Step-by-step Guide on Performing ISO 9001 Audit in Australia

ISO 9001 Audit

An ISO 9001 audit or a quality management system audit analyses an existing quality management program to ascertain its conformance with company policies, contractual obligations, and regulatory requirements.

In this blog, we will discuss the entire process of an ISO 9001 audit to help you understand the different stages involved.

The ISO 9001 Quality Management audit comprises an Internal audit and a Certification Audit.

While Internal Audit is performed by an ISO 9001 Consultant, Certification Audits are performed by auditors certified by JAS-ANZ.

They analyse whether an organisation complies with the ISO 9001 standard. They find out existing and potential flaws in the management system and offer robust solutions. The auditor examines every facet of a Company’s operations and performance within the scope of the management system

Internal Audit for ISO 9001 Certification

As defined in ISO 9001, an internal is the “systematic, independent and documented process for obtaining audit evidence and evaluating the system objectively to determine the extent to which audit criteria are fulfilled.”

Internal auditing or the auditing of your quality management system (QMS) is essential if you intend to get ISO 9001 certification for your Company. Organisations are expected to perform internal audits at predefined intervals to ensure that their management systems comply with ISO 9001:2015 standards and other operational requirements.

Most companies believe that meeting the ISO 9001 requirements for business management is perhaps sufficient to get ISO certification. However, to ensure that their QMS complies with the necessary clauses of the ISO 9001 standard, it is essential that they get an internal audit done.

Furthermore, though everyone, from senior management to entry-level employees, plays a distinct role in meeting ISO 9001 certification requirements, the business should consider hiring a third-party ISO consultant to ensure compliance with an outside perspective to guarantee certification.

Step-by-step Guide for performing Internal Audit

Here is Anitech’s step-by-step guide for conducting an internal audit:

1) Planning Internal Audit

This is the fundamental step of an Internal Audit. The Consultants performing an internal audit for a Company will schedule an audit date in advance and notify the client.

Here are the steps involved:

• Only necessary staff and stakeholders are invited to the audit. This will provide sufficient time for the Company to complete any pending project or obligation.
• A consultant will review the audit’s scope and identify the pertinent procedures and documents
• They will also analyse the applicable procedures and other documents.
• The professionals shall specify the proof needed to demonstrate compliance with procedures and the standard.
• An ISO 9001 Consultant will have a checklist of the questions and evidence they intend to review as part of the internal audit.
• Only necessary staff and stakeholders are invited to the audit. This will ensure minimal disruption to the regular operation of the business while the internal audits take place.
• They will also review internal and external audit reports from the past. Check for corrective measures if any, while preparing for the internal audits.

2) Performing Internal Audit

• A Consultant will explain to the management and staff the entire process, and terminologies used in the internal audit. They will also guide them on how records are stored for showcasing compliance.
• Search objective compliance evidence with requirements, available in the form of a record.
• On finding any issue in the quality management system, the certified experts will explain it to the Company’s management and staff, and ensure they understand it.
• Consultants will not look for fault as the process of internal auditing is about fact-finding.
• Consultants will provide objective solutions and shall not be opinionated.

3) Audit Report

• The consultant will record all the findings of the internal audit in a report that will also include the objective evidence found.
• They will record non-conformances found and will offer solutions for potential improvements.
• The Audit Report will have no mention of any individual person from an organisation but the system itself.

Certification Audit for ISO 9001 certification

The purpose of this ISO 9001 audit is to determine whether you are eligible to receive your ISO 9001 Certificate on the very first attempt.

This is conducted by a certification body certified by Jas Anz.

Based on the size of your Company, the number of sites, and the scope of your Management System, the Certification Body (CB) will appoint an Auditor or possibly a team of auditors.

A Certification Audit consists of two stages and an optional pre-assessment.

Stage 1 Audit for ISO 9001 Certification

The primary purpose of the Stage 1 Audit is to determine whether your organisation is prepared for the Stage 2 ISO 9001 Audit.

Stage 1 Audit is also known as the Document Review or Document Audit and occasionally as the Readiness Review.

The audit’s key focus will be on the available documented information. You could compare it to a reconnaissance mission, during which the auditor gets a sense of your organisation and Management System. It may involve employee discussions.

It will be conducted at your main office if you have multiple locations.

Furthermore, depending on the complexity of the Management System, the Auditor can conduct the inspection remotely or on-site to gain an understanding of the organisation and the location.

Your Certification Body should contact you in advance to inform you of the day’s events so that you can gather the necessary personnel and materials.

Objectives of Stage 1 Audit

Stage 1 ISO 9001 Audit has the following key objectives

• A review of the documentation for your ISO 9001 Quality Management System, including the system’s scope, objectives, and relevant policies and documentation supporting the system’s operation.
• A visit to the site to aid in the planning of Stage 2
• To obtain information about the site(s) from which the organisation operates.
• To obtain information about the organization’s key processes, procedures, and equipment.
• To confirm that all applicable statutory and regulatory requirements are documented.
• Determine if all relevant and important personnel are prepared for the Stage 2 Audit.
• Determine the status of Internal Audits and Management Reviews.
• Plan the Stage 2 Audit, including which sites will be audited.

What happens after Stage 1 Audit?

The auditor will provide verbal feedback after the Stage 1 ISO 9001 Audit. In addition, you will receive a written Audit Report within five days of the audit. Technically speaking, the Stage 1 Audit will not result in nonconformities because you have not yet claimed compliance with the standard’s requirements. However, if any issues are discovered during the audit, the Auditor will issue Improvement Requests in the Audit Report. These must be addressed before proceeding to the ISO 9001 Stage 2 Audit; otherwise, they will be deemed nonconformities during the Stage 2 Audit, which could harm your chances of receiving certification.

We recommend you conduct the Stage 1 ISO 9001 Audit after you have developed and implemented your Management System. This is to ensure that you’ve had sufficient time to produce evidence regarding the effectiveness of your system, such as Internal Audits, Management Reviews, and records for the Auditor to review.

How long does it take to complete the Stage 1 Audit for ISO 9001 Certification?

Most small and medium-sized organisations will complete the Stage 1 Audit on-site within one day. Typically, the Stage 2 ISO 9001 Audit is lengthier. High-risk operations will require more days to cover the audit requirements.

Stage 2 Audit for ISO 9001 Certification

Stage 2 of the ISO 9001 Audit is the final step prior to certification. It typically occurs on-site and is longer and more comprehensive than the Stage 1 Audit. The purpose is to determine if your ISO 9001 Quality Management System is compliant with the standard and if certification can be granted.

The Stage 2 Audit is scheduled at the same time when your Company scheduled for a Stage 1 ISO 900 Audit, but for approximately 6 to 8 weeks later.

The interval between Stage 1 and Stage 2 ISO 9001 audits should not exceed six months; otherwise, the Stage 1 Audit may need to be repeated. Theoretically, if you are confident in your Quality Management System and in a hurry to receive your certificate, the Stage 2 Audit could begin the day after your Stage 1 Audit, but this is not recommended.

However, it is expected that your system should have been operational for at least three months, and preferably longer, before the Stage 2 Auditor arrives.

Furthermore, you must allow sufficient time to address any Improvement Requests from the Stage 1 Audit.

The duration of the audit will be determined prior to the Stage 1 Audit. In rare instances, the length of the Stage 2 Audit may be adjusted based on the findings of the Stage 1 Audit, but an organisation will be informed in advance if this occurs.

Stage 2 Audit Process

This is the most comprehensive ISO 9001 Quality Management System audit. The Stage 2 Audit will begin with an Opening Meeting in which the Auditor will provide an overview of what will transpire.

Below given are certain issues covered:

• Review of Stage 1 ISO 9001 Audit Corrective Actions to Ensure Improvement Requests have been processed (also known as “closed out”).
• Examination of documented information for indications that the Management System complies with the standard.

• The overall effectiveness of your Management System and its contribution to achieving your organization’s goals.

• An examination of your activities and procedures to determine whether you have operational control and are following your policies and procedures.

• Internal Audits and Management Reviews Evaluation

• The efficiency of preventive and corrective measures

• Analysis of key performance objectives and benchmarks

What happens after the Stage 2 Audit?

The Auditor will hold a closing meeting with you after the audit to review the audit and discuss any nonconformities and potential corrective action. You will be informed at the meeting whether you have been recommended for ISO 9001 certification. After the meeting, you will also receive a written report with the Auditor’s observations and a summary of the findings. The report will identify minor deviations, major deviations, and improvement opportunities.

A major nonconformity is the total failure of a system, which indicates that you do not meet a requirement of the standard. Several minor nonconformities against a single requirement may represent a total breakdown of the Management System and are therefore categorised as major non-conformities. Prior to the Auditor recommending certification, major nonconformities must be resolved. This may require an additional site visit by the Auditor.

A minor nonconformity with your management system is not a prerequisite for approval, but it must be resolved prior to the issuance of your certificate. Depending on the type of management system employed, a minor nonconformity may be a failure or a single observed lapse.

Opportunities For Improvement (OFI)

These pertain to existing conditions that, in the Auditor’s opinion, may require clarification or investigation to improve the overall status and efficacy of the Management System. They have no bearing on the certification recommendation.

Your organisation won’t be granted certification in case of any minor or major non-conformities until corrective action has been taken. You will be given three months’ time to solve the issues found.

Annual Surveillance audits

Continuous improvement is one of the ISO 9001 Quality Management System’s primary objectives. The Plan-Do-Check-Act methodology, supported by audits and reviews, will help achieve this objective.

Typically, your organisation will undergo an Annual Surveillance Audit at the conclusion of Years 1 and 2. The first of these will occur just before the conclusion of the first year with ISO QAR. This is done so that your Recertification Audit can take place before the end of Year 3 according to the three-year cycle. This is crucial because, if any nonconformities are discovered at the end of the third year, your certification could be suspended while you take corrective action.

Some larger organisations prefer to schedule their Annual Surveillance Audits more frequently throughout the year. The schedule is subject to Auditor approval.

Annual Surveillance Audit Process

On an Annual Surveillance Audit, the Auditor will employ a methodology comparable to that of the Stage 2 ISO 9001 Audit. However, some areas of your Management System will receive less attention, and it is likely that only a subset of your organisation will be audited.

Much of what happens will be driven by what the Auditor discovered in previous audits, for example, examining areas of weakness. The following will be covered as a minimum:

• Previous audit nonconformities and corrective actions are reviewed.
• Administration and operation of the Management System
• The performance of your Internal Audits.
• Management Reviews consideration
• Corrective and preventive measures
• Updates to documentation

The second Annual Surveillance Audit of the three-year certification cycle will likely examine a variety of your organization’s operations and components. Auditing all processes within the cycle is the objective.

What happens after the Annual Surveillance Audit?

As with other audits, the Auditor will summarise the findings at the end of the visit. A written report will also be submitted outlining any non-conformities to the customer.

If there are any major nonconformities, you will have up to three months to take corrective action and provide evidence that you have done so. Failure to do so could mean that your ISO 9001 certificate will be withdrawn.

For minor nonconformities, the Auditor will agree on a plan with you. Depending on the risk and severity, the Auditor will use their discretion to establish how the nonconformity can be ‘closed’. It can potentially be closed at the next audit, or through evidence being sent to the Auditor, or maybe even another audit.

Recertification Audit

The Recertification Audit is far more extensive than the Surveillance Audits and similar to the ISO 9001 Audit at Stage 2.

The audit will cover items including:

• Nonconformities and improvement opportunities that emerged during previous audits.
• The effectiveness of your Quality Management System and whether it is assisting you in achieving your organization’s goals.
• Examine the scope of your certification and determine if it is still applicable.
• An examination of your activities and procedures to determine whether you have operational control and are following your policies and procedures.
• Evaluation of your Management and Internal Audits Reviews
• The efficiency of preventive and corrective measures
• Analysis of key performance objectives and benchmarks

What happens after the Recertification Audit?

The Auditor will submit a written report after the end of the assessment. It is extremely important that you address any non-conformities identified by the Auditor before the third anniversary of your certificate’s issuance. Your certificate could be revoked if you fail to comply. If everything goes according to plan, you will be issued a new ISO 9001 certificate, and the three-year cycle will begin again.

Why Choose Anitech’s ISO 9001 Consultants?

Anitech’s ISO 9001 Consultants have a reputation in the industry for their robust QMS implementation, timely audits, and professionalism.

Our consultants are certified and trained professionals who have experience in simplifying your complex audit procedure.

They will ensure you understand the intent and process involved and explain all terminologies used.

Our consultants will offer excellent leadership to your management and employees throughout the audit and will share their knowledge on QMS to help your organisation.

They will assist you throughout the certification as well as post certification.

Anitech’s ISO 9001 Audit shall be like any course or a learning opportunity for your management staff to learn a skill or two.

If you want our ISO 9001 Consultants to help you implement a robust Quality Management System, perform internal audits, and help your organisation obtain ISO 9001 Certification, feel free to reach out to us on 1300 802 163 or e-mail – info@anitechgroup.com or enquire here.