
ISO certification is one of the most widely recognized markers of operational quality and reliability in business. Founded in 1946 with delegates from 25 countries, the International Organization for Standardization (ISO) now represents 162 countries and develops standards across industries ranging from manufacturing and information security to environmental management and food safety.
For organizations pursuing ISO certification, audits are how compliance is verified. Understanding the different types of ISO audits, who conducts them, and what each one is meant to achieve is essential for any organization preparing to be certified or to maintain its certification status.
This guide explains the three main types of ISO audits, the methods used to conduct them, and how organizations can prepare effectively.
ISO audits fall into three categories, each serving a distinct purpose in the certification and improvement process.
Internal audits are conducted by an organization on itself, either by employees trained in audit methodology or by a third-party consultant acting on the organization’s behalf. The goal is to assess the strength of the organization’s quality management system against ISO standards, identify gaps, and surface improvement opportunities before an external auditor arrives.
Internal audits are required by most ISO standards (including ISO 9001) as part of ongoing certification maintenance. A well-run internal audit program reveals weaknesses early, drives continuous improvement, and significantly reduces the risk of nonconformities being flagged during external review.
Common internal audit findings include inconsistent process documentation, gaps between written procedures and actual practice, missing records of corrective actions, and unclear accountability for quality outcomes.
External audits, sometimes called second-party audits, are conducted by an outside organization that has a stake in your compliance. The most common scenario is a customer auditing a supplier to verify that the supplier meets contractual quality requirements. External audits can also be conducted by a parent company assessing a subsidiary, a regulator verifying industry compliance, or a consulting firm hired to provide an independent assessment.
External audits typically focus on specific areas of the quality management system that matter to the auditing party. A customer audit, for example, may concentrate on the supplier’s process for handling that customer’s specific orders, materials, or specifications. Findings from external audits are usually shared with the audited organization and used to drive improvements in the supplier-customer relationship.
Certification audits are conducted by an accredited third-party certification body to determine whether an organization qualifies for ISO certification. Passing a certification audit is the ultimate goal for organizations pursuing formal ISO status.
Certification audits typically happen in two stages. The Stage 1 audit is a documentation review where the auditor evaluates the organization’s quality management system on paper to confirm it meets the standard’s requirements. The Stage 2 audit is the on-site assessment, where the auditor verifies that the documented system is actually being practiced across the organization.
After initial certification, organizations are subject to surveillance audits (typically annually) to confirm continued compliance, and recertification audits (typically every three years) to renew the certification.
Audits can be carried out in three primary formats, each with its own advantages and limitations.
On-site audits are the traditional format and remain the most thorough. The auditor visits the organization’s facility, observes processes in real time, interviews personnel, reviews records, and examines evidence directly. On-site audits typically take one to several days depending on the size and scope of the organization.
Remote audits have become widespread, conducted via video conferencing, screen sharing, and electronic document review. Remote audits offer flexibility and lower travel costs but are less effective for verifying physical processes, observing factory floors, or assessing on-site conditions. They work best for documentation-heavy reviews and smaller scopes.
Self-audits are organization-led assessments using audit checklists or templates, often as part of an internal audit program. They can also be requested by customers as a low-cost alternative to formal external audits, with the supplier completing a structured questionnaire and submitting evidence.
Most organizations use a combination of formats over the course of a certification cycle, with on-site audits for initial certification and high-stakes assessments, remote audits for routine surveillance, and self-audits for ongoing internal compliance.
Whether facing an internal, external, or certification audit, the preparation steps are largely the same.
Build and maintain consistent documentation that accurately reflects how work is done. Auditors look for alignment between written procedures and actual practice, not just well-written manuals.
Establish a regular internal audit cadence so issues are surfaced and corrected before external auditors find them. Quarterly or semi-annual internal audits are common.
Train front-line teams on the relevant ISO standards. Auditors will interview operators and team members directly, and weak responses from front-line staff often signal a quality system that exists on paper but not in practice.
Track corrective and preventive actions rigorously. Open or unresolved nonconformities from previous audits are a major red flag for certification auditors.
Treat audits as improvement opportunities, not pass-or-fail events. The most effective quality management systems use audit findings to drive continuous improvement rather than minimizing them.
Internal audits are conducted by an organization on itself to assess its own quality management system, while external audits are conducted by outside parties such as customers, regulators, or certification bodies. Internal audits are designed to find and fix issues before they become problems. External audits are designed to verify compliance with specific requirements, often with consequences attached such as contract continuation or certification status.
A small business certification audit typically takes one to two days on site, while a large multi-site organization may require a week or more. Internal audits are usually shorter and can range from a few hours to several days depending on scope. Remote audits typically take less time than equivalent on-site audits because of reduced travel and observation overhead.
Most ISO standards require internal audits at planned intervals, but they do not specify a frequency. Common practice is to conduct internal audits quarterly or semi-annually, with the entire scope of the quality management system covered at least once per year. Higher-risk processes are often audited more frequently than routine ones.
A failed certification audit typically results in nonconformities that the organization must address before certification is granted. Major nonconformities require corrective action and a follow-up audit before certification can be issued. Minor nonconformities may allow the organization to be certified contingent on submitting a corrective action plan within a specified timeframe. Most organizations that fail an initial audit successfully achieve certification within a few months after addressing the findings.
Need help preparing for an ISO audit or building a quality management system that holds up to certification? Adonis Partners helps manufacturing and operations teams design, deploy, and sustain the processes and standards required for ISO compliance and continuous improvement.

Ben has deployed CI programs to organizations and has also led quality organizations through ISO 9001:2015 and ISO 14001:2015 deployments as a Director of Quality. He has deep experience with Fortune 500 companies like Bayer, Siemens, Danaher, Ecolab, and Medtronic. He is deeply passionate about improvement and creating learning and improving environments.