1 September 2025

Certification audits are essential for companies to demonstrate their compliance, credibility, and continual improvement against recognized standards.

This can be a daunting prospect, and the mere thought of an audit can be enough to discourage businesses from seeking certification altogether. However, by preparing the right information and involving the right people, you can avoid the headache, strengthen your policies and procedures, and show your commitment to quality and continuous improvement.

For this insight, we invited three Control Union auditors for a roundtable discussion about the certification process and to best prepare for an audit. The participants are:

Peio Bachelet, Control Union France, Auditor for Bio energies, Carbon, and Agriculture
Rohitha Wickramasinghe, Control Union Sri Lanka, Auditor
Asiri Perera, Control Union Gulf Auditor for BRCGS, FSSC 22000, ISO 22000, 9001, 45001, GMP+FSA, HACCP, and sustainable tourism standards

What is the certification audit process?

Rohitha: “Firstly, we would arrange your audit date and a proposed audit plan. Advanced notice is normally around 2-4 weeks.”

Asiri: “However, surveillance or unannounced audits may also occur based on the certification scheme requirement.”

Peio: “In the scenario of a pre-arranged audit, the proposed audit plan enables you to consolidate all the necessary elements and involve the relevant operators within your business.”

Rohitha: “The audit itself is split into 2 stages, and takes around 1-3 days to complete, depending on the size of the company, number of sites, FTE, and certification scope. Stage 1 audits the adequacy of documented information and readiness for certification. If you are successful in this stage, 2-3 weeks later, you will undergo a Stage 2 Audit. At this stage, we would review your documentation, inspect your site, and interview your staff. If you are successful, you’ll receive a recommendation for certification. If not, we arrange a follow-up audit with you to allow you to make the necessary changes.”

Asiri: “The report from a successful audit, where certification is granted or maintained, may contain observations or minor non-conformities that require correction. However, an unsuccessful audit report will list critical major non-conformities, which you must address before a follow-up audit. It’s worth noting that some standards don’t allow for a follow-up audit within 6 months of the initial audit.”

Who needs to be involved from the client side to ensure a swift certification audit?

Peio: “Every operator involved in any part of the standard should participate in the audit. Generally, quality personnel are responsible for implementing certification systems, but support from commercial, operational, and management departments will always be beneficial to the smooth running of a constructive audit.”

Asiri: “That means top management, your compliance manager, and department heads should be getting involved.”

Rohitha: “Plus, some businesses have a scheme manager. For example, for a Quality Management System (QMS), this may be the Quality Head/Manager. For Information Security Management Systems (ISMS) or Privacy Information Management System (PIMS), this could be the Technical Manager.”

Asiri: “Whoever takes on the responsibility for the audit, they’ll need around 4-8 weeks of preparation time ahead of the audit. The actual timeframe will heavily depend on the complexity of the certification and the organization’s size, but you must allow sufficient time for internal reviews; staff briefing and training; and document preparation.