ISO 9001 FAQ

The standard requires an Internal Audit to be carried out before an external audit is performed.

The Internal Audit must be carried out by a competent and objective auditor.

The auditor can be in-house (from the organization’s own staff) or an external consultant. If in house, it is important that the auditor is independent and has no prior or current involvement in the development and implementation of the QMS.

The Internal Audit review includes:

1. A documentation review of policies and procedures to confirm they adhere to the requirements of the standards
2. An evidence review through sampling and analysis to determine that the policies are being adhered to

Any findings from the Internal Audit must be tracked to resolution.

The internal audit is meant to be continuous throughout the certification period (3 years).

An external audit is essentially the same as an internal audit, except that the outcome is the acquisition of certification. 

The external audit starts with stages 1 and 2.

Stage 1: This consists of an extensive documentation review of your QMS program. This typically lasts a couple of hours to a day.

The outcome of Stage 1 is a list of findings (non-conformities) that need to be remediated before moving on to Stage 2.

Stage 2: Consists of an extensive review of evidence that supports the documentation provided during Stage 1 to confirm that the controls operate according to the ISO 9001 requirements. This takes a bit more time than Stage 1 and can last a couple of days to a week.

The outcome of stage 2 is a list of findings (non-conformities) that would need to be remediated before being recommended for certification.

An ISO 9001 certification is valid for three years.

ISO requires surveillance audits to be performed each year to ensure the QMS program and controls continue to operate effectively.