All You Need to Know About ISO Certification: The Audit Process

In part one of my blog series, we looked at the costs associated with obtaining an ISO 9001 certification and revealed the actual cost of obtaining a certificate. This is often the “entry ticket” to being asked to quote new business. It’s typically not a huge sum of money, especially when compared to marketing/sales budgets for lead generation.
In this article, we’ll look at the certification audit process which provides the details behind the costs previously discussed.
Registrars will want you to complete an application to provide them with the information needed to create a quotation or service agreement and get you into their database. Typically, the information describes things such as organization name, address(es), contact details, etc.
Registrars usually want the following information:
  1. The scope of your quality management system that is being certified
  2. The number of full-time employees involved with the quality management system
  3. The NAICS codes(s) associated with the organization
There also may be other information gathered at this stage, or later in the process.
The scope of certification is usually the same as the scope of the quality management system which is required to be documented in ISO 9001:2015 (clause 4.3). It’s the scope, along with the number of employees, which helps determine the number of audit days (as described in the IAF MD-5 document). The NAICS code determines if the registrar is accredited in your industry.
Once the organization accepts its quote from a registrar, a contractual agreement is signed, which defines the rules associated with maintaining certification. Following this, the first audit can be scheduled.
This is a day-long planning and preparation activity usually conducted by the assigned auditor. It can be conducted on-site or virtually through online meetings and file sharing. Also known as a “readiness review,” this stage determines if the organization is ready for the compliance audit (Stage 2).
Typically, the auditor will confirm the details in the application:  scope, headcount and that the quality system has been in place and functioning for enough time to produce results. The auditor also will check to see if two key requirements have been implemented – internal audits (clause 9.2) and management review (clause 9.3).
The audit should result in a plan for Stage 2 and a report on the organization’s state of readiness, which could include indications of potential areas of non-conformity if not corrected. For example, if internal audits have not been done at the time of Stage 1 and no action is taken, that would result in a significant non-conformity and prevent certification. At this point, the organization may move forward with scheduling Stage 2 if there are no reasons to delay.
On successful completion of Stage 1, and frequently within 30-60 days, Stage 2 (also known as the “compliance audit”) is performed. This audit checks the actual implementation of the quality management system and whether it functions effectively to deliver customer satisfaction.
Any issues identified by the auditor are pointed out, discussed and, if valid, recorded as “non-conformities.” Depending on the nature of the audit findings, a recommendation for certification may or may not be made by the auditor to the registrar. It is the registrar who will award the certification. Upon successful completion of Stage 2 and award of an ISO 9001 certificate, the next audits begin.
For the first two years following certification, there will be an annual audit conducted to ensure the quality system is being maintained per the ISO requirements and as part of the certification agreement. The audit focuses on requirements that tend to indicate the quality system is functioning - internal audits, management review, any changes which have been made and customer feedback/complaints are the key elements. In the third year of certification the audit “cycle” is completed with the Triennial Reassessment Audit.
This audit is usually twice the duration of the surveillance audit. It focuses on the same agenda items plus what the organization has done to make improvements, as required by clause 10. Successful completion leads to repeating the cycle of surveillance audits.

The costs associated with these certification audits were described in part one of this three-part series. In addition to the day rate for each audit, all registrars charge fees. These can range from one-time charges for application processing, annualized fees for accreditation (under ANAB or similar) contract termination fees and reviewing an organization’s corrective action responses to audit non-conformities. These can range from $250 to $1,000 depending on the registrar. Some may also be negotiable or reduced if the organization is a small business. Check your agreement before committing to a specific registrar’s services.

To learn more about what’s involved in your organization becoming ISO 9001 certified, stay tuned! Future articles will cover the selection of a registrar and more.
There are two primary benefits associated with being ISO certified:  a competitive advantage and the discipline necessary for future growth. Many companies expect their suppliers to have some form of ISO certification. Suppliers without this certification are unlikely to even be considered for expanded work. To help companies be successful, The Center’s experts assist manufacturers in integrating their QMS/EMS objectives into their strategic and business plans. Take the first steps in the certification process by scheduling your free assessment today!
MEET OUR EXPERT: Andy Nichols, Program Manager
Nichols_A.jpgAndy Nichols, CQP FCQI brings 40 years of expertise in a wide variety of roles and industries, with a particular focus on management systems in manufacturing organizations. At The Center, Andy trains, consults and creates content covering many topics, including quality systems, information security, practical aspects of cybersecurity and business development. He has authored three books, “Exploding the Myths Surrounding ISO 9000 – A Practical Implementation Guide” (published by ITG, April 2013), “A Guide to Effective Internal Management Systems Audits (published May 2014) and “Implementing ISO 9001:2015 – A practical guide to busting myths surrounding quality management systems” (published October 2022).


Since 1991, the Michigan Manufacturing Technology Center has assisted Michigan’s small and medium-sized businesses to successfully compete and grow. Through personalized services designed to meet the needs of clients, we develop more effective business leaders, drive product and process innovation, promote company-wide operational excellence and foster creative strategies for business growth and greater profitability. Find us at

Categories: Quality Management