External Audits – What to expect?
External Audits by Certification Bodies are the last step before ISO Certification. Many companies tend to get anxious about this part, as they never feel that they are ready for the audit. However, like any other concept within ISO Certification, this is just another angle through which you can improve your business.
As an ISO Consultant in Malta, Luke Desira gives a full refund to companies that do not get certified after implementing all the systems he advises during the consultancy/training process.
Checks by auditor before audit
Some of the activities that an internal/external auditor should do before an audit are:
- Check the website of the client to become familiar with the company
- Review any other publicly available information
- Prepare an audit checklist, which:
  - Provides discipline to ask relevant questions
  - Follows the requirements of the standard
  - Gives a place in which to store information
Prior to conducting the audit, the auditor must communicate with the client the following items, as per the audit plan:
- Scope of certification
- Company that we are going to audit
- Management system that is being certified (audit criteria)
- Audit team (details of auditors)
- Whether there will be an observer
- Agenda of the full audit
- Timeline of which parts will be audited and when
- Audit checklist
Stage 1 Audit Plan (Readiness Audit):
The stage 1 audit should include the following information:
- Team leader: name of lead auditor (by certification body)
- Audit criteria: ISO 9001:2015
- Audit scope: scope of the company
- Plant tour
- Review context of organization
- Review of context & risk assessment process
- Verification of information regarding statutory & regulatory requirements
- Audit of documented information as required by the standard
- Closing meeting
- Review of key performance parameters
- Review of allocation of resources for stage 2 audit, agree with client and plan for stage 2
- Evaluation of internal audit & management review process(es) – by doing an audit of how they are done
- Assess the overall readiness for Stage 2 audit
- Report the finding including areas of improvement/concern to the client/auditee
Just by way of example, here is the full list of documentation that the external auditor (from the certification body) has requested from my client for a double certification, ISO 9001 and ISO 14001.
- For the Quality Management System:
  1. organization chart;
  2. human resources, job descriptions, skills, any training courses held;
  3. list of equipment;
  4. equipment maintenance;
  5. calibration certificates of equipment;
  6. list of suppliers and relative evaluation (checks on permits);
  7. customer satisfaction;
  8. management review, quality objectives;
  9. context of the organization (internal and external issues);
  10. interested parties;
  11. risks and opportunities (key processes and risks);
  12. audit plan;
  13. internal audit;
  14. list of documents;
  15. list of legislation;
  16. non-conformities and corrective actions (CA).
- For the activity:
  - contract/agreement/order with the client;
  - planning of activities;
  - technical data sheets of the products used;
  - delivery notes / invoices / traceability of materials;
  - checks carried out during the operational phases.
- For the Environmental Management System:
  - fire extinguisher maintenance;
  - last invoices for water and electricity;
  - air conditioning maintenance;
  - waste management: list of waste, declaration to WEEE, last consignment note, declaration of waste production;
  - water/electricity consumption 2020/2021;
  - preparation and response to emergencies: fire drills, environmental drills;
  - employees' fire warden courses;
  - list of legal environmental requirements;
  - Safety Data Sheets of the products used.
So, to put it plainly, the above list is a full, comprehensive list of the documents that must be created for ISO 9001 and ISO 14001 Certification. It is interesting to note that most of these documents are not created on a daily basis (to run the key processes), but rather created/reviewed once a year.
This goes to show that ISO Certification is no longer about having as many documents as possible, but rather about creating a management system that strives for continual improvement.
Stage 1 Audit Report:
The aim of this report is to mention the following points:
- Record for recommendation
- Positive points
- Areas for concern/gaps
Stage 1 checks whether the organization is ready for Stage 2. The auditor will:
- Discuss with top management – context of organization, policy, objectives, risks/opportunities
- Confirm the scope of certification
- Process interaction
- Statutory and regulatory requirements
- Internal audit & MRM (management review meeting)
- Not applicable sections within the standard
- Go through the clauses, to make sure that the documentation/requirements from the standard have been mentioned
Stage 2 Audit Plan (Implementation Audit):
Following the audit that will be done in Stage 1, we will now look for evidence relating to the processes. “Say what you do, do what you say” is a famous saying relating to ISO Management systems. And this is how this is audited:
- Say what you do – Stage 1
- Do what you say – Stage 2
The following is the overall content of the topics that must be discussed in Stage 2 Audit:
- Opening meeting
- Go through the agenda for the day
- Follow-up on corrective actions from Stage 1
- Ideally, you start with the key processes (sales, purchasing, operations, design and development), because these may take a long time to complete.
- For larger organizations, the company is divided into smaller units, in the sense that each department has its own system for how it handles, for example, complaints.
- Note that at the end of the audit there is a ‘wash-up meeting’ to discuss any non-conformities, or any concerns the auditors might have.
- Note that for an audit lasting more than 1 day, there is a feedback meeting at the end of each day.
- Note that for a company being audited by more than 1 auditor, there is an auditor liaison meeting, where the auditors discuss all the observations they have gathered during the audit.
Opening & Closing Meetings of External Audits by Certification Bodies
The purpose of the opening meeting is to:
- Introduce the lead auditor
- Introduce any other participants, including observers and guides, interpreters and an outline of their roles;
- Introduce the scope of the external audit
- All auditees introduce themselves and provide feedback about familiarity with the audit process
- confirm the agreement of all participants (e.g. auditee (management and processes to be audited), audit team) to the audit plan;
- introduce the audit team and their roles;
- ensure that all planned audit activities can be performed
- explain the audit methods, including how risks to the organization that may result from the presence of the audit team members will be managed.
Confirmation of the following items should be considered, as appropriate:
- the audit objectives, scope and criteria;
- the audit plan and other relevant arrangements with the auditee, such as the date and time for the closing meeting, any interim meetings between the audit team and the auditee’s management, and any change(s) needed;
- formal communication channels between the audit team and the auditee;
- the language to be used during the audit;
- the auditee being kept informed of audit progress during the audit;
- the availability of the resources and facilities needed by the audit team;
- matters relating to confidentiality and information security;
- relevant access, health and safety, security, emergency and other arrangements for the audit team;
- activities on site that can impact the conduct of the audit.
The presentation of information on the following items should be considered, as appropriate:
- the method of reporting audit findings including criteria for grading, if any;
- conditions under which the audit may be terminated;
- how to deal with possible findings during the audit;
- any system for feedback from the auditee on the findings or conclusions of the audit, including complaints or appeals.
A closing meeting should be held to present the audit findings and conclusions.
The closing meeting should be chaired by the audit team leader and attended by the management of the auditee and include, as applicable:
- those responsible for the functions or processes which have been audited;
- the audit client;
- other members of the audit team;
- other relevant interested parties as determined by the audit client and/or auditee.
Depending on the audit findings, the audit team leader should:
- advise the auditee of situations encountered during the audit that may decrease the confidence that can be placed in the audit conclusions
- agree with the participants on the time-frame for an action plan to address audit findings.
The following items will also be discussed during the closing meeting:
- advising that the audit evidence collected was based on a sample of the information available and is not necessarily fully representative of the overall effectiveness of the auditee’s processes;
- the method of reporting;
- how the audit finding should be addressed based on the agreed process;
- possible consequences of not adequately addressing the audit findings;
- presentation of the audit findings and conclusions in such a manner that they are understood and acknowledged by the auditee’s management;
- any related post-audit activities (e.g. implementation and review of corrective actions, addressing audit complaints, appeal process).
- Any diverging opinions regarding the audit findings or conclusions between the audit team and the auditee should be discussed and, if possible, resolved. If not resolved, this should be recorded.
- If specified by the audit objectives, opportunities for improvement recommendations may be presented. It should be emphasized that recommendations are not binding.
Auditor skills and traits
The following are some of the skills and traits that an auditor must have to conduct an audit in the most professional and competent manner possible:
- Traits:
  - Professional & ethical
  - Able to reassure the auditees
  - Assertive & diplomatic
- Skills needed:
  - ISO 9001 lead auditor qualification
  - Knowledge of the company's industry
  - Communication skills
  - Reporting skills
  - Probing skills (finding root causes)
  - Time management
Guidelines on allocation of auditor days for External Audits by Certification Bodies
Person Days Allocated
Determine the amount of work involved and the time that will be required. The size and complexity of the audit will mainly decide this, but remember that audits cost money, so try to keep the time as short as possible. There are requirements specified by the IAF for Quality Management System audits.
It must be understood that the time required for the audit depends on a number of factors, as outlined in the text that follows Table 1 below.
Table 1: Guide for auditor time for initial assessment (Stage 1 & Stage 2 together) (derived from IAF MD5:2019)
Note: there cannot be more than 180 days between the Stage 1 and Stage 2 audits.
| Effective Number of Personnel | Audit Time in days (Stage 1 + Stage 2) | Effective Number of Personnel | Audit Time in days (Stage 1 + Stage 2) |
|---|---|---|---|
| 426-625 | 11 | >10700 | Follow progression above |
How time of External Audits by Certification Bodies is split
Approx. 20% of the time is for the Stage 1 audit, and the remaining time is spent on the Stage 2 audit. Note that the time to dedicate to a surveillance audit is calculated from another table.
The term “effective number of personnel” is referred to in ISO 17021 as “personnel” and is typically “persons doing work under the control of the organization”. Certain factors are to be considered when determining the effective number of employees, such as the number of shifts in which similar work is carried out, or many persons doing repetitive work (e.g. data entry, front-office work, identical products being produced on similar machines in a manufacturing set-up, etc.).
For example, let’s take a construction company which operates on a 3-shift basis. If there are people doing similar jobs in the different shifts, then we can exclude the people who are doing the same job as their colleagues in the other shifts.
Table 1 sets out typical number of audit days to be used in an initial assessment. Experience has shown that it is appropriate to base this upon the number of employees of the organization and the nature, scale and complexities of operations for a typical organization in that industry sector.
The auditors’ time should then be adjusted based on any significant factors that uniquely apply to the organization to be audited. The additional factors that need to be considered shall include, but are not limited to, the following.
Factors that increase auditor time:
- Client System Complexity (Physical area of the audit site, Number of processes, Unique processes, Design Responsible etc)
- Complicated logistics involving more than one building or location where work is carried out.
- Staff speaking in more than one language (requiring interpreter(s) or preventing individual auditors from working independently);
- Very large site for the number of personnel (e.g., a forest);
- High degree of regulations (e.g., food, drugs, aerospace, nuclear power etc);
- System covers highly complex processes or relatively high number of unique activities;
- Activities that require visiting temporary sites to confirm the activities of the permanent site(s) whose management system is subject to certification.
Factors that decrease auditor time:
- Very small site for the number of employees (e.g., office complex only)
- Very few processes
- Maturity of management system (example certified for more than 5 years)
- High percentage of employees doing the same, repetitive and simple tasks
- Work being carried out in shifts where the nature of work remains identical
Terms and definitions relating to audits:
The following terms and definitions do not apply only for External Audits by Certification Bodies, but also for internal audits.
- ISO19011 – guidelines for auditing management systems
- ISO 17021 – requirements for certification bodies providing audit and certification of management systems
- Audit evidence – records, statements of fact or other information which are relevant to the audit criteria, and verifiable
- Auditee – organization as a whole or parts thereof being audited
- Joint audit – carried out at a single auditee by two or more auditing organizations
- Audit criteria – set of requirements used as a reference against which objective evidence is compared
- Auditor – person who conducts an audit
- Audit findings – results of the evaluation of the collected audit evidence against the audit criteria
- Observer – individual who accompanies the audit team but does not act as an auditor
- Technical expert – person who provides specific knowledge or expertise to the audit team
- Competence – ability to apply knowledge and skills to achieve intended results
- Audit – systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled
- Corrective action – action to eliminate the cause of a nonconformity and to prevent recurrence
- Non-conformity – non-fulfilment of a requirement
- Audit scope – extent and boundaries of an audit
- Effectiveness – extent to which planned activities are realized and planned results achieved
- Audit programme – set of one or more audits planned for a specific timeframe and directed towards a specific purpose
- Integrity – the foundation of professionalism
- Fair presentation – the obligation to report truthfully and accurately
- Due professional care – the application of due diligence and judgement in auditing
- Confidentiality – security of information
- Independence – the basis for the impartiality of the audit and objectivity of the audit conclusions
- Validation – confirmation, through the provision of objective evidence, that the requirements for a specific intended use or application have been fulfilled
- Output – result of a process
- System – set of interrelated or interacting elements
- Audit trail:
  - Planned – following the thought process to audit a process
  - Investigation – looking for objective evidence for the root cause of a problem
- Quality assurance – part of quality management focused on providing confidence that quality requirements will be fulfilled
- Management system – set of interrelated or interacting elements of an organization to establish policies and objectives and processes to achieve those objectives
- Process – set of interrelated or interacting activities that use inputs to deliver an intended result
- Process mapping – the purpose of process mapping is for organizations and businesses to improve efficiency
- ISO 10001 – provides guidelines to an organization in determining that its customer satisfaction provisions meet customer needs and expectations
- Risk – the effect of uncertainty
External Audits by Certification Bodies
External Audits by Certification Bodies should be seen as an opportunity for improvement. Having an extra pair of eyes looking at your management system to help you improve can be a blessing.