What Happens During an ISO Audit? A Simple Guide

Demystifying the audit process: what to expect at each stage and how to walk in prepared.

Introduction

For many Singapore business owners, the ISO audit feels like the most intimidating part of the certification process. The idea of an external auditor scrutinising your operations can be stressful, especially if you've never been through one before. But audits are far more structured and predictable than most people expect. Once you understand what happens at each stage, the process becomes straightforward.

Stage 1 vs Stage 2 Audit

The ISO certification audit is conducted in two stages by an accredited certification body. Both stages must be passed before a certificate is issued.

Stage 1: Documentation Review
This is primarily a desk-based review. The auditor examines your management system documentation to check that it meets the requirements of the standard. They'll look at your quality manual (if applicable), procedures, policies, risk assessments, and objectives. The purpose is to confirm that your system is designed correctly before checking if it's actually working. Stage 1 may be conducted remotely or on-site, and typically takes half a day to a full day for SMEs.

Stage 2: Implementation Audit
This is the main event. The auditor visits your premises to verify that the documented system is being followed in practice. They'll interview staff, observe processes, review records, and check that corrective actions from Stage 1 (if any) have been addressed. For a typical Singapore SME, Stage 2 takes 1–2 days. At the end, the auditor presents their findings and recommends whether certification should be granted.

KEY TAKEAWAY

Stage 1 checks your paperwork. Stage 2 checks your practice. Both need to pass, but Stage 2 is where the real evaluation happens.

What Auditors Look For

Auditors aren't trying to catch you out. They're assessing whether your management system meets the standard's requirements. Here are the five main things they focus on:

  1. Process consistency: Are you actually following the procedures you've documented? If your SOP says incoming materials are inspected, auditors will check inspection records to confirm it's happening.
  2. Management commitment: Is top management involved? Auditors look for evidence of management reviews, resource allocation, and leadership engagement with the system.
  3. Risk-based thinking: Have you identified risks and opportunities relevant to your business? The 2015 revisions of ISO standards emphasise proactive risk management over reactive corrective action.
  4. Competence and training: Can your staff demonstrate they understand their roles within the management system? Auditors may interview operators, supervisors, and managers at random.
  5. Continual improvement: Are you tracking performance, analysing data, and making improvements? Auditors want to see that the system is evolving, not static.

How to Prepare

Preparation doesn't need to be complicated. These five steps will put you in a strong position:

  1. Run a thorough internal audit: This is your dress rehearsal. Treat it seriously and fix any issues found before the certification body arrives.
  2. Complete your management review: Ensure at least one management review meeting has been conducted and properly minuted. This is a mandatory requirement across all ISO standards.
  3. Check your records: Make sure training records, inspection logs, calibration certificates, and corrective action reports are up to date and accessible.
  4. Brief your team: Staff don't need to memorise the standard, but they should understand their role, the company's quality/safety/environmental policy, and where to find relevant documents.
  5. Don't over-prepare: Auditors can tell when responses are rehearsed. Honest, practical answers are better than scripted ones. If something isn't perfect, acknowledge it and show what you're doing to improve.

KEY TAKEAWAY

The best audit preparation is a well-run internal audit. If you can pass your own review, you'll almost certainly pass the real one.

What If You Get Non-Conformities?

Non-conformities aren't failures; they're findings that need to be addressed. There are two types:

Minor non-conformities are isolated gaps that don't undermine the overall system. For example, a single missing training record or an overdue calibration certificate. You typically have 90 days to submit evidence of correction, and the auditor closes it out remotely. Minor NCs do not prevent certification; the certificate is still issued.

Major non-conformities indicate a significant breakdown. For example, an entire process operating without any documented procedure, or a complete absence of management reviews. A major NC means certification is withheld until you fix the issue and pass a follow-up audit. This typically adds 4–8 weeks to your timeline.

The good news: major non-conformities are rare when you work with an experienced consultant, because the gap analysis and internal audit stages are designed to catch these issues well before the certification audit.

Frequently Asked Questions

Can an audit be done remotely?

Stage 1 can often be conducted remotely, especially for service-based businesses. Stage 2 usually requires an on-site visit, though some certification bodies allow a hybrid approach where part of the audit is done via video conference. This became more common after COVID and is still accepted by most accredited bodies in Singapore.

What if my staff give wrong answers to the auditor?

Auditors understand that not everyone will have perfect answers. What matters is that staff demonstrate a basic understanding of their responsibilities and know where to find the relevant procedures. An honest "I'm not sure, but I'd check this document" is perfectly fine. Auditors are evaluating the system, not testing individual knowledge.

How often are surveillance audits after certification?

Surveillance audits happen once a year during the three-year certification cycle. They're shorter than the initial certification audit, usually half a day to one day for SMEs. The auditor samples different areas each time, so over three years the entire system gets reviewed. After three years, you go through a full recertification audit.

ZES Consulting · 20+ years · 268+ projects · contact page