Calculating Audit Time

How do you determine the number of audit days needed for an organization?

On the path to ISO certification or accreditation, you will undergo external audits by your selected registrar (certification or accreditation body). Audit time is determined by the size, complexity, risk, and nature of an organization. An accredited registrar will use the guidelines and requirements set forth by the International Accreditation Forum (IAF) to consider these factors and determine time required to audit clients.

The ISO 17021:2015 table below represents the guidelines provided by IAF to be used for calculating Audit Days based on number of employees.

When complexity, risk, and nature of the organization being audited are factored into the equation, the audit time listed in this table may be adjusted. IAF provides additional guidelines and requirements for considering these factors.

Every certification or accreditation body will have their own process for determining audit time, but will need to account for these factors based on IAF requirements to maintain accreditation.

Audit time may fluctuate between the initial, surveillance and re-certification audits. A certification/accreditation body could determine after an initial audit that more or less time is required for the surveillance audit.

Audit time may include remote auditing techniques such as web meetings, teleconferencing, and electronic verification of the client’s processes. This is not uncommon for certification and accreditation bodies, especially for stage one audits.