What happens at an ISO Audit ? And An ISO Audit Checklist Download PDF

May 14, 2015

Archived Blog & News

The content in this blog was accurate at time of publishing, however as standards (and the understanding of their application) change, some of this information may no longer be applicable.
If you have any questions on this or the other topics we’ve covered; please get in touch and we can discuss any queries you may have.

The visit of the ISO assessor seems to be shrouded in mystery.

Apart from what we wrote here, there’s very little on-line to explain what actually happens.

As a former ISO Assessor myself, I thought I’d share what makes for a good assessment visit. And I’ve produced an ISO Audit Free Download Checklist PDF. It provides an easily-printable and edited version of what I’ve written below. It is based on my experience.  Some of what I recommend is pretty basic, and may surprise you! Drop us a line if you need it.

Determine Which Type of Visit is Taking Place. There are three main types of visits ISO assessors complete:-

  • Stage 1 assessments
  • Stage 2 assessments
  • Surveillance or Continuing Assessment visits.

 

If you’ve got to a Surveillance Visit then you should be familiar with how auditors behave, but stage 1 and 2 assessments (for companies who aren’t used to external surveillance of their activities) can be unnerving, so here’s a brief explanation of what should happen at them.

Each certification body has a slightly different way of doing these visits, and although the certification bodies will try to deny this, there’s also a fair amount of variation between the auditors/client managers/assessors who turn up at your premises to complete them. They are human, after all.

So, What’s a Stage 1 Assessment About? The purpose of a stage 1 assessment is really to compare the documentation you have prepared against the standard you want to be approved against, and make sure all the various clauses have been met and the right documents produced.

Think About Some Practical Things! Its worth thinking about the practical needs of the auditor who is about to walk through your door. They might have travelled a fair distance; will they be able to find your premises easily ? Will they be able to find somewhere to park ? Generally speaking, auditors call companies before their visit to confirm details. Try and have some correct and understandable directions ready for the call.  So, “second left after the pub and turn right at the post box” might be fine for people who know the area, but such explanations are not always that helpful to the stranger. On the day of the visit, try and reserve a parking space for the auditor. Yes, these things really matter.  

The Essential Creature Comforts When the person arrives, it’s nice to have somewhere quiet to have an opening discussion, and I’ve never heard of an auditor turning down a drink when they arrive, so be prepared for making a tea or coffee.

Some Standard Procedural Questions. The opening discussion will cover specific issues. Some of these are requirements placed on the certification bodies by their approver (UKAS) so they are said as a matter of procedure. Generally the auditor will:-

  • Confirm the purpose of the visit
  • Confirm your intended scope of approval and the standard you are seeking (ISO9001, ISO 14001,ISO 27001 etc.)
  • Remind you that your contract with the certification body includes confidentiality agreements, so anything you tell them can’t be repeated outside the visit to third parties.
  • Ask for your working times
  • Talk you through a programme for the day
  • Tell you when the closing meeting for the visit will take place
  • Explain the audit process and the classification of findings
  • Ask if there are any significant Health and Safety issues on your property that they need to be aware of
  • They will also ask for the names of those present.

 

Your Assessor Would Value Some Background Information (But Not Too Much…) This could be the first time this auditor has ever heard the name of your company, so having a SHORT presentation explaining what you do and who your market is can be useful. But a 50 slide presentation on the intricacies of your latest product will not be welcomed – the auditor has a set of things to be covered and generally little time to do it so they don’t welcome time wasting.

The Start of Stage One – Reading, and Personal Space. The main part of the visit should then start. As a stage 1 is primarily a comparison of your documented procedures with the requirements of the relevant ISO standard, the auditor is likely to spend the majority of this visit reading and occasionally asking questions to clarify what they don’t understand. Sitting quietly and letting this happen (while providing additional drinks!) is useful and positive. If you have people who can’t stand quiet and insist on rambling on, its best to get them out of the way at this point.

More Creature Comforts. Lunch. Some certification bodies have the provision of lunch built into the contract. Whether they have or not, providing a few sandwiches usually goes down well, and means work can continue while you eat if necessary.

Can You Fail At This Point? (And How Your Auditor Can Help You) A point to note : you can’t fail a stage 1 as the approval decision is only given at the end of the stage 2. The more you can get out of the auditor at stage 1 the better, so the more potential issues they raise the better because it gives you the chance to address them before the stage 2. A stage 1 which finds nothing wrong is not always good news, as the stage 2 can still find things, even things which should have been identified at stage 1.

So the best strategy for stage 1 is to give the auditor access to everything, ask him about anything you aren’t clear about, and make sure he writes down any issues and includes them in the report.

Findings may be graded as:-

  • “Non-conformances”,or…
  • “Non-compliances”.

 

The grading doesn’t really matter at this stage.  But it is vital that any issue the auditor has identified for action before stage 2 is recorded clearly.  And you must understand what you need to do before stage 2. If in doubt, ask.

Important! NEVER let the auditor leave non-compliances or non-conformances that you don’t thoroughly understand, and wherever possible agree the actions you are going to take before they leave your premises.

Closing Actions and The Need for Comprehension. Before they leave, they should hold a closing meeting at which they summarise the day and go through all their findings. Again, make sure you understand what they think is wrong and what they expect you to do about it.

And So To The Stage 2 Assessment A stage 2 visit will begin in a very similar manner to the stage 1, with the auditor commencing with a formal meeting at which he should announce that this is a stage 2 assessment and confirm the scope of activities and the standard the assessment will be completed against.

A Programme of Activities. You should already have a programme of the days activities and the auditor should confirm that you have appropriate people available to explain the various processes and procedures.

Planning The Auditor’s “Tour”. Technically speaking, the auditor should be allowed to choose who he audits in each department, but it is wise that you give consideration to this. The audited person (“auditee”) needs to be able to explain the processes clearly, and preferably with the minimum fuss and time wasting. It’s also worth explaining to the auditee that he should just answer the questions he’s asked in as concise a way as possible. (Personal footnote:- While completing audits I have been provided with auditee’s who’ve just been made redundant and auditee’s with grievances against their employer. In both cases they did the best they could to portray their employers badly and I was given information which the respective companies found embarrassing)

The “Tour” Begins. The audit should then begin, with the auditor going to see the various departments within your business and verifying by a series of questions that the practices described in your documented procedures are being followed. Where issues were raised at the stage one as inadequate or non-compliant the auditor will try and assess the actions you have taken as the audit progresses.

The Closing Meeting. A stage 2 assessment should always finish with a formal closing meeting at which the findings are explained and a recommendation to approve (or otherwise) is given.

So, The Auditor’s Word is Final?  Not really, but.. All the paperwork from the visit, the report and various forms have to be submitted to the management of the certification body for an independent technical review. The auditors recommendation can actually be overturned by this review, although this is fairly unusual, but that is why the auditor should say he is “recommending you for approval”, rather than “granting/giving approval.”

There’s an airline pilot’s saying regarding good landings:- “A good landing starts 150 miles from the airfield”. Simply, if everything is in place, all important staff are briefed, and actions done in a timely and coordinated manner, then the final stage is made much, much smoother, and is a natural consequence of good preparation, planning and handling. This is certainly true of an ISO Audit.

I am “gamekeeper turned poacher”, in that I used to conduct audits before becoming an independent ISO Consultant. I know what both parties feel. So, if I can help, even at a late stage, please get in touch!.

There’s much more to a successful audit than simply “An ISO Audit Checklist Download PDF”