The International Organization for Standardization (ISO) sets international standards in the industrial and commercial fields of the world.
Nowadays, businesses can implement various ISO management systems depending on the products or services provided to gain profits and stay ahead of competitors. Various industries that compete globally are usually ISO certified to prove to their customers that the products and services provided can be trusted with multiple attributes such as quality, security and safety.
The implementation of ISO management system standards has several benefits, such as increased company credibility, customer trust, employee performance, and company image.
To be ISO certified and subsequently maintain your ISO certification annually, your organisation is required to conduct internal audits regularly as part of the ISO standards’ requirement to ensure good implementation of processes in your organisation’s management system.
At the end of this page, you will be able to:
- Gain a better understanding of what an ISO audit is and the checklist required.
- Learn the three types of audits.
- Learn how to prepare for an ISO Audit.
- Learn how to perform an ISO Audit.
What is an ISO audit?
An ISO audit is an activity that companies conduct to evaluate, confirm, and verify processes related to the quality, security and safety of products and services so that companies are able to ensure the management system has been effectively implemented.
The objectives of conducting an ISO audit are:
- To check the suitability of standards, regulations, procedures and conditions of implementation in your organisation.
- To ensure consistency in the implementation of processes.
- To look for areas of improvement and to develop key processes and working conditions in your organisation.
- To comply with statutory and regulatory requirements.
- To fulfil customer requirements or market demands.
The standard that provides guidance for conducting an ISO audit is the ISO 19011:2018 – Guidelines for auditing management systems.
In general, the parties involved in an ISO audit are the auditor and the auditee. The auditor is the person responsible for carrying out the audit, while the auditee is the person or party being audited.
What is an ISO audit checklist?
The ISO audit checklist is made as part of the audit programme for the auditor to reference the essential clauses that need to be checked. In addition, the audit checklist can also be used as a guideline by the auditee to prepare before being audited. As part of the audit planning, an ISO audit checklist should be prepared by the auditor.
An ISO audit checklist should be developed taking into account:
- Audit Scope and Depth.
- Relevant ISO standards, regulatory, customer and internal requirements (e.g., ISO 9001:2015, ISO 13485:2016, US FDA, GMP, etc.).
- Defined audit plan and criteria.
The ISO audit checklist must be able to demonstrate that the standard requirements have been met, as well as the requirements that have not been met. Typically, this is the indication of conformance / non-conformance for the respective clauses.
What are the 3 types of audits?
There are 3 types of audits that you need to know to successfully maintain your ISO certification and check the effectiveness of your company’s operations and business processes.
1. FIRST PARTY AUDIT
A first party audit is an audit carried out within your company. This audit is also known as an internal audit. Your organisation must plan the internal audit programme and schedule its date of implementation.
Your organisation must also explain the audit process in one of the procedures, stating the frequency of the internal audit to be conducted and what is the purpose of the internal audit that will be conducted.
An internal audit can be carried out by a designated department/section consisting of internal auditors, or it can be carried out by an ad hoc or outsourced internal auditor team as and when it is required.
First party audits are usually carried out as an evaluation of compliance with standards such as ISO 9001:2015, ISO 14001:2015 or ISO 45001, as well as other standards according to the needs of the organisation. An internal audit may also be treated as a gap analysis process to identify the gaps within your organisation.
Common areas that are usually checked during an internal audit include the organisation’s quality policy, quality objectives, risk management, management, document control, resources, and operation processes.
2. SECOND PARTY AUDIT
A second party audit is also known as a supplier audit. A supplier audit is an audit conducted by the purchaser or customer on a supplier or company providing products or services to the purchaser. In this case, as long as your organisation has a purchasing process, a second party audit is usually inevitable for critical products or services.
In the case of outsourced processes, most companies would perform checks on their suppliers and evaluate the impact of the suppliers’ processes as part of their whole operations. A supplier audit may be carried out by an audit team appointed by the purchaser.
Similar to first party audits, second party audits should be planned as part of your organisation’s audit programme schedule and communicated to the supplier. The ISO audit checklist may also be used to audit areas relevant to the supplier and your organisation.
For example, your company is a well-known clothing company abroad. Your company wants to appoint a local company in Singapore to manufacture clothes on behalf of your organisation. Then, your company will have to conduct a supplier audit to ensure that the local company can make clothes according to your organisation’s requirements.
Suppose your organisation adheres to specific ISO standard requirements. In that case, the supplier should be audited against that standard as well. One tip to smooth this audit process is to check whether the supplier already complies with the ISO standard that your organisation is currently complying with. This will ensure that a common understanding is established for the required processes defined by the ISO standard.
3. THIRD PARTY AUDIT
A third party audit is also known as a certification audit. This audit is always carried out by the auditors of a certification body. This audit process aims to assist your organisation in achieving ISO certification to the relevant ISO standard by an approved certification body. The certification body must be accredited by a recognised accreditation body as well.
Certification audits are generally carried out in 2 stages. One of the requirements prior to a certification audit is the evidence that the organisation has implemented a management system for at least 2-6 months, depending on various certification bodies.
The first stage is usually called a ‘desk audit’, which is an audit that checks the completeness of documents against the requirements of the standard. The second stage is generally called a ‘compliance audit’. During this stage, the Certification Body auditors (ISO auditors) will examine objective evidence stated in the documented information or company’s procedures, work instructions and records.
If there are no major audit findings, the Certification Body will recommend your organisation for ISO Certification. The ISO certificate will then be issued and is usually valid for a period of 3 years. Subsequently, for the next two years, your organisation will be evaluated through surveillance audits to ensure that your management system is still being implemented effectively. During the fourth year, a re-certification audit will usually take place and the cycle repeats.
What are the types of ISO audits?
As discussed earlier, ISO audits are carried out in accordance with the ISO standards applied in the organisation to assess the effectiveness of the management system in the organisation.
Here are some types of ISO audit on standards that are generally applied by various industries:
1. ISO 9001 (QUALITY MANAGEMENT SYSTEM) AUDIT
The ISO 9001 audit process is carried out to evaluate the compliance of your organisation’s Quality Management System (QMS), whether it is in accordance with ISO requirements and ensuring continual improvement. ISO auditors will check and review the completeness of documented information on the results of the activities of each department in providing quality products and services.
ISO 9001 is the most commonly applied standard. This standard is a generic one that may be applied to all industries looking to enforce quality in their products and services.
2. ISO 14001 (ENVIRONMENTAL MANAGEMENT SYSTEM) AUDIT
The ISO 14001 audit process is carried out to ensure that the Environmental Management System (EMS) implemented by the organisation complies with the requirements of ISO 14001 and applicable environmental regulations, and to determine that the Environmental Management System has been implemented and maintained effectively.
You may refer to this article here for more information on the content of the ISO 14001 Environmental Management System and its requirements.
3. ISO 45001 (OCCUPATIONAL HEALTH AND SAFETY MANAGEMENT SYSTEM) AUDIT
The ISO 45001 audit process is carried out to ensure that the Occupational Health and Safety (OH&S) management system implemented by the organisation complies with the requirements of ISO 45001 and applicable OH&S regulations, as well as to determine that the OH&S management system has effectively and proactively prevented work accidents and adverse effects on health.
More information on the ISO 45001 standard.
4. ISO 27001 (INFORMATION SECURITY MANAGEMENT SYSTEM) AUDIT
The ISO 27001 audit process is implemented to ensure that your organisation’s Information Security Management System (ISMS) complies with ISO 27001 and other regulatory requirements. The main focus of this audit will be to ensure the confidentiality, integrity and availability of information handled by your organisation.
More information on the ISO 27001 standard.
5. ISO 13485 (MEDICAL DEVICE QUALITY MANAGEMENT SYSTEM) AUDIT
The ISO 13485 audit process is implemented to ensure that your organisation’s medical device Quality Management System (QMS) complies with the requirements of ISO 13485 and the medical device regulations of the various countries in which you operate.
This audit process focuses on your organisation’s ability to ensure the safety, quality and performance of the medical devices that are being designed, manufactured or distributed by your organisation.
As ISO 13485 is also a Quality Management System standard, organisations that wish to take a step further may easily apply for ISO 9001 certification, as most of its requirements are already fulfilled under ISO 13485.
More information on the ISO 13485 standard.
6. OTHER ISO MANAGEMENT SYSTEM AUDITS
Several other ISO standards, such as ISO 22301, ISO 22000, etc., can be audited according to the organisation’s products, services, business processes and management systems.
These management system audits usually require the adoption and practice of:
- First party audits (internal audits) – To check and ensure internally that your organisation has complied with the standard’s requirements.
- Second party audits (supplier audits) – To check that your organisation’s suppliers have complied with the standard’s requirements.
- Third party audits (certification audits) – To obtain and maintain your organisation’s official ISO certification.
How do I prepare for an ISO audit?
An ISO audit is usually scheduled at least once a year, depending on the process being audited. It must cover all activities, especially those relevant to the management system or ISO standards being implemented. Companies need to consider the following while scheduling for an ISO Audit:
- The complexity of procedures or processes, which may need to be separated and audited at different times.
- The processes that have a history of recurring problems and therefore need more frequent or detailed examination.
First, your organisation should plan an internal audit programme to take into account the status and importance of the processes and areas to be audited, as well as the results of previous audits. Audit criteria, scope, frequency and methods should be determined.
Next, your organisation should select auditors for your internal audit process and ensure objectivity and impartiality of the process. Ideally, internal audits should be carried out by an individual with no affiliation or direct responsibility for the work performed in the area being audited.
Internal auditors do not need to have technical knowledge of the process being audited. However, auditors must understand the audit standard, audit procedures, what is involved in internal audits processes and be able to assess whether the documented process is being followed properly.
An internal audit requires information from various sources to confirm that the process is being followed properly. To achieve this, the following activities may be necessary:
- Understand relevant procedures, work instructions, standards, laws and regulations.
- Identify areas to be audited, including outsourced processes.
- Request permission from the auditee for the area being audited, including access to confidential documented information.
For an internal audit to be carried out in an orderly and systematic manner, your organisation should also prepare an audit checklist that lists the processes to be reviewed and the evidence to be collected. It is also important to consider whether the area being audited still meets the requirements and achieves its objectives.
Next, conduct the internal audit. By performing the internal audit, your organisation will also be preparing for an actual ISO audit conducted externally by the certification body.
How do I conduct an ISO audit?
The ISO audit may be carried out internally according to the planned audit schedule and programme. The appointed auditors carry out their duties using an audit checklist prepared as an audit tool. Before starting the internal audit, auditors should explain the details of the audit to the auditee, such as the purpose of the audit and how and when it will be conducted and reported.
Together with the auditee, the auditor will then examine the documented objective evidence, evaluate process performance and compare it with the ISO standard requirements.
Be sure to take into account the competency level, qualifications and training of the staff being audited. It is also essential to determine whether the process or area being audited is still relevant or needed.
Any problems identified should be discussed with the auditee so that the auditee can define the correction or corrective actions that determine how the team or department will prevent future occurrences (such as further employee training, adjusting processes, updating documentation, document control, etc.).
After conducting the internal audit, the final step will be to present the internal audit results during the management review meeting. Part of the management review process is gathering the necessary objective evidence in a manner that can be immediately reviewed and analysed by your team.
In most cases, evidence that management reviews have been conducted is itself a requirement of management system standards.
Each audit finding and non-conformance (NC) is documented according to the checklist. A separate checklist can be used for each individual audit performed on a department or supplier.
A proper ISO audit is an audit process that can help your organisation to decide whether your organisation’s processes are accurately documented, properly implemented and effectively maintained. Regularly scheduled ISO audits can help companies find issues that may lead to deviations from the company’s own “Best Practice” interpretation and help companies identify opportunities for improvement.
As a company that provides management system consulting, Stendard can help your organisation by providing ISO audit services (supplier and internal audit) with experienced ISO consultants in various industries and providing training for prospective internal auditors in your organisation.
In addition, Stendard also provides gap analysis services if your organisation has already implemented a particular management system. We will evaluate existing systems against the related standard requirements to identify your organisation’s readiness for your certification audit.
If you have any queries, always feel free to reach out to us.