Aug 1, 2020
The Cost of a Failed ISO Audit
In a global marketplace, international standards are essential to protecting consumers, companies, and their respective industries. The International Organization for Standardization (ISO), develops and publishes international standards to ensure products and services work how you would expect them to. With over 21,000 published standards, companies can become certified for nearly anything, ranging from quality and environmental management, to information security management.
With so many standards to be certified against, companies must choose the standard(s) they wish to be audited against appropriately and must prepare accordingly. Failure to do so could have varying ramifications and incur unnecessary costs. In this article, we discuss what happens in the case of a failed ISO audit, the consequences of non-compliance and the steps you can take when preparing for an ISO audit.
What Happens If I Fail an ISO Audit?
When companies fail their ISO audit, they have some extra steps to take before re-assessment. Depending on the severity of non-compliance, some businesses would need to make more adjustments than others resulting in additional spending. Depending on the level of non-compliance, re-assessment can cost as much as 60% of the original assessment.
Areas of non-compliance can be classified by severity:
Opportunity for improvement: singe lapse or isolated incident. This will not prevent certification but should be addressed to maintain compliance
Minor nonconformity: failure to completely comply with a requirement which is not likely to result in management system failure. This can prevent certification or re-certification but usually only if there are other areas of nonconformity
Major nonconformity: absence or total breakdown of a system designed to address a requirement, or several minor non-conformance related to the same requirement. This usually prevents certification
Fortunately, there is no direct penalty to a business when they are deemed non-compliant, but there are other potential repercussions. An ISO certification may be an industry or client specific requirement and failing to acquire it may have a lasting knock-on effect when getting to market.
After failing an ISO audit, a business will be given detailed information about the reasons for failure and actions required to address these reasons. This information identifies areas of nonconformity and should be used a guide for areas address before a follow-up or fresh audit.
Consequences of a Failed ISO Audit
The immediate consequences of a failed ISO audit are related to the cost of addressing areas of non-compliance. Most business that attempt ISO certification continue to do so after an audit failure, so the impact of failure depends on the action required to address non-conformances.
However, there are other risks from major conformances that prevent certification such as:
Regulatory noncompliance: business that operate in regulated industries may be required to have an ISO certification to operate
Service delays: services that depend on compliance may need to be delayed, or resources used to deliver services diverted to address areas of noncompliance. Delays in bringing products or services to market can be significantly costly
Reputational damage: not achieving or losing ISO certification can damage a business' reputation. Clients may be reluctant to do business, talent may be harder to recruit and internal morale may be affected
Common ISO Standards
ISO 9000: Built for organizations looking to improve the quality of their products or services, the ISO 9000 family addresses various aspects of quality management and contains some of ISO's best-known standards.
ISO 27001: Enables organizations of any kind to manage sensitive information. ISO 27001 provides companies with a framework to follow when creating and managing an information security system.
ISO 14000: Sets out criteria for an effective environmental management system and is designed for any type of organization. Measure and reduce your environmental impact while providing assurance to management, employees, and stakeholders
Preparing for ISO audits
ISO audits are extensive and thorough tests of compliance. They can also become relatively expensive depending on factors such as the scope and complexity of the audit and the size of the company. ISO 27001 for example, on average, companies can expect the certification process to cost $80,000 USD. With that in mind, it is crucial to be properly prepared to minimize the chance of failure. We have compiled a few steps you can follow when preparing for an ISO audit:
Initial preparations: to understand the ISO standard, access available guides and the standard itself, which is available to purchase. An ISO champion should then be appointed to lead the internal process. This champion can be appointed internally, or an expert can be recruited for the task.
Familiarizing the business: communicate the value of ISO certification to employees to involve them in the process from the beginning. This ensures buy-in and commitment across the organization.
Information security management: ISO certification is an organization-wide process which should be managed by senior leaders. Management should review objectives, policies, and critical areas of action to align the certification process with business goals.
Assessment and analysis: Gap analysis and risk assessment should be performed at the early stages to set the scope of implementation. It should assess risks, controls, and security vulnerabilities. This will act as a benchmark to measure progress and identify key areas of action. It also forms the basis a quality management system which is key requirement for certification.
Conduct an internal ISO audit: after actions, controls and quality management processes have been implemented, an internal audit should be conducted to test the business' preparedness. This will identify areas of non-compliance to address before an external audit. The audit can be conducted by an in-house auditor or a third-party expert.
Address the gaps: address any areas of non-compliance identified by the internal audit and repeat the process if required
The ISO audit process
ISO external audits are conducted by independent certification bodies, and consist of two stages:
Stage 1 audit: the first stage of the audit is a documentation review, where the auditor reviews processes and policies for compliance with the ISO standard. It is essentially a pre-assessment, where the auditor completes a high-level review of the business' ISMS
Stage 2 audit: the second stage is the certification audit, where the auditor conducts a thorough on-site assessment to establish whether the organization is compliant with ISO standards. The auditor will look for evidence that the organization is following documentation they reviewed in the first stage. The auditor will also review their checklist and provide direction about any areas of non-compliance. If the auditor determines the organization is compliant, they will recommend ISO certification
How to Manage ISO Audits
When it comes to managing your ISO audit(s), there are a range of software tools and third-party services that can help you throughout the process. Depending on the size of your company and scope of the project, tools are used in tandem with external experts.
Software tools: ISO audits require extensive documentation and evidence to demonstrate compliance to external auditors. ISO audit software can manage the control and review of audit-related documentation
Government, Risk and Compliance (GRC) software that integrates with quality management systems and other controls, to streamline information security processes. Most tools can integrate with existing systems and monitor information security from a single, centralized platform. They monitor and produce regular reports on critical areas from a centralized platform.
External consultants: expert consultants can guide businesses through the ISO certification process from start to finish. Consultants can be used to conduct assessment and risk analysis to identify areas of concern, assist in implementation of compliant processes and conduct internal audit to ensure compliance.
Summary
Becoming ISO compliant is a thorough process that demonstrates the recipient's commitment to improving quality, consistency, or security. Companies who are ISO certified will have successfully implemented industry best practices and can provide their partners and stakeholders with the assurance they require. Companies that have failed an ISO audit can repeat the certification process but may feel the financial and reputational repercussions. Fortunately, companies have multiple resources and tools at their disposal to decrease cost and reduce the chances of failing an audit.