How often do you need an ISO audit?
This particular question has two answers, depending on your angle! There are two types of audits in the world of ISO certification, an External Audit carried out by a Certification Body, and an Internal Audit, usually carried out by a member of staff or by (or with) a consultant. We look at both in more detail below.
We are often approached by organisations who have become disillusioned with the amount of ongoing external audits impose by their Certification Body, where a team of auditors stay on site for a number of days. This can of course cost huge sums of money, with these organisations struggling to see the value.
Certification Bodies follow what is called the ‘MD5’ guide from the International Accreditation Forum (IAF) to go by when it comes to calculating the amount of days required on site for an audit. By considering the standard and size of the organisation, the MD5 guide sets out the amount of days required on site for the initial certification audit, as well as slightly vague guidance for ongoing surveillance audits;
"The duration of the recertification audit should be calculated on the basis of the updated information of the client and is normally approximately 2/3 of the time that would be required for an initial certification audit (Stage 1 + Stage 2) of the organization if such an initial audit were to be carried out at the time of recertification (i.e. not 2/3 of the original initial certification audit duration)."
IAF MD 5: 2009, Clause 6.1
It’s important to note that ISO certification follows a cycle, where the 3rd year recertification audit is intended to be more in-depth than your first surveillance audit. Accordingly, your initial audit to achieve certification should provide direction on how long your consequent surveillance audits should take.
When it comes to frequency, it is mandated that an organisation should be audited every 12 months. External Audits held any more frequently than this should be an agreement between your organisation and the Certification Body. Ultimately, it should be for your benefit.
When it comes to Internal Audits, again, these must be carried out at least once annually. However, the way you approach these audits is up to you, as long as the entire Management System is audited within this year. You may prefer to do this in one go, or carry out audits quarterly or even monthly where you focus on particular aspects. Some organisations may have particular processes that are more critical which are audited more frequently than others. The complexity of your organisation should ultimately dictate your approach.
It can be a tendency to reduce the amount of Internal Audits carried out because problems aren’t reported. The reality is that issues do probably exist; it’s just that the Internal Audits aren’t as effective as they could be.
To be an effective Internal Auditor, it’s beneficial to have substantial experience working in the organisation with enough influence to be listened to and respected by senior management. It’s a tough job, as in most cases, Internal Auditing is an additional burden on top of an existing job role. As a result, it’s important to invest in Internal Auditing skills through training and it can be advantageous to gain outside assistance. Benefits include:
- A fresh perspective on issues
- An impartial, unbiased opinion
- Reassurance from a qualified expert
- Mentoring for the person or team responsible
Once productive Internal Audits become the norm, it makes ongoing External Audits far more straight-forward. After all, if all problems are picked upon within Internal Audits, there shouldn’t be any found when your Certification Body’s audit arrives!
Find out more about us
Next entry: How ISO 9001 boosts customer service
Previous entry: Why do companies mandate ISO 14001?