What Auditors Look for in an ISO 9001 Quality Management System

Dilawar Laghari

Lead Auditor and Trainer (12 min read)

When an external certification auditor or internal audit team walks into your organisation to assess ISO 9001 compliance, they are not looking for perfection. They are looking for evidence that your quality management system actually exists, functions consistently, and delivers measurable outcomes. This distinction matters because many organisations invest significant effort in creating documentation that looks impressive but bears little resemblance to how work actually happens on the shop floor or in the office. Auditors are trained to spot this disconnect, and when they find it, the organisation receives nonconformities that delay certification and damage credibility.

Understanding What Auditors Actually Assess

ISO 9001 is structured around fourteen clauses that cover everything from context and leadership through to performance evaluation and improvement. However, auditors do not assess these clauses in isolation. They look for evidence that your organisation has implemented an integrated system where quality management is embedded into how decisions are made, work is planned, and results are monitored.

A competent auditor will examine whether your documented procedures genuinely reflect operational reality. For example, if your procedure states that all customer complaints are reviewed within two business days, the auditor will check whether this actually happens by reviewing complaint records, interviewing staff who handle complaints, and observing the process in action. If the procedure says one thing and reality shows something different, that is a nonconformity. The gap between documented intent and actual practice is one of the most common findings in ISO 9001 audits.

The auditor is also assessing whether your system is proportionate to your organisation. A manufacturing business with 500 employees and multiple production lines needs a different approach to documented procedures than a boutique consulting firm with eight staff members. ISO 9001 allows for this flexibility, but many auditors find that organisations either over-document (creating administrative burden that no one follows) or under-document (leaving critical quality decisions to individual discretion).

Context and Risk Management

Clause 4 requires your organisation to determine the issues that affect your ability to achieve the intended outcomes of the quality management system. This is where auditors look beyond quality to examine whether management understands the broader business environment. An auditor will review your documented context analysis to see whether you have identified relevant internal and external issues such as market changes, regulatory requirements, supply chain risks, and staffing challenges.

In practice, this means having documented evidence that management has systematically considered the environment in which the organisation operates. A manufacturing firm might identify supply chain vulnerabilities related to specific suppliers. A service organisation might identify regulatory changes or digital transformation trends. An auditor wants to see that these considerations have been documented and that they have influenced how quality objectives are set.

Risk-based thinking is embedded throughout ISO 9001, and auditors will examine whether your organisation has genuinely adopted this mindset. This includes identifying risks to product or service conformity, risks related to external supplier performance, and risks to the effectiveness of the quality management system itself. Many organisations document generic risks that could apply to any business. A skilled auditor will probe deeper by asking questions such as: "How did you identify this risk? What data did you use? How do you know this risk is actually relevant to this organisation?"

Leadership Commitment and Engagement

Clause 5 requires top management to demonstrate leadership and commitment to the quality management system. Auditors examine this by looking at the evidence of management involvement. This is not about having a mission statement on the wall or an annual commitment to quality. It is about demonstrable actions that show management cares about the system and is willing to allocate resources to support it.

An auditor will review minutes from management review meetings to assess whether quality performance is discussed seriously or mentioned in passing. They will examine resource allocation decisions to see whether quality initiatives receive adequate funding and personnel. They will observe whether senior managers interact with the quality management system beyond formal audit events. In some organisations, the quality manager is isolated from senior management decision-making, which signals that quality is not truly a priority. In others, quality considerations are woven into discussions about strategy, investment, and organisational direction.

Auditors will also assess whether management has established quality objectives and ensured that responsibilities and authorities are clearly defined. A common weakness is that quality responsibilities are assigned to the quality manager alone, when in reality, quality is everyone's responsibility. The auditor will look for evidence that quality objectives have been communicated to relevant staff and that people understand how their work contributes to achieving them.

Planning and Resource Management

Clauses 6 and 7 cover actions to address risks and opportunities, and the provision of resources needed to support the quality management system. Auditors examine whether your organisation has a documented approach to planning that considers both quality and business objectives. This includes planning for infrastructure, environment, personnel, and knowledge management.

In the real world, many organisations struggle with this. A small manufacturing business might have excellent informal knowledge of how to run the operation, but when an auditor asks for documented evidence of how that knowledge is maintained and transferred when staff leave, the gap becomes apparent. The auditor will look for evidence of training records, competence assessments, and succession planning. They will also examine whether the organisation has identified critical knowledge and implemented systems to retain it.

Infrastructure is another area where auditors focus attention. This includes buildings, equipment, utilities, and information technology systems. The auditor will examine whether there is a maintenance programme in place, whether equipment is calibrated where required, and whether infrastructure problems are tracked and resolved. In organisations that have experienced rapid growth, infrastructure planning sometimes lags behind demand, and auditors frequently identify this as a risk to product or service quality.

Environmental conditions for work are also assessed. For manufacturing, this might include temperature and humidity control, noise levels, or lighting. For offices, this might include ergonomic workstations and access to systems. Auditors will check whether there is documented evidence of environmental monitoring where this is relevant to quality.

Process Management and Product Realisation

Clause 8 covers operational planning and control, including the management of externally provided processes and products. This is where many auditors spend significant time because this is where products and services are actually created. The auditor will examine your processes for identifying what customers need, controlling the design of products or services, managing suppliers, producing products or delivering services, and controlling nonconforming products.

For customer-focused organisations, auditors look for evidence that you have determined customer requirements and ensured that these are communicated internally. A common audit finding is that customer specifications are poorly understood by operational staff, leading to products or services that do not meet requirements. The auditor will interview production or service delivery staff and ask them to explain what the customer actually needs. If their answer is vague or contradicts the documented specification, there is a gap.

Design control is assessed where your organisation designs products or services. Auditors examine whether design inputs include customer requirements, regulatory requirements, and lessons learned from previous products. They will review design output records to see whether design decisions are documented and justified. They will also look at design review records to confirm that products or services have been evaluated before release to customers, and that design changes are controlled.

Supplier management is a major focus area. Auditors examine how your organisation evaluates supplier performance and ensures that externally provided products and services conform to requirements. This includes reviewing the criteria used to select suppliers, the frequency of supplier performance reviews, and how you manage supplier nonconformances. Many organisations assume that having a quality clause in the purchase order is sufficient. Auditors will look for ongoing evidence of supplier management, not just a one-time agreement.

Control of production or service delivery includes documented procedures for what is to be produced, how it is produced, who is authorised to produce it, and what quality checks occur during or after production. Auditors will walk the production floor or observe service delivery and compare what they see to documented procedures. Discrepancies between documented procedures and actual practice are very common findings.

Quality of Records and Documentation

Clause 8 also addresses the control of externally provided design and development services, production and service provision, and control of changes. What auditors consistently find is that documentation quality varies significantly across organisations. A well-managed organisation has clear, current procedures that are actually used. A poorly managed organisation has procedures that are outdated, contradicted by newer procedures, or simply ignored in favour of informal practices.

Auditors examine the control of documented information to ensure that your organisation has a systematic approach to creating, updating, storing, and retiring procedures and other documents. Common findings include procedures that have not been reviewed for years, inconsistent naming conventions, uncertainty about which version of a procedure is current, and procedures that are not easily accessible to staff who need them.

Records are also examined in detail. Auditors will request records from various areas of the business and assess whether they are complete, legible, properly authorised, and retained for an appropriate period. A frequent finding is that records are incomplete or lack required approvals. For example, customer complaint records might lack documentation of the action taken, or purchase orders might not show evidence of supplier approval.

Performance Evaluation and Internal Audit

Clause 9 requires organisations to determine what needs to be monitored and measured, the methods to be used, when results should be analysed, and who is responsible. Auditors examine whether your organisation has defined meaningful quality metrics that actually reflect how well the system is performing. Many organisations measure what is easy to count rather than what matters most. For example, counting the number of customer complaints received tells you something, but it does not tell you whether you are addressing the root cause of complaints or whether customer satisfaction is improving.

Auditors will look at management review records to see whether the results of monitoring and measurement have been analysed and whether management has discussed trends, nonconformities, customer feedback, and opportunities for improvement. Management review should not be a tick-box exercise where a document is signed and filed. It should be a genuine discussion about whether the quality management system is achieving its intended outcomes and whether resources are allocated appropriately.

Internal audit is a critical area of focus because the quality management system must include regular, independent assessment of its own performance. Auditors will examine your internal audit programme to ensure that all areas of the organisation are audited systematically, that internal auditors have appropriate competence and impartiality, and that internal audit findings are documented and managed. A common weakness is that internal audits are performed by staff who report directly to the area being audited, compromising impartiality. Another common issue is that internal audit findings are not taken seriously or are not tracked to closure.

Customer Focus and Satisfaction

Throughout the audit, auditors assess whether your organisation is genuinely customer-focused. This starts with understanding customer requirements and extends to managing customer relationship processes and determining customer satisfaction. Auditors will examine whether you monitor customer feedback, analyse complaints, and use this information to drive improvements.

A common audit finding relates to customer complaint handling. Auditors will review customer complaints to assess whether they have been investigated, whether root causes have been identified, whether corrective actions have been taken, and whether similar problems have been prevented in other areas. Many organisations respond to the complaint but do not use it as an opportunity to improve the system. An effective quality management system learns from each complaint and implements systemic improvements.

Nonconformities and Corrective Action

Clause 10 addresses improvement, including correction, corrective action, and preventive action. Auditors will examine whether your organisation has a systematic process for identifying nonconformities, determining root causes, and implementing corrective actions that prevent recurrence.

A critical distinction that auditors look for is between correction and corrective action. Correction is the immediate action to fix a nonconforming product or service. Corrective action is the systematic change to prevent the same problem from occurring again. Many organisations excel at correction but fail at corrective action. For example, they might rework a product or provide a refund, but they do not investigate why the problem occurred or implement changes to prevent similar problems.

Auditors will trace nonconformities from identification through investigation, corrective action implementation, and verification. They will ask whether the root cause analysis was thorough and whether the corrective action actually addresses the root cause rather than just the symptom. They will also examine whether management has ensured that corrective actions are implemented within defined timeframes and that effectiveness is verified.

Frequently Asked Questions

The most common nonconformity relates to the gap between documented procedures and actual practice. Organisations create comprehensive procedures but then operate differently, because procedures are not understood, are not accessible, or do not reflect how work actually needs to be done. This might involve documented decision-making processes that are bypassed in practice, documented quality checks that are not performed, or procedures that have become outdated but have not been formally updated. Auditors identify these gaps through interviews, observation, and review of records. The solution is to ensure that procedures reflect how work is actually performed or to change work practices to match procedures.