I’ve worked with several companies over the years and dealt with different individuals, different processes and different levels of ISO 9000 understanding. However when an organization is getting ready to apply for ISO 9000 certification, the question remains: “Are we going to pass the audit?
Similar questions I have been asked are:
Those seem to be very simple questions and a yes or no should suffice, however the truth of the matter is that ISO 9000 audits do not have a grade, there is no pass or fail status or there is no pass or fail grade.
Please visit our blog on the ISO Audit Results and Nonconformities for a detail explanation on what constitute an audit finding, nonconformity or NCN.
Let’s look at the case of internal audits. Internal audits are usually run by people from the organization, or often times consultants who issue an internal audit report containing audit findings specifically nonconformities (NCN). If your company gets one NCN or 2 NCNs, will it pass the internal audit? The answer is that audits are not pass or fail exercises. Basically you will have done great even with 2 or 5 audit findings, or perhaps even 10. In all cases you should see the results as great, because you have found some shortcomings in your company and now you are in a position where you can fix them.
So the internal audit is not a passing or failing matter, the purpose of the audit is to assess the degree of conformance to the audit standard and report the results of the audit in the audit report. The audit report will not indicate that the company passed or failed, but rather whether the company has a high degree of conformance or needs some improvements (NCNs), which basically can be accomplished by taking appropriate actions to solve the NCNs.
In the case of external audits, the same principles as in Internal Audits apply. You do not have a pass or fail grade, however there is a difference, whether it is an initial audit or a periodic audits and whether there were major or minor NCNs issued.
Registrars have their own procedures which establish how much time the organization has to respond to nonconformities. If the audit is a certification or initial audit, then there is a set time for responding to nonconformities. Failure to comply will result in the organization not being recommended for certification and ultimately not receiving their certificate.
If the audit is a periodic audit, then again, there is a set time to respond to nonconformities. If the organization submits their response within that allotted time, then their certificate will continue in good standing. If the organization does not submit their responses in the allotted time, then they risk losing their certificate. In most cases you have 30 days to submit your response to the registrar on how you will resolve the NCNs.
During the initial audit there are indeed worries whether the organization is going to pass or fail the audit and get its certificate. Let us explain that the certificate is not issued immediately upon completion of the audit. When the registrar completes the initial or certification audit of the organization, they submit their report to the technical committee who will in turn review the report and issue the certificate. Now this process can happen immediately after the audit or it can be done a few weeks later. It all depends on how many NCNs the organization got during the audit. So if the company did not get any NCNs, then the registrar, will feel comfortable recommending the company immediately for certification. The auditors do not issue the certificate immediately, they recommend. So again, if there are no NCNs to follow up then the registrar will most than likely tell the organization during the closing meeting, that they will be recommending them to be registered as an ISO 9001 organization and then the Registrar will issue the certificate a few weeks (or months) later.
The pictures changes when there are nonconformities. Here there is one question to ask, whether those nonconformities are major or minor.
If there are NCNs, the registrar will not recommend the organization for certification however if all the NCNS are minor, they will say during the closing meeting, that they will recommend the company for certification upon receipt and approval of written corrective action for all the NCNs issued. So if the company got for example 2, 5 or 7 minor NCNs, the organization should feel great, in that if appropriate corrective action is submitted for review to the registrar, they will be recommended for certification. So if the registrar conducted the audit this week, and they leave you with a report and findings and you spend 1 or 2 days to come up with a corrective action plan for all those findings, you may be on your way to success. Once you submit your response to the registrar and they review and accept all your answers, they will at that point recommend your organization for certification. So it may not even be a week, after the audit before you are recommended for certification. It just depends on how long you take to come up with the answers and how long it takes the registrar to review the corrective actions.
Again, the audit was not pass or fail, just a matter of assessing the degree of conformity through the NCNs issued.
Now there is a third case which is when there are major nonconformities. If there are major NCNs issued during the initial certification audit then most likely the registrar will not recommend the company for certification during the closing meeting. Not only you will have to submit your responses by email, but most registrars will require a follow up audit, so they will need to come back to your organization and physically verify that the major findings have been taken care.
So that is the main difference. On minor NCNs the company submits their corrective actions over email and no follow up is required. On the major NCNs, the corrective actions responses to the NCNs are also submitted over email but in most cases, the registrar is going to come back to do the actual checking of the corrective action implementation. They will schedule an audit follow up, which probably will be a day or so and if everything goes well and the NCNs responses are verified, they should recommend the company for certification.
So once again, external audits are not a case of pass or fail. Even if you get major NCNs, you should address them, issue the corrective action plan, send it to the registrar, make sure they approve it -and if you do so in a very expedite way the registrar would be in a position to schedule a follow up audit soon. And if- when they come -they see that the NCNs have been taken care, they will validate the NCNs, close them and subsequently recommend you for ISO 9001 certification.
Periodic audits conducted by the registrar differ slightly from initial audits. Besides the difference in audit time, the big difference is that you are dealing with an organization that already has an ISO certificate. If the organization address satisfactorily all nonconformities issued –whether there are major and or minor NCNs- the registrar will basically keep their ISO certificate in good standing. Failure to address minor nonconformities may result in the NCNs being elevated to a major category. Failure to resolve major nonconformities may result in the company being put on probation up to and including losing their ISO certificate.
In essence, once the organization puts into action their preventive and corrective procedures as well as their continual improvement process in order to correct NCNs generated through the Internal or External Audit, they will receive or continue their ISO 9000 certification. No pass or fail grades, no good or bad remarks, ISO 9000 audits are basically just a great opportunity to continually improve the organization and its quality management system.