Terminology for ISO 9001 Audits

Published January 18, 2021 (4 min read)

ISO 9001:2015 is the current standard for Quality Management Systems, as adopted by the International Organization for Standardization (ISO). Achieving ISO 9001 certification is a complex undertaking, and one significant part of that process is an audit of the organization’s entire environment.

Whatever challenges the audit brings, pursuing ISO 9001 certification is a worthwhile goal. Compliance with the standard lets an organization demonstrate—to itself, to customers, to regulators, and to any other stakeholders—that the business takes its commitment to quality seriously. So a first step toward achieving that certification should be to understand the terminology commonly used throughout the ISO 9001 audit process.

Audit. An ISO audit is a routine inspection performed by either internal employees or an external auditor. The goal of these audits is to assure that the business is following ISO 9001 requirements.

  1. Internal audit. This type of audit assesses an organization’s performance and implementation of its Quality Management System (QMS). An internal audit is usually performed by one or more employees within the company who have been trained on ISO 9001 standards and who know how to perform audits.
  2. External audit. An external audit is similar to an internal audit, except the auditor comes from a source outside the organization—typically from a registered audit firm certified to perform ISO 9001 work. The external audit is usually the official audit that determines a company’s ISO 9001 certification.

Audit findings. The findings of an audit (both internal and external) are the outcome or results of an audit following its completion.

  1. Internal audit findings. If an internal auditor finds that the business isn’t meeting ISO 9001 requirements (nonconformity), the audit team will present its findings to management so the business can adjust its QMS accordingly. If the internal audit finds that the business does meet ISO 9001 standards, the business will be encouraged to keep improving the QMS so it surpasses ISO 9001. 
  2. External audit findings. If an external audit concludes that the organization has, in fact, met ISO 9001 requirements, the organization is granted ISO 9001 certification. If the organization doesn’t meet ISO 9001’s requirements, the external audit will deliver that news instead, and offer suggestions on how the business can resolve the issues preventing conformity.

Audit evidence. Audit evidence is what’s used to support the conclusions in an audit. This can include documentation such as records, statements, testing results, and more.

Audit criteria. The criteria of an audit are essentially a list of expectations the business must meet to pass the audit. In an ISO 9001 audit, for example, the audit criteria may include a series of policies that the company must have to be ISO 9001-compliant.

Audit program. The audit program lists the details surrounding an audit, such as the time it will take place, frequency of tests, and so forth. The audit program is usually developed between the auditor(s) and the chosen ISO 9001 lead (that is, the internal executive leading the ISO 9001 project).

Objective audit evidence. This is saved information, in the form of documentation and records. Objective audit evidence is required as a criterion for the ISO 9001 audit.

Outsource. Outsourcing is the act of contracting with an external organization to perform specific tasks on your behalf. For example, a business might outsource its internal audit function, IT security, data storage, accounting, or other business functions (all of which might be subject to an external auditor’s ISO 9001 review).

Performance. Performance is a measure of how well or poorly a particular activity is being carried out. An example would be how efficiently tasks are being completed relative to the time, resources, and money spent on them.

A performance evaluation is required to assess performance within an organization. ISO 9001 offers more information about performance evaluations in the following clauses:

  • 9.1 Monitoring, measurement, analysis, and evaluation
  • 9.2 Internal audits
  • 9.3 Management reviews

Performance indicator. Performance indicators are tools used for gauging how satisfied customers are, as well as how consistently intended outputs are actually being realized.

Periodic. This term refers to how often something is done or completed. For example, audits are performed periodically (say, once every two years) to ensure the long-term success of an organization.

Review. Reviews usually come after assessments. They essentially are overviews of how a particular process went. They can be both internal and external.

  1. Internal reviews. Reviews can come after an internal audit and may be used to improve processes based on the feedback auditors provide. The internal review can be used to assure organizations satisfy ISO 9001 requirements before official audits and re-certification audits.
  2. External reviews. Reviews can come from a customer, and may mention how satisfied or dissatisfied they were with a specific product or service.

Accordance. If a business is in accordance with ISO 9001, that means that it has adequately or sufficiently conformed to ISO 9001 standards and requirements.

Certification. Gaining certification means that the organization has demonstrated that its QMS is in line with ISO 9001 standards.

Competence. Competence describes a company that’s able to meet an ISO 9001 requirement through its QMS or other processes.

Compliance. Similar to competence, compliance describes an organization that has successfully fulfilled a requirement for ISO 9001. Also known as conformity.

Concession. A concession is a type of special approval given to release a nonconforming product or service to a customer.

Continual improvement. This refers to the activities of a business that aim for the constant improvement or betterment of their internal systems and processes.

Corrective action. This term describes an action that must take place to improve processes so they will meet ISO 9001 standards. Corrective actions are often related to the term continual improvement.

Non-conformance. This term describes a process that doesn’t meet a requirement set out by the standard.

Re-certification audit. After an organization achieves ISO 9001 certification the first time, re-certification audits are performed (usually every three years) to assure that the organization continues to meet all ISO 9001 expectations. If new issues do come to light in a re-certification audit, the organization will then need to address those issues to maintain its ISO 9001 status. 

Verification. Verification is the final step in achieving ISO 9001 certification. It acknowledges that your organization has met the proper ISO 9001 requirements to be granted accreditation.

Although the audit process is time consuming and challenging, understanding the above terms helps you understand what it actually takes to become ISO 9001 certified. 

While this article was about the terminology surrounding the audit process, it might be prudent to explore all of the terminology surrounding ISO 9001 in general. Things like asset inventories, processes, systems, documentation, risk assessments, and many more will need to be closely scrutinized. Undergoing the ISO 9001 process may seem arduous, but it’s a crucial part of a healthy organization.

Source: https://www.iso-9001-checklist.co.uk/3-ISO-9001-terms-definitions.htm
