Exemplar Global certified courses from USD 99. Save while it lasts. Enrol today.

What Is a Certification Audit? A Plain English Guide for Quality Managers

AW

Team @ Audit Workshop

11 min read
What Is a Certification Audit? A Plain English Guide for Quality Managers

The Short Answer

A certification audit is an independent, formal assessment carried out by an accredited third party to determine whether your organisation's management system conforms to a specific ISO standard. If the audit concludes that your system meets the requirements, your organisation is issued an ISO certificate. That certificate is valid for three years, subject to ongoing surveillance.

It sounds straightforward, but there is a lot happening beneath that simple description. This article breaks down exactly what a certification audit involves, how it differs from other audit types, what auditors are actually looking for, and what happens when things do not go to plan.

Why Certification Audits Exist

ISO standards are voluntary. No law requires most organisations to hold an ISO 9001 or ISO 45001 certificate. But customers, government procurement panels, and tender processes increasingly ask for it. Certification provides independent verification that your system is not just documented, it is functioning.

The key word is independent. An internal audit conducted by your own team, or a gap analysis run by a consultant, cannot produce a certificate. Only an accredited certification body, sometimes called a registrar, can issue one. That accreditation comes from a national body such as JAS-ANZ in Australia, which ensures the certification body operates to consistent, internationally recognised standards.

This independence is what gives the certificate its commercial value. When a client or tender panel sees your ISO certificate, they know it was not self-awarded.

Become a certified ISO auditor
Globally recognised auditor training — Foundation, Internal Auditor and Lead Auditor — self-paced online with a shareable certificate.
Explore Courses
Exemplar Global Recognised Training ProviderRecognised Training ProviderRTP No. 310970

The Two Stages of a Certification Audit

A first-time certification audit always runs across two stages. Understanding what each stage involves will save you a lot of anxiety when you are preparing.

Stage 1: The Documentation Review

Stage 1 is sometimes called a readiness review or desktop audit. The auditor reviews your documented management system to assess whether it is sufficiently developed to proceed to a full on-site assessment. They are checking that your system addresses the requirements of the standard, that your scope is clearly defined, and that mandatory documented information is in place.

Stage 1 is also when the auditor identifies any significant gaps that could result in a major nonconformity at Stage 2. If those gaps are substantial, the auditor may recommend delaying Stage 2 until they are addressed. This is actually useful information. It is far better to know about a structural gap before Stage 2 than to find out during it.

Stage 1 is typically conducted remotely, though some certification bodies prefer an on-site visit, particularly for larger or more complex organisations. The outcome of Stage 1 is a report that confirms readiness for Stage 2, notes any areas of concern, and sets the scope and focus for the Stage 2 audit.

For a detailed breakdown of what each stage involves, see our article on what happens at Stage 1 and Stage 2 of an ISO 9001 audit.

Stage 2: The On-Site Assessment

Stage 2 is the substantive audit. The auditor visits your site or sites, interviews personnel at multiple levels, reviews records and evidence, and observes operations. The purpose is to verify that your management system is not just documented but actually implemented and effective.

This is where most organisations feel the pressure. The auditor is not just ticking boxes against a checklist. They are following evidence trails, asking follow-up questions, and forming a judgement about whether your system genuinely drives the outcomes the standard requires.

A Stage 2 audit for a small to medium organisation typically runs one to three days. Larger organisations, multiple sites, or integrated management systems covering more than one standard will require more audit days. The number of days is calculated based on factors including the number of employees, the complexity of the processes, and the number of standards in scope.

What Auditors Are Actually Looking For

This is the question most quality managers ask, and the honest answer is more nuanced than a clause-by-clause checklist.

Certification auditors are looking for evidence of a functioning system. That means three things need to be visible: the system is documented, the system is implemented, and the system produces results.

Documentation

The standard requires certain documented information. Auditors will check that it exists, that it is current, that it is controlled, and that people who need it can access it. But documentation alone does not get you certified. It is the starting point, not the finish line.

Implementation

This is where many organisations stumble. They have a perfectly written quality manual and a set of procedures, but when the auditor interviews the warehouse team, nobody has heard of the procedure, or it does not reflect what actually happens on the floor. Auditors are trained to identify the gap between what is written and what is done. They do this through interviews, observation, and sampling records.

Effectiveness

The standard is not just asking whether you have a system. It is asking whether the system works. Are quality objectives being monitored and reviewed? Are nonconformities being investigated and corrected? Is management actually using the system to make decisions? Auditors look for evidence that the cycle of plan, do, check, act is genuinely operating, not just being performed for the audit.

Audit Findings: What Can Go Wrong

During a certification audit, the auditor may raise findings. These fall into distinct categories, and understanding them helps you respond appropriately.

Major Nonconformities

A major nonconformity is a significant failure to meet a requirement of the standard, or a situation where the management system has broken down in a way that undermines its integrity. A major nonconformity at Stage 2 means certification will not be granted until it is resolved. The organisation must submit a corrective action plan, and in some cases the auditor may need to return to verify the fix before the certificate is issued.

Minor Nonconformities

A minor nonconformity is an isolated gap or lapse that does not indicate a systemic failure. Certification can proceed with minor nonconformities, but the organisation must submit a corrective action plan within an agreed timeframe, usually 90 days. The corrective action is reviewed at the next surveillance audit.

Observations and Opportunities for Improvement

These are not formal findings requiring corrective action. An observation might flag a potential weakness that has not yet become a nonconformity. An opportunity for improvement is a suggestion from the auditor. You are not obliged to act on either, but experienced quality managers treat them as useful input rather than noise.

The Certification Decision

The auditor does not make the final certification decision on the spot. After the closing meeting, the auditor submits their report to the certification body for technical review. A separate reviewer checks the report for consistency and completeness. The certification body then makes the formal decision to grant, defer, or refuse certification.

In practice, if the Stage 2 audit concludes with only minor nonconformities and the auditor has recommended certification, the certificate is typically issued within a few weeks once corrective actions are accepted. The certificate will state the standard, the scope of certification, the certification body, and the validity period.

What Happens After Certification

Certification is not a one-time event. It operates on a three-year cycle with annual surveillance audits in between.

Surveillance Audits

Surveillance audits occur at approximately 12-month and 24-month intervals during the three-year certification cycle. They are shorter than the initial certification audit, typically one day for a small organisation, and they focus on key processes, previously raised nonconformities, and any areas of concern identified during the last audit. Surveillance audits verify that the system is being maintained and that it continues to meet the standard's requirements.

It is worth noting that surveillance audits are not just a formality. Certification bodies can suspend or withdraw a certificate if a surveillance audit reveals that the system has deteriorated significantly.

Recertification Audits

At the end of the three-year cycle, the organisation undergoes a recertification audit. This is a full reassessment, similar in scope to the original Stage 2 audit. It reviews the entire management system and considers performance over the three-year period. Successful recertification resets the three-year cycle.

For more detail on how surveillance and recertification fit into the cycle, see our article on what is a surveillance audit and how it differs from certification.

Certification Audit vs Internal Audit: The Key Distinction

This is a distinction that causes genuine confusion, particularly for people new to management systems. An internal audit is conducted by or on behalf of your own organisation. Its purpose is to identify gaps and drive improvement before an external assessment. A certification audit is conducted by an independent third party. Its purpose is to provide external verification that your system meets the standard.

Both types of audit follow similar methodologies. Both involve planning, evidence gathering, and reporting. But they serve different purposes and carry different authority. An internal audit finding, however well documented, does not produce a certificate. And a clean certification audit does not remove the obligation to keep running internal audits.

The two types of audit are complementary. Organisations that run rigorous internal audit programmes tend to perform better in certification audits because the gaps have already been found and addressed internally.

How to Prepare as the Quality Manager

If you are responsible for preparing your organisation for a certification audit, the following practical steps will serve you well.

  • Run a gap analysis well in advance. Identify where your system falls short of the standard's requirements before the auditor does. A gap analysis is not the same as an internal audit, but both are useful at different stages of preparation.
  • Complete your internal audit programme. The standard requires internal audits. If you arrive at a certification audit without evidence of a completed internal audit cycle, you are likely to receive a nonconformity on that basis alone.
  • Conduct a management review. Management review is a mandatory requirement. It needs to have happened, it needs to cover the required inputs, and it needs to produce outputs. Make sure the minutes are on file.
  • Talk to your people. The auditor will interview staff at various levels. Make sure your team understands the management system, knows where to find relevant procedures, and can explain their role in it. This does not mean coaching them to recite answers. It means making sure the system is genuinely embedded.
  • Have your documented information in order. Know where everything is. Auditors notice when a quality manager spends 20 minutes searching for a record that should take 30 seconds to locate.

For a thorough walkthrough of preparation activities, our article on how to prepare for a certification audit as the quality manager covers the full process in practical detail.

Choosing the Right Certification Body

Not all certification bodies are equal. Accreditation from a recognised body such as JAS-ANZ is the baseline requirement. Beyond that, consider the certification body's experience in your industry, the auditor competence they can deploy, their responsiveness, and their fee structure.

Cheaper is not always better. A certification body that assigns an auditor with no relevant industry experience may produce a less useful audit. The audit should generate genuine insight, not just a certificate. That said, the certificate itself needs to be from an accredited body to carry weight in tenders and procurement processes.

Our article on how to select the right ISO certification body for your organisation walks through the key considerations in detail.

Building Internal Capability Around the Certification Audit

One of the most effective things an organisation can do is invest in the internal audit capability of its own people. Quality managers who understand how certification auditors think, what they look for, and how findings are classified are far better placed to prepare their organisations and to respond when things do not go to plan.

Internal auditor training gives you the skills to run a credible internal audit programme. Lead auditor training goes further, giving you the methodology, the interview techniques, and the report writing skills to conduct audits at a professional level. Both are relevant for quality managers who want to be genuinely useful in the certification process, not just a coordinator on the day.

At Audit Workshop, our ISO 9001, ISO 14001, and ISO 45001 internal auditor and lead auditor courses are built around real audit practice, not theory. Founder Dilawar Laghari has conducted over 500 external ISO certification audits across Australia and internationally, and that experience is embedded in every course. If you are preparing for a certification audit or building the internal audit capability that makes certification sustainable, our training is designed for exactly that purpose.

Frequently Asked Questions

A certification audit is conducted by an independent, accredited third party to determine whether your management system meets the requirements of an ISO standard, resulting in the issue of a certificate. An internal audit is conducted by or on behalf of your own organisation to identify gaps and drive improvement. Both follow similar audit methodologies, but they serve different purposes and carry different authority. A certificate can only be issued by an accredited certification body, not by your internal audit team.
Start Learning

Ready to Build Real Audit Skills?

Join practitioners training with ISO auditors who've conducted 500+ external certification audits.

ISO 9001:2015 Lead Auditor Training Course
  • Lead Auditor
  • Self-Paced Online
  • Exemplar Global
  • USD 199USD 789
ISO 45001:2018 Lead Auditor Training Course
  • Lead Auditor
  • Self-Paced Online
  • Exemplar Global
  • USD 199USD 789
ISO 14001:2026 Lead Auditor Training Course
  • Lead Auditor
  • Self-Paced Online
  • Exemplar Global
  • USD 199USD 789
Exemplar Global Recognised Training Provider digital badge

Audit Workshop is an Exemplar Global Recognised Training Provider

Globally Recognised, Certified Training

Pass an Exemplar Global Certified course and you earn a Certificate of Attainment and an Exemplar Global digital badge. Audit Workshop graduates can apply for third-party Personnel Certification through Exemplar Global.

  • 12 months of Graduate certification
  • Access to Exemplar Global Community
  • Access to self-coaching assessment
  • Access to webinars, events, and online resources
Learn Anytime

No fixed schedule. Start, pause, and pick up exactly where you left off.

Instant Certificate

Download your digital certificate the moment you complete the course.

Practical Content

Every lesson is built from real-world ISO auditing experience.

Lifetime Access

Course materials are yours to keep and revisit long after you complete.