AS9100 Audit Types and How They are Executed

There are two main categories of audits: internal and external. Audits are a key component for becoming ISO certified and you must have internal auditors and be audited by external parties in order to become AS9100 certified. Below we will break down the different ways audits can be conducted and discuss internal, external, and certification audits.

The three ways audits can be conducted are:

• On-site audits are performed in full days. The number of days needed for an audit depends on several factors including size, complexity, risk, and nature of an organization. The International Accreditation Forum (IAF) has provided guidelines for registrars to calculate audit time.
• Remote audits may be performed via web meetings, teleconferencing or electronic verification of processes. Remote audits are less common and typically not as effective as on-site audits.
• Self-audits do not always mean an internal audit. A self-audit can be requested of your customer to eliminate the need for them to use their resources and still offer some assurance that you are meeting requirements.

Audit Types

Internal audits are audits that are performed by your organization and are a self-examination of your organization’s QMS, performed on-site. Internal audits have many benefits including preparing your organization for external audits. The internal auditor must be independent of the area being audited to ensure objective results. (It is recommended to have more than one auditor to ensure no one is auditing his or her area of responsibility.) Internal audits are an AS9100 requirement, and they are critical to the success of your QMS. (We offer internal audit training to ensure your internal auditors are able to perform an effective internal audit as well as an audit checklist to help guide your internal auditors on covering all areas of your QMS.)

Internal audits will be used to assess conformity, evaluate effectiveness, and identify opportunities for improvement. When you perform an internal audit, you will be able to compare your quality management system to the requirements and understand if there are any non-conformances. This will allow you to correct your QMS and ensure that your organization will meet the requirements for the external auditor and allow for certification.

External audits include customer, supplier, certification, and surveillance. A customer audit is where an existing, or potential customer, audits your organization to verify you can or are meeting their requirements. If you are auditing an existing or potential supplier, we consider this a supplier audit. Supplier audits can be one of the methods used to meet the requirements around control of external providers (AS9100 Rev D Section 8.4).

A certification audit is the audit your selected registrar will conduct to verify conformance against the AS9100 standard before they issue your official AS9100 certificate. Certification audits are most often broken into two stages. Stage one audit is performed to determine an organization’s readiness for stage two of the audit. Stage one is oftentimes conducted remotely in order to not spend additional costs on travel. If the auditor determines you meet the minimum criteria for the stage one audit, your organization will proceed with the stage two audit. Stage two audits will always be on-site audits. This is where the auditor will interview your staff and review your documented information (procedures, records, etc.) to verify you are meeting all the AS9100 requirements. Certification audits are typically conducted every three years. 

It is important you understand the scope of your QMS. A common reason for failing a certification audit is that organizations exclude areas of the management system which they do not perform in-house.

After certification, your registrar will check-up on you periodically using surveillance audits to verify you are still upholding your QMS and the ISO requirements. Surveillance audits are very much like certification audits, with the exception that they are not issuing or re-issuing a certificate. These are typically conducted by your registrar annually.