The ISO 9001 audit process explained

An ISO 9001 audit is the formal check that your Quality Management System (QMS) does what the ISO 9001 standard expects – and what you say it does in your documented processes. It is the process an independent Certification Body uses to decide whether to award, maintain, or renew your ISO 9001 certificate.

ISO 9001 audit process: getting started

Gaining and maintaining certification for your ISO 9001 Quality Management System is not a single event. It’s a rolling audit cycle designed to confirm that your organisation and Management System stay compliant with the relevant ISO standard you want to be certified to.

 

Once you’ve developed and implemented your ISO 9001 QMS, it is audited by an independent Certification Body as part of an ISO 9001 certification audit. If you meet the requirements, you’re awarded your certificate and move into a three-year cycle of surveillance and recertification audits to keep it.


The same audit process applies across all ISO Management Systems. Every ISO audit is based on the same principle: checking that you are actually doing what you say you are doing in your documented Management System and verifying that it is compliant with the ISO standard.

Important stages in the ISO 9001 audit process

The ISO 9001 audit process follows a clear set of stages. Typically, you will move through:

 

  • Preparing your ISO 9001 Quality Management System, including internal audits and management review
  • (Optional) A pre-assessment or gap-analysis style visit to check readiness
  • Stage 1 ISO 9001 audit – a document review and readiness check
  • Stage 2 ISO 9001 certification audit – a full assessment of how you work in practice
  • Annual surveillance audits in year one and year two
  • A recertification audit in year three

 

Each stage builds on the last, so evidence from your internal audits, management reviews and day-to-day operation feeds directly into the external audits carried out by your Certification Body.

How ISO 9001 internal audits support certification audits

ISO 9001 internal audits are your own checks on how well the Quality Management System is working in practice. They are carried out by, or on behalf of, your organisation and are required by the standard. Internal audits help you confirm that processes are being followed, records are being kept and issues are being picked up before an external auditor arrives.

 

Before a Stage 1 or Stage 2 ISO 9001 certification audit, you should already have planned and completed internal audits across key parts of your QMS, followed by management review. External auditors will use your internal audit programme, reports and follow-up actions as evidence that the system is being used, not just written down.

 

Internal audits are different from external certification audits, but they cover many of the same requirements. A strong internal audit process will make your ISO 9001 certification audit more straightforward, highlight gaps early and support continual improvement between surveillance and recertification audits.

ISO 9001 audit cycle

Initial ISO 9001 certification audit

This is the ISO 9001 certification audit carried out to determine whether you should be awarded your ISO 9001 certificate for the first time. It’s also known as an external audit, a third-party audit or a registration audit and is conducted by a Certification Body. The Certification Body (CB) will appoint an auditor or possibly a team of auditors, depending on the size of your organisation, the number of sites and the scope of your Management System.

 

Ideally you should ensure that the Certification Body from which the auditor comes is UKAS accredited.

 

An ISO 9001 Quality Management System Initial Audit is split into two stages, with an optional pre-assessment.

 

Pre-assessment (optional)

This is an optional stage that some Certification Bodies, such as ISOQAR, offer. A qualified auditor carries out an informal pre-assessment, essentially a dummy run of an audit. It helps you identify strengths and weaknesses before the formal ISO 9001 certification audit.

Stage 1 ISO 9001 audit

The Stage 1 Audit is also referred to as the Document Review (or Document Audit) or sometimes as the Readiness Review. The basic objective of the Stage 1 Audit is to determine if you’re ready for the Stage 2 ISO 9001 Audit.

 

When is the Stage 1 Audit performed?

 

The Stage 1 ISO 9001 audit should be performed once you have developed and implemented your Management System. By this point you should have generated evidence of how the system works in practice, such as internal audits, management reviews and records for the auditor to examine.

 

How long does the Stage 1 Audit take?

 

The length of the audit is determined by a formula set by UKAS. Factors such as the size of your organisation, risk and complexity are considered. It is measured in whole days. This means that whichever UKAS accredited certification body you choose, it will make no difference to how long the audit is. For most small or medium businesses, the Stage 1 Audit will be completed on-site within one day. The Stage 2 ISO 9001 Audit is usually longer.

 

Where does the Stage 1 Audit take place?

 

If you have more than one site, it will normally be conducted at your head office. Being on-site allows the auditor to get an impression of the organisation and the site, but it can also be done remotely depending on the complexity of the Management System.

 

What happens in the Stage 1 Audit?

 

The audit will typically focus on your documented information rather than day-to-day activities. You could describe it as a reconnaissance exercise, where the auditor gets a flavour of what your organisation and Management System are all about. It may involve discussions with employees.

 

Your Certification Body should contact you in advance to let you know what will happen on the day so that you can gather the people and materials needed.

 

The main objectives of the Stage 1 ISO 9001 Audit are:

 

  • An audit of your ISO 9001 Quality Management System documentation including the scope of the system, objectives and any relevant policies and documentation that support the operation of the system
  • A walk of the site to help planning for Stage 2
  • To obtain information about the site(s) from which the organisation operates
  • To obtain information about key processes, procedures and any equipment used
  • To confirm all statutory and regulatory requirements applicable to the organisation are documented
  • To establish whether all relevant personnel are prepared for the Stage 2 Audit
  • To establish the status of Internal Audits and Management Reviews
  • To plan for the Stage 2 Audit, including which sites to audit

 

If possible and if sufficient records are available, the following will also be audited:

 

  • Internal audit processes
  • Management review
  • Senior management commitment
  • Complaints
  • Purchasing
  • Objectives and targets

 

All the above will help the auditor plan for the Stage 2 Audit. If you haven’t already booked the dates for the ISO 9001 Stage 2 Audit, it’s now time to have a discussion with the auditor to agree when it will take place.

 

What happens after the Stage 1 Audit?

 

You will receive verbal feedback from the auditor at the end of the Stage 1 ISO 9001 Audit. You will also receive a written Audit Report, normally within 5 days of the audit. Stage 1 normally does not result in nonconformities, because you are not yet formally claiming full conformity with the standard. If the auditor identifies issues at this stage, they will raise Improvement Requests in the Audit Report. These must be addressed before the ISO 9001 Stage 2 audit, otherwise they may become nonconformities at Stage 2 and could harm your chances of being awarded certification.

 

The report will include:

 

  • Assessment of your ISO 9001 Quality Management System and determination of your readiness for a Stage 2 Audit
  • Assessment of your understanding of the requirements of the standard
  • Agreement of the scope of your ISO 9001 Quality Management System and Scope of Certification
  • Plan for the Stage 2 Audit and agreement on the date(s) and sites
  • Improvement Requests and areas for potential improvement of the Management System

 

Top Tip for the Stage 1 Audit

 

For many organisations this is the first meeting with their auditor, so it’s important to use the time wisely. Be open and honest and don’t try to hide issues, because they will just pop up during the Stage 2 Audit and create issues with your certification. Although the auditor isn’t allowed to help you with developing your ISO 9001 Quality Management System, you can use the opportunity to air your ideas to hear if they conform to the requirements of the ISO standard. Your auditor will also have visited many other organisations in similar situations and can tell you about how they managed.

Stage 2 ISO 9001 audit

The Stage 2 ISO 9001 audit is the main ISO 9001 certification audit and is the last stage before a certificate can be issued. It normally takes place on-site and is longer and more in-depth than the Stage 1 Audit.

 

The overall purpose of this ISO certification audit is to determine if your ISO 9001 Quality Management System is compliant with the standard and whether you can be awarded an ISO 9001 certificate.

 

When is the Stage 2 Audit performed?

 

When you booked your Stage 1 ISO 9001 audit, you probably also agreed dates for your Stage 2 audit about six to eight weeks later. Normally your system should have been running for at least three months – ideally longer – before the auditor comes in for Stage 2.

 

You also need to leave enough time to address any Improvement Requests from Stage 1. The date of your Stage 2 audit should be confirmed with the auditor at the end of the Stage 1 audit.

 

Stage 1 and Stage 2 ISO 9001 audits should be performed no more than six months apart, otherwise the Stage 1 Audit may have to be repeated.

 

In theory you can schedule the Stage 2 audit to start the day after Stage 1 if you are confident in your Quality Management System and need the certificate quickly, but this is not ideal.

 

How long does the Stage 2 Audit take?

 

As with the Stage 1 ISO 9001 Audit, the length of the audit is determined by the formula set by UKAS. The duration will be calculated before the Stage 1 Audit takes place. In exceptional cases, depending on the findings of the Stage 1 Audit, the length of the Stage 2 Audit may be adjusted but you will be told this in advance.

 

Where does the Stage 2 Audit take place?

 

A Stage 2 ISO 9001 Audit is usually conducted on-site at your head office and across a sample of sites. However, audits may be done remotely due to exceptional circumstances. If you have multiple sites, the sites to be audited will be agreed at the Stage 1 Audit. The Certification Body uses the ‘square root’ rule to determine how many sites will be audited at the Stage 2 Audit. So, for example, if you have 25 sites in the scope of your certification, then at least five should be audited in an Initial Audit. This is a rule that is used by all UKAS accredited Certification Bodies.

 

Over the course of your three-year certification cycle, all sites included in the scope of your certification will normally be visited at least once.

 

What happens in the Stage 2 Audit?

 

This is the most thorough audit of your ISO 9001 Quality Management System and is where the auditor gathers the evidence needed to decide on certification.

 

The Stage 2 Audit will start with an Opening Meeting where the auditor will explain what is going to happen. Some of the issues covered include:

 

  • Review of actions from the Stage 1 ISO 9001 Audit to ensure the Improvement Requests have been acted upon (also referred to as ‘closed out’)
  • Inspection of documented information for evidence that the Management System is compliant with the standard
  • The overall effectiveness of your Management System and whether it’s helping you achieve your organisational objectives
  • Audit of activities and processes to determine whether you have operational control and are operating in accordance with your policies and procedures
  • Evaluation of your own Internal Audits and Management Reviews
  • Effectiveness of preventive and corrective actions
  • Examination of key performance objectives and targets

 

What happens after the Stage 2 Audit?

 

At the end of the audit, the auditor will hold a closing meeting with you to review the audit and talk about any nonconformities and potential corrective action. At the meeting, you will be told whether you have been recommended for ISO 9001 certification or not.

 

You will also receive a written report after the meeting which will include observations made by the auditor and a summary of the findings. The report will identify minor nonconformities, major nonconformities and opportunities for improvement.

 

A major nonconformity is the total breakdown of a system, meaning you fail to meet a requirement of the standard. A number of minor nonconformities against one requirement can represent a total breakdown of the Management System and thus be considered a major nonconformity. Major nonconformities must be rectified before certification can be recommended by the auditor. This may involve a further site visit by the auditor.

 

A minor nonconformity may be either a failure or a single observed lapse in some part of the management system. Minor nonconformities do not affect the recommendation for approval but must be addressed prior to the issue of your certificate.

 

Opportunities for Improvement (OFI) relate to existing conditions which, according to the auditor, may warrant clarification or investigation to improve the overall status and effectiveness of the Management System. They do not affect the recommendation for certification.

 

If there are any nonconformities – whether they are minor or major – you will not receive your ISO 9001 certificate until corrective action has been taken following the ISO certification audit. You will normally be allowed up to three months to do this.

 

If you are not recommended for ISO 9001 certification on the day of the ISO certification audit, it does not necessarily mean the auditor will have to visit you again. You will probably just need to provide evidence that you have taken corrective action.

Annual surveillance ISO 9001 audits

One of the main objectives of an ISO 9001 Quality Management System is to ensure continual improvement. The Plan–Do–Check–Act cycle, supported by audits and reviews, helps achieve this.

 

Annual surveillance audits are a major part of this cycle and are a mandatory requirement for maintaining UKAS-accredited ISO certification.  

 

When is the Annual Surveillance Audit performed?

 

In most circumstances, your organisation will undergo an annual surveillance audit at the end of Year 1 and Year 2. The first of these is usually performed slightly before the end of the first year with ISOQAR. This sets the three-year cycle so that your Recertification Audit can take place before the end of Year 3. This is important because if any nonconformities are discovered at the end of the third year, there could be a lapse in your certification while you take corrective action.

 

Some larger organisations choose to have their annual surveillance audits performed more frequently and spread out over the calendar. The schedule can be agreed with the auditor.

 

How long does the Annual Surveillance Audit take?

 

As with other audits in the cycle, the time allocated to an annual surveillance audit is determined by the formula set by UKAS. It is normally shorter than a Stage 2 ISO 9001 audit.

 

Where does the Annual Surveillance Audit take place?

 

The annual surveillance audit is usually conducted on-site. However, audits may be done remotely in exceptional circumstances. If you have multiple sites, your head office will always be audited, along with different sites from those chosen for the Initial ISO 9001 Certification Audit. Different sites again will be selected for the second annual surveillance audit and the Recertification Audit, although the head office will be included in every audit.

 

What happens in the Annual Surveillance Audit?

 

During an annual surveillance audit, the auditor will take a similar approach to the Stage 2 ISO 9001 audit. However, less time will be spent on some areas of your Management System and only selected parts of your organisation will be audited.

 

Much of what happens will be driven by what the auditor discovered on previous audits, with particular focus on any areas of weakness. The following will be covered as a minimum:

 

  • Review of nonconformities and corrective actions from previous audits
  • Maintenance and performance of the Management System
  • The effectiveness of your Internal Audits
  • Consideration of your Management Reviews
  • Preventive and corrective actions
  • Updates to documentation

 

The second annual surveillance audit in the three-year certification cycle will likely examine different aspects and operations in your organisation. The aim is to audit all processes within the cycle.

 

What happens after the Annual Surveillance Audit?

 

As with other audits, the auditor will summarise the findings at the end of the visit. A written report will also be provided outlining any nonconformities.

 

If there are any major nonconformities, you will have up to three months to take corrective action and provide evidence that you have done so. Failure to do so could mean that your ISO 9001 certificate is withdrawn.

 

For minor nonconformities, the auditor will agree a plan with you. Depending on the risk and severity, the auditor will use their discretion to establish how the nonconformity can be ‘closed’. It can be closed at the next audit, through evidence being sent to the auditor, or, if needed, through another audit.

Recertification ISO 9001 audit

Your ISO 9001 certificate is valid for three years from the date of issue. To maintain your ISO 9001 certification, you will undergo a thorough Recertification Audit in Year 3, similar to the original Stage 2 audit.

 

When is the Recertification Audit performed?

 

It’s best to have your Recertification Audit completed at least three months before the end of Year 3. This allows time to take corrective action on any nonconformities (either minor or major) identified in the audit and helps you avoid any break in your certification.

 

How long does the Recertification Audit take?

 

A Recertification Audit typically lasts about two-thirds of the time allocated to the Initial Audit.

 

Where does the Recertification Audit take place?

 

The Recertification Audit is usually conducted on-site. If you have multiple sites, it will always include your head office as well as sites not included in your Initial Audit and Surveillance Audits.

 

Audits may be done remotely due to exceptional circumstances.

 

What happens in the Recertification Audit?

 

The Recertification Audit is more comprehensive than the Surveillance Audits and is similar to the Stage 2 ISO 9001 audit.

 

The audit will cover items including:

 

  • Issues that arose at earlier audits such as nonconformities and areas for improvement
  • The overall effectiveness of your Quality Management System and whether it’s helping you achieve your organisational objectives
  • Review of the scope of your certification and whether it’s still appropriate
  • Audit of activities and processes to determine whether you have operational control and are operating in accordance with your policies and procedures
  • Evaluation of your own Internal Audits and Management Reviews
  • Effectiveness of preventive and corrective actions
  • Examination of key performance objectives and targets
 

What happens after the Recertification Audit?

 

What happens after the Recertification Audit is similar to what happens after the Stage 2 audit. There will be a closing meeting followed by a written report from the auditor.

 

It is essential that you address any nonconformities identified by the auditor before the third anniversary of the date your certificate was issued. If you fail to do this, your certificate could be withdrawn.

 

Assuming everything goes well, you will be issued with a new ISO 9001 certificate, and the three-year cycle begins again.

ISO 9001 Audit FAQs

What is an ISO 9001 audit?

 

An ISO 9001 audit is an independent check of your Quality Management System to confirm it meets the requirements of the ISO 9001 standard and that you are following your own documented processes. External auditors review documents, records and activities to see whether your system is being used effectively in day-to-day work. Their findings are used to decide whether to award, maintain or renew your ISO 9001 certificate.

 

How many stages are there in an ISO 9001 certification audit?

 

The initial ISO 9001 certification audit has two main stages: Stage 1 and Stage 2. Stage 1 is a document and readiness review, while Stage 2 is a full, in-depth assessment of how your Quality Management System works in practice. After that, you move into a three-year cycle of annual surveillance audits and a Recertification Audit in Year 3.

 

How long does an ISO 9001 audit take?

 

Audit duration is set using a formula agreed by UKAS and depends on factors such as the size of your organisation, the number of sites and the complexity of your activities. For many small and medium organisations, Stage 1 can often be completed in one day, with Stage 2 taking longer. Annual surveillance audits are usually shorter than the original Stage 2 audit.

 

Do we need internal audits before the ISO 9001 certification audit?

 

Yes. ISO 9001 requires you to plan and carry out internal audits to check how well your Quality Management System is working before you go for certification. External auditors will review your internal audit programme, reports and follow-up actions as key evidence that the system is being used, not just written down. A strong internal audit process makes the external ISO 9001 certification audit more straightforward and supports continual improvement between surveillance and recertification audits.