
• Records

Before your audit, also review your documentation to make sure it is:

• Up-to-date with your current QMS
• Approved by management and supported by employees
• Followed by employees, the document pertains to
• Being used correctly by management and employees

It would be best to ensure any obsolete or outdated documents are removed and no longer in use.

Ensure Processes are Being Followed

All procedures that your organization has implemented under ISO 9001 standards (whether documented or not) should be followed. Ensure your employees are aware of any updated quality management system procedures that apply to their role and department and follow the new systems accordingly.

It’s also vital to check that all employees perform critical processes correctly (and in the same way).

Have Corrective Actions Ready or Implemented

Please resolve recurring problems as soon as they appear during internal audits. By starting early, you can find quick, foolproof solutions to the flaws in your quality management system.

If an auditor finds a problem during your official auditing process, they will give you enough time to repair those issues. If you are able to resolve those conflicts, you can still be certified.

However, if the auditor uncovers a problem you have seen often and doesn’t have a solution, you could lose your chance at certification. Therefore, you must address any findings from your internal audits before your certification audit. Also, make sure that for corrective actions that have been executed, you have verified them for effectiveness and have documentation that supports that.

Use Your Internal Audits as an Example

Regular internal audits allow you to see any concerns regarding ISO 9001 requirements. By assessing your company routinely, you can correct anything that needs fixing long before your official certification audit.

In addition, internal audits will allow management and employees to be more prepared for the real deal, especially the interview process.

Be Professional

Like your internal audits, it's important to be positive and professional. Make sure you make a good impression on the auditor—treat them professionally and with respect.

Remember that the external auditor isn’t your enemy—they’re trying to help you and your organization uncover any weaknesses so that you can take corrective actions to ensure a high-quality standard for your employees, your company, and, ultimately, your customers.

Have a Management Review Before the Audit

A good management review assesses the quality management system you have established for your organization at least once a year. Senior managers should review the following:

1. Quality policy
2. Objectives for the following year
3. Customer feedback
4. Nonconformity issues and corrective actions
5. Status of internal audits
6. Changes to processes and regulations

Routine management reviews should be documented according to ISO 9001 requirements. Each review should be followed by an actionable plan to resolve any concerns identified during the meeting. Such concerns should be resolved before the next internal audit so that suggested changes have enough time to be implemented.

Monitor Your Objectives and Record Your Progress

The auditor who visits your facility will want to see documentation or records that have tracked your progress while implementing your ISO 9001 system. They will look for evidence showing that you have been following your plan and meeting objectives. It is perfectly okay to change future goals if the business environment has changed since you have set the objectives; for example, perhaps the economic climate has fluctuated so that you may increase or decrease your sales goals.

Put Your Best Foot Forward

The ISO 9001 certification audit is critical to your organization, employees, and customers. Make sure you put your best foot forward!

An audit can be difficult to conduct in an unorganized or dirty workplace. Ensure that all of your company’s workplace areas are clean and organized, including any offices, desks, warehouses, or floors. Also, make sure any paperwork or documentation is organized and easy to access.

It helps if managers perform an initial inspection to ensure everything is where it should be and neat before the official audit.

What is your Fail? Reapplying for ISO 9001 Certification

Suppose you cannot commit to a significant issue found by the auditor with compliance. In that case, you must address those problems based on the auditor’s recommendations in their auditing report. Some of the most common significant problems found in quality management systems include:

• Stakeholders not defined
• Lack of monitoring and measurement processes
• No evaluation of internal or external risks
• Missing action plans to mitigate risks
• Ineffectively recording and documenting organizational knowledge
• Weak control of documents and data

Perform at least one or two more internal audits before you attempt your official certification audit again to ensure that action plans have been executed and have demonstrated their effectiveness.

You've Passed! Maintaining Your ISO 9001 Certification

Your first external ISO 9001 audit will certainly not be your last; certification only lasts three years. After that, you will need to have another external audit performed to renew your certification.

Suppose you have successfully maintained your quality management system and kept up with internal audits to ensure your organization still meets ISO 9001 standards. In that case, the routine external audit should go without a hitch. Also, if your company has implemented an effective QMS, improvements will automatically come about, increasing your chances of maintaining certification for much longer.

The entire process of implementing a quality management system in your organization according to ISO 9001 standards is well worth the time and money. While the ISO 9001 external audit may seem intimidating because it determines your certification status, your company will learn a lot more about your organization and its strengths and weaknesses.