In the simplest of terms, an ISO management system audit is a check on conformity and effectiveness, measured against the requirements outlined in the applicable standard. Popular ISO standards include ISO 9001 for quality management, ISO 14001 for enhanced environmental performance, ISO 45001 for management systems of occupational health and safety, and ISO 27001 for optimal information security.
During an ISO audit, an auditor would typically verify that the management system conforms to the requirements of the relevant ISO standard, and then verify that it also conforms to internal requirements such as organisational policies and procedures.
Additionally, an ISO auditor will assess the level of effectiveness of the processes and systems or, in other words, measure the extent to which the organisational objectives are being met.
The role of the ISO auditor is to be alert for any improvements that can be made to the system. The focus of the entire process is to verify that problems, issues or non-conformities within the management system have been addressed.
The actual definition of an ISO audit comes from ISO 9000:2015, which states that an audit is a “systematic, independent and documented process” for acquiring objective evidence and analysing it to ascertain the extent to which the audit criteria are being fulfilled.
Within the ISO recommendations, there are three main types of ISO management system audit: first-party audit, second-party audit and third-party audit.
- First-party audits are also known as internal audits. These audits are typically conducted by an organisation’s own staff who have been adequately trained to carry out such processes. Alternatively, these audits can be carried out by an external party on behalf of an organisation if it does not have sufficient internal resources.
- Second-party audits are also known as supplier audits. These audits are typically carried out by a lead auditor within an organisation and are designed to ensure that organisations are actually adhering to their declarations. Simply put, these audits ensure that companies that supply services/products are actually doing what they say they are doing.
- Third-party audits are also known as certification audits. The purpose of these audits is to gain certification to the relevant ISO standard from an approved/accredited body, and they are always carried out by a certification body auditor.
Irrespective of the ISO management standard that you are adhering to, it is mandatory to conduct internal audits regularly. A reference to that statement can be found in ISO 9001:2015 under clause 9.2.1, which states that organisations should conduct internal audits at planned intervals to maintain the effectiveness and requirements of the International Standard. As one of the most popular standards is ISO 9001, this article will outline the steps in the ISO 9001 audit.
ISO 9001 audit
An ISO 9001 audit can be the most effective way to examine an organisation’s processes to identify areas for improvement or possible complacency. Identification of such areas can help the processes to run better, faster and more efficiently.
There are five steps in an ISO 9001 internal audit: planning the audit schedule, planning the audit process, conducting the audit, reporting the audit and following up. Let us examine each of these steps:
- Planning the audit schedule: A critical part of a good process is having an overall audit schedule that is readily available, so that everyone within your organisation knows when each process will be audited over the upcoming cycle. If an organisation conducts surprise audits, it sends a message of mistrust to its employees. By publishing the intentions of the audit, the message changes to one of support, trust and transparency.
- Planning the process audit: The preliminary step in planning is to identify the unique process that will be audited and confirm the schedule with the process owners. This collaborative effort will allow better homogeneity across the organisation. Moreover, the auditor can review previous audits to see if any follow-up is required or if the previously found concerns have been addressed. A good audit plan ensures that the process owner gets value out of the audit process.
- Conducting the audit: An audit should begin with meeting process owners to ensure that the audit plan is complete and ready. Many avenues are available for the auditor to gather information during an audit. Examples of such avenues include talking to the employees, reviewing records, analysing the process data or even observing the process objectively in action. The cornerstone of this activity is to gather evidence that the processes are functioning as planned in the Quality Management System (QMS) scope statement. Additionally, the emphasis is on determining the effectiveness of the QMS in producing the required results. One of the most valuable instruments that an auditor can provide to a process owner is the apt identification of areas that do not have sufficient evidence of appropriate functioning. By pointing out areas that are not up to the mark, adjustments and corrections can be made to improve functionality.
- Reporting: A closing meeting with the process owner helps to ensure that the flow of information is not delayed. Creating written records helps to provide information in a permanent format to enable follow-up. The report should not only summarise the non-conforming areas of the process but should also include the positive areas and potential improvement areas.
- Follow-up: Follow-up is a critical step as it allows us to evaluate if the identified problems have been addressed through the implementation of corrective actions. Moreover, ISO standards dictate that a follow-up is necessary to monitor the disposition of the audited results and ensure that action plans have been effectively implemented.