Audits: the what, when, and how
Preparing for an external audit can feel overwhelming, especially if it’s your first certification audit and you aren’t sure what to expect.
In this article, NQA Regional Assessor (also known as a ‘management system auditor’) Karen Whitby walks us through the audit journey step-by-step. Expect valuable insight from a trusted expert – and new-found confidence to book your certification audit.
Your certification audit, minus the stress
So, you have an external audit coming up… but have no idea what it involves.
My first piece of advice is to breathe. The modern-day approach to auditing with certification bodies like NQA is geared towards client-auditor relationships rather than nerve-racking trial-and-error.
Our goal is to help you feel at ease (and is one of the main reasons our clients use NQA for all their certification audits!).
Before we begin: keeping you on track from start to finish
It’s vital to keep clients posted throughout the certification audit process.
Every audit comes with a full report (with a copy emailed to you for reference), and a unique audit number. The number offers extra clarity – should you need to discuss the audit with your management system auditor or certification body.
Also, NQA and other certification bodies, under their accreditation with UKAS, have the reports from each audit checked by the Head Office Technical Team. This ensures that all the requirements have been thoroughly reviewed.
Without further ado, let’s start going through each stage of the external audit process.
Stage 1: double (and triple)-checking your documents
The first stage – no matter the audit purpose or intended certification – is a document review. This initial audit can happen off-site or remotely, and it ensures your business meets the various management system requirements.
Document reviewing is a simple process. The auditor runs through a checklist clause by clause, confirming you have everything in place (with evidence to show for it).
You might be interested to know that the common standards now follow Annexe SL, which makes it easier for businesses to implement and integrate different standards. Don’t worry, though, understanding the intricate nature of Annexe SL isn't required for certification!
Stage 2: proving your management system works (after 3 months)
The next stage is an evidential audit, reviewing the management system with a fine-tooth comb. It samples everything detailed in Stage 1 to ensure the management system is robust, with plenty of proof.
This 3-month timeframe tends to give enough time for you to grow an adequate sample size. It may vary, though – with some of the reasons Stage 2 happening within or beyond 3 months including:
The management system is mature (< 3 months) or relatively new (> 3 months)
The client faces time demands from their customers or a particular tender
Management system review checklist
Now you know when Stage 2 happens, we can move on to some of the documents and records they might review. It may involve:
Non-conformance reports (NCRs)
This part of the external audit will also look at the operational side of your business. It varies depending on the standard but often includes the following documents and records:
Design and development reviews
Contract reviews for customers and sales
Verification of purchased products
Stage 2 goes beyond paper documents and records, too. Your management system auditor may want to inspect the following via a site walk:
Physical manufacturing, assembly, and services
IT infrastructure and security protocols
- Health & safety and/or environmental factors
If your Stage 2 evidential audit is a success, good news: your business is officially approved for certification!
On the other hand, your business may not be approved for certification. Should this happen, your auditor will provide recommendations and rearrange another audit to confirm implementation and whether the business now meets the standard.
NQA top tip: Use the audit checklist above as a guide. You can find out exactly what you need to prepare from your auditor.
Stage 3: friendly check-ins (after 1+ year)
Stage 3 is all about surveillance auditing, which makes sure your business keeps to the standards relevant to its certification.
A surveillance audit captures the operational aspect of your business with a review of your management system. This stage is broken down into 2 parts:
Surveillance 1 (Surv 1) – approx. 1 year after Stage 2/certification
Surveillance 2 (Surv 2) – approx. 1 year after Surv 1
The surveillance audit stage varies from business to business and standard to standard. For instance, the first surveillance audit may focus solely on X, whereas the second surveillance prioritises Y. Either way, your auditor will let you know what to expect beforehand.
Stage 4: recertification (after 3 years)
After 3 years of being certified, it’s time for a management system auditor to pay your business another visit.
A recertification audit is the final part of the certification audit cycle. It will likely take place for a similar length of time as Stage 2 (the evidential audit), though this depends on the:
Recertification looks different for every business, which is why it's always a good idea to stay in touch with the awarding certification body. Your management system auditor will be more than happy to guide you through the specific requirements.
NQA top tip: Remember to tag us on social media when you get recertified. You can find NQA on Facebook, Twitter, and LinkedIn.
Final thoughts from Team NQA
There you have it: our A-Z guide to external audits, including the how, what, and when. We understand how confusing – and even intimidating – your first audit can seem, but we hope this article gives you the confidence to apply for accreditation.
If your business is eager for certification, why not browse our standards today? NQA takes pride in open communication, efficient auditing, and more for an unmatched client experience.