What Value Do You Get From an External ISO Audit? Certification Body Speaks

Posted by Craig Thornton

You are often looking at certification to ISO standards from your own point of view.

However, we get audited by an organisation called a Certification Body (CB). What are their views on ISO certification? What value do we get from them?

In this video series we are going to look at certification from the CB's point of view.

We were lucky enough to have Leon Michailidis from Equal Assurance join us at our annual Mango Partner Conference in Perth this year. He discussed some interesting topics around auditing.

In this first video of the series, Leon addresses how value can be added to the audit process.  He looks at two aspects; the process approach, and auditor competence.



Process Approach

One of the hot topics around certification at the moment is the process approach.

Some people may be familiar with Annex L. This is the high-level management system structure, which was established by ISO to drive consistency across all management system standards. 

Leon is an engineer by trade, so he didn't see anything else but process.

So, when Annex L, he "felt like this was being told how to breathe" – he didn’t understand why no one understood it.

But what he's learnt now is that you’ve got process drivers and requirement drivers. When he gets audited by JAS-ANZ as an accredited body, you need to map both drivers in a matrix.  For example, competency is a process driver and design is a requirement driver. Workplaces don’t always have separate buckets where competencies go in one section, and design processes go in another. All they do is do work to transform inputs into outputs, with certain flows around how that occurs. Because of this, it’s a challenging matrix to match process with requirements. 

Using the example of a process to on-board a new employee. The process could be:

  • Pre-employment medical
  • Employee arrives
  • Induction conducted 
  • Payroll and admin sorted
  • Buddy training commences

As you are going through these stages, you have to be mindful that there’s a requirement for awareness, a requirement for internal communications, and a requirement for competency and training.

As you are flowing through that process, you have to be checking the requirements. 

This is hard for requirement based auditors. It is hard for the tick-and-flick auditors that turn up and say “show me your policy, management review, and internal audit”. 


Auditor Competence

Auditor competence is another hot topic within certification at the moment.

All the management standards that govern us, are dealing with competence for quality, health & safety, environment, food safety and more. 

There is a stronger focus on the technical knowledge. So for example, with food safety, it's not just knowing the processes but having technical knowledge in sectors such as biological impacts, and pathogens.

The other area Leon discusses is the expectation that the CB Auditor has business acumen.

If you look at the more traditional auditor, you might have a welding inspector that thought “This QA stuff isn’t bad”.  Who then got qualified, got a job in the QA department, became an auditor, and then looked into the safety side of stuff. Then 10 years later, you have this person who has become an auditor, but how much business experience do they have? Can they read a balance sheet? Can they stand up in front of 200 people and talk about leadership? 



  1. The Process Approach is driven by Annex L
  2. JAS-ANZ has an expectation for the process approach 
  3. The Process Approach to certification can be difficult for requirement-based auditors
  4. Auditor competence means there is now a stronger focus on technical knowledge 
  5. Business Acumen is starting to be an expectation for the top end client 

Tags: ISO 9001 certification, ISO 27001 Certification, ISO Certification, Certification Body, process approach