As part of the certification body application process, organizations need to communicate their overall employee count. The employee count includes full-time employees, part-time employees, subcontractors, seasonal employees and temporary employees. From your employee count, the certification body will need to determine your organization’s effective employee count.

The number of audit days in the table above is your base time. This time can go up or down depending on your risk level and any discounts you may qualify for.

Certification bodies are allowed to allocate up to 20% of the on-site audit to off-site audit activities. This can include audit preparation activities, such as writing the audit plan and removing audit documentation, audit report writing time and closure of any nonconformances.  The maximum allocation of 20% is not typically given though, as this would eliminate any on-site report writing time that the auditor may have. What is typically seen is 10% for on-site report writing and 10% of the overall audit time allocated for off-site audit activities, such as developing the audit plan, finalizing the audit report / nonconformity reports and follow-up actions for approving corrective actions. By allocating approximately 10% of the on-site time to off-site activities, organizations can typically avoid having any additional time added for review of corrective actions. 

Some certification bodies will automatically allocate a certain amount of off-site time. Other certification bodies won’t include this initially, but may add time later if time needs to be added to close out any nonconformances.

From this base time, audit time may need to be adjusted based on the risk level.

Risk levels are generally identified as low, medium or high risk. The difference between a low risk and a high risk organization with the same employee count is approximately double in overall audit man-days.

When reviewing your quote, be sure you understand the risk level applied to your organization and that you agree with it. If for some reason you do not agree with the risk level, discuss this with the certification body to see if there is a way to provide justification to get it reduced.

Risk levels are broken down as follows: (taken from the IAF MD 5 document)

High Risk 

Where failure of the product or service causes economic catastrophe, or puts life at risk. Examples include but are not limited to: 

Food; pharmaceuticals; aircraft; shipbuilding; load bearing components and structures; complex construction activity; electrical and gas equipment; medical and health services; fishing; nuclear fuel; chemicals, chemical products and fibres. 

Medium Risk 

Where failure of the product or service could cause injury or illness. Examples include but are not limited to: 

Non load bearing components and structures; simple construction activities; basic metals and fabricated products; non-metallic products; furniture; optical equipment; leisure and personal services. 

Low Risk

Where failure of the product or service is unlikely to cause injury or illness. Examples include but are not limited to: 

Textiles and clothing; pulp, paper and paper products; publishing; office services; education; retailing, hotels and restaurants.

ISO Certification bodies are allowed discount the base audit days up to 30% of the times established from the QMS audit day table above.

The percentage discount applied is often subjective and varies. Most organizations are able to qualify for a discount in some way. An experienced consultant will be able to walk you through how to uncover any opportunities to obtain them. 

Examples for discounts may include 

• low complexity of activities, 
• maturity of management system, 
• exclusions to standard requirements (no design for ISO 9001), 
• very small site for the number of personnel, 

The potential reasons to increase or decrease audit time can be found in the IAF MD-5 mandatory document. Again, rely on your ISO Consultant to guide you through the process of getting the most competitive pricing on certification.

Audit of an integrated management system could result in increased time, but if often results in a reduction of time. When a reduction to the audit time is applied, it cannot exceed 20% from the starting point. 

In other words, if your organization is looking to get certified to multiple standards, certification bodies are able to offer discounts. Typically, the greater the integration between the standards sought, the greater the discount. 

An integrated audit assumes that an auditor, qualified in all of the standards being integrated, will conduct one audit for all applicable standards.

ISO Certification Bodies are required to use the following table when determining the reduction of audit time for an integrated audit approach:

Integration discounts and requirements are outlined in the IAF MD-11 IAF Mandatory Document for Application of ISO 17021 for Audits of Integrated Management Systems (IMS).

ISO Certification Bodies are allowed to offer up to a 20% discount for integrated standards. However, this discount only applies to each standard that is beyond the first standard. For example, if a company is getting certified to ISO 9001 and ISO 14001, the integration discount will only apply to one of those standards, not both. If a company is getting certified to ISO 9001, ISO 14001 and ISO 45001. Two out of those three standards can receive the integration discount. 

When offering an integration discount, ISO Certification Bodies are typically looking to ensure companies have a single integrated approach for the following, at a minimum:

• Documentation system, including instructions and records
• Communication
• Training / Competency
• Vendor approvals
• Policies and Objectives
• Internal audits
• Management review
• Corrective actions
• Continual improvement

The key to it all is to understand the certification body requirements so that you can receive the most cost-effective and value-added audit for your money.

So what does this all look like? Let’s take a company who is interested in getting ISO 9001 certified and let’s assume the following:

• 75 employees
• Low risk
• They do not perform design functions
• They have many employees doing the same simple task

Based on the table above, the base time for 75 employees is 6 days total for the Stage 1 and Stage 2 audit. 

The Stage 1 audit is simply a documentation review to ensure your ISO 9001 Quality Management System meets the standard requirements. In essence, it’s a readiness check to ensure you are prepared for your true ISO 9001 certification audit. 

The Stage 2 audit is your true ISO 9001 certification audit. This is where the auditor comes in and audits your processes, interviews employees and verifies records to ensure you are in conformance to the ISO 9001 standard requirements. 

The Stage 1 audit time is typically 1/3 of the overall audit time, with the stage 2 audit being 2/3 of the overall audit time. 

Based on this, without providing any discounts, the Stage 1 audit time would be 2 days and the Stage 2 audit time would be 4 days. 

Since we know this company is low risk, we don’t need to add any time to the base audit time. However, since this company is not design responsible and they have many employees performing the same simple task, we can provide a discount. Remember, the max discount allowed is 30%. Typically for a no design discount, certification bodies will provide a 20% discount.  Now, for the justification that many employees perform the same simple task, a 10% discount can be given for the full 30%. This comes out to 4.2 days. Audit days need to be rounded up to the nearest quarter day. This would bring the audit time to 4.25 days. Also, remember that up to 20% of the audit time can be allocated to off-site audit activities. This equates to 3.5 days on-site and 0.75 days off-site. When we break this down for the Stage 1 and Stage 2 audits, we typically get something like this:

Stage 1 Audit: 1 day on-site and 0.25 days off-site

Stage 2 Audit: 2.5 days on-site and 0.5 days off-site