Why Clause 4.2 Gets Audited Poorly
Clause 4.2 is one of those requirements that looks straightforward on paper but trips up auditors regularly. The standard asks organisations to identify interested parties and understand their needs and expectations. Simple enough. But in practice, most of the clause 4.2 evidence auditors encounter is a one-page list that has not been touched since the initial certification, with generic entries like customers, regulators, and employees and nothing meaningful beneath them.
On this page
That is not conformity. That is box-ticking. And as an auditor, your job is to tell the difference.
This article is a practical guide to auditing interested parties under clause 4.2 of ISO 9001, ISO 14001, and ISO 45001. The clause sits within the same High Level Structure across all three standards, so the auditing approach transfers well. Where differences exist between standards, particularly around which interested parties are prioritised, those differences are worth noting and are covered below.
What Clause 4.2 Actually Requires
Before you can audit it well, you need to be clear on what the clause demands. Clause 4.2 requires organisations to:
- Determine who the relevant interested parties are
- Determine the relevant requirements of those interested parties
- Monitor and review information about those interested parties and their requirements
That third point is the one most organisations miss entirely. The standard does not ask for a static list. It asks for an ongoing process of monitoring and review. When you sit down with a quality manager and ask how often the interested party register is reviewed, a blank look or a reference to the last management review three years ago is a red flag.
It is also worth noting that clause 4.2 does not require you to meet all interested party requirements. It requires you to determine them. Whether and how the organisation responds to those requirements is addressed elsewhere in the management system, particularly through risk-based planning in clause 6.1. The distinction matters when you are writing findings.
The Difference Across ISO 9001, ISO 14001, and ISO 45001
The wording of clause 4.2 is consistent across the three standards, but the context of each standard shapes which interested parties are most significant and what their requirements look like in practice.
ISO 9001
Under a quality management system, the most prominent interested parties tend to be customers, regulatory bodies, and supply chain partners. Customers are the obvious ones, and most organisations handle customer requirements reasonably well through contracts and specifications. The gaps tend to appear with regulators, industry associations, and internal stakeholders like employees and shareholders. Ask the organisation how they track changes in regulatory requirements relevant to their products or services. If the answer is vague, that is worth pursuing.
ISO 14001
Environmental management systems attract a broader and sometimes more politically sensitive range of interested parties. Community groups, environmental regulators, neighbours of a facility, non-government organisations, and future generations are all legitimate interested parties under ISO 14001. The 2026 revision of ISO 14001 has also strengthened the link between interested parties and compliance obligations, so the interested party register now needs to connect more explicitly to the legal register. If you are auditing an ISO 14001 system, check whether the organisation has identified interested parties who have legal standing to impose requirements, and whether those requirements have flowed through to the compliance obligations register.
ISO 45001
ISO 45001 is the one standard where a specific interested party is elevated above all others. Workers are not just one entry on a list. The standard treats worker participation and consultation as a foundational element of the system. When auditing clause 4.2 under ISO 45001, you should be asking whether workers themselves have been involved in identifying what their needs and expectations are, not just whether management has listed workers as an interested party. That distinction is significant. Auditing clause 4.2 from the perspective of worker primacy is a useful lens to apply throughout the entire OH&S audit.
Building Your Audit Approach for Clause 4.2
Clause 4.2 is a context clause, which means it feeds into almost everything else in the management system. A weak or superficial interested party determination will show up downstream in risk planning, objectives, communication, and management review. That is actually useful for an auditor, because it means you can triangulate. If the interested party register is thin, look for evidence of that thinness in the risk register, in management review inputs, and in how communication is planned.
Start With the Register
Ask to see the interested party register or equivalent document before you start interviewing. Review it for:
- Completeness. Are all plausible interested parties represented, or is the list suspiciously short?
- Specificity. Does each entry include actual requirements, or just a label like customers want quality products?
- Currency. When was the register last reviewed? Is there evidence of that review?
- Linkage. Do the requirements listed flow through to other parts of the system?
A register with fifteen entries, each with a specific requirement and a date of last review, is a much more credible document than a register with five generic entries and no review date. Neither is automatically conforming or nonconforming, but the detail tells you where to probe.
Interview the Right People
Clause 4.2 is a top management and senior leadership responsibility. The people who determine interested parties should understand the business environment, the regulatory landscape, and the strategic direction of the organisation. When you interview top management about context, clause 4.2 is a natural part of that conversation.
Ask questions like:
- How did you decide who your relevant interested parties are?
- Have any interested parties changed in the past twelve months? How did you find out?
- What are the most significant requirements from your regulators right now?
- How do you keep track of changes in what your customers expect?
Listen for specificity. Vague answers about staying in touch with the market or keeping an eye on regulations suggest the process is informal and undocumented. That is not necessarily a nonconformity on its own, but it is a prompt to dig further.
Test the Monitoring and Review Process
This is where most organisations fall short. Ask specifically how the organisation monitors and reviews information about interested parties and their requirements. Look for:
- A defined frequency for reviewing the register
- Evidence that reviews have actually happened, such as meeting minutes, version history on the document, or management review records
- A process for capturing changes, such as new regulations, shifts in customer expectations, or emerging community concerns
- Evidence that changes have actually been captured and acted on
If the register has not changed in three years and the organisation operates in a sector that has experienced regulatory change, supply chain disruption, or community pressure in that time, you have a strong basis for a finding. The standard requires monitoring and review. A static document is evidence that monitoring and review is not happening.
Common Nonconformities Against Clause 4.2
Based on real audit experience, the following are the most frequently raised findings against clause 4.2:
Incomplete Identification of Interested Parties
Organisations often identify obvious interested parties and stop there. A construction company might list clients, employees, and WorkSafe but omit subcontractors, local councils, community members near the site, and industry bodies. Whether the omission is significant depends on the context. If a subcontractor has specific safety requirements that affect the organisation's OH&S system, omitting them from the interested party register is a genuine gap.
Requirements Not Determined
Listing interested parties without capturing their requirements is only half the job. The standard requires both. An entry that says employees with no accompanying requirements is incomplete. What do employees require? Safe working conditions, fair treatment, clear communication, access to training? These are determinable requirements and they should be in the register.
No Evidence of Monitoring or Review
This is the most common finding. The register exists but there is no process for keeping it current and no evidence that it has been reviewed. If the management review minutes do not reference interested parties, and the register has no version history, the monitoring requirement is not being met.
Disconnection from the Rest of the System
Interested party requirements should inform risk planning, objectives, and communication planning. If the register lists a regulatory requirement that does not appear in the compliance obligations register or the risk register, that disconnection is worth raising. It suggests the clause 4.2 process is being treated as a standalone compliance exercise rather than as genuine input to the system.
What Good Looks Like
To calibrate your audit, it helps to know what a well-managed clause 4.2 process actually looks like. Here is a realistic example from a mid-sized manufacturing company operating under ISO 9001 and ISO 14001.
The company maintains an interested party register that is reviewed annually as part of the management review process, with ad hoc updates triggered by significant events such as new legislation, a major customer complaint, or a change in the regulatory environment. The register includes:
- Customers, with requirements drawn from contracts, specifications, and customer satisfaction data
- The state environmental regulator, with specific licence conditions listed as requirements
- Local council, with requirements relating to noise, traffic, and planning conditions
- Employees, with requirements including safe working conditions, training, and clear communication of roles
- Shareholders, with requirements around financial performance and legal compliance
- Suppliers, with requirements around payment terms and clear specifications
Each entry links to a relevant clause or process in the management system. The register is reviewed at management review, and the minutes record that the review took place and whether any changes were identified. In the most recent review, a change in a customer's environmental reporting requirements was captured and flowed through to an update in the communication plan and a new monitoring requirement in the EMS.
That is a living document connected to a real process. That is what conformity looks like.
Linking Clause 4.2 to the Rest of Your Audit
One of the most effective ways to audit clause 4.2 is to use it as a thread that runs through the entire audit. Once you have reviewed the interested party register, you can test whether the requirements identified there have actually been addressed in the system.
For example:
- If a regulator is listed as an interested party with specific legal requirements, check the compliance obligations register and the legal register to confirm those requirements are captured
- If customers are listed with quality or delivery requirements, check whether those requirements are reflected in quality objectives, customer satisfaction monitoring, and contract review processes
- If employees are listed with safety requirements, check whether those requirements have informed the hazard identification process and the OH&S objectives
- If community groups are listed as interested parties, check whether the communication plan includes external communication and whether there is evidence of actual communication
This approach turns clause 4.2 from a tick-box exercise into a genuine audit thread. It also helps you build a stronger, more connected finding if something is wrong, because you can show that the gap in interested party determination has had downstream consequences in the system.
For a broader view of how to audit the context clauses together, the article on auditing context of the organisation provides a useful framework that covers clauses 4.1, 4.2, and 4.3 as a connected group.
Writing a Finding Against Clause 4.2
If you identify a genuine nonconformity against clause 4.2, writing it clearly is important. The finding needs to state what the requirement is, what the evidence shows, and why there is a gap. Avoid vague findings like the interested party register is incomplete. Be specific.
A well-written finding might read:
Clause 4.2 requires the organisation to determine the relevant requirements of interested parties and to monitor and review information about them. The interested party register, version 1.0 dated March 2022, has not been reviewed or updated since initial certification. The register does not include the state environmental regulator, despite the organisation holding an environmental licence with specific discharge conditions. No evidence of monitoring or review of interested party requirements was found in management review records for the past two years. This represents a failure to maintain the ongoing monitoring and review process required by clause 4.2.
That finding is specific, evidence-based, and clearly linked to the clause requirement. It gives the organisation a clear basis for corrective action. For more guidance on writing findings that hold up, the article on common ISO 9001 clause 4 nonconformities covers the typical patterns auditors encounter across the context clauses.
Tips for Internal Auditors Auditing Clause 4.2
If you are an internal auditor rather than a certification auditor, the approach is the same but the dynamics are different. You know the organisation, which is both an advantage and a risk. The advantage is that you understand the context well enough to spot gaps. The risk is that familiarity can make you less critical.
A few practical tips for internal auditors:
- Do not assume the register is current just because it exists. Check the review date and compare it against known changes in the organisation's environment
- Ask colleagues in different functions who they think the key interested parties are. If their answers differ significantly from the register, that is a sign the register is not grounded in operational reality
- Use management review as a natural trigger to review clause 4.2. If interested parties are not on the management review agenda, raise it
- If your organisation has gone through a significant change, such as entering a new market, acquiring a business, or facing new regulation, check whether the interested party register has been updated to reflect that change
Preparing to Audit Clause 4.2 in a Lead Auditor Course
If you are preparing for a lead auditor course and wondering how much depth you need on clause 4.2, the answer is: more than you think. Clause 4 is consistently underestimated by candidates who focus their preparation on the operational clauses. In practice, certification auditors spend meaningful time on context and interested parties because weaknesses there cascade through the entire system.
Understanding how to audit clause 4.2 effectively, including how to test the monitoring process, how to trace interested party requirements through the system, and how to write a credible finding, is a core auditor skill. It is also the kind of practical, applied knowledge that distinguishes a good auditor from someone who has simply memorised the standard.
If you want to build that kind of practical auditing capability, the courses at Audit Workshop are designed around real audit scenarios and taught by an auditor with over 500 external certification audits behind him. The internal auditor and lead auditor courses for ISO 9001, ISO 14001, and ISO 45001 all cover clause 4.2 in the context of a full audit, not just as a standalone topic. You can explore the available courses at auditworkshop.com.








