
Preparing for an ISO 9001 certification audit

Updated on August 3, 2013


ISO 9001 is the international standard for quality management systems. It provides a set of clauses which a company or organisation needs to follow if it wants to achieve certification to the standard by an accreditation body. Preparing for an audit by an external accreditation body can be worrying, especially if you are undergoing your very first audit, with concerns over whether your management system will meet the clauses and achieve or maintain compliance.

This article provides guidance on where to focus your efforts during preparations, what to expect during the audit and the approach to take if non-compliances are identified.

Your management system

It is easy to get lost in the clauses and terminology of the ISO 9001 standard. It is a document which can be ambiguous and which, as an international standard, can have confusing terminology.

Your management system does not need to use the same terminology as the standard but your management system does need to be robust and you need to know which parts of your management system relate to which clauses. Your management system documentation needs to be written in language which employees of the organisation will understand. Having a management system which is understood by the people who need to use it is far more important than trying to mirror or recreate the terminology used in the ISO 9001 standard.

Management system documentation is the collection of individual documents which together form your management system. This may include policies, manuals, procedures, work instructions, flow charts, forms and user guides.

Before any audit you must ask yourself two questions. Firstly, how do the people in my organisation access management system documentation, and will they be able to access it if asked to do so by the auditor? Secondly, will they be able to understand the documentation when they do access it?

To make sure that the answer to both of the above questions is yes, you need to conduct training with the people to show them how to access the documentation and to gauge their understanding of the information it contains.

Policy and Continuous Improvement Goals

The first step any auditor will take during an ISO 9001 audit will be to review your Quality policy and the goals your organisation has for improvement.

The Quality policy needs to be a written document which details a commitment to complying with ISO 9001 through operating a management system and further commitments to providing good services to your customers, developing your personnel and continuously improving the management system. The auditor will expect your policy to have been communicated to all personnel and to be visible to them through such means as noticeboards or an intranet. There also needs to be commitment to the policy from the highest levels of your organisation: the auditor will expect the policy to be signed or endorsed by the CEO, a director or company member of similar standing. The auditor will not expect employees to be able to recite the policy word for word but will have an expectation that they know where to find it. When the auditor interviews senior management they will have an expectation that these senior personnel have a good knowledge of what the policy says.

Within your policy you will identify key areas such as providing high levels of customer service, providing training to your personnel or handling non-conformity swiftly and effectively. The auditor will expect these types of statement within the policy to translate into measurable goals which are monitored. For example, your statements on customer service should translate into measurable goals on delivery or customer satisfaction. You need to know these links and be able to show how the goals are being monitored, discussed and communicated. Auditors will be especially interested in goals which are not being achieved and will want to know what is being done to rectify the outcome.

Mandatory Procedures

There are six mandatory procedures within ISO 9001. In order to comply with the standard you must have written procedures to satisfy these six clauses. Failing to have written procedures for these clauses will result in a major non-compliance.

The six mandatory procedures are:

  • Control of non-conformance
  • Preventive action
  • Corrective action
  • Internal audit
  • Control of records
  • Control of documents

How you produce the procedures is your choice. They do not need to be traditional procedure type documents and can instead be flow charts or could combine text with photos or graphics.

The Quality Manual

The Quality Manual is another mandatory requirement of the ISO 9001 standard and is something which the auditor will review extensively.

The Quality Manual is a written document which describes the scope of your management system and then explains how you intend to comply with the standard. The scope of the system is a statement of the services or activities which your management system addresses. Some organisations elect to cover only part of their activities within the management system.

Quality Manuals used to be lengthy documents which covered each clause in the standard, but the requirement to do this changed with the 2000 revision of the standard. Most Quality Manuals will now identify the scope of the management system, identify the types of document used in the management system and then provide a diagram which explains the relationships between the key components of the system.

Since the 2000 revision auditors have an expectation that the Quality Manual will contain a flow chart which details the interactions of the main parts of the system and documentation. If you cannot provide this then it will be considered a major non-compliance to the standard.

Your Quality Manual needs to be a controlled document with a document ID, revision status and issue date. Just as with the Quality Policy, the auditor will not expect personnel to have extensive knowledge of the Quality Manual but will expect them to know how to access it if required.

Internal Audits

ISO 9001 has a requirement for the organisation to conduct internal audits in accordance with a written procedure. Before your audit you must be clear about the following:

  • Your internal audit procedure. It is a mandatory requirement that you have a written procedure.
  • Your internal audit calendar or schedule.
  • Who the internal auditors are and how they've been trained. Are they independent from the processes they are auditing?
  • How audits are recorded.
  • How non-conformances identified during the audits are reported and then how resulting actions are agreed and tracked to completion.
  • How internal audits are reported to senior management.

Your internal audits must evaluate both compliance with the ISO 9001 standard and compliance with internal procedures. If the external auditor selected a clause of the ISO 9001 standard and asked if an internal audit had addressed that clause could you demonstrate this?

There will be an expectation that the auditor can see at least six months of history of internal audits and the auditor will expect to see the action taken on any non-conformances raised during those audits closed out in a timely manner.

As your system becomes more mature the external auditor will expect to see some sort of risk-based selection process behind your audit schedule, i.e. the processes with most risk or worst performance become the focus.


Throughout the ISO 9001 standard there are clauses which require non-conformances to be handled in a structured manner. Expect to have to demonstrate to the auditor how you record and handle the following types of non-conformance:

  • Internal audit non-conformances
  • External audit non-conformances
  • Issues raised by external regulatory bodies
  • Complaints from customers
  • Non-conforming products (received from suppliers or which have been identified during your own processes)
  • Internal non-conformances (raised by internal parties outwith audits)

The auditor will want to see at least 6 months of records of these demonstrating the non-conformance details, the investigation results, the actions taken and showing approved closure.

Equipment maintenance and calibration

During the audit the auditor will identify equipment or software which is in use which could affect your quality of service (e.g. temperature gauges, measuring equipment, verification software). As this equipment or software affects service quality the auditor will expect the equipment to be appropriately maintained and, if required, calibrated. Any equipment which measures a parameter which could affect quality needs to be calibrated.

Where equipment is calibrated the equipment must have some sort of physical marking to indicate its calibration status. You must also be able to provide records which demonstrate the calibration status, i.e. calibration reports.

Where equipment is outwith calibration the auditor will expect it to be quarantined and suitably withdrawn from use.

With maintenance of equipment it is up to you to demonstrate that you have established maintenance routines and are applying these with associated records.

Process Records

Process records are the records which people produce daily as a result of their work. These could include quotations, order acceptances, contract reviews, picklists, route cards, inspection records and delivery tickets.

During the audit the auditor will expect to sample these records whilst in use. It is critical that your personnel are using these records correctly and are not electing to bypass all or part of the recording process. Conduct your own samples to verify that records are being completed fully and correctly.

The auditor may also wish to check how you ensure that records are retrievable so this could mean a sample of archive records being verified. Always ensure that you have an effective archiving system and that you understand how it operates.

Management Review

The Management Review records are the golden ticket for any external auditor visiting your organisation, and they will always review these records thoroughly. The ISO 9001 standard identifies areas which must be addressed during Management Review meetings and therefore seeing these records gives the auditor an insight into the inner workings of your organisation, how it is performing, how much focus is given to improvement and where the management system is going.

Check the ISO 9001 standard to ensure that your Management Review meetings are addressing the clause.

Check that the meetings are being thoroughly documented so that the auditor can see all areas are being addressed.

Be certain that any problems with the management system are reflected in these records and that the records address how you are going to deal with the problems.


If the auditor does not fully explain how their non-compliance system works then be sure to ask for details before the audit commences.

Typically there will be three levels of non-compliance as follows:

  1. A suggestion or prompt for a follow-up. This isn't strictly a non-compliance but is a warning that the auditor isn't fully satisfied with an area of the management system.
  2. Minor non-compliance. The auditor has identified something which needs to be resolved. This should not prevent your management system achieving or maintaining ISO 9001 certification.
  3. Major non-compliance. The auditor has identified an issue of non-compliance with the standard which is going to prevent your management system achieving or maintaining ISO 9001 certification.

It is important to understand these non-compliance levels so that you can discuss the level of any non-compliances with the auditor during the audit as they are identified. This gives you a better opportunity to provide evidence to eliminate or reduce the severity of the non-compliances.


ISO 9001 audits rarely turn out to be as daunting as first feared.

Remember that the auditor is looking for a management system which meets your organisation's needs. Improvement culture and good knowledge of the management system within your personnel are going to impress and influence the auditor most of all.

Good luck!


    • LeanMan


      5 years ago from At the Gemba

      Unfortunately the external auditor has an interest in your company passing the audit even if your system is lacking in some way or fails to deliver a quality service to your customer.

      In my experience too many companies are awarded a certificate even though they should have little or no chance of passing.

