The Quality Hub Podcast


Episode 21 Part 1  – ISO Audits – What Registrars Look for Part 1

In this episode of “The Quality Hub: Chatting with ISO Experts,” host Xavier Francis interviews AJ Puylara, National Sales and Marketing Manager at NQA, a global certification body. AJ shares his experience in the ISO industry and discusses the ISO certification process. He highlights the steps involved, including engaging with a third-party ISO consultant or registrar and conducting a gap assessment among others.

Core Business Solutions publishes ISO Certification podcast episodes weekly. You can find more episodes here.

 

Episode 21 Part 1 Key Content

Hello, everyone, and thanks for listening to the Quality Hub chatting with ISO experts. I’m your host, and we have a treat for you today. I’m here with the National Sales and Marketing Manager at NQA, which is a global certification body. Thanks so much for being here.

We’re happy to have you. Now, today is part one of a two-part series entitled Let’s just take a little peek here. And we’ll be looking at what registrars do, how audits are run, and what auditors look for in an audit. But first, let’s learn a little bit more about his experience and also what he does and enjoys. Could you tell us a little bit about yourself?

Yeah, absolutely. So I started back in the ISO world working for a competitive registrar known as TUV back in 2018. So back then my role was lead generation as well as some quoting. So really just minimal impact back-end stuff is really fun, really overwhelming. So believe me when I say this, I understand how much information there is to process for any company that’s new to the world of ISO.

Oh my gosh. Yes.

We feel your pain and that’s why I’m here today to try to make it as simple as possible.

And so when did you join up with NQA?

Yeah. So I joined in 2019 as a regional sales manager. Then in 2022 May, I moved up and took this new role. So really what that consists of is mostly back-end stuff. It’s my title, sales, and marketing, which is essentially 10% of my actual job. So a lot of the stuff is documentation. Everything in all the little things that you’re in this industry you’re all too familiar with.

Oh, absolutely. Absolutely. That’s great. And I do appreciate you taking some time today to be with us and sharing a little bit about your knowledge when it comes to, you know, basically what people are looking at when they’re going to be audited. Let’s start with the first question. What are the steps to getting and staying certified to an ISO standard?

All right. Good question. I’m going to start with the first 87 easy steps. No, I’m just kidding. I’m going to break it down into just some simple ones. And it’s just kind of general for first things first. And I get this question a lot from customers that are reaching out for the first time and they’re new to the ISO world. One, have you purchased the Requirements handbook? If you haven’t taken a look at that, if you don’t own it, there is no way for you to know how much of a bridge is needed to reach compliance right?

Right. Right. Absolutely.

That’s going to be the first step, especially with small businesses you’re mostly talking to in a lot of cases the owner of the company, the person that’s been there from scratch, they’ve implemented all these processes. So they have a very good grasp of what’s there and what’s not. So definitely the first step number two is going to engage with a third party, whether that’s going to be an ISO consultant like CORE or a registrar like NQA.

Ideally, if you plan on using a third-party consultant for the implementation and the compliance process, really you want to engage with an ISO consultant first. However, if you jumped the gun and reached out to NQA what we would do is just simply refer you out to CORE and another consultant. We are under the requirements that we have to send out 3.

You have to send out three and you have to stay neutral, which is why you can’t have a certification body and a consultant be the same place.

Yep, yep, yep. Conflict of interest. So that’s a good point. Next, there has to be an evaluation of whether this is done in-house or using the consultants, there has to be an evaluation of where you are at versus total compliance. And that’s done through a simple gap assessment. A lot of times in most cases, the consultant is going to do this. Now it’s just going to depend on sometimes the customer might have their gap assessment done by a supplier.

They might contact the registrar, but in most cases, it’s either going to be done strictly in-house or by a consultant. But the next step, I would say, is choosing a path of implementation. So this is where it gets a little bit difficult and it’s going to be dependent on several factors, what the scope looks like, what the interested parties and the amount of documentation truly is going to be a massive determination of what path to take because some right, some systems, some management systems are going to be a lot more complex than others.

Yeah. Whether you’re doing something like a simple quality management system like 9001 or if you’re doing cybersecurity or AS 9100, that’s, you know, a little more detailed. You have to deal with more regulations and things.

In a lot of cases, you know, companies are going to utilize the consultant route, which is what I always recommend if they’re starting from scratch when I won’t recommend that is if, let’s say someone was in corporate quality or heavily involved in quality in QMS and documentation and procedures and managing a quality management system and subject to third party audits for years. If they have that experience and they can tackle development in-house, so be it.

Yeah, I mean, if you’ve already handled some of that quality stuff involved into a quality manager, maybe an M rep for another company, you kind of know what you got to do. So do you need a consultant? At that point? That would be a good question.

100%. So once that path is decided, then it’s the building phase that’s going to involve a heavy amount of documentation, policies, processes, procedures, etc. During the implementation phase, there’s training and cultural development.

There is you’re doing something different than what you’ve done before. Yep.

Yep. So everyone needs to be on board and then conduct internal audits, and management review. This is just a general outline of what’s needed before a registrar like NQA and ready to come in and conduct the audit.

So yeah, that’s not much at all, is it?

No, it’s easy. It’s super easy.

You knock that out in the afternoon, right? No, that is a lot. And once, like you just said, once we get to the third-party audits, that’s when they’re going to start with you. If you’re there, register an auditor.

Correct. When you engage with the registrar, step one is going to be the initial quoting process. That can be simple, it could be complex. These days it’s leaning towards complex because since COVID we have a lot of different unique structures, even more so than before. I’m sure you guys have seen the same thing where you have the blend of hybrid employees, remote employees, and then fully onsite.

So a lot of things are now outsourced that may have not previously been. And so sometimes, as the review of scope comes into play where, let’s say a company has to manufacture sales and distribution of X, Y, and Z products, but then sales is outsourced. It’s you know, that’s considerations like, okay, wait a second, you outsource this process to a complete third party, yet it’s in your scope. Let’s take a look at this. So there are little details like that to work through.

And I know some CVs have different processes and we try to get everything upfront because when we issue a quotation, we want to be as close to perfect as possible. That way, when we source auditors for those audits, those days have minimal risk of change. It is in our interest to quote those as accurately as possible, just from a pure logistics standpoint and process standpoint.

You’re not sending the wrong auditor out to do the work.

At this point. We’re reliant on the information presented to us. It’s happened. The auditor gets onsite. They’re like, well, there are a lot more process owners that were communicated to me. There are a lot more employees. We need to add time. And that does happen, but we’d like to avoid that because that auditor might not have extra time.

Their utilization might be through the roof. So after the quoting phase in the contractual phase, we lead into our audits. And so what they consist of, we have a stage one or stage one, stage two audits for initial certification. That is going to be the audit that issues the actual certificate. And from there, you know, certificates are on a three-year cycle.

So let’s say you get certified in 2023, expiration is going to be 2026. So we had initial certification in 2023. We would have surveillance audits in 2024, and 2025, and then the reassessment audit in 2026. And so after that reassessment, the cycle just starts over. And on and then we go for the annual audit.

So stages one and two of your initial audit, then two years of surveillance, and then a reassessment. I got it.

In stage one, it is required by most certification bodies they’re going to leave about a 30 to 45-day gap between stage one and stage two. Just to allow time to address any findings and any policies or procedures that need to be addressed and maybe changed and enhanced before stage two. The primary focus of stage one is the review of documentation. And that’s just to see, let’s look at what you have written down.

Does this cover all the requirements of the standard? Because we have to start there before we can even audit processes and then facility sites, specific conditions with ISO 9001. You know, this can be location, especially if it’s warehousing. Like how close are you to two major highways, etc. It could be several different things for EMS. It could be what are some conditions with wildlife or bodies of water, things like that for contamination, etc. Reviewing the organization’s QMS status management, system status, and understanding of the requirements of the standard, in particular the identification of KPIs, key performance indicators, risks, processes, objectives, and operations of the management system. Overview of applicable regulations.

Once again, I’m talking about EMS. You know, let’s say we’re evaluating the facility site, specific conditions and there’s a manufacturer of chemicals and we’re near a body of water. There’s going to be additional regulations that apply and so those need to be reviewed as well. And everyone’s favorite part, interviewing organizations, and personnel.

This helps assess the readiness to have a Stage Two audit conducted. The big thing in this is this is why we try our best to have conversations in the front end during the quoting process, confirming the applicability of the scope for the organization’s QMS. Now I mentioned that an outsourced process being within the scope of certification, that would be something that we would address upfront.

That way the auditor doesn’t have to bring that up because likely it changes one. The audit plan for stages two and two might change the effective headcount of what we’re auditing. If we have things outsourced, we’re not going to audit that. We would audit the control of those outsourced processes, but not necessarily call up the third party and interview salespeople. Right.

So you would keep that out of your scope.

Keep it out of the scope. Then there are some cases where we’ve had to be creative. For example, ISO 20000-1 IT service. So we had a company that was outsourcing that completely, but the standard was a requirement for a customer.

Wow, well, so how do you handle that if they’re not handling any of it, but you need to certify them to it. Yeah.

Yes. We had to play around with the scope we had to their scope before capturing all the activities that this third-party IT service desk was conducting. But we switched it from that to the management of the third-party service organization and the processes that they have and we did loop in their key contacts at the third party for an interview during the audit.

But that is we had a large adjustment in scope if we didn’t review that scope in the front end and the auditor saw that, they’d be like, hang on, we got to press pause in this audit completely. And then obtaining objective evidence that internal audits and management reviews are being planned, performed, and will be completed before stage two. A new company that we’re working with asked me. I always recommend them to be completed before stage one. That way there are no questions but that’s the official requirement is that they’re completed before stage two.

Yeah, and maybe some of this is they’re trying to get done pretty quickly.

And then there’s a focus on planning for the stage two audit. So in essence, that’s the stage one.

Sounds like the auditors are making sure the company is ready for stage two.

Yeah, if you break it down, simply review documentation, review a scope confirmation scope review internal audits, management review, and planning for stage two.

Awesome.

Stage one oftentimes is just one day, so that sounds like a lot of bullet points for one day. But that’s the key focus.

And what about stage two then?

During stage two, the objective of the audit is to assess the organization’s adherence to its policies, objectives, and procedures and even define and ascertain conformance to the requirements of the standards. So that’s why we reviewed the documentation of those policies objectives and procedures and stage one. And now we get to audit the actual things in action as they were defined.

So the process centers would be in stage one or would they be in stage two?

Process owners, we would still conduct interviews during stage one, but we will. It’s more heavily weighted during stage two. So, get everyone ready for the process owner interviews and it doesn’t stop at the process owners that can flow down to the employees. Top management is not off the hook. Leadership Clause – Review of documentation records that support the implementation and is expected when we’re in there assessing the processes.

If nonconformance or opportunities for improvement are identified, they will be documented in a report that the auditor will provide and that will be presented during the closing meeting. So the audit starts with the open meeting, it ends with the closing. The key thing with stage two, it’s objective evidence. So the auditor is going to look for evidence that policies and procedures are being followed and they’re being supported by not only documentation but by the employees, whether that be through the training, actual fulfillment of these procedures, etc. So objective evidence is going to be your friend.

That seems very reasonable, especially from an audit standpoint. This ends part one of our two-part series. Be sure to tune in next week when we’ll continue our discussion and we’ll be covering audit findings, corrective actions, and continuous improvement, all from an auditor’s perspective. And we want to thank everyone who’s listened to our podcast today. We hope it’s been informative for you and if you haven’t already followed us on your favorite podcast platform, be sure to do so. That way you won’t miss part two next week on the quality of our podcast. Have a great day.