An external ISO certification audit is a formal assessment conducted by an accredited third party certification body to determine whether your organisation meets all requirements of your chosen ISO standard. It is not an inspection, it is not adversarial, and it is not designed to catch you out. However, it is rigorous. The auditor will examine your management system with the same technical depth and scrutiny that would be applied to any business critical process. This article walks you through exactly what happens during each phase of a certification audit, what auditors look for, and what you need to do to present your organisation in its best light.
Understanding the Three Stages of ISO Certification
ISO certification audits unfold in three distinct phases, and understanding each one removes much of the mystery and anxiety. The audit process is not designed to be a surprise. In fact, the entire structure ensures that your organisation has multiple opportunities to demonstrate compliance before any final decisions are made.
The initial stage is called the Stage 1 or desk audit. This typically occurs weeks before any auditors set foot in your facility. The auditor reviews your management system documentation, policies, procedures, and quality manuals remotely. The purpose is straightforward: to confirm that your documented system meets the requirements of the standard you are pursuing. If critical documentation gaps are found at Stage 1, you will be notified immediately and given time to address them. No organisation passes Stage 1 without at least some minor documentation issues. The auditor is looking for evidence that you understand the standard and have documented processes that, if followed, would result in compliance.
Stage 2 is the on site audit, where auditors typically spend one to three days (depending on your organisation's size and complexity) physically present in your workplace. This is where the real assessment happens. Auditors will interview staff, observe processes in action, review records, and test whether the system you documented actually exists and functions as described. They examine whether people do what the procedures say they should do, and whether that activity actually produces the intended results.
The final stage is called Stage 3 or the post audit phase. Within a defined timeframe after Stage 2, usually 30 to 90 days, any nonconformities or corrective actions that were raised must be addressed. Once these are satisfactorily closed, your certificate is issued. Surveillance audits then occur annually or every two years, with a full reassessment every three years to maintain certification status.
Stage 1: The Documentation Review
Stage 1 typically begins 4 to 8 weeks before your scheduled on site visit. The certification body will contact your quality manager or management representative to request copies of your management system documentation. This is not a casual collection. The auditor will have a specific list of what they need to see based on the standard you are pursuing.
For ISO 9001, they will request your quality manual, procedures for key processes such as procurement, design (if applicable), production, delivery, and corrective action. They will ask for evidence that management review is documented, that internal audit processes are defined, and that customer requirements are being managed. For ISO 14001, they will request your environmental policy, aspects and impacts register, legal compliance register, and operational procedures for significant environmental activities. For ISO 45001, they will want your hazard register, risk assessment documentation, and occupational health and safety procedures.
The auditor is not reading these documents looking for perfect grammar or formatting. They are looking for evidence that you have thought through the standard's requirements and documented how you will meet them. A common mistake is assuming documentation must be polished and professional. In reality, clear and practical documents that reflect actual business operations are far more effective than elaborate manuals that do not match what happens on the floor.
During Stage 1, the auditor will identify gaps where documentation does not address specific standard requirements. These gaps become the focus of the Stage 2 audit. If gaps are severe (for example, your organisation has no documented procedure for managing a requirement that is mandatory under the standard), the auditor may ask you to provide additional documentation before Stage 2 proceeds. This is actually a courtesy. It gives you the chance to address fundamental issues rather than discovering them during the on site visit when there is no time to resolve them.
You should not wait passively for Stage 1 feedback. A week or two before the auditor is due to receive your documentation, conduct an internal review using the ISO standard itself as a checklist. Ask your team: have we documented how we manage this requirement? Can we show evidence that it is working? Where are the gaps? This proactive approach means you are not blindsided during Stage 1, and you have time to develop documentation before the on site visit.
Preparing for the On Site Audit: Stage 2
Stage 2 is scheduled typically 4 to 12 weeks after Stage 1 is completed. By this point, you should have received the auditor's Stage 1 report which outlines areas requiring clarification or further documentation. You will also have received an audit plan that specifies which processes will be audited, which departments will be visited, and how long the audit will take.
The audit plan is not negotiable, but it is worth reviewing with the certification body if it does not align with your organisation's structure. For example, if the auditor has planned to spend the entire three days looking at production and procurement but has allocated no time to review your design process (which is central to your business), raise this immediately. The auditor wants to spend time in areas where you have significant activity and risk. They will adjust the plan to match your actual operations.
Preparing your organisation for an external audit requires coordination across multiple areas. First, identify which staff will be interviewed and brief them on what to expect. Explain that auditors ask questions to understand how things work, not to trick them. Encourage honest answers. If someone does not know an answer, it is better to say so than to guess or make something up. Auditors are experienced at detecting inconsistencies between what different staff members say. If the purchasing manager says one thing and the procurement officer says something different, that raises a red flag.
Second, prepare your key records and evidence. Auditors will want to see recent examples of records that demonstrate your system is working. For ISO 9001, this might include recent customer orders, records showing how you identified customer requirements, inspection records, nonconformity reports, corrective action reports, and internal audit records. For ISO 14001, they will want recent monitoring records for significant environmental aspects, records of legal compliance checks, and evidence of environmental objective tracking. Organise these records so they can be accessed quickly during the audit. Nothing creates a worse impression than fumbling through filing cabinets for half an hour trying to find a simple record.
Third, brief your team on the audit process itself. Explain the opening meeting, what happens during interviews, what auditors mean by observation and record review, and what happens at the closing meeting. Uncertainty breeds anxiety. When staff understand the structure and purpose of an audit, they tend to relax and communicate more naturally.
Fourth, walk through your physical facilities and ensure they are in reasonable working order. This is not about creating a showroom environment. Auditors understand that real workplaces are not sterile. However, if your documented procedure says that all hazardous materials are stored in a locked cabinet and they observe hazardous materials scattered on a bench, that is a nonconformity. If your procedure requires that work instructions be visible at each workstation and they are not, that is a problem. Review your key documented procedures and ensure the physical environment matches what you have documented.
One frequently overlooked area is notice boards and communication materials. If you have documented that you communicate your environmental policy or safety objectives to all staff, ensure these are actually posted and visible. If you have documented that you conduct toolbox talks on safety (common under ISO 45001), ensure there is evidence of recent toolbox talks.
The Opening Meeting
The audit begins formally with an opening meeting attended by the lead auditor, any supporting auditors, your quality or management representative, and usually senior management. This meeting is rarely longer than 30 minutes, but it sets the tone for the entire audit.
The auditor will explain the audit scope (which areas are being audited), the audit criteria (which version of which standard is being assessed), the audit duration, the team's members and their roles, and the general schedule. They will explain what findings might be issued and what happens after the audit. They will also invite you to ask questions and to raise any significant changes that have occurred in your organisation since Stage 1.
This is your opportunity to flag anything relevant. For example, if you have changed suppliers, implemented new equipment, restructured your management team, or experienced any significant events (such as safety incidents or customer complaints), mention them now. The auditor will then ensure these areas receive appropriate attention during the Stage 2 audit.
The opening meeting is not adversarial. The auditor is not trying to catch you out or create a hostile environment. However, they are observing. They will note the professionalism of your response, whether your team seems prepared and knowledgeable, and whether there is genuine understanding of your management system or whether it feels like everyone has memorised responses without understanding them.
The Core Audit Activities: Interviews, Observation, and Record Review
After the opening meeting, the audit team begins systematically working through the audit plan. The three main methods auditors use to gather evidence are structured interviews, direct observation of work, and review of records and documentation.
Interviews are conducted with staff across different levels and functions. An auditor might interview the managing director about strategic direction and resources, a process owner about how a key process functions, and a frontline operator about what they actually do day to day. The auditor is not looking for perfect answers. They are looking for evidence that people understand their role in the management system and can explain what they do and why.
The most common interview mistake is over coaching staff. If someone has been drilled on exact answers before the audit, it becomes obvious quickly. Auditors ask follow up questions precisely because they want to hear genuine understanding, not rehearsed responses. An answer such as, "We follow our procurement procedure which requires three quotes for orders above $5,000 because we documented this to ensure we get competitive pricing and quality," is far more credible than, "The procedure says we need three quotes so we do three quotes."
Observation involves auditors watching processes in action. They might observe a production line, watch how a delivery is packed, attend a management meeting, or sit in on a customer service interaction. The purpose is to see whether the documented procedure matches actual practice. Auditors understand that no organisation follows every single procedure exactly as documented every single time. However, significant and consistent deviations are nonconformities.
Record review is the final major component. Auditors will examine records to verify that activities documented in procedures are actually being completed. For ISO 9001, they might review customer complaint records to verify that complaints are being investigated and closed. For ISO 14001, they might review environmental monitoring records to confirm that the frequency and methods match the documented procedure. For ISO 45001, they might review hazard identification and risk assessment records.
Gathering evidence that stands up to scrutiny relies on examining sufficient records across a time period to establish patterns. A single missing record might be an oversight. Multiple missing records across several months indicate a systemic problem.
Types of Findings: Nonconformities and Observations
During the audit, the auditor documents their findings. It is important to understand the different types of findings because each carries different weight and consequences.
A major nonconformity is a complete failure to meet a requirement of the standard, or a systematic failure to implement a documented procedure. For example, if your ISO 9001 system requires documented management review quarterly but there is no evidence of any management review meetings in the past twelve months, that is a major nonconformity. Another example: if your documented procedure requires that all customer complaints be recorded and investigated, but you have no system for recording complaints (they are just discussed verbally), that is major.
A minor nonconformity is a failure to fully meet a standard requirement, but one that is isolated or does not indicate a systemic problem. For example, if you have documented that all completed products are inspected before delivery, but you find one instance in recent weeks where an order was shipped without documented evidence of final inspection, that is minor. Another example: if your environmental monitoring procedure requires records to be maintained for two years but you have only maintained records for eighteen months, that is minor.
An observation is not a nonconformity at all. It is a comment where the auditor has noticed something that does not rise to the level of non compliance but might be worth considering. For example, an auditor might observe, "Your procedure requires monthly safety meetings but staff we interviewed were not aware of what was discussed at the last meeting. You may want to consider better communication of meeting outcomes." Observations are helpful feedback, not failures.
Understanding this distinction matters because your certification decision depends on how many and what type of nonconformities are found. An organisation cannot be certified with major nonconformities. Minor nonconformities must be closed within a set timeframe (usually 30 to 90 days) before certification is granted. Observations require no formal closure.
The Closing Meeting
At the conclusion of Stage 2, the audit team conducts a closing meeting with your organisation. The auditor will summarise the findings, discussing any major or minor nonconformities, observations, and areas of positive performance. They will also outline the next steps, which are corrective action and report issuance.
The closing meeting is typically where organisations first learn whether they will be certified. If no major nonconformities are found, the auditor will confirm that certification is recommended, subject to satisfactory closure of any minor nonconformities. If major nonconformities are found, the certification will be conditional or deferred, and you will need to address the major issues before certification can be granted.
This is not the time to argue with the auditor about findings or to try to negotiate the severity of a nonconformity. That is unlikely to be productive. Instead, listen carefully, ask clarifying questions to ensure you understand exactly what was found and why, and take detailed notes on what the auditor expects to see as evidence of closure.
Stage 3: Closing Nonconformities and Achieving Certification
After Stage 2, you will receive a formal audit report detailing all findings. Within the timeframe specified (typically 30 to 90 days), any minor nonconformities must be closed and any major nonconformities must be resolved. The auditor will review your corrective action evidence and determine whether it adequately addresses the root cause and prevents recurrence.
Managing corrective actions after an ISO audit requires a practical approach focused on root cause analysis, not just quick fixes. If a nonconformity exists because a procedure was not being followed, the corrective action cannot simply be, "We will follow the procedure now." You need to understand why the procedure was not being followed and address that root cause. Was it a training issue? A resource constraint? A poorly designed procedure? Once you have identified and addressed the root cause, you need to verify that your corrective action is actually working.
Once the auditor is satisfied that all nonconformities have been adequately closed, your certificate is issued. This typically occurs within a few weeks of closing all findings. Your certificate will state your organisation's name, the standard you are certified against, the scope of certification (for example, "design and manufacture of automotive components"), the certification date, and the expiry date (usually three years from issue).
The Role of the Lead Auditor
Throughout all stages, you will interact with a lead auditor. This person is responsible for planning the audit, leading the audit team, and making the final assessment about nonconformities and certification recommendation. A lead auditor's day to day work involves planning audits, gathering evidence, documenting findings, and communicating outcomes.
Lead auditors are highly experienced. They have typically conducted hundreds of audits and have deep knowledge of the standard they are assessing against. They understand industry norms and are not looking for perfection. They are looking for evidence of a genuine management system that is being implemented and that is delivering the intended outcomes.
If you have concerns during the audit, the lead auditor is your point of contact. If you believe something has been misunderstood or a finding has been incorrectly classified, it is appropriate to raise this professionally during the audit. However, understand that the auditor's assessment is based on ISO standard requirements and certification body procedures, not negotiation.
Common Issues and How to Avoid Them
After conducting hundreds of audits, certification bodies see patterns. Certain mistakes appear repeatedly. Understanding these helps you avoid them.
The first is over documentation. Organisations sometimes create elaborate manuals that do not reflect actual practice. Auditors see this immediately when they observe the work area or interview staff. Your documentation should describe how your organisation actually works, not how you think you should work in a perfect world. If your procedure is not being followed consistently, either change the procedure to match reality or fix the processes to match the procedure. Do not create a gap.
The second is insufficient evidence. Some organisations have documented procedures but have not kept records demonstrating that they are being followed. For example, your ISO 9001 procedure might require that customer complaints be investigated and closed, but there is no log of complaints and no investigation records. Records are critical. Without them, you cannot prove that your system is working.
The third is staff who are unprepared. If the auditor interviews a supervisor and they cannot explain their role or their responsibilities, that is a problem. This is not about perfect answers. It is about genuine understanding. Ensure your key staff understand their part in your management system and can explain it in their own words.
The fourth is unrealistic scope. Some organisations achieve certification for a scope that does not match their actual business. For example, a manufacturing company might state their certification scope as "manufacture, assembly, and installation" but then fail to conduct installation activities. When the auditor observes that installation is not actually happening, questions arise about the scope definition. Ensure your certification scope honestly reflects the activities you perform.
The fifth is confusing documented procedures with how work actually happens. This is especially common in smaller organisations where formal procedures may be newer than the informal ways people have always worked. Ensure everyone understands the procedure and follows it. If the procedure is not realistic, change it before the audit.
Post Certification: What Happens Next
Once certified, your organisation must maintain its management system. Surveillance audits occur annually or every two years depending on your certification body's protocols. These are shorter audits (typically half a day to one day) focused on whether your system is still functioning and whether there have been significant changes.
At the three year mark, you undergo a full reassessment audit that is as comprehensive as your initial Stage 2 audit. This is an opportunity for the certification body to verify that your system is still robust and has evolved with your business. Many organisations find that their three year audit is more efficient than their initial audit because they are now experienced with the standard and their system is mature.
One important point: certification status depends on maintaining your system. If your organisation undergoes significant changes, such as acquisition by another company, relocation, major process changes, or leadership changes, inform your certification body. These changes may trigger additional audit activities to verify that your system is still compliant.
Audit Workshop offers accredited ISO Lead Auditor and Internal Auditor training that prepares you for every stage of external certification audits. Our courses are Exemplar Global recognised and delivered online for working professionals.




