In a certification audit, Stage 1 is a documentation and readiness review that checks whether your management system is designed and ready to be audited, while Stage 2 is the full onsite audit that checks whether the system is actually implemented and working. Stage 1 looks at the design; Stage 2 looks at the performance. Stage 1 rarely raises formal nonconformities; Stage 2 decides whether you are certified.
The two-stage structure is not a formality the certification body invented. It exists so problems get caught while they are cheap to fix, before the big, expensive, decision-making audit. Understanding what each stage is for is the difference between a smooth Stage 2 and a scramble.
What happens in Stage 1?
Stage 1 is the readiness review. The auditor's job is to determine whether you are ready for Stage 2, not to certify you. It is often shorter than Stage 2, commonly one or two days, and increasingly conducted remotely because much of it is a review of documents and records.
In Stage 1 the auditor typically:
- Reviews your management system documentation and the scope of certification.
- Checks that key required processes exist, for example your internal audit program and management review.
- Confirms you have started generating records, that the system has been running long enough to produce evidence.
- Evaluates your site and site-specific conditions, and talks with your people to gauge readiness.
- Plans the Stage 2 audit: scope, timing, and areas to focus on.
Crucially, Stage 1 normally does not result in nonconformities, because you are not yet formally claiming full conformity. If the auditor finds gaps, they are usually written up as improvement requests or areas of concern, not nonconformities. Those must be addressed before Stage 2; ignore them and they turn into nonconformities at Stage 2 that can cost you the certificate.
What happens in Stage 2?
Stage 2 is the main event: a comprehensive, onsite audit to confirm your management system is fully implemented and effective against the standard. Where Stage 1 asked "is it designed and ready?", Stage 2 asks "is it actually being done, everywhere, and does it work?"
In Stage 2 the auditor:
- Walks the floor to see how work is really performed versus how it is documented.
- Interviews employees at all levels to confirm they understand their roles and the quality policy.
- Samples objective evidence of conformity: calibration records, training logs, corrective actions, nonconformance handling, customer requirements.
- Audits each process against the standard's requirements and your own procedures.
- Records findings, including any nonconformities, and recommends a certification decision.
Findings at Stage 2 are graded. A minor nonconformity typically needs a corrective-action plan but does not block certification on its own. A major nonconformity, a whole requirement missing or a systemic breakdown, must be corrected and verified before the certificate can be granted. The certification body, not the auditor alone, makes the final decision after an independent review of the audit results.
Why are certification audits done in two stages?
Two stages exist because it is far cheaper to find a gap in a one-day document review than to fail the full audit that decides your certificate. The structure is not optional folklore, it is built into the international rules for the bodies that issue certificates.
Certification bodies operate under ISO/IEC 17021-1, the standard for bodies providing audit and certification of management systems, which requires the initial certification audit to be conducted in two stages. Stage 1 establishes readiness and plans Stage 2; Stage 2 evaluates implementation and effectiveness. This is why the process is consistent whether you are certifying to ISO 9001 an environmental standard, or a food-safety scheme: the accreditation rules behind the certificate demand it.
| Fact | Detail | Primary source |
|---|---|---|
| Two-stage requirement | Initial certification audit must be conducted in two stages | ISO/IEC 17021-1 |
| Accreditation oversight | Accreditation bodies oversee certification bodies internationally | IAF |
| What Stage 2 confirms | Full implementation and effectiveness of the management system | ASQ, ISO 9001 |
How long is the gap between Stage 1 and Stage 2?
The gap has to be long enough to fix what Stage 1 surfaced, but not so long that things drift. A common window is a few weeks to a couple of months. Under the accreditation rules, if too much time passes the certification body may have to repeat Stage 1, because the readiness picture goes stale. Practically, you want just enough time to close the improvement requests from Stage 1 and gather any missing records, then go straight into Stage 2 while the system is fresh and running.
How do you prepare so Stage 2 goes smoothly?
Most of a smooth Stage 2 is earned before Stage 1 even happens. The system has to be genuinely running, not assembled the week before, because Stage 2 hunts for evidence that it works over time.
- Run the system long enough to make records. You cannot show an effective management system with no history. Have real internal audits, a completed management review, and corrective actions on the books before Stage 1.
- Complete a full internal audit cycle. Audit your own processes against the standard first and fix what you find. An internal audit is a dress rehearsal for Stage 2 and the single highest-value preparation.
- Hold a management review. Evidence that leadership reviewed the system, its performance, and its risks is a requirement auditors specifically look for.
- Close every Stage 1 improvement request. Treat each one as a nonconformity waiting to happen. Fix it, document the fix, and have the evidence ready to show at Stage 2.
- Make sure people can speak to their work. Auditors interview operators and supervisors, not just the quality manager. Staff should know the quality policy and how their job connects to it, not recite it, understand it.
- Have evidence findable, not buried. Calibration records, training logs, and corrective actions should be retrievable in minutes. An auditor's confidence drops fast when a simple record takes twenty minutes to locate.
- Prepare an honest scope and process map. Make sure what you claim to certify matches what you actually do, so nothing at Stage 2 comes as a surprise to either side.
What happens after Stage 2?
Passing Stage 2 is not the finish line, it is the start of a cycle. Once any nonconformities are cleared and the certification body's independent review is done, the certificate is issued, typically valid for three years. During those three years the certification body returns for periodic surveillance audits, usually annual, to confirm the system is still running and improving, and a full recertification audit closes each cycle. Certification is a live commitment, not a one-time trophy, which is exactly why the system has to be genuinely lived rather than staged for one audit. A well-kept QMS platform is what keeps the evidence current between visits instead of rebuilt before each one.
What are the common mistakes going into Stage 2?
The failures repeat, and they trace back to treating certification as a paperwork exercise:
- Building the system for the audit, not the work. A binder written to satisfy an auditor, with the floor doing something different, is exposed the moment the auditor interviews an operator.
- Ignoring Stage 1 findings. Improvement requests are a free preview of Stage 2 nonconformities. Not closing them is choosing to fail later.
- No real history. A system stood up two weeks before Stage 2 has no internal audit, no management review, and no corrective actions to show. Effectiveness cannot be faked with fresh paper.
- Records nobody can find. If proving conformity means a twenty-minute filing-cabinet hunt, the auditor samples more and trusts less.
- Coaching people to recite. Staff parroting the quality policy word-for-word without understanding it reads as exactly what it is, and auditors probe past it.
- Scoping the certificate wider than reality. Claiming processes or sites you have not truly brought under the system invites findings on the parts that were never ready. Certify what genuinely runs, then extend scope later.
The through-line for both stages is the same: certification rewards a system that genuinely runs. The plants that sail through Stage 2 are the ones whose evidence, internal audits, corrective actions, training and calibration records, is a natural byproduct of daily work rather than something assembled for the visit. Capturing that evidence as structured, searchable data as the work happens, which is what Harmony does on the floor is what turns audit prep from a fire drill into pulling up records you already have. See a connected floor in our customer story and note that the readiness Stage 1 checks is itself a form of risk-based thinking: fix the gaps before they cost you.