ISO 9001:2015 makes it clear that an organisation remains responsible for conformity to requirements even when processes are outsourced. Certification audits must therefore evaluate not only the organisation’s internal activities, but also the control and effectiveness of externally provided processes.
ISO 9001:2015, Clause 8.4.1 requires that the organisation ensure externally provided processes, products and services conform to requirements. The organisation must determine controls to be applied to those outsourced processes.
ISO 9001:2015, Clause 4.4.1 further requires the organisation to determine processes needed for the quality management system and their application throughout the organisation, including outsourced processes.
For a third-party certification audit, sufficient objective evidence must be obtained to demonstrate that:
Outsourced processes are effectively controlled
The organisation’s quality management system achieves its intended results
Why option C is the best decision:
Proceeding with the audit in Bolivia and including all ABC personnel and all outsourced processes ensures that the certification audit:
Covers the full scope of the QMS, including outsourced production, maintenance, procurement, and HR activities
Allows direct evaluation of how ABC controls and manages its external providers in the location where those processes are actually performed
Provides sufficient objective evidence to support a valid certification decision
Reviewing only internal audits or auditing only planning activities would not provide adequate assurance of conformity for a high-risk, core operational activity such as lithium extraction.
Why the other options are not acceptable:
A: Auditing only the Planning function would exclude core operational and support processes that are within the scope of the QMS.
B: Reviewing internal audit results alone is insufficient for a third-party certification audit and does not replace direct assessment of outsourced processes.
D: ISO 9001 explicitly allows outsourcing of processes; the organisation remains responsible for control, not prohibited from outsourcing.
ISO-aligned conclusion:
In a third-party ISO 9001 certification audit, outsourced processes that are within scope must be audited, either directly or through appropriate controls. In this scenario, auditing the outsourced processes in Bolivia is necessary to ensure a complete, credible, and compliant certification audit.
