The Quality Hub Podcast
Listen Below. Learn More.
The ISO 9001 Certification Audit
Episode 7 – The ISO 9001 Certification Audit
The ISO 9001 Certification Audit
In this episode, we have two special guests – the much-loved Suzanne Strausser, VP of Consulting, and the ever-knowledgeable Joe Hill, Manager of Audit Services at Core Business Solutions. Join us as we dive into the intricacies of the two stages of the Certification Audit, uncover what the auditor is seeking, and explore their audit methodology. Plus, valuable tips on the dos and don’ts of participating in the certification audit.
Core Business Solutions publishes ISO Certification podcast episodes weekly. You can find more episodes here.
Episode 7 Key Content
Hello, everyone, and thanks for listening to the Quality Hub chatting with ISO experts. I’m your host, Xavier Francis, and I’m here with Joe Hill, manager of Audit Services, and Suzanne Strasser, vice president of Consulting and Development here at CORE. So glad you both could be with us today.
Glad I could be here as well as Xavier.
Yes, glad to be back.
Today’s show is entitled Your Certification Audit. And we’re going to cover what to expect during your certification audit. But first, let’s learn a little bit more about our guests. Let’s start with Joe. Welcome to the podcast and we’d love to hear a little bit of your background.
Well, thanks again, Xavier. Joe Hill, manager of audit services here at Core Business Solutions. I have been with CORE for approximately six years. Before joining Core, I did work for a registration body. Although qualified as an auditor, my primary role was actually the quality manager there. So I implemented the standards that the registrars have to adhere to. I was also in charge of our auditor pool there.
So you audited the auditors?
Audited the auditors? Yes, I did. Oh, that’s great.
So you audited the auditors? Yes, I did. Oh, that’s great.
So we’re glad you both are here and I appreciate you taking the time today. So over the last six podcasts, we’ve been covering planning, implementation, and reviewing of a quality management system, and we even talked about doing the internal audit. We’re finally at our certification audit. Joe, what can we expect during our certification audit?
Yeah, So the big moment is here. We’re here for the certification audit, which probably take a few months, and building the system, kind of preparing, training, the employees, etc. And the certification audit is about to happen.
Yes, we put it all together. Now what.
Exactly? So the certification body, their initial audit, they are required to do that audit in two stages. So they’ll do a stage one audit and a stage two audit.
Will they be on separate days generally?
Yes. There is an expectation that there is some time frame between the stage one and the stage two audit. So the stage one audit, it’s just a high-level document review. The auditors going to ask to look at things like your quality manual, and any procedures that you may have written. They always ask you to look at your most recent management review minutes as well as your last internal audit reports.
So they’re checking what we’ve done at this point.
Yep. They’re essentially just looking at your documented system to see if it appears that you are ready to go through with the full-blown Stage Two audit.
So if you’re not, if they put the brakes on and go, we are going to need you to look at this a little bit more before we hit stage two.
Yes, they will indeed. So stage one, it’s that preparation. You know, it’s kind of seeing if you are prepared to go through that full-blown stage two audit. If the auditor for some reason feels that you are not prepared, yes, they will kind of put the brakes on. They’ll kind of delay the stage two. If it had already been scheduled, they’ll say, hey, we have a little bit of work to do before we can come in and do this.
So they’re checking what we’ve done at this point.
Yep. They’re essentially just looking at your documented system to see if it appears that you are ready to go through with the full-blown Stage Two audit.
So if you’re not, if they put the brakes on and go, we are going to need you to look at this a little bit more before we hit stage two.
Yes, they will indeed. So stage one, it’s that preparation. You know, it’s kind of seeing if you are prepared to go through that full-blown stage two audit. If the auditor for some reason feels that you are not prepared, yes, they will kind of put the brakes on. They’ll kind of delay the stage two. If it had already been scheduled, they’ll say, hey, we have a little bit of work to do before we can come in and do this.
Right. And I know we try to go in very prepared with our customers. So let’s say we, you know, we’ve got we’ve hit with flying colors. They’re ready to do the stage two audit. What is that?
So stage two is probably more of what people would think of as an audit. Stage two, the auditor is going to dive into your operational processes and speak to employees, requests, and records of evidence for various pieces of operations.
See this as almost like you’re proving it. You have proven that you should be certified.
Yep. Stage two is the proof in the pudding that you have the quality system in place and you’re in conformance.
So, you know, originally the audit was in one fell swoop, so they didn’t have the two-part audit and they’d found that folks weren’t ready. So that’s why they broke it up. So like Joe said, stage one is really about, whether are you ready to proceed to the next step.
When that probably saves everybody time and total effort. I mean, you know if you get everything planned out and then you’re just not ready, you’ve wasted people’s time and money. Yes. Yes. This is not an inexpensive endeavor. So let’s not spend money yet if we don’t have to and we’re not ready.
Exactly.
So we’re here. We’re sitting in our stage two audit. What is the registrar looking for? The auditor that is in front of us from a registrar body? What are they looking for?
Well, ultimately, the registrar is going to be looking for conformance to the given standard for which you are pursuing certification. Now, of course, there are many different standards out there.
Right? Right. I mean, we’re right now we’re talking about quality, which in ISO, that’s 9001. You might be looking at ISO 45001, You might be looking at ISO 14001 or ISO 27001. That’s an information management system. There are standards for so many things, AS, AS9100, or AS9120. But we’re talking about quality here.
Right, Right. So each individual standard has its own unique set of requirements and expectations, of course, based on what standard it is. So the auditor is looking for conformance against that set of requirements. The registrar is required to assign an auditor who is not only qualified in the standard but also needs to be qualified in your industry.
Right? Depending on what industry you work in, the auditor should have some experience.
So manufacturing versus service. But to have somebody audit you who has worked specifically with manufacturing and all that type of stuff, they’re not necessarily going to audit a service organization.
Correct. Even if you look at manufacturing, you can break that down even further as well.
So if someone has been in manufacturing, they wouldn’t necessarily audit somebody who may be in the food industry.
Correct. Yeah. You can even like the metals industry versus plastics versus chemical manufacturers. So there are different industries and different manufacturing principles that apply to whatever that industry might be. So, again, the registrar is going to assign an auditor who has experience in whatever industry the customer is working in.
That makes total sense. So, Joe, they’re expecting us to meet the requirements of the standard. We’re being audited towards where we just started the audit. What should we do during the audit?
Well, first and foremost, you just want to be open, honest, and hospitable with the auditor. The auditor is just there to have a conversation with you, going to ask questions about your role, and what you do with the organization. So just be honest and forthright.
So if they ask a question you’re not sure about. Don’t try to hide that. You don’t know what it is.
Exactly. You don’t. Don’t try to hide anything. There’s nothing wrong if the auditor asks you a question you don’t know. Or maybe you’re not the appropriate person to address the question. There’s nothing wrong with telling the auditor that. Yeah, well, I don’t know the answer to that or, Well, I’m not the right person. You might want to go talk to this person about that.
Well, we do have other people that are involved in the audit. It’s not just a single person.
Exactly. The entire organization essentially is involved with the audit top management, mid-level management down to the shop employees. Anyone could be audited.
So I’ve been audited. And when I was audited, sometimes I was asked yes or no questions, and other times I was asked to explain something. Right. And I know that I was told by my quality manager to not elaborate. Why would that be? Why would we not want to elaborate? If they just asked me a yes or no question.
You don’t want to provide too much information. It’s kind of auditing 101. Yeah. If the auditor asks a yes or no question, answer yes or no and leave it at that, you know, allow the auditor to pull more information from you. And most of the auditors, in my experience, they do enjoy trying to find the staff who are the talkers, and they’ll just let them talk and they’ll just keep taking notes as long as they’re talking.
What does that do from an auditing standpoint?
It can open up some audit trails, you know, depending on how much information they’re there providing. It can just give the auditors some additional paths to follow.
Is that good or bad?
It could be either. It’s a bit of a double-edged sword.
Maybe you’re answering the questions the auditor would already ask after the yes or no question. But sometimes you might be answering something that, Oh, I never get that. Let me look into that and see what’s going on.
Exactly.
Yeah, I had that happen one time in an audit. In my first audit, our auditor was pretty combative, and it was an area that I was concerned about. And we got through the audit. Okay. And at the very end, the supervisor of the area said, Oh, wait, I have this report. Let’s take a look at that.
Yeah, Yeah. That’s I mean, there’s a there’s a fine line. Of course, you want to be open and honest, but there is that fine line of, you know, providing too much information.
You almost want to look at it like a court case in some respects where you have to answer the question you’re asked. You want to be forthright, you know, and be honest with what you’re answering, but you also don’t want to elaborate too much and open a can of worms.
Exactly.
Couple a couple of other things that I think about. And I know we’re talking to management reps here or the management of the company. The first thing I tell my customers is that an audit is, in my view, a lot about impression management. So if you’ve cleaned up the organization, if you have coffee for the auditor when they walk in and treat them with respect, be confident about your processes.
And a lot of folks are proud of what they do. So that should come across. So that makes a difference. I think, to the auditor. Oh yeah, I know it does to me when I, you know when I ordered a facility.
But it’s one of the things here. We’re proud of what we’ve done. Yeah, I do think that we’ve done a great job here, which you should.
Right.
And say, Hey, here we want to show you.