ISO audits are important to maintain conformance and drive continual improvement. Regular audits ensure your business meets ISO standards, identifies potential risks, and continually improves operational efficiency.
An ISO audit offers a structured process to evaluate whether a management system conforms to a chosen ISO standard. This could be any Management System Standard, be it ISO 9001 for Quality Management, ISO 14001 for Environmental Management, or ISO 45001 for Occupational Health and Safety, etc.
Internal and Certification audits are equally important for maintaining conformance and optimising business processes.
Risk ZA specialises in ISO consulting and pre-certification auditing services, offering transfer of knowledge and expertise, to help businesses master internal audits and confidently achieve certification.
What is an ISO Audit?
An ISO audit can apply to an entire organisation or it may be applied to a specific function, process or production step. Some audits serve an administrative purpose—such as reviewing documentation, risk assessments, or performance—while others verify conformance to a chosen ISO standard.
The primary purpose of conducting audits is to ensure that the organisation’s management system conforms to established standards, legal and other requirements, as well as the organisation’s own internal policies.
Additionally, audits verify that these systems are effectively implemented and maintained.
All these steps are designed to determine the extent to which the audit criteria are fulfilled. The ISO 19011:2018 Guidelines for Auditing Management Systems clearly illustrate the process flow for managing an audit programme in accordance with the Plan-Do-Check-Act (PDCA) cycle.
Beyond compliance, audits serve as a management oversight tool, offering valuable insights to guide strategic decision-making. To support this, it is essential to collect and verify sources of information, ensuring that audit evidence is valid, reliable, and can be used as a credible point of reference. Comparing audit evidence against set criteria is a fundamental aspect of achieving audit objectives.
The formal definition of an ISO audit is found in ISO 19011:2018 Guidelines for Auditing Management Systems, which is:
“the systematic, independent and documented process for obtaining audit evidence (records, statements of fact or other information which are relevant and verifiable) and evaluating it objectively to determine the extent to which the audit criteria (a set of policies, procedures or requirements) are fulfilled.” ISO 19011:2018 – Guidelines for Auditing Management Systems.
Download our guide “Tips for Achieving a Successful Internal Audit” to gain in-depth insights and take the first step towards refining your audit processes.
Learn more about the systematic process of conducting an internal audit to evaluate if your business meets ISO standards.
Types of ISO Audits
There are three main types of ISO audits:
- Internal audit (First-party)
- External / supplier audit (Second-party)
- Certification audit (Third-party)
Internal and external audits help maintain an effective management system, drive continuous improvement, and ensure long-term conformity with ISO standards.
Internal audits help organisations to proactively refine their processes, while external audits—such as Supplier and Certification audits—provide validation, credibility, and certification that strengthens stakeholder confidence.
Internal Audit - First-party Audit
An Internal Audit is conducted on a process or set of processes to ensure they meet the organisation’s internal requirements. Internal Audits evaluate the effectiveness of the Management System.
These audits critically review your company and how it operates. They identify weaknesses and provide an opportunity to improve the effectiveness of risk management, operational performance, control and governance processes. By conducting an internal audit, a business can implement corrective actions before entering an external review.
The internal audit is a requirement of all management system standards and can therefore affect the outcome of a third-party Certification Audit.
Objectives of an Internal Audit
- Ensure that processes align with internal requirements.
- Evaluate the effectiveness of the management system.
- Evaluate operational performance.
- Identify areas for improvement and the need for corrective actions.
- Reduce the risk of non-conformities during second or third-party audits.
Benefits of an Internal Audit
- Proactive risk management – Detect and address issues before they turn into problems.
- Process optimisation – Optimise workflows and improve resource utilisation.
- Employee engagement – Encourage a culture of continual improvement.
Internal Audit vs Gap Analysis
In short, a Gap Analysis identifies discrepancies between current practices and ISO Management System Standard(s) requirements, while Internal Audits verify the conformance and effectiveness of the management system.
- Internal audits are usually recurring and systematic; they are a required activity for ISO management system conformance.
- A gap analysis can be a one-time or periodic exercise, depending on the organisation’s specific needs and goals.
To learn more about the similarities and differences between an internal audit and a gap analysis, read our blog post “Internal Audit vs Gap Analysis – What is the difference?”.
Pre-Certification Audit
Before diving into ISO certification, it can be useful to conduct a pre-certification audit. This is typically an internal audit or review, which serves as a self-assessment.
The pre-certification audit allows the business to evaluate conformance with ISO standards and ensure they are fully prepared for the initial certification audit.
By identifying potential gaps and areas for improvement, organisations can strengthen the management system, avoid costly delays, and increase the likelihood of a successful certification outcome.
Objectives of a Pre-Certification Audit
- Verify that the management system meets ISO standard requirements.
- Ensure that the management system aligns with internal and external requirements.
- Evaluate the effectiveness and suitability of the management system.
Benefits of a Pre-Certification Audit
- Audit simulation – Ensure adequate preparation ahead of Certification Audit.
- Filling the gaps – Identify and resolve gaps, inconsistencies, or conformance issues before the Certification Audit.
Supplier Audit - Second-Party Audit
A second-party or Supplier Audit is valuable for strengthening a company’s supply chain and verifying that suppliers meet or exceed predetermined requirements. These are typically conducted by a customer or business partner and assess adherence to contractual and industry-specific requirements.
A supplier audit can prevent quality, environmental or health and safety issues from reaching your customers.
Objectives of a Supplier Audit
- Ensure that processes align with external requirements.
- Evaluate the effectiveness of the management system.
- Evaluate customer satisfaction.
- Identify areas for improvement and the need for corrective actions.
- Reduce the transfer of risk onto your customers.
Benefits of a Supplier Audit
- Provide confidence – Verifies that the supplier meets predetermined requirements.
- Proactive risk management – Prevents transfer of risk through the supply chain.
- Promotes reputation – Strengthens business reputation and relationships.
Download our guide “Risk-Based Approach to Auditing an ISO Management System”.
Learn more about how a risk-based audit considers both risks and opportunities while placing focus on what matters.
Certification Audit – Third-Party Audit
Third-party audits are conducted by a Certification Body (CB). These audits offer an independent assessment of the management system’s conformance with the chosen ISO Standards’ requirements.
If the organisation successfully passes the audit, the CB will issue a certificate of conformity for the specific standard. This is what is called ISO Certification and is valid for 3 years, from date of issue.
Objectives of a Certification Audit
- Verify that the management system meets ISO standard requirements.
- Ensure that the management system aligns with internal and external requirements.
- Evaluate the effectiveness and suitability of the management system.
Benefits of a Certification Audit
- Market competitiveness – Strengthens business reputation and opens new business opportunities.
- Demonstrate Commitment – Builds trust and confidence with customers, stakeholders, and regulatory bodies.
- Customer trust – Increase your organisation’s credibility and secure new business.
- Continual Improvement – Identify areas for improvement and the need for corrective actions.
- Proactive risk management – Detect and address issues before they turn into problems; Reduce the transfer of risk onto your customers.
When ISO Certification is performed by an accredited Certification Body, the certificate is recognised internationally.
Certification Audit Cycle
Third-party or Certification Audits are part of a continuous cycle of improvement. They require proactive management and ongoing surveillance audits.
The Certification Audit cycle consists of multiple ‘sub-audits’, including an Initial Certification Audit, Surveillance Audits and Re-Certification Audits.
Initial Certification Audit – Stage 1 and Stage 2
Your INITIAL CERTIFICATION AUDIT consists of Stage 1 and Stage 2 audits, which assess the conformance of the entire management system. We consider this to be ‘Year 0’ in the ISO Certification Audit Cycle.
Surveillance Audit
SURVEILLANCE AUDITS are partial system audits conducted by a Certification Body. They aim to assess ongoing conformance and identify areas for improvement.
A surveillance audit is typically smaller than the initial audit and offers an opportunity to home in on further detail within the management system.
These audits are conducted in years 1 and 2 after initial certification and each year between Recertification Audits.
Recertification Audit
In Year 3 (and in every 3rd year of the audit cycle) your system will undergo a RECERTIFICATION AUDIT. This is another comprehensive, full-system audit intended to confirm the ongoing conformance of the management system.
After successfully passing your Recertification Audit, you will receive a new ISO Certificate with updated validity dates.
What Types of ISO Auditors are there?
There are three main types of ISO auditors: an internal auditor, an external/supplier auditor and a lead auditor.
Essentially, the Lead Auditor conducts or heads up the entire audit process, the Internal Auditor reviews within the company, and the Supplier Auditor examines external vendors/suppliers.
Regardless of the type, auditors should possess skills like keen attention to detail, excellent time management, ethical conduct, adaptability, critical thinking, problem-solving ability, and leadership skills.
Internal Auditor
An Internal Auditor reviews specific areas and processes of an organisation’s operations to identify potential risks and areas for improvement, focusing on internal controls and Management System conformance.
Roles and Responsibilities of an ISO Internal Auditor
- Evaluate conformance and suitability of processes and internal controls.
- Independent of the area being audited to ensure objective results.
- Reports to internal management, highlighting areas for improvement.
- Helps prepare an organisation for external (supplier and certification) audits.
Expertise & Qualifications of an ISO Internal Auditor:
- Knowledge of and/or expertise in the specific ISO standard they are auditing.
- Detailed knowledge of the company’s processes and internal controls.
- Proficiency in audit methodologies and techniques.
- Ability to identify potential risks within processes related to the ISO standard.
- Objective, impartial and independent when conducting an audit.
Do you need to be registered as an ISO internal auditor?
ISO internal auditor registration is not explicitly required by the ISO standards, meaning an organisation can technically perform internal audits without formally registered auditors. It is however highly recommended to have trained and qualified internal auditors to ensure the effectiveness of the audit process and meet best practices.
To gain a formal registration as an ISO internal auditor, you’ll need to complete a registered training course, gain relevant experience, and develop auditing skills.
Supplier Auditor
A Supplier Auditor evaluates a supplier’s management system against the relevant ISO standards, validating their ability to consistently deliver on the required outcomes.
The supplier auditor identifies areas for improvement and ensures compliance with the buyer’s specific procurement requirements, all while maintaining objectivity and providing constructive feedback to the supplier.
Roles and Responsibilities of an ISO Supplier Auditor:
- Evaluates conformance, suitability and effectiveness of the supplier’s processes and Management System.
- Independent party not directly associated with the business undergoing the audit.
- Reports internally to the procurement or discipline-specific department (quality, environmental, etc.), outlining the supplier’s compliance status.
- Communicates identified findings and documented evidence of non-conformities to the supplier.
Expertise & Qualifications of an ISO Supplier Auditor:
- Knowledge of and/or expertise in the specific ISO standard they are auditing.
- Proficiency in audit methodologies and techniques.
- Ability to identify potential risks within processes related to the ISO standard.
- Objective, impartial and independent when conducting an audit.
Ready to become an Internal or Supplier Auditor?
Tap into our various Internal and Supplier Auditor training courses to gain the necessary skills and competence for conducting internal audits. Learn more via ISO Services: Training
Lead Auditor
An ISO Lead Auditor is a skilled (and sometimes registered) auditor who is responsible for overseeing and conducting the entire audit process. Lead Auditors have typically undergone advanced auditor training that includes an in-depth understanding of a discipline-specific standard.
Unlike a general auditor, a Lead Auditor takes on a leadership role in planning, executing, and reporting on audits while ensuring compliance with relevant standards. The lead auditor guides the audit team during any type of audit – including internal, supplier, or certification audits.
Their role goes beyond simply assessing conformance; they also play a crucial role in driving organisational performance by identifying opportunities for improvement and ensuring that corrective and preventive actions are effectively and timeously applied.
Lead Auditor registration is possible through an auditor registration body (like SAATCA), and typically requires successful completion of a registered Lead Auditor course, followed by obtaining qualifying audit experience.
When individuals register as a lead auditor, they demonstrate an advanced skillset and may become more sought after by Certification Bodies and companies in highly regulated industries.
Roles and Responsibilities of an ISO Lead Auditor:
- Defines audit objectives and ensures an unbiased, systematic audit process.
- Compiles and leads the audit team, guiding them through the audit programme.
- Identifies potential risks within processes related to the ISO standard.
- Reviews audit evidence and determines conformance or nonconformance.
- Finalises reports and communicates findings and conformance status directly with internal management, the procurement or discipline-specific department, the supplier, or the certification body.
Expertise & Qualifications of an ISO Lead Auditor:
- Objective, impartial and independent when conducting an audit.
- Highly knowledgeable in the specific ISO standard they are auditing.
- Highly proficient in audit methodologies and techniques.
- A detail-oriented team leader.
Ready to become a Lead Auditor?
Dive into one of our Lead Auditor training courses to obtain the advanced skills and competence necessary for being the team lead during audits.
Observers and Technical Specialists
ISO Audits sometimes include more than just the core audit team—observers and technical specialists may participate. Each member of the audit team has a distinct yet carefully managed role and must uphold confidentiality at all times.
Observers are there to witness and take notes but do not question auditees or influence findings. Technical specialists, on the other hand, provide expert input on specific technical issues but still operate under the direction of the lead auditor.
Clear planning and thorough briefings ensure these additional participants enhance the audit without causing confusion or delays.
Roles and Responsibilities of Observers and Technical Specialists
How does an observer fit into an ISO audit?
Observers offer oversight and transparency. They watch and listen without asking questions or impacting decisions. Observers are subject to lead auditor’s discretion and must maintain confidentiality.
How does a technical specialist fit into an ISO audit?
Technical Specialists provide in-depth expertise in specific technical areas. These individuals typically advise the lead auditor on technical details, but do not conduct the audit. Technical specialists are limited to their area of expertise and are bound by confidentiality.
Planning & Briefing
When observers and/or technical specialists are planned members of an audit, it’s important to define and communicate their roles early on. Things like confirming the scope of work, expected involvement and emphasis on confidentiality are key. Non-participation for observers and the appropriate input channels for specialists must also be clear.
During the Audit
Observers must refrain from direct interaction with auditees or audit team members; all queries must go through the lead auditor.
Technical specialists should only provide insights to the lead auditor, who decides if, how, and when to involve the auditee.
Audit Reporting
Observers typically do not contribute to the final report.
Technical specialists may offer insights, recommend improvements or identify nonconformities, but the lead auditor finalises all decisions.
How to Prepare for an ISO Audit
Mistakes That Affect ISO Audit Outcomes
By addressing these common pitfalls, organisations can improve audit readiness and maintain ISO conformance with confidence.
1. Skipping Pre-Audit Reviews
Neglecting pre-audit checks can lead to unnecessary nonconformities. Reviewing processes, documentation, and records in advance helps identify and fix gaps early.
2. Poor Employee Preparedness
Untrained employees pose a risk to the conformance of the Management System. Ensure relevant staff receive adequate training and that they clearly understand their role/s, their involvement in key processes, and how to respond confidently to auditors.
3. Neglecting Internal Audits
Internal audits are not just a formality—they help identify risks, improve processes, and ensure readiness for external reviews. Treat them as a means to strengthen conformance and work on continual improvement.
4. Incomplete or Outdated Documentation
ISO certification requires accurate, maintained and accessible documentation. Missing or outdated documentation and records can result in nonconformities and audit failures.
5. Ignoring Previous Nonconformities
Recurring issues signal ineffective corrective action. It’s important to track and retain evidence of corrective actions – in particular, after closing any minor or major nonconformity.
Steps to Take Before an ISO Audit
Step 1: Set clear audit objectives
Define the audit’s scope and the processes or departments that need to be assessed.
Step 2: Verify resource availability
Ensure that all necessary resources, tools, and key staff members are available and ready for the audit.
Step 3: Plan audit day logistics
Organise the audit program logistics, including scheduling interviews with staff members, preparing meeting rooms, and ensuring that materials and equipment are readily available.
Step 4: Ensure documentation readiness
Prepare all ISO-related documentation—policies, procedures, and reports—making sure they’re current and available.
Step 5: Engage leadership
Involve top management in the audit process to demonstrate commitment to the ISO management system. Guide them during audit preparation and through the audit process.
Step 6: Review risk management plans
Verify the alignment of your risk management framework with ISO standards. Be ready to show how risks are assessed and mitigation strategies are in place across different parts of the business.
Step 7: Review corrective actions
Ensure all previous nonconformities have been resolved and corrective actions fully implemented.
Step 8: Pre-Audit Training
Hold pre-audit training sessions to ensure employees understand ISO requirements, their roles, and how to interact with auditors.
Step 9: Prepare for auditor questions
Review processes with your team and demo typical audit scenarios so they can confidently navigate the audit and answer questions from the auditor.
Step 10: Foster a positive audit environment
Encourage a transparent and cooperative atmosphere to facilitate better communication with the audit team.
ADDITIONAL TIPS:
When preparing for external audits, like a supplier or Certification review, it can be helpful to conduct a pre-audit review – offering a mock-audit scenario for your team to run through.
A pre-audit review, self-assessment or mock audit not only simulates the external audit but can also allow you to catch and resolve potential nonconformities before the actual audit. Moreover, you can more easily identify gaps, refine responses, and ensure audit readiness.
Conclusion
ISO audits are not just about achieving ISO conformance; they are also a powerful strategic tool for ensuring continual improvement and business growth. By understanding the audit process, avoiding common mistakes, and preparing effectively, you can confidently navigate the audit process and even achieve ISO certification.
Working With Risk ZA Group
Risk ZA Group offers training, consulting, pre-certification audits and software designed to ensure your ISO Management System is a valuable business tool.
Our expert-led training ensures your team is competent and empowered with the ISO knowledge they require; we also produce some of the very best internal, supplier and lead auditors in the world.
Tapping into our consulting and/or auditing services ensures that your team and your management system are geared up for a successful ISO Certification audit outcome.
Where you’re challenged by ISO’s requirements on documentation, you can tap into our various software solutions, promoting governance, risk and compliance (GRC).
Let us assist you with your ISO conformance, operational efficiency, and long-term success. Contact the Risk ZA Group team today at +27 (0) 31 569 5900 or +44 (0) 203 728 6179 or send an email to enquiries@riskza.com.