As part of implementing and maintaining an ISO Management System, an Internal Audit and External Audit are required. So, how do I prepare for an ISO Audit?
Luke Desira‘s background had led him to have a very different approach to ISO Certification. His first job was at a multi-national corporation employing 45,000 people, and his role was of an Quality Engineer for the production of medical devices. Granted, it is one of the most regulated industries. However in that capacity, he has learnt on how not to run a management system for SMEs in Malta.
In his second role, he was engaged by a local construction company. The scenario in this case was the complete opposite. The company did not have any systems in place, and everything was done ad-hoc. With that in mind, he set out to help local SMEs to find the middle way. To not have too many, or too little systems and procedures in place.
Primarily, there are 2 types of audits that need to be done in any organization. The internal audit, and the external audit. Even though they are done in different contexts their aim is the same – to provide advise for continual improvement. Let’s take each audit individually, and so how do I prepare for an ISO Audit.
An internal audit for ISO certification is done by someone internal within the company. The audit has to be done by someone who:
- is not involved directly within the process that is being audited
- is trained to perform ISO audits
- has an inquisitive mind that meticulously follows a process
- understands the processes of a company
Given the above conditions, it is very common for SMEs in Malta to hire an ISO consultant. In SMEs, more often than not, people are involved in multiple processes. Therefore, it will be very hard to find a person, who is knowledgeable on the processes of the company, is unbiased on the process, and that is trained on ISO 9001 and has the right character traits.
Now, if you are hiring a run-off-the-mill consultant with an archaic mentality, they will want to see that you are following the requirements of the standard, to the letter. Invariably, this will cause you to follow a route that will render your Quality Management System bureaucratic. Which is the opposite of what we want to achieve when creating a QMS.
So, when preparing for an Internal Audit, and you are not the auditor, you do not need to prepare anything. You will only need to see this as an opportunity to have your work being double checked by someone who is committed to improvement. The point of an internal (or even external) audit, is not to point fingers – but to identify missing links and to further improve the system.
Preparing for an external audit is relatively similar. First of all it is good to point out that there are 2 types of external audits:
- Certification audit – this is the first external audit done by the certification, just when the implementation is completed. After this audit, should there not be any major findings, you will be granted the ISO certificate. Moreover, every 3 years, which is the validity of an ISO Certification, you will need to do another certification audit.
- Surveillance audit – the 2nd and 3rd audit are called surveillance audit. The structure and questions asked are relatively similar to the certification audit, however it is given a different name.
When preparing for audit by the certification body (external audit) you will need to make sure that the management system is in place. The most important saying for ISO certification is “say what you do, do what you say”. Therefore, provided that the management system has been created as a reflection of what you actually do within your business – there is nothing to worry about.
Most auditors of certification bodies are very reasonable and understanding of the realities of a business.
It is also important to keep in mind, that an ISO certification is a system for continual improvement. Just like when graduating from University you are not perfect in your profession – you just have the foundation of what you’ll be learning in the future. Getting certified doesn’t mean that you are perfect – it means that you are willing to improve.
How do I prepare for an ISO Audit?
Based on the above, here are a few pointers to help you prepare for an audit (whether it is internal or external):
- Have a positive attitude – and be ready to accept constructive criticism. The point of an audit is to find areas for improvement, and gaps within the system. If you are a manager, and notice that a process is not being followed properly by your subordinates, make sure to have a positive attitude – and not an attitude of blame, or that of pointing fingers.
- Have the right people available, for the processes being audit – it is good to have the people involved in a process present for the audit on their process – this will (i) make sure that you will have the right information readily available (ii) keep these people on their toes in their day-to-day work, knowing that their work is being checked.
- Allow enough time for the audit – rushing through the process will not benefit anyone. If you are doing an audit to meet the requirements of the standard, you will not take any benefit. But if you believe that the audit will help you learn and improve, it invariably will.