Before we dive into the world of ISO audits, if you’re savvy on ISO audits and are just here for a complete, actionable, and totally free ISO 9004:2018 self-audit checklist, you can grab that here:
Otherwise, read on.
What is an ISO audit?
An audit in the context of ISO standards is the process of verifying that a particular business system or feature, whether a process, a quality management or business process management system, or a product, conforms to a defined set of requirements.
The requirements against which an organization is assessed may be defined by a particular ISO family standard, or they may reflect a need to analyze specific performance indicators or business needs.
For a more formal definition, the ISO 19011:2018—Guidelines for Auditing Management Systems standard defines an audit as:
“[the] systematic, independent and documented process for obtaining audit evidence [records, statements of fact or other information which are relevant and verifiable] and evaluating it objectively to determine the extent to which the audit criteria [a set of policies, procedures or requirements] are fulfilled.” – ISO 19011:2018 – Guidelines for Auditing Management Systems
What is the purpose of an audit?
Why the audit is taking place will depend on the intent of the organization, and the context in which the audit is taking place.
There are many kinds of audit, used for different purposes. Some assess performance; others check compliance and conformance. Which one applies depends on the needs of the company or the specific regulatory context.
Performance-related audits include value-added assessments, management audits, and continuous improvement assessments.
They are generally used to assess how well a company is performing against its business goals.
Compliance and conformance-related audits are typically used to collect evidence that verifies conformance with specific SOPs or QMS standards.
Types of ISO audit
First, second, and third party audits
ISO audits fall into three main categories:
- First-party (internal)
- Second-party (external)
- Third-party (certification)
First-party, or internal, audits are performed within an organization to measure strengths and weaknesses against internal business goals and/or external standards. Those external standards may be voluntary or mandatory, depending on the regulatory context of the audit.
Auditors carrying out a first-party audit are typically employed by the organization, but should have no vested interest in the results of the audit.
Second-party, or external, audits are usually carried out at the request of a customer (or by an organization contracted on the customer's behalf) on a supplier of products or services.
Their purpose is to confirm that the supplier is doing what it says it is doing (or is going to do) under the contractual agreements in place.
Third-party audits are typically undertaken when an organization wishes to become ISO certified. They are almost always performed by an auditor from a designated Certification Body.
They should be performed by an audit organization outside the customer-supplier relationship, so that there is no conflict of interest.
Depending on the context, a third-party audit usually results in a certification or license approval being awarded, but may also result in a citation, fine, or penalty if the audit fails.
Process, product, and system audits
Within the above categories, audits can also be grouped by what they actually examine. On that basis, the following sub-categories can be outlined:
- Process audits
- Product audits
- System audits
Process audits are designed to confirm that the business processes in a company are performing against their designated goals and KPIs. The components of the process are assessed by their effectiveness in this regard.
The scope of a process audit may include:
- Checking the process adheres to specific metric requirements such as time taken to complete the process, cost, accuracy, risk, and even more industry-specific parameters such as responsiveness, amperage, pressure, composition, etc.
- Examining all resources used by the process, including people, equipment, and materials (including other processes and workflows) with the goal of understanding how effective/efficient the process is at converting inputs to outputs (resources to results) in order to determine process performance.
- Assessing the efficacy and design of instructional/informational material used to establish standards of conformance and process control in an organization. This can include checklists, flowcharts, diagrams, and any kind of representation or documentation of a process.
Product audits examine particular products or services offered by an organization to assess whether they conform to certain requirements. These might be performance standards, requirements set by customers or clients, or ISO standards.
System audits are used to assess management systems. They evaluate existing QMSs to determine their conformance with policies (internal/external), contractual obligations, and other regulatory requirements.
Examples of system audits include: environmental management system audits, food safety system audits, quality management system audits, and safety management system audits.
Ways ISO audits can be conducted
There are three main ways audits can be conducted:
- On-site audit
- Remote audit
- Self-audit
On-site audits are typically performed and recorded in increments of full days. The number of days needed to complete an on-site audit depends on the size and complexity of the organization being audited.
Remote audits are less common than on-site audits, as they are generally considered to be less effective. Nonetheless, they are performed via web meetings, teleconferences, or similar electronic communication and verification.
Self-audits don't always refer to internal audits; they can also be requested by customers who seek assurance that their suppliers are meeting certain requirements or regulatory standards.
What happens during an ISO audit?
The main phases of an ISO audit are:
- Preparation
- Performance
- Reporting
- Follow-up and closure
Preparation
In short, the preparation phase is where you plan how the management system will be checked against the relevant ISO standard.
It covers everything you and any interested parties (the different auditors, the client, program managers, etc.) need to do in advance so that the audit can establish conformance with a specific ISO standard, or whatever objective needs to be met.
It starts as soon as the decision is made to conduct the audit, and ends when the actual auditing process begins.
Performance
This phase checks that the actions needed to meet the quality objectives or ISO standards set by the organization are actually being taken.
It can also be referred to as "fieldwork". It is essentially a data-gathering task spanning the entire on-site period, up until the exit meeting.
Activities within the scope of the performance phase include on-site audit management, meeting with the auditee, understanding processes and system controls, and confirming that they work.
Reporting
The goal of this phase is to verify that any problems within the management system have been acknowledged, documented accordingly, and communicated to the relevant interested parties.
Producing a report is usually a required task; the report should contain clear and accurate data that management can use to address and/or correct the important issues raised during the audit.
The report is commonly issued at the end of the auditing process, or as soon as the specified follow-up response has been completed.
Follow-up and closure
This phase is essentially a post-audit stage concerned with implementing any improvements or follow-up actions designated in the audit report.
"The audit is completed when all the planned audit activities have been carried out, or otherwise agreed with the audit client." – Clause 6.6 of the ISO 19011 standard
The standard goes on to state that verification of any follow-up actions may be part of a subsequent audit.
ISO 9004:2018 Self Audit Checklist
Internal audits are used to assess effectiveness and identify opportunities for improvement within business systems. They can also be used to help prepare for external audits.
Below you'll find a fully fleshed out self-audit checklist you can use in accordance with the 2018 revision of the ISO 9004 standard:
Example ISO audit question
What’s your quality policy?
What’s the intent of this question?
- To determine how well you have communicated the policy to your employees, and whether they have internalized it.
- To confirm that employees actually understand the quality policy.
- To check that a quality policy exists at all.
Potential responses to this question
- Ideal: Employees can quickly and easily locate the quality policy and can give clear instructions on how and where to access it. They can also articulate in their own words what the policy means to them, how it affects their work, and why it matters to them.
- Above adequate: Employees can access the quality policy, read it confidently, and show an understanding of what they are reading.
- Adequate: Employees know where to find the quality policy, but don't necessarily understand it or care about it.
Tips to prepare for an ISO audit
Use these five tips to prepare yourself for an ISO audit:
- Establish a process
- Practice with internal audits
- Identify recurring problems
- Review your QMS
- Understand your objectives
1. Establish a process
Establishing a process helps your organization normalize adherence to ISO standards, and is possibly the most general tip for preparing for an ISO audit.
The ISO 9004:2018 self-audit checklist mentioned earlier in this article is a great start, or you could take a look at one of the structure templates for an ISO 9000 QMS mini-manual outlined in this policy and procedure template article, both embedded below.
The first one is designed for you to use as a blueprint to flesh out and support your own QMS mini-manual. The placeholder text in this template provides instructions as to the kind of content you will need to include:
The next is an example of what the above template structure might look like after it’s completely filled in, using a fictional company profile called Brightstar Marketing. Use it as a reference point for how to properly fill out and use your template.
2. Practice with internal audits
Holding practice audits internally can help you identify any glaring non-conformances ahead of time, in preparation for the real thing. They should be taken seriously, and can also be used to prepare staff for audit interviews.
Generally they help to relieve pressure ahead of a "real" audit. As mentioned above, the self-audit checklist in this article is a good way to prepare.
3. Identify recurring problems
Recurrent problems often point to the most serious systemic issues, and steps should be taken to limit or eliminate them as soon as they are identified, prioritized by severity. Single occurrences of non-conformance are to be expected and will not necessarily endanger your audit result, but a recurring problem clearly shows that it is not an anomaly, and it could significantly delay your certification.
4. Review your QMS
Your quality management system is a crucial component in the success of any ISO audit performed on your organization, and a QMS review deserves due care to ensure conformance with the relevant requirements.
You should be looking over your entire QMS at least once a year, during your management review. During that review, you should cover:
- Quality policy
- Objectives for the next year
- Customer feedback
- Non-conformity issues and corrective actions
- Status of internal audits
- Changes to processes and regulations
Your QMS review must be thorough and well documented, so that its results can be used to create an action plan for resolving any issues identified during the review.
QMS reviews should be done well in advance of an audit, so that any problems can be fixed without complication.
5. Understand your objectives
Set, monitor, adjust. That should be your mantra for objective management.
Since the 2018 revision, you have to be stricter about monitoring your objectives. Remember that they need to be in line with business demands and mirror your real situation; don't be afraid to adjust them to reflect changing needs.
Using Process Street for ISO compliance
Since the 2015 revision of the ISO 9001 standard, it has never been easier to make your SOPs highly actionable, and even automated, while still adhering to strict ISO standards within your organization.
With Process Street you can stay ISO compliant while managing your workflows and business processes, all in one piece of easy-to-use, quick-to-learn software.
So what are you waiting for? Sign up for a free account today!
How do you typically approach an ISO audit? Was there anything in this article that you found particularly useful, or even disagreed with? We want to know so we can improve this resource, and provide you with the best information possible. Let us know in the comments below!