This is a common question alongside ‘What does an audit do?’ – put simply, it’s about checking that what’s supposed to happen is happening, not just in terms of rules being followed but also in the effectiveness of processes and systems, for example, are they delivering the results we expect them to deliver?
For more information, see our video ‘What is an Audit?‘
A policy is a high-level document/statement that is required by all management system standards. It is the top-management level document of the MS, which needs to be prepared and approved by top management to define its overall intentions and directions regarding Quality (ISO 9001), Environment (ISO 14001) etc.
A procedure is a specified way to carry out a process or an activity, that may be documented or not. Take purchasing, for example, it comprises a series of activities: selecting, evaluating, and approving suppliers, raising purchase orders, and verifying that the received goods or services meet requirements. The key personnel will need to know how to go about performing the tasks and any points of authorisation. They might be briefed on this and/or given a document to follow.
For more information on policy v’s procedure see our blog.
A process converts inputs into outputs (or results); and a procedure dictates how the process will be carried out.
For instance, we may all have different ways of making a cup of tea but the process always starts with the tea and water (input) and the result is always a cup of tea (output).
Auditing can be very rewarding as it enables you to meet many different people and learn about different ways of working. Some auditors are salaried (typically with the larger certification bodies) whereas some auditors work in a freelance capacity, where they might also do consultancy and training. This can provide interesting variety of work.
An internal auditor collects evidence of conformity by interviewing personnel, reviewing documented information, and observing process activities. While doing this they may identify nonconformities or flag potential issues.
As an auditor, you must have the ability to ask good questions relevant to the criteria being audited against. And just as you would in any normal conversation, you must listen to the answers as they may inspire you to ask further questions you may not have considered. In addition, you must have good observation skills and the ability to check the details.
For more support, take a look at our ‘Audit Skills Workshop’.
Auditors need to be competent to carry out an effective audit. Certification body auditors will be required to achieve a Lead Auditor certificate and some supplier auditors may need to do the same. Internal auditors will typically attend an internal auditor course although some organisations like their auditors to achieve a Lead Auditor Certificate which will give them more in-depth knowledge of the Standard.
An internal audit is a process to check on the extent to which processes are conforming to requirements and are effective in producing the desired outputs. Internal Audits are an essential element of the PDCA (Plan Do Check Act) continual improvement cycle.
The ISO 14001:2015 Standard provides an internationally recognised framework for organisations to follow when implementing and managing an Environmental Management System (EMS).
ISO 14001 EMS is not limited to a specific industry; it can be adopted by any company that wishes to limit its environmental impact. It’s common for organisations with ISO 14001 certification to also audit against other management systems, such as ISO 9001 for quality management and ISO 45001 for occupational health and safety.
To learn more about Environmental Management Systems, see our ISO 14001 training courses.
ISO 13485 is a Quality Management System standard that follows ISO 9001 (QMS) with the medical devices and pharmaceutical industry’s additional statutory and regulatory requirements.
By following ISO 13485, organisations can put controls and mechanisms in place to ensure they produce medical devices safely. Many large medical device organisations will only work with ISO 13485-certified suppliers to ensure quality in their supply chain.
Take a look at our ISO 13485 training courses to find out more.
ISO 9001:2015 is an internationally recognised Quality Management System (QMS) Standard organisations use to improve business processes and performance. By following the ISO 9001:2015 framework, organisations can implement, audit, and maintain an effective QMS.
ISO 9001 certification is suitable for any business, of any size, in any industry. ISO 9001 is the most popular ISO Standard and is often the first management system choice for many organisations.
Take a look at our ISO 9001 training courses to find out more.
Organisations use the ISO/IEC 27001:2022 Standard to help run an Information Security Management System (ISMS) to ensure its information remains secure.
By following the ISO 27001 framework and achieving ISO 27001 certification, organisations demonstrate a commitment to the security of client and third-party data. ISO 27001 Information Security is often associated with the prevention of cyber-attacks, but potential risks can come from human and physical threats too.
Take a look at our ISO 27001 training courses to learn more about Information Security Management Systems.
It’s often thought that a Quality Management System is simply a quality manual, but this isn’t the case; this misconception is based on the older version of ISO 9001 (prior to the latest 2015 version), which required organisations to have a quality manual, giving quality professionals the impressions that the Quality Manual was the Quality Management System. But a QMS is far more than that; essentially, it is about people and processes working together to establish policy, set objectives, and then plan how to achieve them. Documented information such as manuals, procedures, templates, or even operational software supports this achievement. A QMS is designed to meet the requirements of customers primarily but also other interested parties such as legal authorities, industry bodies, and shareholders.
For more information, watch our video ‘What is a management System?‘.
ISO 45001:2018 is an Occupational Health and Safety Management System (OHSMS) Standard used by organisations to improve safety in the workplace and create better working environments. ISO 45001 was first released in March 2018, replacing BS OHSAS 18001 for Occupational Health and Safety.
To learn more, take a look at our ISO 45001 training courses.
OHSAS 18001 was a British Standard focused on occupational health and safety. In 2018 the Standard was superseded by an international standard, ISO 45001, which was aligned to the 10-clause structure (known as Annex SL) used in ISO 9001, ISO 14001 and ISO/IEC 27001.
Firstly, download the appropriate ISO Management System Standard from https://www.iso.org/store.html and then consider how you will become familiar with the Standard. This can be done through self-study and/or by attending a Foundation training course. After you have gained some familiarity with the Standard and the Plan Do Check Act continual improvement cycle, you can commence setting up your ISO management system.
Once the basic structure is in place, you can look to establish an internal auditing function which can be supported by an Internal Auditor Course (2 days) or a Lead Auditor Course (5 days) in the relevant ISO Standard – click to see course options. Selecting one of these would depend on the requirements of your organization and of your customers.
If you’d like help implementing a new management system, please contact us for support.
The time taken to implement an ISO Management System and gain an ISO Management System certificate is typically between 3 and 12 months, depending on the size and complexity of the organisation, as well as the existing knowledge of the ISO Management System Standard.
A Risk-based approach is an auditing principle that considers risks and opportunities to ensure audits are planned and conducted with a focus on activities that are important to the organization – i.e., those that might present higher risks than others. For instance, in an ISO 9001 QMS this would ensure there is appropriate focus on processes that are critical to customer satisfaction, whereas in an ISO 14001:2015 EMS, this would ensure there is appropriate focus on processes that have environmental significance.
For more support, view our Risk-Based Thinking workshop.
Documented information is a term used in ISO Management System Standards to include any information that is documented, and this can be in any media. In order to effectively control documented information, an organisation needs to know what “documents” are in the system (e.g., policies, procedures, process maps, manuals, etc.), that they are adequately protected and are accessible to those who need them. This would extend to historical “records” which can be used to demonstrate that activities took place (e.g., client communications, legal permits, inspections, audits, reviews etc.).
A Gap Analysis is when an organisation reviews its current performance against its future goals and highlights any factors that could prevent the goals from being achieved. A Gap Analysis report typically highlights what’s missing from the ISO management system – for instance when compared to an ISO management system standard. If the gap analysis is conducted by an internal specialist or external consultant, it could also include recommendations on how to resolve those gaps (each party would need to be mindful of independence if contributing to the internal audit programme).
At Batalas we can support you by conducting a Gap Analysis of your management system – view our Gap Analysis support page for more information.
Although a Supplier Audit is not typically a requirement of ISO Management System Standards, it can be a useful way of evaluating supplier capability, conformity, and performance. For instance, conducting an audit to see if a supplier has the capability to take on a new commission, is meeting contractual requirements, or is performing to contractual targets based on key performance indicators. A supplier audit comprises interviewing, observing and gathering evidence, and can be conducted by internal auditors or lead auditors. (Note: there may be organization or customer requirements in place that demand Lead Auditor status.)
For more support, view our Supplier Auditor course.
ISO 9001:2015 is an internationally recognised Quality Management System (QMS) Standard organisations use to improve business processes and performance. By following the ISO 9001:2015 framework, organisations can implement, audit, and maintain an effective QMS.
ISO 9001 certification is suitable for any business, of any size, in any industry. ISO 9001 is the most popular ISO Standard and is often the first management system choice for many organisations.
Take a look at our ISO 9001 training courses to find out more.
To achieve an ISO 14001 certificate, you need to learn what the Standard requires and ensure that you understand the key requirements of relevant environmental regulation and legislation. A well-structured EMS will address all of these and lead to continual improvement.
Organisations use the ISO/IEC 27001:2022 Standard to help run an Information Security Management System (ISMS) to ensure its information remains secure.
By following the ISO 27001 framework and achieving ISO 27001 certification, organisations demonstrate a commitment to the security of client and third-party data. ISO 27001 Information Security is often associated with the prevention of cyber-attacks, but potential risks can come from human and physical threats too.
Take a look at our ISO 27001 training courses to learn more about Information Security Management Systems.
ISO 13485 is a Quality Management System standard that follows ISO 9001 (QMS) with the medical devices and pharmaceutical industry’s additional statutory and regulatory requirements.
By following ISO 13485, organisations can put controls and mechanisms in place to ensure they produce medical devices safely. Increasingly, many large medical device organisations will only work with ISO 13485-certified suppliers to ensure quality in their supply chain.
View our ISO 13485 training courses to learn more.
ISO 45001:2018 is an Occupational Health and Safety Management System (OHSMS) Standard used by organisations to improve safety in the workplace and create better working environments. ISO 45001 was first released in March 2018, replacing BS OHSAS 18001 for Occupational Health and Safety.
To learn more, take a look at our ISO 45001 training courses.
Customers typically require their suppliers to be certified by a certification body that is accredited by UKAS, but what does this mean?
UKAS is the ‘United Kingdom Accreditation Service’; each country has its own equivalent accreditation body, and they all form part of the International Accreditation Forum (IAF) which is regulated by ISO. The purpose of the IAF is to ensure that the certification process will deliver the confidence needed for market acceptance. This relies on an accreditation body such as UKAS to effectively audit the certification body (against the ISO 17021 conformity assessment Standard).
So, by choosing to be audited by an accredited certification body, you are demonstrating that your management system conforms to the highest of global standards that could set you apart from a competitor. Although this is not technically a legal requirement, being audited by a body working outside of this structure may lead to contractual or reputational issues.
For more information, watch our video ‘Why use a UKAS-certified body’.
ISO Management System Audits by external Certification Bodies would usually take place at least once a year. ISO Management System Audits by internal auditors can be planned according to the needs of the organisation and its interested parties.
At Balatas, experience tells us that ISO Management Systems may be, or become, ineffective for any of the following reasons: lack of commitment from the leadership team, too much reliance on an external ISO consultant, a key member of staff leaving with all the knowledge, a new member of staff inheriting a legacy system that has become dated, creating excessive documentation which has led to a disconnect with personnel.
When this occurs, it can be a good idea to conduct a thorough review to firstly understand the issues (and their causes), and address them in a sustainable way. For more support, you may wish to consider an ISO Management System Assessment.
Firstly, request a copy of the certificate from your supplier (you might be able to view it on their website). The certificate should have both the details of the certification body AND the latest version of the official logo of the accreditation body (e.g., UKAS).
To verify that the certification body is accredited (e.g., by UKAS), you can visit the appropriate webpage for the accreditation body via the UKAS Certificate Checker.
There should be a corresponding statement on the website of the certification body – i.e., one that mentions their (UKAS) accreditation (each country has its own accreditation body; sometimes global organisations use the same accreditation body across all their locations).
The term “certification” or “registration” is relevant to your organisation, but you will probably want to be assessed by a certification body that has achieved accreditation. This will give your certificate much more credibility and it is possible that your clients will expect you to have accredited certification.
By subscribing, you consent to receive marketing emails from Batalas. Your data will not be forwarded to any third parties, and you can unsubscribe anytime. By clicking ‘Sign up’ you agree to the Terms and Conditions and Privacy Policy.
Are you a new auditor looking for ISO training advice? Or do you want to build on existing auditing skills to boost your career?
Whatever your need, our experienced and knowledgeable Batalas team can guide you on the right training path to help you reach your professional goals.
Batalas Ltd is a limited company registered in England and Wales. Registered number: 3736166. Registered office: Victoria House, 2 Grove Road, Fareham, PO16 7TE
© 2023 Batalas ltd, All Rights Reserved. Designed by Damteq®
Return
ISO 9001:2015 Foundation QMS
CQI | IRCA
An entry-level course which teaches an understanding of ISO 9001 QMS.
ISO 9001:2015 Internal Auditor QMS
CQI | IRCA
Discover how to conduct, report and follow up on an internal audit.
ISO 9001:2015 Lead Auditor
CQI | IRCA
Gain the knowledge and skills to manage internal, third-party, and supplier audits.
AS9100:2016 Rev D Introduction
A short online course that provides a basic overview of AS9100:2016 Rev D.
AS9100:2016 Rev D Foundation
CQI | IRCA
Discover the requirements of AS9100 and a Management System.
AS9100:2016 Rev D Internal Auditor
CQI | IRCA
Understand auditor responsibilities and how to conduct an internal audit.
AS9100:2016 Rev D Lead Auditor
CQI | IRCA
For new or existing auditors who wish to conduct internal, external and supplier audits.
MD-QMS ISO 13485:2016 Foundation
CQI | IRCA
Achieve an understanding of ISO 13485 and a Management System.
MD-QMS ISO 13485:2016 Internal Auditor
CQI | IRCA
Gain the knowledge and skills to conduct internal audits of a management system.
ISO 13485:2016 Lead Auditor
CQI | IRCA
Learn how to lead audits within an organisation or for third parties and suppliers.
ISO/IEC 27001:2022 Foundation
CQI | IRCA
Perfect for new auditors wanting to learn about ISO 27001 ISMS.
ISO/IEC 27001:2022 Internal Auditor
CQI | IRCA
Conduct internal audits of an Information Security Management System.
ISO/IEC 27001:2022 Lead Auditor
CQI | IRCA
Learn how to manage internal audits, plus third parties and suppliers.
ISO/IEC 27001:2022 Auditor Conversion
CQI | IRCA
Designed for existing lead auditors who want to audit against ISO 27001 ISMS.
ISO 14001:2015 Foundation
CQI | IRCA
Gain knowledge of an Environmental Management System.
ISO 14001:2015 Internal Auditor
CQI | IRCA
Learn how to carry out an internal audit against ISO 14001.
ISO 14001:2015 Auditor Conversion
CQI | IRCA
Perfect for existing lead auditors who want to learn ISO 14001 to expand their knowledge.
ISO 45001:2018 Introduction
Gain a basic understanding of ISO 45001 with this short online course.
ISO 45001:2018 Foundation
CQI | IRCA
Beginners course that teaches the requirements of ISO 45001 OHSAS.
ISO 45001:2018 Auditor Conversion
CQI | IRCA
For current lead auditors who wish to increase their knowledge by learning ISO 45001.
ISO 9001:2015 Management Overview
Understand the new responsibilities placed on managers in ISO 9001:2015.
Supplier Auditor Course
Learn how to conduct audits of new and existing suppliers effectively.
ISO 9001:2015 Risk-Based Thinking
Improve your knowledge and skills for effective risk-based thinking.
Audit Skills Workshop
Bring your team together with a fun and energetic team-building session.
Return
Audit Support
We have a wealth of experience working with ISO management systems and can assist auditors who require support.
Return
Resources
The latest news, course updates and video resources all in one place. Looking for help? Check out our frequently asked questions.
Return
Founded in 1962, we have over 60 years’ experience providing specialist consultancy and training in ISO/AS Management Systems.
Alternatively, use our Course Selector to find the perfect course for you: