Surveillance Audit

What is an ISO 9001 Surveillance Audit?

Early on, when you are implementing a Quality Management System (QMS) using the requirements of ISO 9001:2015, you will need to talk to a certification body to find out what you need to do to certify your management system as compliant with the requirements. During your discussions you will be told about the documentation audit, the certification audit, and the cycle of surveillance audits until your recertification audit; but, what does all of this mean? Here’s how this works.

How do certification and the certification audit cycle work?

The three-year certification cycle is used for companies certified against ISO 9001, although there are some modifications possible as described below. When you have implemented your QMS and are having your first certification, you will start with a documentation audit. This is where an auditor from your certification body will review all of your documentation, and compare it to the ISO 9001:2015 standard requirements, to verify that what you have documented meets the requirements of the standard.

Once the documentation is confirmed, you will schedule your certification audit. This is where the certification body will perform an on-site audit of all of your QMS processes, and then issue your ISO 9001:2015 certification (when you have completely addressed any corrective actions that were found). You will then have on-site surveillance audits for the next two years, until your re-certification audit on the third year of your cycle, which will start you into the next three-year cycle. Most certification bodies conduct one surveillance audit a year, but this could be more often if you negotiate this between your organization and your certification body.

Below is a graphic of how this works, with the link back to the surveillance audit after the re-certification. As long as you are maintaining your current certification with the same certification body, you will not need to go back to the certification audit. However, if you change certification bodies or your version of the ISO 9001 standard (as companies are now changing from ISO 9001:2008 to ISO 9001:2015), you will then have a transfer audit. This is much like starting back at the certification audit step, where a full audit is performed and then old certificates are withdrawn and new certificates are issued.

What is specific about a surveillance audit?

So, you are probably asking what the difference is between the surveillance audit and the certification/re-certification audits. All three are on-site audits done by the certification body, will have corrective actions issued that need to be addressed, and will have an audit report issued to your company as a record of the audit. The difference is the number of hours devoted to processes in the audit.

For the certification/re-certification audit, the certification body auditors will look at the implementation of every process within your QMS to check for conformance to the ISO 9001 standard, as well as your company documentation, process effectiveness, and continual improvement. This audit will often take several auditors many days to complete, depending on the size of your company and the number of processes within your QMS.

By comparison, the surveillance audit will spend less time on only some portions of your QMS processes, rather than everything. They will start each time by looking at your key processes (such as management review, internal audit, and corrective actions), and will then only look at some of the remaining processes within your QMS. They may also only look at a portion of the whole organization, such as only one out of two production lines, or even only certain sites chosen by the auditors, rather than multiple sites. There is a recommended rule to use a square root of all possible locations; for example, if there were a total of 16 retail stores in the scope of the certification, then at least four should be audited in a surveillance audit.

Since the auditors will be spending less time on fewer of your QMS processes, these surveillance audits will take less time to perform than the original certification audit. The goal for the certification body is to audit all of the processes and business sites at least once within the QMS during the two-year surveillance cycle.

Don’t lose sight of why you have certification body audits

Since the surveillance audit does not look at all processes, some people start to think that these audits are less important than the certification audit, but this is not the case. Just because the certification body won’t spend much time auditing a specific process during an upcoming surveillance audit doesn’t mean you can just ignore this process yourself. You still need to perform your internal audits for all processes as per your audit schedule, and make any corrections or improvements that you find necessary. It is also important to remember that if a major non-conformance found during a certification audit is not addressed, you can still lose your certification.

Your certification body audits are there to bring a different set of eyes on your processes than you would have for your internal audits. By having an outside observer, who has seen other companies and has different experiences than people in your company, you can find different improvement opportunities than you would if you only audited on your own. Use the information from your surveillance audit reports to help focus your improvements, but don’t lose sight of other improvements you are making.

What questions to expect on the ISO 9001 certification audit?

After you have created and implemented a Quality Management System (QMS) using the ISO 9001:2015 standard requirements, you will need to have a third-party certification body perform a certification audit to declare that your QMS is in compliance with the standard. This is the only way that you can claim compliance with the standard and gain the benefits that come from advertising that you have a QMS.

This can be a nervous time for the employees of a company, especially if they have never been audited by people from outside of your company before. Even those who have become comfortable with internal audits can be nervous of outside auditors. So, what will the auditors ask when they come into your company for the first certification audit?

What will the auditor ask?

There are many ways that an auditor will try to find the answers to their questions, including review of records, observing employees, and interviewing employees. While it is not possible to record every question that might be asked, it is helpful to know the main questions they are trying to answer and some ways they might query the information:

1. Is every clause in the standard addressed? While most of this is answered in the documentation audit (when the auditors look at the documented procedures that your company has and compare them to the standard to make sure that each meets the requirements of ISO 9001), some procedures are not documented. When this happens, the auditors will try to find out how these undocumented processes are done in order to compare them to the requirements. They may ask questions like: “Tell me how this process is done,” “Show me how you do this process,” or some other demonstration like this. This will give them the information needed to verify that the process you are doing meets the ISO 9001 requirements.
2. Are the processes consistent? While some minor variations between operators may be acceptable, such as the order that a form is completed in, the outcomes of the process need to be consistent in order for it to be effective. If an auditor watches three purchasing employees create a purchase order and each uses a different set of steps to accomplish the task, and the outcomes of the purchasing process are very different such that errors could be made, then it may be determined that the inconsistent process is problematic.
3. Have all processes been reviewed? After seeing that all necessary processes and procedures are in place, the external auditors will want to make sure that you have done your job and started the process of reviewing your QMS – this is called the internal audit process. The auditors will ask to see the internal audit schedule and evidence that internal audits were completed, check that internal audit records such as audit reports are in place, and make sure that findings were issued, addressed, and followed up.
4. Have you implemented corrective actions where needed? Part of addressing any findings from the internal audits, or other findings of systemic non-conformances, is the corrective action process. How has this process been implemented? Are your corrective actions done in a timely fashion? How well do you verify that your corrective actions have been effective to prevent the recurrence of a problem? Expect that you will need to go through several of your closed corrective actions to show this.
5. How have you implemented risk-based thinking? As a new focus of the ISO 9001:2015 version, this is certain to be an area of questioning by certification auditors. How have you started to include risk assessment into all the areas needed, such as contract acceptance and design? How have you adapted the old preventive action process for addressing risk?
6. Has management review of the system been completed? Another area of third-party auditor concern focuses around how well your senior management are involved in reviewing the outcomes of the QMS in order to address any needs, such as assignment of resources to address deficiencies. Expect your management review to be scrutinized, and be able to show the results of the review. Were resources assigned because of the review? Was everything reviewed? Were problem areas a focus of the review?
7. How have you prepared for improvement? One of the main focuses of the QMS is continual improvement, and this needs to be planned for. Although you may not have a lot of improvement tasks completed, the auditors will expect that you have plans in place to do so. What improvement do you expect to happen? What are your quality objectives, and how well are you tracking them for improvement? Can you identify where you expect improvement to be accomplished?

Make the certification audit easier by preparing your employees

It is important to remember that auditors are trying to verify compliance, not to find something wrong. In general, the auditor just wants people during the audit to give the information they know without making something up, and if they need to look up a particular piece of information, that is acceptable. In the end, the auditor just wants to be able to demonstrate that what was planned to be done was done.

We are all nervous of the unknown, and this is especially true of employees who think that they may be in trouble by giving the wrong answer to a question in an audit that they can’t even prepare for. Let your employees know what the auditors might ask, and the information they are trying to access, and it will be much easier to respond on the day of the audit. This is the best preparation you can do.