8 ways to fail an ISO audit in 2024
A common word of encouragement you'll hear from colleagues when they find out that you're facing an ISO audit: "Good luck!" Of course, luck isn't a great strategy when you're facing an ISO audit.
You should prepare in every way possible so that luck won't play into the results of your ISO audit. And one of the best ways to prepare is to learn from the mistakes of others.
Too many life sciences companies find themselves failing audits because they didn't pay enough attention to common nonconformities cited in ISO audits. So, we'll review the most common pitfalls of ISO audits, so you can avoid the same mistakes.
What is an ISO audit?
An audit is a third-party measurement of your organization against the basic quality standards outlined in each of the ten clauses of ISO 9001:2015. Many ISO requirements are just a minimum standard for quality. Ideally, an auditor will uncover a few opportunities for improvement before you’re certified instead of massive quality issues.
What is an ISO auditor?
An ISO auditor is a professional who specializes in conducting ISO audits. They are trained to evaluate and assess an organization's processes, procedures and operations against industry standards. ISO auditors have the ability to identify weaknesses within the organization and provide recommendations for improvement. This can help organizations increase their efficiency and improve their customer service. Additionally, ISO auditors can provide guidance and advice on how to ensure compliance with the ISO standard.
ISO auditors aren’t trying to trip you up or find tiny little reasons to fail your organization. Effective auditors show up with a goal of understanding your quality management system (QMS) and getting the evidence necessary to prove it operates at ISO 9001:2015 standards.
8 top mistakes in an ISO audit
Neither ISO or any certifying bodies publish data about pass/fail rates for certified organizations, or the top reasons why companies fail audits. However, based on first-hand experience and FDA observation data, it's crucial to avoid the following major issues.
1. Hiding CAPAs
The single-fastest way to fail ISO is to not use your system. If your company isn’t relying on your QMS for CAPAs, you’ll raise red flags during an audit. Trying to hide CAPAs is a surprisingly common occurrence.
CAPA is, in fact, the most common warning for FDA 21 CFR 820 noncompliance by a wide margin and that holds true for ISO as well.
Often, members of the upper management team don’t want to have too many CAPAs in the QMS because they think it can complicate audits by raising red flags. In other cases, leadership teams don’t want to put dirty laundry on display by documenting non-conformances, so they’ll try to get people to take corrective action off the radar.
ISO auditors definitely don’t care how many CAPAs an organization has. A company with very few CAPAs is, in fact, an automatic red flag. An auditor wants to see that you’re using the procedures you're supposed to be using. Auditors also understand that no good plan survives its first brush with reality. The most quality-driven organizations are continually updating and improving things and document every corrective or preventive action they take along the way.
2. Lack of proof of employee training
Training requirements are covered under the Competence Training and Awareness clauses of ISO 9001. These cover activities throughout the employee lifecycle to ensure the workforce is capable.
Organizations can fall short when ISO auditors request records of employee training. You need to be prepared to prove that each employee has completed training activities and follow-up trainings. Relying on department and team leaders to track employee training isn’t enough. You need centralized record keeping.
Training completion records are critical, but they’re also not the only component of competency and awareness you need to consistently document. Preparing for an audit means documenting every aspect of employee qualifications and awareness activities, including:
- Employee work evaluations
- Training test scores
- Certifications and degrees
- Performance reviews
- Job postings
- Position descriptions
- Employee resumes
- Training attendance
- Training course agendas
3. Not performing your own internal audits
You wouldn't sit a major test without revising, brushing up and taking a look at some past papers for inspiration.
In a similar way, an ISO internal audit is one of the best ways to insulate your business from the risk of failing the real deal.
Building a robust and consistent ISO internal audit program allows you to pinpoint weaknesses, compliance gaps and areas of improvement, then get to work on them before your actual external ISO auditor arrives.
An ISO internal audit is also a good way to standardize and strengthen your internal processes, ensuring duplicated, ambiguous or redundant steps are removed and that processes are effectively governed with standard operating procedures (SOPs).
WATCH THE WEBINAR RECORDING: Audits and inspections: how to drive a standardization strategy that sticks
4. Missing management resources
Your organization will struggle to gain certification or recertification if senior management doesn’t take ISO seriously. Management is key to driving continual improvement and a quality-driven culture. When management is on board, the QMS is part of business processes instead of a side project.
ISO 9001:2015 expanded and clarified the requirements for management responsibility. Unprepared or missing management can damage your QMS in many different forms, such as insufficient resources or employees who consistently operate outside the system. This is a top reason organizations fall short of certification.
5. Ineffective CAPA processes
CAPA is a critical component of QMS requirements under ISO 9001, FDA cGMP, and other standards. CAPA isn’t just a tool to correct quality issues or prevent repeated wastes. It’s a process for continuous improvement. CAPA can and should be initiated by QC findings, internal audits, and management review. Think of it as a model for process improvement which incorporates inputs, outputs, and risks.
There are two ways to get CAPA wrong. The first, as mentioned above, is trying to hide actions. The second is not digging deep enough to identify the source of the issue.
You are probably guilty of ineffective CAPA if investigations are usually closed quickly after being assigned superficial root causes like “human error.”
Effective CAPA happens when:
- Organizations invest in resources for strong CAPA, such as linked quality processes
- The organization’s culture promotes careful investigation instead of quietly covering up problems
- The culture embraces agility and continuous improvement
- CAPAs are monitored to ensure safeguards are effective
- CAPAs are initiated for non-conformances, process issues, and other QMS issues
6. Faulty document control
Document control is the process of controlling how documents are created, maintained, and accessed within the quality management system. ISO 9001 lists clear requirements for the control of documents with significant flexibility. To pass an audit, you DO NOT have to meet any confusing standards for labeling documents.
- ISO 9001 doesn’t include a checklist of required documents which require controls.
- ISO 9001 doesn’t require a certain number of approvals for documents.
- ISO 9001 doesn’t dictate requirements for document format or labeling.
What is required under ISO 9001, then? The standards are designed to create the right balance of flexibility and control for quality-driven organizations.
- A document can include paper and electronic files in a format that makes the most sense for your organization, including documents, spreadsheets, image files, or video.
- You need some way to easily identify documents. Some organizations choose a numbering system, but you might use metadata, document titles, or tags.
- Documents need to be approved by individuals with authority each time a document is updated.
- Auditors need to be able to identify the document version to determine if the most recent copy is being distributed.
- Documents need to be accessible at the point of use. Access should be limited to protect data integrity.
Document control can be extremely challenging if you're relying on paper systems or a homegrown series of file folders in the cloud. If you’re trying to do document control on your own, there’s a fair chance your ISO audit could reveal inconsistencies in how your documents are versioned or distributed.
Document control doesn’t need to be difficult. A quality document control software with strong features for ISO-compliant document control can simplify workflows for collaborative drafting, approval, version controls, and distribution at the point of work.
7. Using the 2008 management review agenda
Internal auditors have an opportunity to catch and correct a lot of mild non-conformance with ISO 9001 before an external auditor arrives on site. ASR auditors have found management review records which used the ISO 9001:2008 agenda, instead of the updated version. In other instances, auditors uncovered management review documents that were missing entire sections, such as risk mitigation or details on actions taken.
Your internal auditor needs to be detail-oriented and working off a checklist. Internal audits are the perfect time to fix small errors in your documents, such as outdated document versions or missing information.
8. Choosing the wrong eQMS
ISO 9001:2015 includes 10 clauses which are minimum standards for a quality management system. Adopting enterprise quality management software (eQMS) isn’t strictly required under ISO or FDA cGMP, but it’s a best practice. Software can significantly simplify your compliance with ISO requirements for document control, CAPA, linked quality processes, and employee training. The keyword here is CAN. The wrong eQMS software can actually make these components harder.
There are numerous reasons why the wrong eQMS can contribute to a failed audit. In some cases, companies take a generic QMS and try to make it fit ISO 9001 standards or FDA guidance by performing customization. This can either break the software or lead to processes that almost meet requirements--but not quite.
In other instances, companies get overenthusiastic and pick the most robust eQMS their budget can buy. Unfortunately, they find out their new software requires a full-time administrator and lots of custom code, or that it’s too difficult to use.
The right eQMS provides value from day one by making it easier for you to meet ISO 9001:2015 requirements from each of the ten clauses, from linked quality processes to document control, training, and risk management. It’s robust enough to meet all the requirements and simple enough that your staff comply because it makes their jobs easier.
How to maintain a state of ISO audit readiness
How do you know that you’re ready to pass an audit? Your best bet is to maintain a continual state of audit-readiness with regular internal audit efforts. Your internal investigations should use the same criteria as ISO auditors to uncover non-conformances. Follow up tirelessly with corrective/preventive action and commit to continual quality improvement efforts. The right tools and a commitment to quality-driven culture can help you avoid ending up on the ISO audit blooper reel.