Organizations use ISO audits as part of the ISO certification process. An audit is a review done by an independent third party that provides assurance regarding continued compliance with ISO standards. Not only does the International Organization of Standardization (ISO) require audits as part of the certification process, it also requires ISO-certified organizations to engage in audits to maintain the title.
When looking to get ISO 9001 certified, organizations need to make sure they compile the documentation to support their Quality Management System (QMS). The required documentation includes both mandatory and non-mandatory information. The mandatory document list includes control procedures, records procedures, internal audit procedures, a list of control of non-conformance procedures, corrective action procedures, and preventive action procedures. Within each of those categories, additional documents need to prove the process works in action.
Organizations may decide to start with an internal audit. The internal auditor may be a corporate employee or an independent contractor, but should be separate from the process being evaluated. Internal audits are often done throughout the year, with internal auditors identifying potential weaknesses and offering suggestions before the external auditor’s review. The internal auditor also tends to understand the individual company more intimately rather than holding the company solely to an external standard.
A certification audit determines whether an organization has collected the documentation, records, processes, and controls needed for being ISO 9001 certified. Starting with a checklist, the auditor reviews the policies, asset inventories, plans, and implementation of policies, procedures, and plans that the organization needs to collect. The audit checklist is used to review management’s responsibilities, including management’s responsibility for review and ongoing monitoring of the controls, and to assist the internal auditor in preparing the organization for the external audit process. By comparing the documentation against day-to-day practices, the auditor ensures that the organization is compliant with the standard not only on paper but also in practice.
Certifications last three years, but during that time, the ISO requires assurance that certified organizations maintain continuous compliance. A surveillance audit is a review in between certifications. These audits occur annually, at a minimum, but may be as frequent as twice in a year. The surveillance audit focuses more on ensuring that organizations maintain the QMS. For example, if the certification auditor noted a weakness or a nonconformity during the initial certification audit, the surveillance auditor will review to ensure that management addressed the concerns. Unlike the certification auditor, who focuses on documentation, the surveillance auditor focuses on implementation.