
ISO 9001 Audit Types and How They are Executed

Audits fall into one of two categories, internal or external, and they may be conducted in three different ways: on-site, remotely or as a self-audit. The three basic auditing methods are:

  • On-site audits are performed in full days. The number of days needed for an audit depends on several factors including size, complexity, risk and nature of an organization. The International Accreditation Forum (IAF) has provided guidelines for registrars to calculate audit time.
  • Remote audits may be performed via web meetings, teleconferencing or electronic verification of processes. Remote audits are less common and typically not as effective as on-site audits.
  • Self-audits are not always internal audits. Your customer can request a self-audit to eliminate the need for them to use their own resources while still getting some assurance that you are meeting requirements.

Audit Types

Internal audits are a self-examination of your organization’s QMS and are performed on-site. The internal auditor must be independent of the area being audited to ensure objective results. (It is recommended to have more than one auditor to ensure no one is auditing his or her own area of responsibility.) Internal audits are an ISO 9001 requirement and they are critical to the success of your QMS. (We offer internal audit training to ensure your internal auditors are able to perform an effective internal audit, as well as an audit checklist to help guide your internal auditors in covering all areas of your QMS.)
External audits include customer, supplier, certification and surveillance audits. A customer audit is where an existing or potential customer audits your organization to verify that you can meet, or are meeting, their requirements. When you are the customer auditing an existing or potential supplier, it is called a supplier audit. Supplier audits can be one of the methods used to meet the requirements around control of external providers (ISO 9001:2015 8.4).
A certification audit is the audit your selected registrar will conduct to verify conformance against the ISO 9001 standard before they issue your official ISO 9001 certificate. Certification audits will often be broken up into stage one and stage two audits. The stage one audit is performed to determine an organization’s readiness for the stage two audit. Often, the stage one audit will be conducted remotely to avoid additional travel costs for the auditor. If the auditor determines you meet the minimum criteria for the stage one audit, your organization will proceed with the stage two audit. Stage two audits will always be on-site audits. This is where the auditor will interview your staff and review your documented information (procedures, records, etc.) to verify you are meeting all the ISO 9001 requirements. Certification audits are typically conducted every three years.
Once you are certified, your registrar will check up on you using surveillance audits to verify you are still upholding your QMS and the ISO requirements. Surveillance audits are very much like certification audits, with the exception that they do not issue or re-issue a certificate. These are typically conducted by your registrar annually.

How will auditing change under the latest revision of ISO 9001?

The most significant changes between the ISO 9001:2008 and 2015 standards include the concepts of risk-based thinking, context of the organization and new Leadership requirements. You can expect that your auditor will be looking to see that you meet these requirements, just as they will be confirming you meet all the other requirements. This is why it is important, when you are beginning your journey towards ISO 9001:2015 certification, that you have a gap analysis performed to identify any potential nonconformities you may have in these areas so that you can address these gaps before your certification audit.
