From Auditee To Auditor: A Guide To Understanding The Certification Process
A dual perspective on audits: combining personal experience with practical advice to help you prepare and improve.

My first experience of auditing was as a trainee accountant, when I would go out to client offices and help the auditor sample invoices and reconcile them back to the client's ledgers or financial systems.
A change in career saw me supporting corporation tax and statutory accounts software. There was an ISO 9001 audit and I was selected to talk through the process of creating and managing support tickets. I remember feeling really nervous and under a lot of pressure on my then-young shoulders!
Of course the audit went well, the auditor was friendly and my section of the audit passed with flying colours! After the audit I wondered why I had been so nervous; after all, I was only explaining how I did my job. It wasn't an exam and there were no trick questions! Worst case, if any non-conformances had been raised, they would have benefited my job in the long run.
I also came to realise that an audit is not passed by one person; it requires the whole company to do their part, whether that be following processes and procedures, policing them, or raising opportunities for improvement.
After that audit I was asked to look after the quality management system and I trained to be an internal auditor. I subsequently became Compliance Manager, responsible for ISO 9001, 27001 and 20000-1. After three years I decided to become a Regional Assessor for NQA, so I completely understand how daunting and stressful the auditing process can be. To make it a little less so, let me give you an overview of what to expect during the certification process.

The Certification Process
Preparation
About 4-6 weeks before your scheduled audit, the auditor will introduce themselves and provide an audit plan covering the duration of the visit. The plan will include the mandatory clauses (4-10), which are audited at every visit, together with a selection of processes and, for ISO 27001, Annex A controls. This is your opportunity to make sure the right people are available and that times are booked in diaries, so everyone can plan their work accordingly rather than being put on the spot on the day of the audit. As auditors, we know that you are running a business and we accommodate this as much as we can, so don't think of the audit plan as rigid: there is flexibility, as long as everything is covered at some point during the visit.
While reviewing the audit plan it is useful to consider what evidence can be shown for each part of the audit. For example, for Annex A control 7.14 (Secure disposal or re-use of equipment), I'd be looking to verify that storage media containing confidential information had been securely wiped and destroyed, evidenced by the asset register being updated, perhaps a ticket raised for the asset to be wiped, and a secure disposal certificate that is WEEE and EU GDPR compliant. I'd also look at any relevant documentation, such as policies, procedures or internal audit reports.
Having this information accessible allows the audit to run more smoothly and with less stress. There is a common misconception that auditors are looking for problems and nonconformities to raise, and that giving them more time during the audit only gives them more opportunity to find issues. This is wrong. Our role is to confirm compliance with the standard, and we do this by seeking evidence. If time is wasted, the result can be nonconformities raised for lack of evidence, or an increase in the audit time, potentially extra days, needed to ensure all mandatory clauses are covered.
On the Day
Regardless of the type of audit, each visit will start with an opening meeting. This is for formal introductions of everyone involved in the audit, and to confirm the standard being audited, the scope and whether there are any exclusions. Confidentiality is also discussed, along with any health and safety requirements. The audit plan is then reviewed, and it is reiterated that this is a sample audit. If you have any concerns about the audit plan, raise them straight away so they can be discussed and addressed in the best way.
Types of Audit
Stage One Audit
A stage one audit assesses whether your company is ready for the full assessment that determines whether you can be certified to your chosen standard. It is an opportunity for the auditor to gain an understanding of your company and the context of the business, and to review key documents and procedures to ensure they meet the requirements of the standard. Where they do not, this will be explained and noted in the audit report as an "Area of Concern" (AoC). Opportunities for improvement are also raised as AoCs at this stage. AoCs need to be reviewed and actioned before the Stage two audit, otherwise the Stage two audit will not lead to certification. It is highly recommended to have a copy of the applicable ISO standard to refer back to, along with any relevant supporting standards; for example, ISO 27002:2022 can be used as a reference for determining and implementing controls for information security risk treatment under ISO 27001:2022.
Stage Two / Recertification Audit
These audits cover all clauses and controls, so they are longer in duration. They also include the processes within the scope of the certification. Again, there will be an opening meeting to explain the plan for the audit, details of which will have been sent beforehand. As all aspects need to be covered, the time spent on each clause, control and process may be less than during a surveillance audit.
The sample audit is to find evidence of compliance and offer opportunities for improvement.
During the audit the Lead Auditor will keep everyone up to date with findings or concerns. These will always be fully explained and discussed to ensure the evidence has been interpreted correctly. The Lead Auditor's decision is final, but there is an appeals process if you disagree with the assessment.
Once an audit is completed there is a closing meeting, with all stakeholders invited. The meeting is to confirm the standard audited, the scope of the audit and the final assessment and recommendation for certification. Any findings are discussed, along with the process to get them resolved.
Findings for audits, other than Stage One, include:
Major nonconformities – a significant failure to meet the requirements of the ISO standard: a more serious deviation from the intended results of the management system than a minor nonconformity, or multiple minor nonconformities that together demonstrate a systemic problem or a failure to maintain conformance with the standard. For example, failure to perform regular backups. These have to be resolved within 10 days and may require a Special Visit to verify that effective corrective action and root cause removal have been completed before a certificate can be issued.
Minor nonconformities – a failure to meet the requirements of the ISO standard that does not significantly impact the management system. Generally these are isolated incidents that are easily fixed, for example missing or incomplete documentation. Resolution is to be evidenced within 90 days.
Each nonconformance is documented on a Corrective Action Plan (CAP) form, which details how the nonconformance is to be addressed, how the root cause is to be removed, and the evidence confirming that this has been completed. As mentioned, a special visit may be required to verify that the corrective action has been effective. This needs to be completed before a certificate can be issued, or reissued after a recertification audit.
Another type of finding is an OFI, or opportunity for improvement. These are recommendations that should be logged in the OFI register, with your considerations documented. They do not necessarily need to be implemented, although the reasons for the decision should be documented for review during the next external audit.
After the Audit
Once the audit is complete, the Lead Auditor has 48 hours to produce the full audit report. Any concerns or queries about the report should be fed back to the auditor as soon as possible. The audit report is sent for technical review; once this has been completed and any nonconformities addressed, usually within two weeks, the certificate is issued.
Audit Cycle
Once you have received your ISO certificate, you enter the three-year audit cycle. The annual audit verifies that the management system is being maintained and remains compliant with the ISO standard. The first audit after certification is Surveillance One, the second Surveillance Two, and the third is the recertification audit.
At each audit the mandatory clauses need to be covered, and over the three years all processes and controls need to be audited. These are noted in the three-year matrix at the end of the audit report, which is a guide to what will be covered during the upcoming audits, though this can change as long as all aspects are covered at least once over the three years.
Summary
Planning is key to getting the most out of your audits. Ask questions; the audits are there for you to gain assurance that your processes are working. While auditors cannot provide consultancy, they can suggest opportunities for improvement. The audit process is designed to obtain evidence of conformity, not to catch you out. Enjoy the process and remember that auditors understand you're running a business too, and they'll be as flexible as they can.
After the audit, addressing nonconformities promptly and effectively is crucial. This not only ensures compliance but also helps in continuous improvement of your processes. Remember, audits are a valuable tool for enhancing the overall quality and efficiency of your operations as well as providing assurance with certification for the ISO Standard.
