News

What does the external audit process look like?

Your organization has been busy recently setting up and implementing an ISO management system. The internal audit and management review have been conducted and the results have been neatly worked out. Action items are planned and have been assigned an owner. You're all set for the review. But how then? And what exactly is going to happen? In this article, we explain what the entire external audit process looks like and what you can expect.
This article was last updated on
9/12/2024

The external audit process consists of a 3-year cycle. It starts with the initial audit(obtaining the certificate). This is followed by two surveillance audits. At the end of this cycle, the recertification audit determines whether the certificate is renewed and the organization enters a new 3-year cycle. This audit is conducted by a Certifying Body (CI). A CB is an external, independent body that determines whether the organization meets the standard(s) to be certified. This CB is supervised and controlled by the Accreditation Council (RvA).

Preliminary research

The external audit cycle starts with the preliminary audit. During the preliminary audit, an auditor (from the CB mentioned above) investigates whether the management system has been implemented effectively and efficiently. This is done by means of, among other things, a document review, which checks whether all the mandatory documentation is present. They also meet the organization and its representatives and review some processes. During the preliminary examination, documents are not yet assessed in terms of content, but rather the presence of mandatory documentation is examined. After the preliminary audit, the organization receives a report with the auditor's findings, which also describes whether the organization is ready for the certification audit.

Certification audit

The certification audit focuses on the practical operation of the management system. By conducting interviews, viewing documents and observing the daily activities of the organization, the auditor tests whether processes conform to the management system. After the certification audit, the auditor determines whether the organization is eligible for the certificate. Afterwards, the auditor also provides a report in which all findings are described in detail.

Surveillance audit

Now that the certificate is obtained, the work is done. Right? Certainly not! For this, read our article"Maintenance after certification, essential?" After obtaining the certificate, during the following 2 years the auditor will check whether the processes and the management system continue to meet the standard. The two surveillance audits do not involve a full audit of the management system, but will assess by means of pre-planned random checks whether the organization may continue to maintain the certificate.

Recertification audit

The ISO certificate has a validity of 3 years. After the 3rd year, the validity of the certificate would expire, however, there is the possibility of recertification. The auditor then comes again to check the entire management system, in which the same steps are gone through as during the certification audit.

In short, the entire audit cycle is a mouthful. Hopefully this article has given you more clarity on what to expect when your organization goes for certification.

Find out what our implementation process looks like

In our white paper, we take you step by step through our implementation process.

Download Now
Kilian Houthuijzen
Commercieel Manager & Partner
085 773 60 05
To news overview
KAM Certifications is now Fendix

We are a partner of