QMS Certification Blog
How does the audit cycle work in ISO certifications?

The audit cycle in ISO certifications corresponds to the number and frequency of audits required for your company to receive and maintain the highly sought-after certificate. For this to happen, there is a very well-established process that depends on both your company and the certifying body.

In today’s article, we will go through all the stages and what each of them is for. To begin with, it’s worth remembering that an ISO management system certificate is valid for 3 years after issuance. Thus, it is valid for 36 months as long as the company meets some simple requirements and also maintains the system in compliance with the audited standard.


The 1st contact in the audit cycle is the internal audit

The first type of audit that organizations generally encounter is the internal audit. As the name suggests, this type of audit is conducted by the company itself and does not yet involve the participation of the certifying body. However, it is fundamental for the smooth running of the process.

Ideally, this audit should be conducted by someone from within the company, a professional who knows the processes, the problems, and even some of the organization’s weaknesses. This moment aims to identify, anticipate, and provide treatment for non-conformities and the adaptation of the system before the external audit phase.

It is also worth remembering that the internal audit is a mandatory requirement for all ISO management systems, regardless of the subject or discipline (Quality, Environment, Information Security, Anti-bribery, among others).


Third-Party Pre-Audit (Optional)

The purpose of this stage is to conduct an external evaluation, a gap analysis that will point out errors, failures, or weaknesses in the system before the certification audits.

It’s important to emphasize that this type of audit cannot replace the internal audit; they are different moments. While the pre-audit is optional, the internal audit is mandatory. However, the pre-audit can help identify areas for improvement and enhance the system.

Furthermore, the pre-audit has a smaller sampling, and it also helps to have an initial contact with the audit process without all the tension and load of the “real” audits.


Initial Certification Audit – Stage 1 and Stage 2

After your company considers itself ready to undergo the certification audit, the external evaluation of the management system begins. This is the official moment for the body to evaluate the system against the audited standard.

This moment is divided into 2 stages. The first one corresponds to a documentary evaluation (Initial Audit of Stage 1 – or Phase 1), as all management systems require some form of documented information or records. Thus, at this moment, these documents are evaluated by the auditors.

Here, the auditors analyze the documents and understand how the organization implemented the system, whether there is indeed sufficient documentation for the existence of a management system, and whether the company is in a condition to continue in the audit process.

In the 2nd stage (Initial Audit Phase 2), the auditor now contacts the employees and the team of your company to conduct hearings and interview people. At this moment, we navigate through the management system and the company to understand if it complies with the sent documents and, of course, the good practices required by the standard. Also, here, audit trails are created and the actual collection of evidence of compliance and good practices occurs.


Certification Recommendation, Certificate Issuance, and System Maintenance

If the company is successful in this initial stage, the auditor or audit team recommends certification to the body. After this, there is a technical analysis of the evidence collected by the auditors and the information of the process. If all goes well, the company receives the certificate with a 36-month validity.

From the beginning of the contract, it is agreed how the audit cycle will function post-certificate issuance. These audits are also called maintenance audits and usually have an annual frequency.

Thus, after certification, the first maintenance audit must occur within 12 months of the certificate issuance, mandatorily. Otherwise, the certification can lose its validity. We advise that this happens within a maximum of 11 months, with an ideal schedule being 60 or 90 days before the deadline expires.

Moreover, while the initial audits are more exhaustive, assessing all the requirements of the management system and with more sampling, the maintenance audits are smaller. They assess about 50% of the system, and the rest (the other 50%) is evaluated in the next maintenance cycle audit. However, there are some mandatory requirements that are analyzed in all audits, such as the context of the organization, for example.

Finally, even though shorter, these maintenance audits are vital to keep your certificate valid and your system in compliance with the standard.


End of 36 Months: Recertification Audit

After the initial 36 months expire, a recertification audit must be executed, mandatorily. In it, all the requirements of the management system will be re-evaluated.

This audit is more comprehensive and aims to assess whether the company is in a condition to start a new cycle of maintenance audits. It is essential for the certification processes and to ensure continuous improvement of your system.


Additional Audits and Process Credibility

There are special cases where a company’s certificate can be suspended, such as the occurrence of a major non-conformity. In this case, the company has a deadline to address the occurrence and receive a new audit to demonstrate evidence of the effectiveness of the actions taken.

This type of audit is generally quite short and specific, aiming to evaluate and ensure the effective treatment of a more serious non-conformity. This type is also known as a follow-up audit or corrective action audit and can even be conducted remotely, depending on the situation.

The presence of the audit phases and the audit cycle is crucial to reinforce the credibility of the ISO certification and the company itself. These processes ensure that the organization meets the standards required by the norm, allowing a detailed and impartial evaluation of their management systems.

Therefore, the presence of the audit phases and the audit cycle is essential not only to ensure compliance and continuous improvement but also to validate the credibility of the company and maintain excellence in management standards over time. In the end, all this translates into better processes and more results!

QMS Certification

QMS is an accredited third-party certification body. It is currently present in 33 countries and focuses on the certification of management systems. QMS America is managed by the US office and has consistently grown in market recognition by technical level, customer satisfaction and competitive pricing.
