Certification Audit: What It Is and How It Works?

Understand the Certification Audit and learn how to prepare for this fundamental process for your organization.

The Certification Audit – also known as the External Audit – is a crucial moment for companies seeking a certificate for their management systems, as well as for identifying problems and improving processes.

Its main objective is to verify whether an organization meets all the normative requirements necessary to obtain a specific certification. It can be used to assess any management system – such as ISO 9001, ISO 14001, ISO 45001, among others.

For everything to proceed according to the certification process, the interested company must hire a certifying body that will be responsible for conducting the audits and validating whether the management system is properly implemented and functioning in accordance with the standard’s requirements.

In today’s content, we will explain how a Certification Audit works and go over the details of the certification process as a whole. By the end of this text, you will be ready to start your company’s process and know what to expect from the “daunting” external audits! With that said, let’s get started!

Understanding the Audit Program

Every certification process begins with scheduling the audit, a fundamental step to ensure that everything is organized and effective.

At this stage, the certifying body evaluates information related to the company’s processes, the certification scope, the number of plants (units) to be audited, the number of employees, and all other factors relevant to the audit planning. Based on these data, a program is developed within a standard Audit Cycle, which generally lasts three years and is divided into:

  • Year 1: Certification Audit
  • Year 2: Surveillance Audit 1
  • Year 3: Surveillance Audit 2

Planning the Audits

With the program in place, the next step is planning the audits. At this point, the auditor develops a plan that specifies the processes and areas that will be evaluated during the audit.

This planning serves as the foundation for conducting the subsequent stages and must be carried out individually for each unit to be audited. It is essentially a “description” of how the audit will occur, including audit trails, sectors, and the schedule for the audited areas.

Understanding the Phases of the Certification Audit

Every audit is composed of two basic phases. Each phase helps auditors and the certifying body evaluate the company’s system and determine whether it truly complies with the standard applicable to the scope (e.g., ISO 9001, ISO 14001, or ISO 45001).

  • Phase 1 – Documentation Review:
    In this phase, the audit team examines all the documentation of the management system, including policies, procedures, internal audit reports, management review minutes, work instructions, and so on. This stage is usually conducted remotely, with the client sharing documents via links or specific repositories.

  • Phase 2 – On-site Audit:
    This phase consists of an on-site visit – which can be conducted remotely in exceptional cases or even in a hybrid format. During this visit, the auditors observe the company’s daily practices to verify whether the management system has truly been implemented as described in the documentation. The on-site audit follows a specific protocol:

    • Opening Meeting: The auditor presents the audit plan, explains the confidentiality criteria, and details how the evaluation will be conducted within the organization.
    • Evidence Collection: Through interviews, observations, and document analysis, the auditor checks whether the processes comply with the standard and whether employees follow the good practices described in the standard and internal procedures.
    • Audit Conclusions: After gathering all the information, the auditor evaluates the data and identifies whether there are conformities, observations, or non-conformities. (We will discuss this topic in more detail later.)
    • Closing Meeting: At the end of the process, the auditor meets with the technical team and managers to present the audit conclusions. Here, the strengths of the company are highlighted, and any non-conformities are clearly identified.

Types of Audit Conclusions

It is important to understand that the auditor does not go to the company to “hunt for errors” but to validate the company’s compliance with the standard. In essence, the auditor is there to find conformity!

However, during this process, it is common to encounter aspects that do not fully meet the requirements and that could be improved. Thus, after analysis, the auditor may reach conclusions such as:

  • Observations or Opportunities for Improvement: When the auditor identifies that the company needs to improve its processes.
  • Non-conformities: Cases where the normative requirements are not being met or do not correspond with the way the processes are executed.

Preparation of the Audit Report

After completing the documentation audit and holding the closing meeting, the auditor must prepare a detailed report with all the evidence collected and the final outcome of the process.

In this report, the auditor should specify the company’s strengths, any non-conformities (if found), as well as observations and opportunities for improvement. All this information should be backed by the evidence that led to these conclusions.

If no non-conformities are identified, the process is considered complete. Otherwise, the organization must present an action plan describing the root causes, corrective measures, and deadlines for resolution. This makes the audit report even more critical.

Decision on Company Certification

Although the auditor’s work is fundamental, the decision to certify the company does not rest solely with the auditor. After the process is completed, the audit report – along with any action plans addressing non-conformities – is forwarded to a decision-making committee.

This committee, composed of specialists from the certifying body, evaluates the evidence presented. Based on this evaluation, they decide whether or not certification will be granted to the company. The final decision is made by the Certification Decision Maker, a technical specialist who provides the final opinion on the evidence collected and thereby grants the certification to the company.

When this decision is made, the certifying body issues a certificate to the company, a document stating that it operates in accordance with the guidelines of the standard (ISO 9001, ISO 14001, ISO 45001, or others). This certificate is valid for three years, during which maintenance audits will take place.


Certification Audit: Guaranteeing Continuous Improvement!

The certification audit is a rigorous process but essential to ensure that organizations meet the required quality standards. Without these audits, companies miss out on significant opportunities to improve and address problems, potentially leading to stagnation.

If you want to ensure continuous improvement and achieve great results for your organization, make sure your audit process is effective and provides valuable management insights. For that, you can count on QMS in this journey. Contact us and hire the best certifying body. This way, you secure a certification recognized in the market and evolve your processes with each audit!

QMS Certification

QMS is an accredited third-party certification body. It is currently present in 33 countries and focuses on the certification of management systems. QMS America is managed by the US office and has consistently grown in market recognition by technical level, customer satisfaction and competitive pricing.
