RKMS Group Logo
Book a Free Consultation

SME ISO Audit Checklist: How to Prepare for Your Next External Audit

ISO Audit Checklist

SME ISO audit checklist – three simple words that can turn audit panic into audit control.

For many UK SMEs, ISO external audits sit on a long list of competing priorities. Documentation may be scattered, people are busy doing the day job, and “ISO” can feel like a box-ticking exercise rather than a useful business tool.

The good news? Audits do not have to be stressful. With a clear, practical SME ISO audit checklist and a bit of structure, you can turn worry into confidence – and even use the audit to strengthen how your business runs.

This article walks you through a step-by-step SME ISO audit checklist you can use before each external audit.

Understanding Your ISO External Audit (in Plain English)

Before you dive into the details of audit preparation, it helps to be clear on what kind of audit you are facing and what the auditor is really there to do.

What Type of Audit Is Coming Up?

Most SMEs will see one of three types of ISO external audit in the UK:

  • Certification audit – Your first full assessment to achieve certification. Typically in two stages (Stage 1 “readiness review” and Stage 2 “full audit”).

     

  • Surveillance audit – A periodic check (often annually) to confirm your management system is still working and being used.

     

  • Recertification audit – A more in-depth review every few years (often three) to renew your certificate.

     

The level of scrutiny can vary, but the fundamentals of audit preparation are the same:

  • Have you defined how you work?

     

  • Are you following what you have defined?

     

  • Can you show evidence of this in practice during the ISO external audit?

What Your Auditor Is Really Looking For

It is easy to imagine the auditor as someone trying to “catch you out”. In reality, accredited auditors are there to confirm:

  • Conformance with the relevant standard(s) – e.g. ISO 9001 (quality), ISO 14001 (environment), ISO 45001 (health and safety) etc. 

     

  • Alignment between process and practice – You do what your documents and procedures say you do.

     

  • A functioning management system – Not a dusty manual, but a set of processes that help you run the business.

     

They will expect to see:

  • Documents – Policies, procedures, process maps, risk registers, etc.

     

  • Records – Evidence that activities have actually happened (training records, maintenance logs, inspection reports, minutes of meetings, etc.).

     

If something is not perfect, this does not automatically mean you will “fail”. The key is to be honest, open and able to show how you address issues and improve.

The SME ISO Audit Checklist – Overview

Think of this ISO audit checklist as a structured walk-through of your management system. You are checking:

  1. Do we have the right things in place?

     

  2. Are they current and used?

     

  3. Can we demonstrate evidence if asked?

     

In this article, we will look at six key sections in your SME ISO audit checklist:

  1. Governance & leadership

     

  2. Documentation & records

     

  3. Processes & controls

     

  4. People, competence & awareness

     

  5. Risk, improvement & nonconformities

     

  6. Site, equipment & safety (where applicable)

     

You can work through each section with your team and mark items as:

  • ✅ Green – in place and working

     

  • 🟠 Amber – partly in place / needs updating

     

  • 🔴 Red – missing or not effective

Section 1 – Governance, Leadership and Scope

This part of your SME ISO audit preparation checks the foundations of your management system.

Confirm Your Management System Scope

Your scope statement defines what your ISO management system covers. Before an audit, confirm:

  • Is the description of your products/services still accurate?

  • Have you added or removed locations?

  • Have you significantly changed key suppliers, outsourced processes, or your legal structure?

If your business has changed but your scope has not, update it and ensure the change is documented and communicated. An unclear scope is a common issue in ISO audit preparation for SMEs.

Leadership, Policy and Objectives

Auditors will look for real leadership involvement, not just signatures.

Check:

  • Policy

    • Is your quality / environmental / health & safety policy current?

    • Is it communicated – for example, on noticeboards, intranet, induction material?

    • Could key staff explain the basic intent of the policy in their own words?

  • Objectives

    • Have you set measurable objectives relevant to your standard and your business? (e.g. on-time delivery, customer satisfaction, waste reduction, safety performance.)

    • Are you monitoring progress and reviewing results?

Evidence might include:

  • Signed policy with review dates

  • KPI dashboards or reports

Team meeting minutes where objectives are discussed

Management Review and Key Decisions

Management review is your formal check-in on the management system.

Before the audit, confirm:

  • Have you held management review meetings at the planned frequency?

  • Are there minutes or outputs showing discussion of performance, risks, opportunities and improvement?

  • Are actions clearly assigned and followed up?

Auditors often use management review minutes to understand how leadership oversees the system.

Section 2 – Documentation and Record Control

Next, make sure your documents and records are controlled and retrievable – a core part of any ISO audit checklist.

Core Documents Up to Date

Check that your key documents:

  • Reflect how you currently operate (not how you worked three years ago).

  • Show version control (issue number, date, author, approval where appropriate).

  • Are accessible to the people who need them.

This might cover:

  • Quality/environmental/H&S manual (if you use one)

  • Process maps or flowcharts

  • Standard operating procedures (SOPs) and work instructions

  • Forms and templates

If staff have created their own spreadsheets and “workarounds”, bring them into your controlled system or tidy them up. This is a very common SME audit preparation task.

Record Control and Retrieval

A simple but powerful self-check:

Pick three types of record an auditor is likely to request – for example,

  • a training record,

  • a calibration certificate,

  • a customer complaint.

Time how long it takes you to find each one.

If it is a struggle, you may need to improve how records are stored and indexed.

Look at:

  • Training and competence records

  • Maintenance and calibration records

  • Inspection and test reports

  • Incident/accident and complaint logs

  • Evidence of corrective actions

The goal is not a perfect system, but one where you can consistently find what you need during an ISO external audit.

Section 3 – Processes, Controls and Evidence in Practice

Standards talk about “process approaches” and “operational controls”. Practically, this means:

  • You know your key business processes.

  • They are defined, followed, and effective.

You can show evidence that they work.

Critical Business Processes Mapped and Followed

Focus on processes that matter most to your customers and to risk, such as:

  • Sales/quotation and contract review

  • Purchasing and supplier management

  • Operations / service delivery / production

  • Inspection, testing and release

  • Delivery and after-sales support

Ask:

  • Do we have clear process flows or procedures?

  • Do people actually follow them?

  • Are there any obvious gaps between “what we say” and “what we do”?

Where practice has evolved, update your documentation rather than forcing people back to an outdated method.

Internal Audits Completed and Actions Closed

Your internal audits are like a rehearsal before the external audit and should form part of your ISO audit preparation checklist.

Confirm:

  • Have you completed internal audits according to your plan?

  • Do reports clearly state what was checked, what was found, and any nonconformities?

  • Are corrective actions assigned, with deadlines and evidence of completion?

If there are open actions, make sure you can explain:

  • Why they are still open

  • What you are doing about them

When you expect to close them

Supplier and Outsourcing Controls

For suppliers and outsourced processes, auditors will look at how you ensure external inputs do not undermine your management system.

Check:

  • Do you have an approved supplier list, with criteria for approval?

  • Is there evidence of ongoing evaluation (e.g. supplier performance reviews, records of issues and how they were handled)?

  • Where processes are outsourced, do you have appropriate agreements, specifications or controls in place?

Section 4 – People, Competence and Awareness

Even the best-written procedures fail if people do not understand them. This is a key area in SME ISO audit preparation.

Roles, Responsibilities and Authorities

Ask yourself:

  • Are key roles (e.g. quality manager, health and safety coordinator, process owners) clearly defined?

  • Does everyone understand who is responsible for what?

  • Are responsibilities documented in job descriptions, organisation charts or role profiles?

Auditors may pick a process and ask staff who is responsible for certain decisions. The answers should align with your documentation.

Competence, Training and Records

For roles that affect quality, environment or safety:

  • Have you defined competence requirements (skills, experience, qualifications)?

  • Do you have training plans for new starters and existing staff?

  • Are training records complete and up to date?

This might include:

  • Induction records

  • Toolbox talks or briefing sessions

  • Certificates for licences or safety-critical roles

Evidence of refresher training

Staff Awareness of the Management System

Auditors often speak to people at different levels and ask simple questions such as:

  • “What do you do if a customer complains?”

  • “Where would you find the procedure for this task?”

  • “Who do you report a safety concern to?”

Before the audit, brief your teams:

  • Explain the purpose of the audit.

  • Reassure them it is not a test of individuals.

Remind them where key procedures are and who to ask if they are unsure.

Section 5 – Risks, Opportunities, Improvement and Nonconformities

ISO standards place strong emphasis on risk-based thinking and continual improvement, which should appear clearly in your SME ISO audit checklist.

Risk and Opportunities Register

Review your approach to risk:

  • Do you have a risk register or equivalent list of key risks and opportunities?

  • Is it up to date, reflecting recent changes in your business or context?

  • Are actions to address risks clearly assigned and reviewed?

You do not need a complex system; you do need a structured and consistent one.

Nonconformities, Complaints and Incidents

Auditors do not expect you to have no problems. They expect you to handle them effectively.

Check:

  • How do you log nonconformities, complaints, incidents and near misses?

  • Is there evidence of investigation and root cause analysis where appropriate?

  • Do you look for trends over time?

Being able to show patterns and what you have done about them is a strong positive signal.

Corrective Actions and Learning

A powerful part of audit preparation is gathering a few “before and after” examples:

  • A recurring defect that has been addressed

  • A customer complaint that led to a process change

  • A safety incident that resulted in improved controls

Have a couple of short stories ready that show how you learn and improve.

Section 6 – Site, Equipment and Operational Controls (Where Applicable)

For organisations with physical premises, equipment and on-site activities, the auditor will usually carry out a walkthrough.

Condition of the Workplace

First impressions matter.

Look at:

  • General housekeeping – clear walkways, tidy work areas, safe storage

  • Signage – safety signs, instructions, emergency exits

  • Use of PPE where required

Minor issues are normal, but obvious unmanaged risks can raise serious questions.

Equipment Maintenance and Calibration

Check that:

  • You have an up-to-date list of critical equipment.

  • Maintenance schedules are in place and records are available.

  • Where measurement or test equipment is used to assure quality, calibration records are current.

Operational Controls and Work Instructions

On the shop floor or in service delivery areas:

  • Are the latest work instructions available and being followed?

  • Are any checklists, forms or visual aids up to date?

  • Do staff know what to do if something goes wrong or out of specification?

How to Use the Downloadable ISO Audit Readiness Checklist

The article gives you the logic; the ISO audit checklist gives you the tool.

One-Pager Gap Scan

Start with a quick RAG assessment:

  • Go through each section of the checklist.
  • Mark each item Red, Amber or Green.
  • Step back and see where the biggest clusters of red/amber sit.

This gives you an immediate view of where to focus in your SME ISO audit preparation.

Prioritising Actions in the Weeks Before the Visit

Not everything can be fixed at once. Use the checklist to prioritise:

  • Issues that directly affect customer satisfaction or safety.

  • Gaps that are simple to close quickly (e.g. missing signatures, outdated version numbers).

Items that support the narrative you want to present to the auditor: “We know where we are, we are working on X, Y and Z.”

Using It for Future Surveillance and Recertification Audits

Do not treat the checklist as a one-off. Build it into your routine:

  • Use it ahead of internal audits.

     

  • Review it as part of management review.

     

  • Repeat the RAG scan before each surveillance or recertification audit.

Final Steps Before Audit Day

In the final day or two before your ISO external audit:

  • Confirm the agenda and timings with the auditor.

  • Make sure key people know when they may be needed.

  • Prepare a quiet room or reliable online meeting link.

  • Have your core documents and key records easily accessible.

  • Take a calm “walkthrough” of your site with the audit in mind.

Remember:

  • No organisation is perfect.

  • Audits are about conformance and improvement, not blame.

  • A structured SME ISO audit checklist gives you confidence and helps the auditor see your strengths as well as your gaps.

With a clear ISO audit checklist and a simple, honest story about how you run your business, your next external audit can become a useful health check rather than a source of anxiety.

Share

Book a Free Consultation Consultation Consultation Consultation

Get free advice and guidance tailored to your business needs

Book Your Free Consultation

Related Resources

Book a Free Consultation Consultation Consultation Consultation

Get free advice and guidance tailored to your business needs

Book Your Free Consultation