An ISO Management System Audit is, in basic terms, a check on conformity and effectiveness, measured against the relevant ISO Management System Standard (for example ISO 9001 for quality, ISO 14001 for environmental management, ISO 27001 for information security).
During an ISO audit, an auditor would typically:
- verify that the management system conforms to the requirements of the relevant ISO standard
- verify that the management system conforms to internal requirements such as policies and procedures
- assess the effectiveness of processes and systems, i.e., the extent to which the organisation's objectives (for example, quality objectives under ISO 9001) are being met
- be alert for any improvements that can be made to the system
This process would include verification that problems, issues, or nonconformities within the management system have been (or are in the process of being) addressed.
The definition of an audit comes from ISO 9000:2015 (the fundamentals and vocabulary standard that supports ISO 9001:2015, quality management) and applies equally to the other management system standards:
“systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled”
There are three main types of ISO Management System audit:
- First Party Audit, also known as an internal audit. These audits are usually conducted internally by your own staff (trained to carry out internal audits), or they can be carried out by an external party on your behalf if you do not have the internal resources.
- Second Party Audit, also known as a supplier audit. These audits are usually carried out by lead auditors within your organisation, and are designed to confirm that the companies supplying products or services to you are doing what they say they are doing. Again, these audits can be carried out by an external party if you do not have the internal resources.
- Third Party Audit, also known as a certification audit. These audits are always carried out by a Certification Body auditor, for the purpose of gaining certification to the relevant ISO standard from an approved (accredited) body.
If you are following an ISO Management System Standard, it is mandatory to conduct internal audits. An example of this can be found in ISO 9001:2015 under clause 9.2.1:
The organisation shall conduct internal audits at planned intervals to determine whether the quality management system
a) conforms to:
1) the organisation's own requirements for its quality management system
2) the requirements of this International Standard
b) is effectively implemented and maintained
In summary, without an audit of your ISO management systems, how can you demonstrate that things are working correctly and are being continually improved?