Most organisations implementing ISO standards face a critical moment: they need to understand where they stand before they can move forward. That moment typically involves either a gap analysis or an audit, and these two tools are often confused or used interchangeably by people who don't work in quality management. This confusion costs organisations time, money, and credibility. A gap analysis and an audit are fundamentally different activities with distinct purposes, methodologies, and outcomes. Understanding the difference is essential whether you're a quality professional, a compliance officer, or someone responsible for implementing management systems.
On this page
Understanding Gap Analysis
A gap analysis is a systematic evaluation that compares your organisation's current state against a desired future state. In the context of ISO standards, the desired future state is typically compliance with a specific standard's requirements. The gap analysis identifies what you have in place, what you're missing, and the steps required to close those gaps. It's fundamentally a planning tool.
The primary objective of a gap analysis is to establish a baseline understanding of compliance status before implementation begins or before a certification audit occurs. An organisation conducting a gap analysis against ISO 9001, for example, would examine each clause of the standard and honestly assess whether the organisation has processes, procedures, and evidence that meet those requirements. Where a requirement is not met, that's a gap.
Gap analyses are typically informal assessments. They can be conducted internally by your own team, often with input from external consultants who bring expertise in standard requirements. There is no prescribed format, no independent verification, and no certification body involvement. The assessment is confidential to your organisation. You might use a simple spreadsheet to record gaps, or you might engage a consultant to conduct interviews and document findings in a detailed report. The rigour depends entirely on how much detail you need and what budget you have available.
Consider a manufacturing organisation planning to implement ISO 9001. The quality manager might conduct a gap analysis by walking through each clause and asking: Do we have a documented quality policy? Yes. Is it communicated to all employees? Partially. Do we have defined processes for design control? No. For supplier management? Yes, but documented informally. Each finding becomes a gap that needs addressing before the organisation is ready for certification. This exercise takes a few weeks of internal effort, costs very little, and immediately shows where resources need to be invested.
Gap analyses are most useful when you're at the beginning of an implementation journey or when you're assessing readiness for an external certification audit. They give you control over the timeline, allow you to fix problems privately, and help you prioritise implementation work. No external body is involved, so there's no judgment, no official findings, and no pressure. You set the pace and the standards.
What an Audit Actually Is
An audit, by contrast, is a formal, systematic, and independent examination of conformance to requirements. ISO defines an audit as a documented activity performed to obtain objective evidence and assess whether specified requirements are fulfilled. Several key words matter here: formal, independent, objective, documented, and specified requirements.
Audits come in several forms. An internal audit is conducted by personnel within your own organisation and is a requirement under ISO 9001, ISO 14001, and ISO 45001. A certification audit (also called a third party audit) is conducted by an external certification body to determine whether your organisation is eligible for ISO certification. A second party audit is conducted by a customer or stakeholder organisation. All audits follow a consistent methodology outlined in ISO 19011, the standard for auditing management systems.
An audit has scope, objectives, and audit criteria defined at the outset. The auditor or audit team gathers objective evidence by interviewing personnel, reviewing documentation, observing processes, and examining records. Evidence is collected systematically according to an audit plan. The auditor makes professional judgments about whether evidence demonstrates conformance to the stated audit criteria. Findings are documented formally, often categorised as nonconformities (failures to meet requirements), observations (areas of concern that don't constitute nonconformities), or opportunities for improvement. A formal audit report is produced and provided to the auditee.
A certification audit is particularly rigorous. The certification body's auditors are trained, qualified, and assessed against specific standards. They must be independent of the organisation being audited to ensure objectivity. The audit is conducted according to ISO 19011 principles. The auditor gathers evidence to either confirm that your management system meets the standard's requirements or identify nonconformities that must be addressed. The certification body uses this audit evidence to make a determination about whether to award certification.
The internal audit requirement under ISO 9001 Clause 9.2 illustrates why audits matter. Your organisation must conduct regular internal audits to verify that your management system conforms to your own requirements and to ISO 9001. These audits must be independent (the auditor should not audit their own area), planned, scheduled, and documented. The findings must be reported to management. This is not a casual review; it's a formal assessment with defined methods and outcomes.
Key Differences in Purpose and Intent
The most fundamental difference between a gap analysis and an audit lies in their purpose and who benefits from the assessment. A gap analysis is diagnostic and preparatory. You conduct it to discover what work you need to do before you're ready for external assessment. The primary beneficiary is your own organisation. You use the findings to direct implementation efforts. There's no external judgment and no consequences beyond your own planning.
An audit, particularly a certification audit, is evaluative and evidential. It's conducted to determine whether you actually meet the requirements, not whether you plan to meet them. The primary beneficiary is the certification body (and through them, the customers and stakeholders who rely on your certification). The audit findings have real consequences: if nonconformities are found, you may not receive certification, or if you're already certified, your certification may be suspended or withdrawn. This creates accountability and credibility that a gap analysis cannot provide.
A gap analysis is future focused. It asks: "What do we need to do?" An audit is present focused. It asks: "Have we actually done it?" This distinction matters enormously in practice. During a gap analysis, you might say, "We don't have documented procedures for design control yet, but we plan to implement them next quarter." That's a useful finding for planning purposes. During a certification audit, if those procedures aren't in place, that's a nonconformity. Plans and intentions don't satisfy audit criteria; actual implementation does.
The confidence level differs too. A gap analysis conducted by your own team gives you a baseline understanding, but it carries bias. You might be overly optimistic about what you're doing well, or overly focused on areas you know are problematic. You might not fully understand all the nuances of the standard. An audit conducted by a trained, independent auditor gives you objective assessment. The auditor has no vested interest in your implementation and applies consistent criteria across all organisations.
Methodological Differences
Gap analyses and audits follow different methodologies, which reflects their different purposes. A gap analysis typically involves reviewing your current documentation and processes against the standard's requirements, often using a simple checklist or scoring system. You might score each requirement as "met", "partially met", or "not met". Some organisations use a percentage score: 80 percent of ISO 9001 requirements are implemented, 15 percent partially, and 5 percent not yet implemented. This gives you a quick baseline and helps prioritise work.
An audit follows a rigorous, formally documented process. The auditor develops an audit plan that specifies the scope, timing, frequency, and personnel to be interviewed. The auditor develops detailed audit procedures and checklists if needed. During the audit, the auditor gathers objective evidence: records that demonstrate conformance, interviews that verify understanding and implementation, and observations that confirm processes are working as described. All findings are documented with specific references to the standard, to the organisation's own procedures, and to the evidence gathered.
An internal audit conducted under ISO 9001 requirements must be scheduled and planned, conducted by qualified personnel who are independent of the function being audited, and documented formally. The results must be reported to management. This is far more structured and formal than a typical gap analysis, which might be conducted over a few weeks by whoever has time available.
Timing is another methodological difference. A gap analysis is typically a one time or occasional activity. You conduct one when you're planning implementation or before a certification audit. An audit, by contrast, is ongoing. Internal audits must be conducted regularly. Certification audits are conducted initially and then through surveillance audits every year or two. This continuous audit activity means that conformance is assessed systematically over time, not just captured in a single snapshot.
Flexibility and Scope Considerations
Gap analyses offer considerable flexibility in scope and depth. You can assess all requirements of a standard, or you can focus on specific clauses you're uncertain about. You can assess your entire organisation, or just specific processes or departments. You might spend a week on a light gap analysis or several months on a detailed one. The scope depends entirely on what information you need and what resources you want to commit.
Audits have defined scope. An internal audit has scope defined by the annual audit plan and the specific audit schedule. You can't arbitrarily skip areas that are hard to audit. A certification audit has scope defined by the standard you're seeking certification against and the exclusions your organisation is allowed under that standard. For example, if your organisation has no design function, you may be able to exclude design control from ISO 9001's scope. But within the defined scope, everything must be audited.
This difference matters practically. If you're implementing ISO 14001 and you're particularly uncertain about aspects and impacts identification, you might focus your gap analysis heavily on that clause. You might spend minimal effort on clauses like communication, which you're confident about. That's perfectly sensible for planning purposes. But during a certification audit, the auditor will assess all clauses equally. They won't skip communication because you think you're good at it.
Evidence and Documentation
Gap analyses typically generate a summary report or a spreadsheet showing gaps and recommendations. The documentation might be quite informal: a list of findings and action items. You keep this documentation for your own use, to track implementation progress and remind yourself what work you've committed to doing. There's no requirement to document evidence in any particular way or to maintain records of the gap analysis itself.
Audits generate formal, detailed documentation. The auditor documents the audit plan, the audit procedures, and the evidence gathered. For each finding, the auditor records the standard requirement, the organisation's own requirement or procedure, the evidence examined, and the auditor's conclusion. If a nonconformity is identified, the auditor documents it in detail. All of this documentation is retained by the auditor and, in the case of certification audits, by the certification body. It becomes part of your audit trail and forms the basis for surveillance audits in future years.
When gathering audit evidence, auditors follow strict protocols to ensure objectivity and credibility. They verify information from multiple sources. They distinguish between objective evidence (records, observations) and subjective assessment (interviews, claims). A gap analysis might rely heavily on what you tell yourself you're doing. An audit verifies what you're actually doing through independent observation and evidence collection.
Cost and Resource Implications
A gap analysis conducted entirely in house costs almost nothing financially. It requires your own staff time, and for a small organisation, a quality manager might spend a few weeks walking through the standard and assessing your current state. If you engage an external consultant to conduct a gap analysis, you'll pay for their time, typically ranging from a few hundred to a few thousand dollars depending on depth and complexity.
Audits have significant cost implications, particularly certification audits. You'll pay the certification body's auditor fees, which in Australia typically range from 2,000 to 5,000 dollars or more depending on your organisation's complexity. You'll invest your own staff time in preparing for the audit, participating in interviews, and addressing any findings. The costs are substantial, but they're an investment in credibility and market access.
Internal audits, conducted by your own staff, have minimal direct cost. The investment is your personnel's time. If you involve external auditors for internal audits, you'll pay their fees. Some organisations use internal audits as a training and professional development activity, which can be cost effective when you're building the capability of your team.
When to Use a Gap Analysis
A gap analysis is most valuable in several specific scenarios. First, when you're planning to implement an ISO standard for the first time, a gap analysis helps you understand what work is ahead. It gives you confidence that you're ready for implementation (or shows you that you're not). Second, when you're planning to pursue certification and want to assess readiness before investing in the certification audit itself. You might conduct a gap analysis, address obvious gaps, and then engage a certification body for audit. Third, when you've had changes in your organisation, like a major restructuring or acquisition, a gap analysis helps verify that your management system still meets requirements.
Gap analyses are also useful for internal improvement without any external driver. Some organisations periodically conduct informal gap analyses against the standard to identify improvement opportunities. They're not mandatory, but they're a good practice for organisations that want to continuously improve their management systems.
When to Conduct Audits
Internal audits are mandatory under ISO standards. ISO 9001 requires internal audits to be conducted at planned intervals, typically annually at minimum. These audits are how you systematically verify that your management system is working. They're not optional, and skipping them leaves you non conformant.
Certification audits are conducted when you decide to pursue certification. You'll have an initial certification audit, and then surveillance audits during your certification period. If you want certification, you must go through this process. There's no way to shortcut it with a gap analysis.
Second party audits (customer audits) are sometimes mandatory based on your customer contracts. Some organisations require their significant suppliers to maintain ISO certification or to pass a second party audit. These are formal audits conducted by external parties to verify your conformance.
How Gap Analyses and Audits Complement Each Other
In practice, gap analyses and audits work best when used together strategically. A well planned implementation typically starts with a gap analysis to establish the baseline and identify priorities. You then conduct implementation work to close gaps. Before pursuing certification, you might conduct an internal audit to verify readiness. Then you undergo certification audit, which provides the external verification needed for certification.
If you're preparing your organisation for an external audit, it's smart practice to conduct an internal audit shortly beforehand. The internal audit acts as a final check, much like a dry run. It identifies any remaining issues that need attention before the certification auditor arrives. This isn't wasting time; it's being sensible about readiness.
For organisations that are certified and managing ongoing compliance, internal audits are the primary tool. They're conducted regularly and systematically to ensure the management system stays effective. Gap analyses might be conducted periodically when there are significant changes or when you want to assess progress toward improvement objectives, but they're not the routine mechanism.
Common Mistakes in Confusing These Two Activities
One common mistake is treating a gap analysis as if it provides the same assurance as an audit. An organisation might conduct a gap analysis, conclude they're 90 percent compliant, and believe they're ready for certification. Then during the certification audit, they discover that what they thought was compliant wasn't actually verified properly. Gap analysis is subjective and based on your own assessment. Audit is objective and based on independent verification. The difference matters.
Another mistake is expecting a gap analysis to have the same credibility as audit findings with external parties. If you're negotiating with a customer who wants assurance of your conformance, your internal gap analysis won't satisfy them. They want third party certification or at least a second party audit. The gap analysis matters for internal planning, but it doesn't give external parties confidence.
Some organisations skip gap analysis entirely and jump straight to certification audit, hoping the auditor will tell them what to fix. This is inefficient. A certification audit is not designed as a consulting tool; it's designed to verify conformance. If you arrive with significant gaps, you'll fail the audit and have to remediate and re audit. A gap analysis beforehand costs far less and saves time.
Finally, some quality managers confuse informal reviews with formal audits. You might conduct a quarterly management meeting where you review quality metrics and discuss whether processes are working well. That's useful, but it's not an audit. An audit follows defined methodology, generates documented evidence, and produces formal findings. Don't call something an audit unless it actually follows audit methodology.
Building Competence as an Auditor
If you're responsible for internal audits, you need proper training and competence. Becoming an ISO internal auditor requires specific training and demonstrated competence. You need to understand audit methodology, how to gather objective evidence, how to maintain independence, and how to report findings professionally. This is different from understanding the standard itself. You can understand ISO 9001's requirements without being able to audit effectively.
Internal auditor training teaches you how to plan audits, conduct interviews professionally, identify evidence gaps, distinguish between findings and problems, and document nonconformities clearly. It teaches you how to maintain auditor independence and objectivity. If you're going to audit your organisation's management system, you should have formal training. Most organisations expect their internal auditors to have completed a recognised internal auditor course.
If you're planning to become an external or lead auditor who audits other organisations, the requirements are more extensive. Lead auditor training and certification is an investment that qualifies you to audit professionally and gain recognition in the field. But even for internal audits within your own organisation, proper training ensures you conduct audits professionally and generate findings that actually drive improvement.
Audit Workshop offers accredited ISO auditor training at Foundation, Internal Auditor, and Lead Auditor levels for ISO 9001, ISO 14001, and ISO 45001. Our courses are Exemplar Global recognised and include practical exercises, case studies, and assessment support.
Practical Takeaways
Understand that gap analysis and audit are different tools serving different purposes. Use a gap analysis when you need to diagnose current state and plan implementation. Use an audit when you need to verify conformance and generate objective evidence. Use them in sequence: gap analysis first to understand what you need to do, then implementation, then audit to verify you've done it.
Recognise that a gap analysis is limited by bias and subjectivity. It's useful for internal planning, but don't mistake it for objective assessment. If external parties need assurance of your conformance, you need audit, not gap analysis.
Understand that if you're responsible for internal audits, you need proper training and methodology. Don't conduct reviews and call them audits. Audits follow defined processes and produce documented evidence. If you're going to do the job, do it properly.
Recognise that certification audit is a formal, rigorous process with specific rules and requirements. A gap analysis beforehand helps you prepare, but it doesn't replace the need for formal certification audit if you want recognized certification. The two activities serve different purposes, and both have value.








