Preparing for an ISO 9001 certification audit
ISO 9001 is the international standard for quality management systems. It provides a set of clauses which a company or organisation needs to follow if it wants to achieve certification to the standard by an accreditation body. Preparing for an audit by an external accreditation body can be worrying, especially if you are undergoing your very first audit, with concerns over whether your management system will meet the clauses and achieve or maintain compliance.
This article provides guidance on where to focus your efforts during preparations, what to expect during the audit and the approach to take if non-compliances are identified.
Your management system
It is easy to get lost in the clauses and terminology of the ISO 9001 standard. It is a document which can be ambiguous and which, as an international standard, can have confusing terminology.
Your management system does not need to use the same terminology as the standard but your management system does need to be robust and you need to know which parts of your management system relate to which clauses. Your management system documentation needs to be written in language which employees of the organisation will understand. Having a management system which is understood by the people who need to use it is far more important than trying to mirror or recreate the terminology used in the ISO 9001 standard.
Management system documentation is the collection of individual documents which together form your management system. This may include policies, manuals, procedures, work instructions, flow charts, forms and user guides.
Before any audit you must ask yourself two questions. Firstly, how do the people in my organisation access management system documentation, and will they be able to access it if asked to do so by the auditor? Secondly, will they be able to understand the documentation when they do access it?
To make sure that the answer to both of the above questions is yes, you need to conduct training with the people to show them how to access the documentation and to gauge their understanding of the information it contains.
Policy and Continuous Improvement Goals
The first step any auditor will take during an ISO 9001 audit will be to review your Quality policy and the goals your organisation has for improvement.
The Quality policy needs to be a written document which details a commitment to complying with ISO 9001 through operating a management system and further commitments to providing good services to your customers, developing your personnel and continuously improving the management system. The auditor will expect your policy to have been communicated to all personnel and to be visible to them through such means as noticeboards or an intranet. There also needs to be commitment to the policy from the highest levels of your organisation. The auditor will expect the policy to be signed or endorsed by the CEO, a director or company member of similar standing. The auditor will not expect employees to be able to recite the policy word for word but will have an expectation that they know where to find it. When the auditor interviews senior management they will have an expectation that these senior personnel have a good knowledge of what the policy says.
Within your policy you will identify key areas such as providing high levels of customer service, providing training to your personnel or handling non-conformity swiftly and effectively. The auditor will expect these types of statement within the policy to translate into measurable goals which are monitored. For example, your statements on customer service should translate into measurable goals on delivery or customer satisfaction. You need to know these links and be able to show how the goals are being monitored, discussed and communicated. Auditors will be especially interested in goals which are not being achieved and will want to know what is being done to rectify the outcome.
There are six mandatory procedures within ISO 9001. In order to comply with the standard you must have written procedures to satisfy these six clauses. Failing to have written procedures for these clauses will result in a major non-compliance.
The six mandatory procedures are:
- Control of non-conformance
- Preventive action
- Corrective action
- Internal audit
- Control of records
- Control of documents
How you produce the procedures is your choice. These do not need to be traditional procedure type documents and can instead be flow charts or could combine text with photos or graphics.
The Quality Manual
The Quality Manual is another mandatory requirement of the ISO 9001 standard and is something which the auditor will review extensively.
The Quality Manual is a written document which describes the scope of your management system and then explains how you intend to comply with the standard. The scope of the system is a statement of the services or activities which your management system addresses. Some organisations elect to cover only part of their activities within the management system.
Quality Manuals used to be lengthy documents which covered each clause in the standard, but the requirement to do this changed with the 2000 revision of the standard. Most Quality Manuals will now identify the scope of the management system, identify the types of document used in the management system and then provide a diagram which explains the relationships between the key components of the system.
Since the 2000 revision auditors have an expectation that the Quality Manual will contain a flow chart which details the interactions of the main parts of the system and documentation. If you cannot provide this then it will be considered a major non-compliance to the standard.
Your Quality Manual needs to be a controlled document with a document ID, revision status and issue date. Just as with the Quality Policy, the auditor will not expect personnel to have extensive knowledge of the Quality Manual but will expect them to know how to access it if required.
The ISO 9001 standard has a requirement for the organisation to conduct internal audits in accordance with a written procedure. Before your audit you must be clear about the following:
- Your internal audit procedure. It is a mandatory requirement that you have a written procedure.
- Your internal audit calendar or schedule.
- Who the internal auditors are and how they've been trained. Are they independent from the processes they are auditing?
- How audits are recorded.
- How non-conformances identified during the audits are reported and then how resulting actions are agreed and tracked to completion.
- How internal audits are reported to senior management.
Your internal audits must evaluate both compliance with the ISO 9001 standard and compliance with internal procedures. If the external auditor selected a clause of the ISO 9001 standard and asked whether an internal audit had addressed that clause, could you demonstrate this?
There will be an expectation that the auditor can see at least six months of history of internal audits, and the auditor will expect to see the action taken on any non-conformances raised during those audits closed out in a timely manner.
As your system becomes more mature the external auditor will expect to see some sort of risk-based selection process behind your audit schedule, i.e. the processes with most risk or worst performance become the focus.
Throughout the ISO 9001 standard there are clauses which require non-conformances to be handled in a structured manner. Expect to have to demonstrate to the auditor how you record and handle the following types of non-conformance:
- Internal audit non-conformances
- External audit non-conformances
- Issues raised by external regulatory bodies
- Complaints from customers
- Non-conforming products (received from suppliers or which have been identified during your own processes)
- Internal non-conformances (raised by internal parties outwith audits)
The auditor will want to see at least 6 months of these records, demonstrating the non-conformance details, the investigation results and the actions taken, and showing approved closure.
Equipment maintenance and calibration
During the audit the auditor will identify equipment or software which is in use which could affect your quality of service (e.g. temperature gauges, measuring equipment, verification software). As this equipment or software affects service quality the auditor will expect the equipment to be appropriately maintained and, if required, calibrated. Any equipment which measures a parameter which could affect quality needs to be calibrated.
Where equipment is calibrated the equipment must have some sort of physical marking to indicate its calibration status. You must also be able to provide records which demonstrate the calibration status, i.e. calibration reports.
Where equipment is outwith calibration the auditor will expect it to be quarantined and suitably withdrawn from use.
With maintenance of equipment it is up to you to demonstrate that you have established maintenance routines and are applying these with associated records.
Process records are the records which people produce daily as a result of their work. These could include quotations, order acceptances, contract reviews, picklists, route cards, inspection records and delivery tickets.
During the audit the auditor will expect to sample these records whilst in use. It is critical that your personnel are using these records correctly and are not choosing to bypass all or part of the recording process. Conduct your own samples to verify that records are being completed fully and correctly.
The auditor may also wish to check how you ensure that records are retrievable so this could mean a sample of archive records being verified. Always ensure that you have an effective archiving system and that you understand how it operates.
The Management Review records are the golden ticket for any external auditor visiting your organisation, and they will always review these records thoroughly. The ISO 9001 standard identifies areas which must be addressed during Management Review meetings, so seeing these records gives the auditor an insight into the inner workings of your organisation, how it is performing, how much focus is given to improvement and where the management system is going.
Check the ISO 9001 standard to ensure that your Management Review meetings are addressing the clause.
Check that the meetings are being thoroughly documented so that the auditor can see all areas are being addressed.
Be certain that any problems with the management system are reflected in these records and that the records address how you are going to deal with the problems.
If the auditor does not fully explain how their non-compliance system works then be sure to ask for details before the audit commences.
Typically there will be three levels of non-compliance as follows:
- A suggestion or prompt for a follow-up. This isn't strictly a non-compliance but is a warning that the auditor isn't fully satisfied with an area of the management system.
- Minor non-compliance. The auditor has identified something which needs to be resolved. This should not prevent your management system achieving or maintaining ISO 9001 certification.
- Major non-compliance. The auditor has identified an issue of non-compliance with the standard which is going to prevent your management system achieving or maintaining ISO 9001 certification.
It is important to understand these non-compliance levels so that you can discuss the level of any non-compliances with the auditor during the audit as they are identified. This gives you a better opportunity to provide evidence to eliminate or reduce the severity of the non-compliances.
ISO 9001 audits rarely turn out to be as daunting as first feared.
Remember that the auditor is looking for a management system which meets your organisation's needs. Improvement culture and good knowledge of the management system within your personnel are going to impress and influence the auditor most of all.