What Happens If You Fail Your Audit

 


It's not the end of the world. It's a chance to improve.

I've worked with several companies over the years and dealt with different individuals, different processes, and different levels of ISO 9001 understanding. However, when an organization is getting ready to apply for ISO 9001 certification, the question most often asked is: "Are we going to pass the audit?" Similar questions I've been asked are:

"How many of your clients have passed the audit?"

"How many of your clients failed the audit?"

And after I have conducted an internal audit, the usual question is, of course, "Did we pass?"

Those seem to be very simple questions, and a yes or no should suffice. However, the truth of the matter is that ISO 9001 audits don't have a grade: there is no pass or fail status.

Please visit our blog on the ISO Audit Results and Nonconformities for a detailed explanation of what constitutes an audit finding, or nonconformity.

Passing or failing an internal audit

Let's look at the case of internal audits. Internal audits are usually run by people from the organization, or often by consultants who issue an internal audit report containing audit findings, specifically nonconformities. If your company gets one or two nonconformities, will it pass the internal audit? The answer is that audits aren't pass or fail exercises. Basically, you will have done great even with two or five audit findings, or perhaps even 10. In all cases, you should see the results as great, because you have found some shortcomings in your company and now you are in a position where you can fix them. 

So the internal audit isn't a passing or failing matter. The purpose of the audit is to assess the degree of conformance to the audit standard and report the results in the audit report. The audit report will not indicate that the company passed or failed, but rather whether the company has a high degree of conformance or needs some improvement, which can be accomplished by taking appropriate actions to address the nonconformities.

Passing or failing an external audit

In the case of external audits, the same principles apply. You don't have a pass or fail grade. However, there is a difference: whether it is an initial audit or a periodic audit, and whether there were major or minor nonconformities issued.

Registrars have their own procedures, which establish how much time the organization has to respond to nonconformities. If the audit is a certification or initial audit, then there's a set time for responding to nonconformities. Failure to comply will result in the organization not being recommended for certification and ultimately not receiving their certificate. 

If the audit is a periodic audit, then again, there is a set time to respond to nonconformities. If the organization submits their response within that allotted time, then their certificate will continue in good standing. If the organization doesn't submit their responses in the allotted time, then they risk losing their certificate. In most cases, you have 30 days to submit your response to the registrar on how you will resolve the nonconformities.

Initial ISO 9001 audits without nonconformities

During the initial audit there are indeed worries about whether the organization is going to pass or fail the audit and get its certificate. Let us explain that the certificate isn't issued immediately upon completion of the audit. When the registrar completes the initial or certification audit of the organization, they submit their report to the accreditation body, which will in turn issue the certificate. This process can happen immediately after the audit or it can be done a few weeks later. It all depends on how many nonconformities the organization got during the audit. If the company didn't get any nonconformities, then the registrar will feel comfortable recommending the company immediately for certification. They don't issue the certificate; they recommend. So again, if there are no nonconformities to follow up, then the registrar will more than likely tell the organization during the closing meeting that they will be recommending them to be registered as an ISO 9001 organization, and then the accreditation body will issue the certificate a few weeks (or months) later.

Initial ISO 9001 audits with minor nonconformities issued

The picture changes when there are nonconformities. Here there is one question to ask: whether those nonconformities are major or minor.

If there are nonconformities, the registrar won't recommend the organization for certification. However, if all the nonconformities are minor, they will say during the closing meeting that they will recommend the company for certification upon receipt and approval of written corrective action for all the nonconformities issued. So if the company got, for example, two, five, or seven minor nonconformities, the organization should feel great because if appropriate corrective action is submitted for review to the registrar, they will be recommended for certification. So if the registrar conducted the audit this week, and they leave you with a report and findings and you spend one or two days to come up with a corrective action plan for all those findings, you may be on your way to success. Once you submit your response to the registrar and they review and accept all your answers, they will at that point recommend your organization for certification. So it may not even be a week after the audit before you are recommended for certification. It just depends on how long you take to come up with the answers and how long it takes the registrar to review the corrective actions. 

Again, the audit was not pass or fail, just a matter of assessing the degree of conformity.

Initial ISO audits with major nonconformities issued

There is a third case, which is when there are major nonconformities. If there are major nonconformities issued during the initial certification audit, then most likely the registrar won't recommend the company for certification during the closing meeting. Not only will you have to submit your responses by e-mail, but most registrars will require a follow-up audit, so they will need to come back to your organization and physically verify that the major findings have been taken care of.

So that is the main difference. On minor nonconformities, the company submits their corrective actions via e-mail and no follow-up is required. On major nonconformities, the corrective action responses to the nonconformities are also submitted by e-mail, but in most cases the registrar is going to come back to verify the corrective action implementation. They will schedule a follow-up audit, which will probably take a day or so. If everything goes well and the responses to the nonconformities are verified, they should recommend the company for certification.

So once again, external audits aren't a case of pass or fail. Even if you get major nonconformities, you should address them, issue the corrective action plan, send it to the registrar, make sure they approve it, and if you do so in a very expeditious way, the registrar will be in a position to schedule a follow-up audit shortly. When they come, if they see that the nonconformities have been taken care of, they will validate the nonconformities, close them and subsequently recommend you for ISO 9001 certification.

Periodic ISO audits

Periodic audits conducted by the registrar differ slightly from initial audits. Besides the difference in audit time, the big difference is that the organization already has an ISO 9001 certificate. If the organization satisfactorily addresses all nonconformities issued, whether they are major and/or minor, the registrar will keep their ISO certificate in good standing. Failure to address minor nonconformities may result in the nonconformities being elevated to a major category. Failure to resolve major nonconformities may result in the company being put on probation, and could go so far as causing them to lose their ISO certificate.

Final words

In essence, once the organization puts into action their preventive and corrective procedures, as well as their continual improvement process to correct nonconformities generated through the internal or external audit, they will receive or continue their ISO 9001 certification. No pass or fail grades, no good or bad remarks: ISO 9001 audits are basically just a great opportunity to continually improve the organization and its quality management system.


 

ABOUT THE AUTHOR

Miriam Boudreaux, an ISO 9001, ISO 27001, QMS, ISMS and Web Specialist, is the President of Mireaux Inc., a small consulting firm headquartered in Houston, Texas.

Boudreaux has held positions as Corporate Quality Director, Senior Quality Manager and Process Engineering Manager. She successfully led her companies through ISO 9001, ISO 14001, QS 9000 and TL 9000 certifications.

Boudreaux holds a Bachelor of Science Degree in Industrial Engineering from the University of Lima and a Master of Science Degree in Industrial Engineering from the University of Houston. She is a certified QMS and certified ISMS Auditor by the Registrar Accreditation Board. She is also a Certified Quality Engineer and a Certified Quality Manager by the American Society for Quality.

Miriam has served as an examiner with the Texas Award for Performance Excellence and has been in the 2003 - 2006 award cycles. She has also participated two times as a workshop speaker at the 11th and 12th International Conference on ISO 9000 held in Orlando, Florida.

Contact her at miriam@mireauxms.com.
