An Internal Audit helps a company ensure it has the proper controls, governance, and risk management processes in place. By nature, it’s an independent activity by a competent person or team that can present objective and impartial findings and make recommendations for corrective measures. A robust Internal Audit function can find and correct deficiencies/non-conformities quickly and limit costs to your company. While External Audits mostly focus on compliance risk, internal auditors have a wider range of responsibilities and different reporting requirements.
The objective of an audit is to determine whether a company carries out its processes in a systematic and controlled manner as stipulated in its policies and procedures, otherwise known as its Quality Management System; in other words, whether it does what it says it should do.
Any Quality Management System needs to be audited at regular and planned intervals by an accredited Certification Body to provide information on whether the Quality Management System:
• Conforms to the business’s own requirements for its management system,
• Conforms to the requirements of the Management System Standard/s, and
• Is effectively implemented and maintained.
The difference between Internal Audits and External Audits is that the former are done in preparation for the latter, i.e. to identify non-conformities and address them prior to a Certification Body’s Audit. Apart from this, Internal Audits are also mainly done to continually improve a company’s processes.
Audit reports (or a summary of the audits) should encompass information about:
• Problems and errors, and the actions taken to resolve them
• Observations of risk
• Determination of appropriate actions, if any, and the results
• Opportunities for improvement
The truth is that internal audits are not only a necessary task to maintain ISO 9001 certification but a powerful tool for examining the company’s own quality management processes in detail. These audits can improve the effectiveness of the ISO 9001 quality management system and the efficiency of operational processes.
External audits are performed by an auditor (or team of auditors) appointed by your company’s preferred accredited Certification Body. The purpose of external audits is to verify that your ISO 9001 Quality Management System is effectively implemented. This enables your company’s Certification Body to issue an ISO 9001 certificate. External audits are not a one-time event. Like Internal Audits, they are conducted at periodic intervals in order to verify whether the Quality Management System continues to be fully maintained.
Certification is normally valid for three consecutive years. The first External Audit, i.e. the 1st year’s audit, is often called an “ISO 9001 Certification Audit” and consists of a Stage 1 and a Stage 2 Audit. The Stage 1 Audit is a Qualification Audit that qualifies you to be formally audited in order to become certified, i.e. Stage 2. The periodic or follow-up audits (the two years after certification) are typically referred to as “Assessment/Surveillance Audits”. This means that your whole Quality Management System and business processes are audited in Year 1 of your 3-year certification cycle, i.e. the Certification/Re-certification Audit, whilst during Years 2 and 3 your whole Quality Management System and processes are audited over 2 years, i.e. the Assessment/Surveillance Audits.