After careful planning and diligent preparation, an organization is ready to achieve the goal of ISO certification. A certification body sends an auditor to verify that the organization’s management system is in place along with all necessary components: documentation, records, processes, etc. The auditor also compares how the main processes are functioning in practice with how they are described in the documentation. Upon verifying that nothing is missing and everything is working as it should, the auditor certifies the organization for a period of three years. Personnel who played key roles in achieving certification give one another a well-deserved pat on the back for reaching this key milestone.
At this point, the organization must resist a tendency to relax because, over the next three years, the certification body will be conducting a different kind of audit at regular intervals: a surveillance audit.
As the purpose of the certification audit was to verify that the organization initially qualified to become certified, subsequent surveillance audits will verify that the organization continues to be qualified to remain certified. By certifying an organization, the certification body is guaranteeing that the organization’s management systems will remain in place and continue to function during the entire three-year certified period. Thus, the certification body is actually obligated to check in at regular intervals, typically annually. If an organization becomes certified in January, for example, it can usually expect a surveillance audit each January for the next two years. After the third year, a recertification audit, instead of a surveillance audit, will be conducted, since the organization’s certification will then have expired.
The initial certification audit is limited in its ability to meaningfully evaluate how well a management system’s processes are working. These processes are new, perhaps only weeks old, and thus do not offer much useful data. The certification audit also has a broad focus, as auditors examine the documentation and implementation of each process of a given management system to verify compliance. This comprehensive approach leaves nothing out but also gives little emphasis to any particular process.
A surveillance audit provides an opportunity to focus more closely on results. Do the processes actually work, or not? At least a year’s worth of data is now available to give a much clearer picture. The surveillance audit will dig for answers to the following questions:
- Is the management system still operational and effective?
- Is compliance with the standard still being maintained?
- Is continual improvement being achieved?
- If the certification audit revealed any areas of concern, what is their status now?
To answer these questions, the surveillance auditor has the flexibility to focus on those portions of the management system that are most telling.
Internal audits are the obvious tool to prepare for a surveillance audit. An internal audit should make it readily apparent whether or not a management system is still operating effectively, as well as verify that it continues to conform to its ISO standard. The internal audit can also identify improvement initiatives and their supporting documentation. And an internal audit should reference any areas of concern from the initial certification audit to make sure that these have been properly addressed.
As surveillance audits demonstrate, achieving ISO certification is merely the beginning of a long-term project. While this will require ongoing work, it also helps to ensure that an organization continues to realize the benefits of its management system.