Module 5: Audit Models and Structures – Team-Based and Site-Based Certification Approaches #
Audit Models for ISO Certification: Team-Based vs Site-Based Structures #
Audit Types Based on Audit Team or Scope
1. Joint Audit #
Definition:
An audit conducted by two or more certification/auditing bodies on a single auditee.
Characteristics:
- Common, when a client is subject to certification by multiple CBs.
- Each auditing organization assigns its own auditors.
- May be due to cross-border certifications or accreditation requirements.
Example:
A Malaysian site is certified by both a local CB and an international CB (e.g. DQS and TÜV SÜD) for different markets. They conduct the audit jointly to save time and ensure consistency.
Benefits:
- Reduces duplication
- Harmonizes results from multiple CBs
- Better coordination in international or regulatory contexts
2. Combine Audit #
Definition:
An audit where two or more management systems are audited together at the same time, but with individual outputs (i.e. reports and certificates).
Characteristics:
- Systems are not fully integrated.
- Audit is conducted simultaneously, reducing audit burden.
- Results are documented separately.
Example:
A plantation is audited for ISO 9001 and ISO 45001 at the same time, but gets two separate reports and two certificates.
Benefits:
- Saves time and cost
- Allows partial integration of systems
- Flexibility in certification timelines
Limitation:
- Duplication in documentation and audit findings
- No synergies between systems beyond scheduling
3. Integrated Audit #
Definition:
An audit of a fully integrated management system covering multiple ISO standards, resulting in one report and one certificate.
Characteristics:
- One management system aligned to multiple standards.
- Audit planning, execution, findings, and reporting are fully integrated.
- Integrated audit team reviews common and standard-specific requirements in a unified way.
Example:
An organization integrates ISO 9001, ISO 14001, and ISO 45001 into a single management system and undergoes an integrated audit covering all requirements in one go.
Benefits:
- Unified system improves consistency and efficiency
- Single point of control
- Reduces redundancies in processes and documentation
Limitation:
- Requires strong internal alignment of processes and documentation
- Audit complexity increases, requiring multi-skilled auditors
Audit Types Based on Organizational Structure
4. Single-Site Audit #
Definition:
An audit performed on an organization operating from a single location, where all processes are implemented.
Characteristics:
- All departments and processes under one physical or virtual roof.
- Simpler audit scope and planning.
- Often seen in SMEs or local companies.
Example:
A logistics company operating only from a central warehouse in Selangor is audited for ISO 9001.
Benefits:
- Easier audit planning
- Direct engagement with all functions
- Lower complexity
Limitation:
- May not reflect scalability or diversified operations
5. Multi-Site Audit #
Definition:
An audit of a multi-site organization under a single management system, coordinated by a central function, with multiple permanent/temporary/virtual sites.
▪️ Multi-Site Without Sampling #
All sites are audited.
Used when:
- Sites perform different processes
- Sector or regulatory requirement exists
- Client requests it
Example:
A manufacturing group has different factories (e.g. electronics, plastics, metalwork), each with unique processes.
Benefit: Full visibility
Limitation: Higher cost and effort
Multi-Site with Sampling #
Selected sites are audited based on similarity and sampling logic (as per ISO/IAF guidance).
Conditions:
- All sites operate under one management system.
- Sites perform similar activities (e.g. same SOP, same risk profile).
- Central function must manage the whole system.
Sampling Calculation:
Uses √n formula or per DQS table (e.g., 9 sites = audit 3)
Example:
Retail chain with 25 stores across Malaysia; 5 sampled annually, central HQ audited every year.
Benefits:
- Efficient
- Representative of the system
- Lower audit cost
Limitation:
- Not allowed in IATF 16949, AS9100, etc.
- Not suitable if site variability is high
Additional Multi-Site Variant:
| Type | Description |
| Extended Site | E.g., warehouse or lab nearby to main site, not performing core processes. Treated as part of parent site. |
| Campus Site | Multiple units on same premises with different addresses. Can be grouped as one site. |
| Virtual Site | Fully online operation (e.g., design company in cloud environment). Treated as a single virtual site. |
| Unmanned Site | Not permanently occupied (e.g., satellite monitoring station). Tied to parent site for audit purposes. |
| Temporary Site | E.g., construction site for a limited time. Audited if significant to scope. |
Summary Comparison Table #
| Audit Type | Auditing Entities | Management System | Sites Covered | Report/Certificate |
| Joint Audit | Multiple CBs | One or more | One auditee | Separate reports or joint |
| Combine Audit | One CB | Separate systems | One location | Separate reports/certs |
| Integrated Audit | One CB | Integrated system | One or more sites | One report/certificate |
| Single-Site | One CB | One system | One location | One report/certificate |
| Multi-Site | One CB | One system with CF | Multiple sites | One certificate + annex |