Recent ISO data shows a growing number of certificates being issued across all standards. A notable increase is especially seen in ISO 9001 (Quality Management), ISO 14001 (Environmental Management), and ISO 45001 (Occupational Health and Safety). Certification provides significant benefits in terms of ensuring quality and safety while reducing costs and risks to employees.
An ISO certification audit requires significant investment in preparation and resources. However, the up-front investment can minimize overall timeline to certification and minimize audit findings.
Furthermore, ISO certification value is immeasurable for demonstrating a commitment to manufacturing safe products in a safe environment.
When preparing for an ISO certification audit, it’s important to know what to prioritize, as well as what auditors look for when they visit.
Here we examine the most important places to focus, including tips for gathering documents, checking requirements and implementing corrective actions.
Gathering Your Documentation
Unfortunately, lack of documentation is one of the most common findings during an ISO certification audit. Therefore, the first major step in preparing for your ISO certification audit is to gather your documentation.
Often, notification bodies today will perform an offsite review of requested documentation ahead of time, with other items reviewed onsite. This belies the importance of having a system that provides anywhere, anytime, controlled access to documents.
Regardless of location, there are several areas to check to ensure your records are updated, including:
- Standard Operating Procedures (SOPs): SOPs should be documented for all processes. How do you make the product? What are your cleaning procedures? What do you do if you identify something out of specification?
- Employee Training: Auditors will likely ask to see training logs of random employees. Therefore, make sure your training logs are up to date for things like standard operating procedures (SOPs) and other critical-to-quality processes.
- Internal Audits: Auditors will want to see records of your internal audits. Furthermore, they will look for audit findings and any corrective actions resulting from the audits. In other words, auditors want to see that you perform internal audits regularly, and use those findings to make improvements.
- Corrective Actions: Auditors will likely want to see your system for tracking corrective and preventive actions (CAPAs). Items to pay attention here include open issues, critical issues that are overdue and repeat CAPAs.
- Quality Management Review: You should be performing a quality management review at least once annually. Here you’ll want to examine the entirety of your quality management system (QMS) and show continuous improvement documented in multiple areas.
An automated QMS provides a significant advantage when preparing your documentation for an ISO certification audit. Document management software saves time by centralizing records such as SOPs and training logs so you don’t have to track down paper documents.
Furthermore, a digital quality management system links processes like audits, nonconformance handling, employee training, and CAPAs to prevent process gaps. Finally, it sends auditors a better impression during the audit, demonstrating a systematic and competent approach to quality management.
Performing an Internal Audit and Gap Analysis
Once you have your documentation organized, you’ll want to perform an internal audit against the ISO standard requirements. This helps identify the requirements you don’t meet so you can prioritize corrective actions in advance of the ISO certification audit.
A best practice approach to internal audits and gap analysis is to:
- List all the requirements applicable to your organization
- Link each requirement to existing controls or documentation
- Identify any gaps where specific requirements don’t have a control
- Add new controls to fill those gaps with corrective action(s)
On a side note, whether or not you’re preparing for ISO certification, companies should still be performing internal audits on a regular cadence as a best practice. Of course, the timing depends on each company’s specific system.
Sometimes, organizations will conduct an internal audit on a different area each month. For example, you might audit a specific production line, your environmental, health, and safety (EHS) system, or your calibration process. Alternatively, other companies might choose to audit the entire system yearly, or portions of the system quarterly.
Here, the important thing is you conduct internal audits regularly, another area where an enterprise quality system automates the audit process. Not only does audit management software let you easily compare requirements against controls, but you can also link identified gaps directly to corrective actions.
Implementing Corrective Actions
After the internal audit and gap analysis, you’ll need to initiate corrective actions for any issues. Most importantly, make sure you’ve thoroughly documented your CAPAs. To auditors, if you don’t document it, it never happened.
Organizations can leverage a quality management system to document corrective actions, including:
- Assigning tasks and due dates to individuals responsible for investigation, implementation, reviews, and approvals
- Creating custom workflows to standardize how you route corrective actions and keep them on track
- Linking internal corrective actions back to specific audit findings so you can show auditors you’re actively addressing any identified problems
- Adding ongoing monitoring tasks to ensure corrections are effective and held in place
Corrective action software in the QMS helps standardize tracking, review, and approval processes, so problems don’t fall through the cracks. In this way, the QMS promotes continuous improvement and helps minimize findings during external audits.
Getting Your Facility Audit Ready
It’s essential to prepare both leadership and plant floor employees for an ISO audit. To an auditor, lack of leadership support is a red flag. Furthermore, the quality manager shouldn’t be the only representative during the audit. Here, all stakeholders should be involved, including production, the plant manager, and human resources. Auditors want to see that all leaders are committed to quality and holding their teams accountable.
Most auditors will also ask people in the quality chain basic questions such as:
- What does quality mean to you?
- If you have a question, what do you do?
- If you see something being made incorrectly, what do you do?
- What do you do if there’s a chemical spill?
If your staff knows the answers to these questions, then auditors will be likely to recognize that your organization facilitates a culture of quality. And, if you have your SOPs at the ready, you further enforce your commitment to the quality of products manufactured on the line.
Finally, while it may seem obvious, prepare the plant floor. It should be clean and tidy, with no obvious safety hazards and ample visual guides.
Preparing for an ISO certification audit takes time, but the investment you make will pay off in the long run. An organized approach to gathering documents, performing internal audits, and correcting problems is critical to minimizing findings and delays. The more connected and reliable your processes are, the fewer findings will result.
An automated QMS simplifies this process by placing all of the necessary data at your fingertips. When you can easily share documents, training records, internal audit data and corrective action records, you invite less scrutiny and make a better impression overall. The end result is a smoother ISO certification process, and strengthened processes to ensure quality and safety.
FDA alignment of quality system regulation (QSR) with ISO 13485
About the Author
Stephanie Ojeda is Director of Product Management for the Life Sciences industry at AssurX. Stephanie brings more than 15 years of leading quality assurance functions in a variety of industries, including pharmaceutical, biotech, medical device, food & beverage, and manufacturing.