USA / USD

ISO 9001 Certification Audits

19 February 2023

The ISO assessment is conducted in two parts, the Stage 1 and Stage 2 Certification Audits, and followed by Surveillance Audits. In this article we'll explain why, and what it means for your business. We'll also take a look at Pre-Certification Assessment and discuss whether they're necessary. Equipped with this information, you'll make a better decision when arranging your Certification Audit.

The Stage-2 Audit is part of the Certification Audit

1)  Hire a Registrar

The Certification Audit – and the subsequent issuance of the certificate – is done by an ISO 9001 registrar, also called a certification body. The process starts with you selecting a registrar. Not any registrar but one that fits your company's circumstances because your choice of registrar will have wide-ranging consequences and affect the success of your quality management.

You'll typically enter into a 3-year contract with your registrar. The contract includes the initial certification and subsequent Surveillance Audits. Depending on your preference and the registrar's capabilities, you can choose to have the audit conducted remotely or on-site. No matter if you opt for a virtual or physical audit, the effectiveness and results will be the same.

Prerequisites

Before your registrar can commence your Certification Audit, your organization needs to meet the following prerequisites:

Your ISO system needs to be fully implemented

You need to have completed an internal audit

There need to be sufficient records available to verify compliance

Some certification bodies stipulate additional requirements or a minimum number of months (often two) for the acquisition of records but this should be discussed directly with your registrar.

2)  Pass the Stage 1 Certification Audit

The ISO assessment is conducted in two phases. The first is the Stage 1 Certification Audit. It is used by your registrar to verify your company's readiness for the full assessment, to check your quality management system documentation, and to get an understanding of your organization. During the Stage 1 Certification Audit, your registrar examines documents such as the quality policy, the scope of your quality management system, and your procedures, as well as certain records such as internal audit reports and minutes of management reviews. This audit, which is always conducted remotely, is also referred to as Documentation Audit.

Some certification bodies expand the scope of the Stage 1 Certification Audit beyond the review of documentation to include an assessment of your operations. As it comes prior to the second phase of your certification audit and is meant to evaluate your readiness, it's called a Pre-Certification Assessment. It's similar in scope and cost to the main assessment audit and may be conducted on-site or remotely.

Many registrars don't make the Pre-Certification Assessment mandatory but rather sell it as an optional add-on. If you require the peace of mind that this assessment brings, you will be better served by our ISO 9001 Internal Audit Service. Our service is as objective but more rigorous mirroring the certification audit, which allows us to offer our certification guarantee. However, the differentiating factor lies in the consulting and training services accompanying our audit. The included consulting aids in optimizing your organizational operations and overall business performance. In addition, giving your internal auditors the opportunity to shadow our expert provides them with a unique and valuable learning experience.

Your Stage 1 Audit concludes with an audit report that lists any problems that your registrar identified with your documentation or your quality management system.

3)  Undergo the Stage 2 Certification Audit

Upon satisfactory correction of any identified issues, your registrar will conduct the Stage 2 Certification Audit either on-site or remotely. It's the main part of the assessment and it comprises an extensive evaluation of your operations to verify that your ISO system is both effective and in compliance with ISO 9001:2015 requirements. The duration of the Stage 2 Certification Audit is calculated based on your employee count in accordance with the IAF MD5:2023 regulation mandated by the International Accreditation Forum. Small companies with 10 employees, for example, require 2 audit days.

The Stage 2 Audit is performed as a process audit meaning that the auditor follows a sequence of your work activities. Audit activities include the observation of work processes, interviews of workers, managers and executives, and a review of records. The findings are then presented at the closing meeting and formalized in a written audit report.

The ISO 9001 Certification Audit Process

4)  Address Nonconformities

Virtually every audit results in audit findings. Possible findings are minor and major nonconformities as well as observations. A nonconformity is an issue where your organization fails to comply with an ISO 9001:2015 requirement or with one of its own, internal procedures. A nonconformity could also indicate an issue where your quality management system isn't effective. Observations, on the other hand, don't refer to current problems but may warrant attention in the future.

A few minor nonconformities are normal, and you only need to show an acceptable plan for correcting them. Complete breakdowns of your quality management system in one or more areas result in major nonconformities. Due to their severity, your registrar will conduct a follow-up audit to verify correction before recommending your company for certification.

5)  Receive Your Certificate

Once all nonconformities have been addressed to the satisfaction of the registrar, you successfully passed the two-stage certification assessment and you'll be issued your certificate. This process takes about 1-2 weeks. Your certificate will list any limitations of scope (for example, if you excluded departments or products), show the marks of the registrar and accreditation board, and the expiration date.

6)  Surveillance Audits

Though your successful passing of the two-stage assessment concludes your initial certification, it is not the last time your certification body audits your organization. To retain certification your company needs to undergo a so-called Surveillance Audit every 6-12 months. Surveillance Audits are similar to the Stage 2 Certification Audit but require only one third of the time. While minor nonconformities are normal during Surveillance Audits, major nonconformities could lead to decertification.

Conclusion

The various phases of the Certification Audit often cause confusion. Particularly when comparing different registrars and their proposals it's helpful to understand the two-stage Certification Audit and the role the Pre-Certification Assessment plays. After reading this article, you'll be in a better position to make the right decisions when hiring your registrar. And to make the Stage 2 Certification Audit a success, take a look at our audit preparation tips.

Naomi Sato

Naomi Sato

Consultant and Product Manager

Naomi holds dual responsibility as an ISO 9001 consultant and product manager, and is an enthusiastic contributor to our online and print resources.

Think your associates and colleagues might enjoy this article too? Share it!

How can we help?

Please enter your full name

Please enter a valid email

Please enter a valid phone number

Please enter a message

Send Inquiry

Thanks. Your message has been sent. We'll get back to you as soon as possible.

Looking for information or advice?
Ask us anything

We'll reply ASAP

YES

NO