What does the external audit process look like?

Your organization has been busy recently setting up and implementing an ISO management system. The internal audit and management review have been conducted and the results have been neatly written up. Action items are planned and each has been assigned an owner. You're all set for the review. But what happens next? In this article, we explain what the entire external audit process looks like and what you can expect.
This article was last updated on 14/5/2024.

The external audit process consists of a 3-year cycle. It starts with the initial audit (obtaining the certificate). This is followed by two surveillance audits. At the end of this cycle, the recertification audit determines whether the certificate is renewed and the organization enters a new 3-year cycle. The audit is conducted by a Certifying Body (CB). A CB is an external, independent body that determines whether the organization meets the standard(s) it is to be certified against. The CB is in turn supervised and controlled by the Accreditation Council (RvA).

Preliminary audit

The external audit cycle starts with the preliminary audit. During the preliminary audit, an auditor (from the CB mentioned above) investigates whether the management system has been implemented effectively and efficiently. This is done by means of, among other things, a document review, which checks whether all the mandatory documentation is present. The auditor also meets the organization and its representatives and reviews some processes. During the preliminary audit, documents are not yet assessed on their content; only the presence of the mandatory documentation is examined. After the preliminary audit, the organization receives a report with the auditor's findings, which also states whether the organization is ready for the certification audit.

Certification audit

The certification audit focuses on the practical operation of the management system. By conducting interviews, viewing documents and observing the daily activities of the organization, the auditor tests whether processes conform to the management system. After the certification audit, the auditor determines whether the organization is eligible for the certificate. Afterwards, the auditor also provides a report in which all findings are described in detail.

Surveillance audit

Now that the certificate is obtained, the work is done. Right? Certainly not! For more on this, read our article "Maintenance after certification, essential?". After the certificate has been obtained, the auditor will check during the following 2 years whether the processes and the management system continue to meet the standard. The two surveillance audits do not involve a full audit of the management system; instead, pre-planned random checks are used to assess whether the organization may keep the certificate.

Recertification audit

The ISO certificate is valid for 3 years. After the 3rd year the certificate would expire, but recertification is possible. The auditor then returns to check the entire management system, going through the same steps as during the certification audit.

In short, the entire audit cycle is a mouthful. Hopefully this article has given you more clarity on what to expect when your organization goes for certification.

Kilian Houthuijzen
Information Security Consultant