How to Prepare for an ISO 9001 Certification Audit (What External Auditors Expect)
“The big day” is approaching. The date for the ISO 9001 certification audit is marked on the calendar. For many organizations, this is a time filled with stress, anxiety, and frantic last-minute preparations. The truth is, the external audit doesn’t have to be an exam you dread; it can be a validation of your hard work and effort.
While the internal audit is your tool for self-check and improvement, the certification audit is the official confirmation from an independent party that your Quality Management System (QMS) meets the requirements of the ISO 9001 standard. It is the window through which your customers and partners see your commitment to quality.
In this article, we’ll look at the process from the auditor’s perspective. What do they actually expect to see? How do you prepare not just to “pass,” but to get the maximum benefit from the process? Let’s demystify the certification audit.
First: Internal Audit vs. Certification Audit
Before we proceed, it’s crucial to understand the difference between the two main types of audits:
- Internal Audit: Conducted by your own trained employees (or a consultant on your behalf). Its purpose is internal improvement—to find nonconformities and opportunities before they become problems. This is your “dress rehearsal.”
- Certification Audit (External): Conducted by a completely independent auditor from an accredited certification body. Its purpose is demonstrating compliance—to confirm to the world that your QMS meets the standard.
A successful certification audit is almost always the result of well-conducted internal audits.
The Phases of the Certification Process (Stage 1 and Stage 2)
Certification isn’t just a single event; it’s a process that typically consists of two main stages:
Stage 1: Document Review (Readiness Review)
This is the initial review. The auditor focuses on the design and documentation of your QMS. They are looking for the answer to the question: “Does the organization have a system that, *on paper*, meets the requirements of ISO 9001?”
What is reviewed here:
- The scope of your QMS (which activities and processes are included).
- Your documented information—manual, key procedures, and work instructions.
- Identification of processes and their interaction.
- The Quality Policy and objectives.
- Results from at least one full internal audit cycle and a management review.
The result of Stage 1 is a report that identifies any gaps or areas of concern that must be addressed before Stage 2. This is your chance to “fix” things without serious consequences.
Stage 2: On-Site Audit (Main Audit)
This is where the real verification happens. The auditor comes to your organization to verify that the QMS you described in Stage 1 is actually *functioning* in practice. The question now is: “Does the system work as described, and does it meet the standard?”
The auditor will gather objective evidence through interviews with employees at all levels, observation of processes, and review of records.
What Exactly Does an External Auditor Look For?
Auditors are trained to think in terms of processes and risk. They won’t check every comma but will focus on key areas to ensure your system is effective.
- Management Commitment: This is absolutely key. The auditor will want to speak with top management. Do they know the quality policy? Do they participate in system reviews? Do they provide resources?
- Risk and Opportunity Management: This is at the heart of ISO 9001:2015. The auditor will ask: “What risks to your processes have you identified? What are you doing to manage them?”
- Competence and Awareness: The auditor will talk to employees at random. They won’t “test” them, but will check if they understand how their work contributes to quality, what the objectives are, and what to do if something goes wrong.
- The “Golden Thread” – Traceability: The auditor will take one order (or project) and trace it through the entire system: from the customer inquiry, through planning, production/execution, quality control, to delivery and invoicing. They are looking for any “breaks” in the process.
- Management of Nonconformities and Improvement: What happens when a problem is found (whether from a customer complaint or an internal audit)? Do you have a process for corrective actions? The auditor wants to see that you are learning from your mistakes. In fact, having zero nonconformities is more suspicious!
5 Practical Tips for Successful Preparation
Preparation doesn’t mean “hiding” problems. It means being ready to show the real state of your system in the best possible way.
Pro Tip: The biggest mistake is trying to “trick” the auditor. They’ve seen it all. Be open, honest, and cooperative. If you don’t know something, say “I don’t know, I will check.”
- Hold a “Dress Rehearsal”: Conduct a full internal audit 1-2 months before the certification audit. Be brutally honest with yourselves. This is the best way to avoid common mistakes that lead to failure.
- Tidy Your “House”: Ensure all documentation is up-to-date, approved, and easily accessible. Archive old versions. Organize records (protocols, forms, reports) so you can find them quickly when asked.
- Prepare the Team (But Don’t “Drill” Them): Explain to employees what the audit is. Tell them not to worry. The most important thing is to answer honestly and concisely what they are asked, and to show what they actually do.
- Appoint an “Escort”: Designate one person (usually the quality manager) to accompany the auditor at all times. Their role is to facilitate the process, find the right people and documents, and take notes on everything the auditor says.
- Review Stage 1 Findings: Make sure all gaps identified during Stage 1 have been addressed and closed. This is the first thing the Stage 2 auditor will check.
What Happens After the Audit?
At the end of the audit (Stage 2), the auditor will hold a **closing meeting**. Here, they will formally present their findings. These can be:
- Positive Findings (Best Practices): Things you do exceptionally well.
- Opportunities for Improvement (OFI): Suggestions that are not mandatory but could improve your system.
- Minor Nonconformities: A single lapse or failure to follow a procedure that does not systemically affect the outcome.
- Major Nonconformities: A systemic failure, the absence of an entire process, or a failure to meet a requirement of the standard that poses a risk to the customer or the QMS.
If you only have minor nonconformities or OFIs, the auditor will recommend certification. You will need to submit a plan for corrective actions within a certain timeframe. If you have a major nonconformity, certification is withheld until you fix it and (sometimes) a brief follow-up audit is conducted.
Conclusion: The Certificate is the Beginning, Not the End
Receiving an ISO 9001 certificate is a huge achievement. It is official recognition of your commitment to quality. But it’s not the finish line. It’s the license to participate in the “race” of continuous improvement.
View the certification audit not as a threat, but as a free consultation from a highly qualified expert. It gives you an invaluable external perspective on where you are doing well and where you can become even better. Prepare well, be open, and use the results to drive your business forward.
To ensure your certification body is legitimate, always check that it is accredited by a member of the International Accreditation Forum (IAF).
Frequently Asked Questions
What is the difference between accreditation and certification?
This is key. Certification is when a Certification Body (like BSI, TÜV, LRQA) audits your company and confirms you meet ISO 9001. Accreditation is when a national Accreditation Body (like UKAS, ANAB, or EA members, part of the IAF) audits the Certification Body and confirms that *they* are competent to issue certificates.
How long does a certification audit take?
It depends heavily on the size of the company, the number of employees, and the complexity of the processes. Typically, Stage 1 takes 1-2 days (often remote). Stage 2 can range from 2-3 days for a small firm to several weeks for a large international corporation. Your certification body will calculate this based on strict rules.
What happens if the auditor finds a “Major Nonconformity”?
If a major nonconformity is found, the auditor cannot recommend certification. The organization must analyze the root cause, take corrective action, and provide evidence. In most cases, a follow-up (shorter) audit is required to verify on-site that the problem has been effectively resolved.
Do we have to respond to “Opportunities for Improvement” (OFIs)?
No, you are not required to. They are not nonconformities and do not threaten your certificate. However, it is extremely good practice to review them seriously. They are a free consultation from an expert and are often the things that will be checked more closely at the next surveillance audit.