
How to prepare for an external audit?

Written by Protify

Whether it concerns ISO 27001, ISO 9001, NEN 7510, or another certification, periodic audits are part of the process once a management system is in place. This applies to both internal and external audits. The initial external audit cycle in particular can feel challenging, as it often resembles an exam where an external party evaluates whether processes, procedures, and controls are properly implemented and whether the organization complies with the requirements of the standard. This blog outlines key aspects to consider when preparing for an external audit, including defining the audit scope, setting up an audit program, ensuring sufficient knowledge among management system owners, and practical matters such as the audit room and the importance of a clear schedule.

Selecting an audit body

During the implementation of a management system, it is advisable to start identifying a suitable external audit body. There are many providers to choose from. At minimum, ensure that the chosen party is accredited for the relevant standard. If needed, this can be verified via the national accreditation body. Clearly agree on audit dates, both internally and with the external party, to ensure that the right people are available during the audit.

Audit scope

During implementation, the scope of the management system should already be clearly defined and communicated to the certification body. This helps determine the required audit time and enables the organization to focus on the relevant processes within scope.

Audit program

Most standards require the creation of an audit program covering a three-year cycle. This program defines what must be audited during each audit. For external audits, the exact content depends on the audit body. At minimum, specify whether it concerns an initial audit or a surveillance audit.

Knowledge of the standard

As the external audit approaches, it is advisable to review the applicable standard again. This refreshes knowledge and brings details back into focus. While reviewing, consider how requirements are documented and implemented, anticipate potential auditor questions, and take action if gaps are identified.

Audit planning

Several weeks before the audit, the external auditor will provide an audit plan. This plan outlines which topics will be assessed and when. Review the plan carefully and share it with key stakeholders. Add information about which employees should attend specific sessions. If scheduling conflicts arise, coordinate with the auditor. Adjustments are usually possible. Once updated, return the finalized plan to the audit body.

During the audit, actively follow the plan and ensure that participants join on time. This supports an efficient audit process.

Ensure documentation is up to date

Despite ongoing efforts to maintain the management system, documentation gaps can still occur. Verify in advance that all records are complete and up to date to avoid issues during the audit.

Explain the audit process to employees

For many employees, an audit is unfamiliar. Take time to explain what an audit involves and what is expected from participants. This may include attending sessions, providing evidence, or answering questions about responsibilities.

Some employees may be interviewed about their roles. It is important that employees understand relevant policies and can explain them with practical examples. For instance, an HR employee may explain how HR policies and the employee handbook are applied in practice. Employees may also be asked where such documentation can be found.

Ensure the right employees are present

Aligned with the audit plan, ensure that the appropriate employees are available at the right time. Block calendars in advance. Management participation is particularly important for demonstrating engagement, which is often reflected in the audit plan.

Maintain a clear schedule

This is a practical but important point. If you are responsible for coordinating the audit, minimize interruptions. Frequent disruptions during the audit reduce efficiency and create unnecessary friction.

Provide a suitable audit location

Ensure that a comfortable and appropriate space is available. Audit days are intensive, so a room with a proper table and seating is essential. Auditors may also need time to work independently, so provide space for this as well.

Consider in advance where lunch will take place. A change of environment can support focus and energy levels.

Access to facilities and systems

Ensure that the auditor has access to all relevant locations within scope. This may include server rooms or data centers, requiring prior arrangements.

Systems may also need to be reviewed during the audit, for example to verify access controls or data deletion practices. Ensure that the right personnel are available to demonstrate this.

Interested in how Protify can support you during an audit? Get in touch to explore how your organization can be assisted.
