Once your business has obtained ISO compliance it needs to maintain its status. Your business will need to agree to regular audits, monitor and document your activities.
An ISO auditor will review your records to ensure you are eligible to retain your ISO-compliant status.
During an ISO Audit I would check to ensure you are doing what you are following your documented processes. This would include: verifying that the management system you have in place complies with the relevant ISO standard and checking to ensure actions meet the quality objectives of the organisation.
An independent ISO audit improves your reputation by demonstrating your commitment to quality, the environment, and workplace health and safety. It confirms your pledge to improve information security management and the integrity of your information processes – vital parts of ISO 27001.
A successful ISO audit also improves staff morale by communicating a positive message to employees, it will cultivate leadership and inspire creativity across your business.
There are two types of ISO Audits which I can help you with; Internal Auditing and ISO Certification Body Auditing.
Completing your own Internal Audit
Internal Audits can benefit your business by reducing non-conformities to meet the needs of your customers. Simultaneously they can increase the productivity of your products or services to develop continual improvement across your business.
The Internal Audit life cycle has four stages, which will support your business and satisfy the expectations of your ISO Certification Body.
Planning is the first step in any management system audit. In most businesses this usually consists of two levels; an audit schedule & an individual audit plan.
Your audit schedule is a strategic activity usually prepared by your management. Systems lead and consist of a series of internal single audits. These can be based on previous audit results, risk management and should cover the important areas of the business that is supported by top management.
The individual audit plan helps to refine and clarify the audit scope of what is required in the audit schedule. Typically, this can include;
- Clauses of the standard
Remember, audits are designed to provide assurance to show effectiveness, bring business improvement and ensure customer satisfaction.
To execute an Internal Audit you can use the 4 common auditing techniques either individually or as a combination.
- Compliance auditing- Used to ensure that the management system documentation and defined processes comply with a document of external origin.
- Product/ vertical or end to end to end auditing-
This is an effective means of auditing a range of processes throughout the business which is applied to a particular product or contract. This type of audit requires a good understanding of business processes and activities.
- Configuration Auditing- There are two types of configuration auditing.
-Functional Configuration Audit which examines or verifies that a configuration item has achieved the functional and performance characteristics specified in the product information.
– Physical configuration audit formally examines and verifies that a configuration item has achieved the physical characteristics specified in the product information.
- Process auditing- This is the most common way to audit and is an examination of results to determine whether the activities, resources and behaviours that cause them are being managed efficiently and effectively.
The final stage of the Internal Audit generally uses a two-phase approach to audit report preparation.
- Informal debrief- The Internal Auditor will debrief you and discuss general conclusions or any findings which require attention or action.
- Formal report- After your Informal debrief, the Internal Audit will prepare a Formal Audit report containing a summary of the audit, objective evidence, an overview of the samples referenced, an evaluation of findings and non-conformities.
This is an important part of the Internal Audit life cycle as it allows your organisation to monitor necessary actions and when they are due to be completed.
The follow up verifies the implementation of the actions and you can review the objective evidence where possible or support a further assessment if needed then formally close the audit.
ISO Certification Body Audit
Stage 1 Audit
This will be conducted by your chosen Certification Body. Your auditor will investigate whether or not you have successfully managed to comply with the proposed scope and the targets you have set for your company.
The Stage 1 Audit may show up some weaknesses and areas for improvement, however this process is designed to be constructive, and DTC can help prepare you for the stage two audit.
Stage 1 Audit Report
All of the Stage 1 Audit findings are presented in a summarised report. This allows you to focus on the important areas and processes that need strengthening to achieve certification- DTC can help.
The identified areas for improvement are usually classed as non-conformities and are an expected part of the overall procedure for certification.
The 4 most common non-conformities can be caused through:
- Operator error
- Employees need retraining
- Tools or equipment damage
- Incorrect quantity of parts sent
Stage 2 Audit
The stage 2 audit is to confirm that your processes and systems are free from nonconformities.
Again, this will be conducted by your chosen Certification Body. Your auditor will evaluate your performance and efficiency and make recommendations for ISO certification.
There may still be a need to address nonconformities following this audit. Timeframes for completion will be provided by the auditor- I will work with your business to help achieve this.
Annual Surveillance Audits verify that companies are adhering to the standards set out by certification. With larger organisations, the Surveillance Audit may need to be completed through a multi-stage approach to ensure that all the individual units meet the required standards.
The Surveillance Audit will be conducted by an auditor from your chosen Certification Body, who will check any previous nonconformities from previous inspections, the effectiveness of your systems within the context of your audits, new activities and previous results.
During the surveillance audit, all the elements covered in the Stage Two audit will also be reassessed, with a view to ensuring that all the original systems and processes are operating as specified and producing the correct outcomes.
The surveillance audit will always review these areas:
- Systems performance and maintenance
- Corrective actions processes
- The effectiveness of your own internal auditing process
- The implementation of recommendations following your internal audits
- Regular management reviews of ISO implementation
- Customer satisfaction rates
- Updates to the documentation systems
Surveillance Audits are essential for ensuring that your company stays on track with its system and processes. They also prepare your company for recertification, which are planned for the end of each three-year cycle.
Your ISO certificate is valid for three years after your initial issue. Recertification requires you to undergo an audit similar to the initial auditing process, however without the need for a stage one audit.
This audit explores the same areas as Surveillance Audits, but looks more deeply into the holistic and global implications of your implementation strategy. The Recertification Audit will review your processes and systems from beginning to end, and investigate your continued commitment to continual improvement.
The auditor will perform a thorough examination of every aspect of implementation before issuing certification. A strategic assessment plan that underlines the next certification cycle will also be issued.
I can support you throughout all auditing process as part of my ongoing ISO support.
Pre-Qualification and Requests for Quotation
Training and Competence
Brand and Reputation