Certification Audit Requirements

Certification audit requirements define the procedural, documentary, and competency-based conditions that an organization or product must satisfy before a conformity assessment body issues a formal certificate. These requirements span initial stage audits through ongoing surveillance and recertification cycles, and they apply across management system, product, and personnel certification schemes. Understanding the structural anatomy of audit requirements is essential for any organization navigating accredited certification under frameworks such as ISO/IEC 17021-1 or sector-specific federal programs.


Definition and scope

Certification audit requirements are the minimum conditions — procedural, evidentiary, and competency-based — that a conformity assessment body (CAB) must apply when evaluating whether a client organization's management system, product, or personnel meets a defined standard or normative document. The scope of these requirements is governed by the accreditation framework under which the CAB operates, the normative standard being certified against, and any sector-specific overlays imposed by regulators or scheme owners.

At the international level, ISO/IEC 17021-1:2015 (Requirements for bodies providing audit and certification of management systems) establishes the foundational audit process requirements for management system certification bodies. In the United States, accreditation bodies such as ANAB (ANSI National Accreditation Board) and A2LA (American Association for Laboratory Accreditation) enforce conformance to ISO/IEC 17021-1 as a condition of granting accreditation to CABs. Federal programs add additional layers: the Department of Defense's CMMC program, FDA's Quality System Regulation under 21 CFR Part 820, and USDA's National Organic Program each impose audit requirements that extend beyond baseline ISO frameworks.

The scope of a certification audit is not coextensive with the scope of the standard itself — it is bounded by the specific activities, sites, and processes the client organization has declared within the boundaries of its scope of certification. Any activity outside that declared scope is outside the audit's jurisdiction unless a scope extension is formally requested and evaluated.


Core mechanics or structure

A certification audit under ISO/IEC 17021-1 follows a sequenced structure divided into two mandatory stages for initial certification, followed by recurring surveillance and recertification cycles.

Stage 1 audit functions as a readiness review. The auditor examines the organization's documented management system, evaluates site-specific conditions, and assesses whether the client is prepared for Stage 2. ISO/IEC 17021-1, clause 9.3.1.2, specifies that Stage 1 must review the client's understanding of the standard's requirements, including key performance indicators and significant aspects, processes, and objectives. The Stage 1 report identifies any areas of concern that could constitute a nonconformity at Stage 2 and informs the audit plan timing — the gap between Stage 1 and Stage 2 must be sufficient for the client to address identified weaknesses, though no minimum period is mandated by the standard.

Stage 2 audit evaluates implementation and effectiveness. Auditors verify that documented processes are operationally active, that internal audits have been conducted, and that management review has occurred per the standard's requirements. Stage 2 must be conducted on-site unless the CAB can demonstrate that remote audit techniques provide equivalent confidence — a criterion tightened following guidance issued by the International Accreditation Forum (IAF) in IAF MD 4 (Use of Computer Technology in Auditing).

Surveillance audits occur at defined intervals — ISO/IEC 17021-1 requires at least one surveillance audit within 12 months of certification for three-year certification cycles. These audits do not re-examine all system elements; they focus on performance of key processes, internal audit results, complaint handling, and progress on previously identified nonconformities. The cycle of surveillance audits and recertification creates a continuous evidence trail between initial certification and the three-year recertification audit.

Recertification audits renew the certification cycle and require a full system audit — not a partial review — to confirm sustained conformance and continued suitability of scope.


Causal relationships or drivers

Audit requirements at their present level of specificity emerged from documented failures in conformity assessment. The International Accreditation Forum's analysis of systemic certification failures — particularly in food safety (ISO 22000) and automotive quality (IATF 16949) — identified inadequate audit time calculation as a primary driver of superficial auditing. IAF MD 5 (Calculation of Audit Time) addresses this by establishing minimum audit time formulas based on employee count, shift patterns, and complexity multipliers, with reductions in audit time capped at 30% for multi-site sampling (IAF MD 5:2019).

Regulatory pressure is a second driver. In sectors where certification underpins regulatory compliance — such as ISO 13485 for medical device quality management under FDA oversight, or AS9100 in aerospace under FAA supplier requirements — the consequences of audit failure extend beyond loss of certificate to potential enforcement action. The FDA's Quality System Inspection Technique (QSIT) framework, referenced in FDA's Compliance Program Guidance Manual 7382.845, directly parallels the element-based audit approach in ISO/IEC 17021-1, creating alignment pressure on CABs auditing medical device manufacturers.

Market access drivers compound regulatory ones. The European Union's CE marking requirements for regulated products reference EN ISO/IEC 17021-1 via the New Legislative Framework, making accredited certification a market access prerequisite in product categories from pressure equipment to personal protective equipment. Organizations seeking EU market access face audit requirements that are simultaneously voluntary (no criminal penalty for non-certification in many categories) and functionally mandatory (no market entry without the mark).


Classification boundaries

Certification audit requirements divide along two primary axes: the object of certification, and the regulatory versus voluntary character of the scheme.

Management system audits (governed by ISO/IEC 17021-1) evaluate whether an organization's processes conform to a systems standard — ISO 9001, ISO 14001, ISO 45001, ISO 27001, or similar. The audit object is the system, not a product or person.

Product certification audits follow ISO/IEC 17065 (Requirements for bodies certifying products, processes, and services) rather than ISO/IEC 17021-1. Audit mechanics differ materially: product certification typically combines type testing with factory production control audits, and the certificate attaches to a product model or batch rather than an organization's system. For a detailed breakdown, see the comparison of product certification and management system certification.

Personnel certification follows ISO/IEC 17024 and involves examination-based assessment rather than site audits in the conventional sense, though surveillance of certified persons may include workplace observation.

The regulatory-versus-voluntary axis creates a second classification boundary. Regulatory certification schemes — such as CMMC Level 2 under 32 CFR Part 170, or organic certification under 7 CFR Part 205 — impose audit requirements set by federal regulation, not solely by the standards body. Voluntary schemes derive their audit requirements exclusively from the normative standard and the CAB's accreditation obligations.


Tradeoffs and tensions

The core tension in certification audit design is between audit depth and audit efficiency. IAF MD 5 minimum audit times create a floor, but CABs operating in competitive markets face pricing pressure that can translate into auditor pressure to compress preparation, travel, and documentation review time without violating the minimum. Accreditation bodies conduct witness audits and file reviews precisely because this pressure is structurally predictable.

A second tension arises between auditor independence and auditor competence. ISO/IEC 17021-1 requires that audit team members have sector-specific technical competence for complex industries (aerospace, nuclear, medical devices). However, the pool of auditors who are both sector-competent and free from conflicts of interest with large industry players is finite. CABs operating in niche sectors must document impartiality analyses for every audit assignment — a requirement elaborated in the impartiality requirements for certification bodies.

Remote auditing creates a third fault line. IAF MD 4 permits remote techniques for portions of audits, but physical observation of production processes, infrastructure, and workplace conditions cannot be fully replicated by video. Scheme owners for construction safety, food processing, and manufacturing certification have issued sector-specific restrictions on remote audit proportions, creating an uneven patchwork across schemes.


Common misconceptions

Misconception: Passing a Stage 1 audit means an organization is certified.
Stage 1 is explicitly a readiness review, not a conformance determination. ISO/IEC 17021-1, clause 9.3.1.1, states that Stage 1 findings do not constitute a certification recommendation. Certification can only follow a completed Stage 2.

Misconception: A certificate covers all of an organization's operations.
Certificates cover only the scope declared and audited. An ISO 9001 certificate for a manufacturer's production facility in Ohio does not cover that same company's distribution warehouse in Nevada unless that site is explicitly included in the certified scope and audited accordingly.

Misconception: Surveillance audits are optional between recertification cycles.
ISO/IEC 17021-1, clause 9.6.1, mandates surveillance at planned intervals not exceeding 12 months from the certification date (for 3-year cycles). Failure to complete a required surveillance audit results in certificate suspension under clause 9.6.5, not a simple administrative lapse.

Misconception: An accredited certificate from one body is automatically recognized by all regulators.
Accreditation scope and regulatory recognition are distinct. A CAB may be ANAB-accredited for ISO 9001 but not recognized by the FDA's Accreditation Scheme for Conformity Assessment (ASCA) for medical device quality systems, which requires separate recognition under 21 CFR Part 820 criteria.


Checklist or steps (non-advisory)

The following sequence describes the structural phases of an initial management system certification audit under ISO/IEC 17021-1. This is a process description, not a prescription for any specific organization's preparation activities.

  1. Application and contract review — The CAB receives the client's application, confirms the standard and scope, verifies no conflict of interest exists, and issues a certification agreement.
  2. Audit program determination — Audit time is calculated per IAF MD 5 using employee count, site complexity, and any applicable sector-specific multipliers.
  3. Audit team assignment — Auditors are assigned based on documented competence for the sector; impartiality review is completed per ISO/IEC 17021-1, clause 9.1.4.
  4. Stage 1 audit execution — Document review, site evaluation, and readiness assessment are performed; a Stage 1 report is issued identifying concerns before Stage 2.
  5. Stage 1 to Stage 2 interval — The interval is set based on Stage 1 findings; the audit plan for Stage 2 is finalized.
  6. Stage 2 audit execution — On-site evaluation of system implementation, internal audit records, management review records, and operational controls is conducted.
  7. Nonconformity classification — Findings are classified as major or minor nonconformities per the CAB's documented criteria; major nonconformities require corrective action before certification can be recommended.
  8. Certification recommendation — The audit team lead submits the audit report and recommendation to the certification decision function, which must be independent of the audit team per ISO/IEC 17021-1, clause 6.2.
  9. Certification decision — A person or panel with no involvement in the audit makes the certification decision; a certificate is issued with defined scope and expiry.
  10. Certificate issuance and registration — The certificate is issued, the organization is registered in the CAB's publicly accessible database, and the first surveillance audit date is scheduled.
  11. Surveillance cycle — Surveillance audits are conducted at intervals not exceeding 12 months; findings are tracked against the certification record.
  12. Recertification audit — Conducted before certificate expiry, covering the full management system; if completed without major unresolved nonconformities, a new three-year certificate is issued.


Reference table or matrix

Audit types under ISO/IEC 17021-1:

Audit Type           | Governing Clause          | Frequency                                    | Scope Coverage                          | Output
---------------------|---------------------------|----------------------------------------------|-----------------------------------------|------------------------------------------
Stage 1 (Initial)    | ISO/IEC 17021-1, §9.3.1   | Once, before Stage 2                         | Readiness review; documentation focus   | Stage 1 report; Stage 2 plan
Stage 2 (Initial)    | ISO/IEC 17021-1, §9.3.2   | Once, per certification cycle                | Full system implementation              | Audit report; certification recommendation
Surveillance Audit   | ISO/IEC 17021-1, §9.6.1   | ≥1 within 12 months of cert date             | Targeted key processes                  | Surveillance report; nonconformity tracking
Recertification Audit| ISO/IEC 17021-1, §9.6.2   | Every 3 years                                | Full system re-evaluation               | New certificate or suspension
Special Audit        | ISO/IEC 17021-1, §9.6.4   | Triggered by complaint or significant change | Scope-specific                          | Audit report; potential scope revision
Transfer Audit       | CAB-specific procedures   | Upon client transfer from another CAB        | Prior certification records + gap audit | Reissued certificate or new audit required

Standards and their audit governance in the United States:

Standard/Framework           | Audit Governance Document                | US Accreditation Body           | Primary Sector
-----------------------------|------------------------------------------|---------------------------------|--------------------------------
ISO 9001:2015                | ISO/IEC 17021-1:2015                     | ANAB, A2LA                      | General manufacturing, services
ISO 14001:2015               | ISO/IEC 17021-1:2015                     | ANAB                            | Environmental management
ISO 45001:2018               | ISO/IEC 17021-1:2015                     | ANAB                            | Occupational health and safety
ISO 27001:2022               | ISO/IEC 17021-1:2015                     | ANAB                            | Information security
ISO 13485:2016               | ISO/IEC 17021-1 + FDA ASCA criteria      | ANAB (ASCA program)             | Medical devices
IATF 16949:2016              | IATF-specific rules + ISO/IEC 17021-1    | IATF-approved bodies            | Automotive
AS9100 Rev D                 | SAE AS9104/1                             | IAQG OASIS-registered bodies    | Aerospace
USDA Organic (7 CFR Part 205)| USDA NOP regulations                     | USDA AMS-accredited certifiers  | Organic agriculture