ISO Audit Process: What Actually Happens During an ISO Audit

The ISO audit process triggers immediate anxiety for many organisations. Visions of intense questioning, endless documents, and the fear of “failing” are common, especially for first-time certification or newly appointed compliance leads.

The reality, however, is far less intimidating.

An ISO audit is a structured, professional review of your management system, not an interrogation or a test of individual performance. Once you understand the ISO audit process and what auditors are really looking for, much of the fear disappears.

This article walks you through exactly what happens during an ISO audit, what evidence auditors expect to see, and how to prepare and interact confidently without overcomplicating things.

What Is the ISO Audit Process – Really?

At its core, the ISO audit process is a conformity assessment. The auditor’s job is to verify that your management system:

  • Meets the requirements of the relevant ISO standard

  • Is implemented in practice (not just on paper)

  • Is effective in achieving its intended outcomes

Importantly, auditors are not there to catch people out. They are assessing systems and processes, not judging individuals or trying to create failures.

There are several types of ISO audits within the wider ISO audit process:

  • Certification audits (initial approval)

  • Surveillance audits (ongoing annual checks)

  • Recertification audits (typically every three years)

While the depth varies, the overall approach remains consistent and predictable.

The ISO Audit Process Explained Step by Step

ISO Audit Process: Before the Audit – Preparation and Planning

The ISO audit process begins well before the auditor arrives.

You’ll receive:

  • Confirmation of audit scope and standard

  • An audit plan outlining timing, areas to be reviewed, and key contacts

  • Requests for key documents (often in advance)

At this stage, preparation should focus on readiness, not perfection. Auditors expect to see a system that works — not one that was frantically polished the night before.

Good preparation within the ISO audit process includes:

  • Ensuring documents are approved and current

  • Checking records are available and accessible

  • Making sure staff understand their role in the system

What preparation is not:

  • Writing brand-new procedures just for the audit

  • Coaching staff with scripted answers

  • Trying to hide weaknesses

ISO Audit Process: Stage 1 Audit – The Readiness Review

For certification audits, Stage 1 within the ISO audit process is a readiness assessment, not a pass-or-fail event.

The auditor will typically review:

  • Your management system scope

  • Key policies and objectives

  • Risk assessments and planning processes

  • Legal or regulatory awareness

  • Internal audit and management review arrangements

The purpose of Stage 1 in the ISO audit process is to confirm that:

  • Your system is designed in line with the standard

  • You are ready to proceed to Stage 2

Any gaps identified at Stage 1 are there to help you prepare — not to penalise you.

ISO Audit Process: Stage 2 Audit – The Main Event

Stage 2 is what most people think of as “the audit” and represents the core of the ISO audit process.

It begins with an opening meeting, where the auditor:

  • Confirms the scope and agenda

  • Explains how findings are graded

  • Reiterates that the audit is based on sampling

From there, the ISO audit process follows a process-based approach. Auditors don’t check everything — they sample evidence to build confidence that your system works consistently.

Typical activities include:

  • Reviewing records and documents

  • Interviewing staff at different levels

  • Observing activities and site conditions

The auditor is constantly asking one key question:
“Can this organisation demonstrate that it does what it says it does?”

ISO Audit Process: What Evidence Do Auditors Really Look For?

One of the biggest sources of confusion in the ISO audit process is the idea of “evidence”.

ISO auditors look for objective evidence, which usually falls into three categories:

  1. Records – completed forms, logs, reports, meeting minutes

  2. Interviews – staff explaining what they do and why

  3. Observations – seeing processes carried out in practice

Crucially, evidence within the ISO audit process must show consistency, not perfection.

ISO Audit Process: How Auditors Ask Questions

Auditor questions during the ISO audit process are typically open and neutral, such as:

  • “Can you show me how this process works?”

  • “What happens if something goes wrong here?”

  • “How do you know this is effective?”

The best approach for staff during the ISO audit process is:

  • Answer honestly and calmly

  • Explain what they actually do, not what the procedure says

  • Show evidence where possible

ISO Audit Process: Understanding Non-conformities Without the Fear

A non-conformity within the ISO audit process simply means a requirement of the standard has not been fully met.

They are usually categorised as:

  • Minor non-conformities – isolated or low-risk issues

  • Major non-conformities – systemic or high-risk failures

Non-conformities are not a judgement of competence and do not automatically mean certification failure. In most cases, they require corrective action to address the root cause and prevent recurrence.

Auditors also raise:

  • Observations

  • Opportunities for improvement

These are valuable insights, not criticisms.

ISO Audit Process: Common Mistakes and How to Avoid Them

Many problems in the ISO audit process arise from behaviour rather than system gaps. Common mistakes include:

  • Over-documenting processes that don’t add value

  • Treating the audit like an exam

  • Becoming defensive or argumentative

  • Trying to control every conversation

The most successful audits happen when organisations are:

  • Open and cooperative

  • Prepared but relaxed

  • Focused on showing real practices

ISO Audit Process: What Happens After the Audit?

The audit concludes with a closing meeting, a standard part of the ISO audit process, where the auditor:

  • Summarises findings

  • Explains any non-conformities

  • Outlines next steps and timelines

You’ll then receive a formal audit report. If corrective actions are required, these are typically submitted with evidence within an agreed timeframe.

Certification decisions are based on:

  • The effectiveness of your system

  • How issues are addressed, not whether they existed

ISO Audit Process: How to Prepare Calmly and Confidently

The key to a successful ISO audit process is understanding that it is a review of your system, not a test of your people.

Preparation, clarity, and honesty go much further than last-minute fixes or excessive documentation.

Final Takeaway

When you understand the ISO audit process, know what evidence matters, and approach the audit professionally, it becomes a valuable tool for improvement — not something to fear.


SME ISO Audit Checklist: How to Prepare for Your Next External Audit


SME ISO audit checklist – three simple words that can turn audit panic into audit control.

For many UK SMEs, ISO external audits sit on a long list of competing priorities. Documentation may be scattered, people are busy doing the day job, and “ISO” can feel like a box-ticking exercise rather than a useful business tool.

The good news? Audits do not have to be stressful. With a clear, practical SME ISO audit checklist and a bit of structure, you can turn worry into confidence – and even use the audit to strengthen how your business runs.

This article walks you through a step-by-step SME ISO audit checklist you can use before each external audit.

Understanding Your ISO External Audit (in Plain English)

Before you dive into the details of audit preparation, it helps to be clear on what kind of audit you are facing and what the auditor is really there to do.

What Type of Audit Is Coming Up?

Most SMEs will see one of three types of ISO external audit in the UK:

  • Certification audit – Your first full assessment to achieve certification. Typically in two stages (Stage 1 “readiness review” and Stage 2 “full audit”).

  • Surveillance audit – A periodic check (often annually) to confirm your management system is still working and being used.

  • Recertification audit – A more in-depth review every few years (often three) to renew your certificate.

The level of scrutiny can vary, but the fundamentals of audit preparation are the same:

  • Have you defined how you work?

  • Are you following what you have defined?

  • Can you show evidence of this in practice during the ISO external audit?

What Your Auditor Is Really Looking For

It is easy to imagine the auditor as someone trying to “catch you out”. In reality, accredited auditors are there to confirm:

  • Conformance with the relevant standard(s) – e.g. ISO 9001 (quality), ISO 14001 (environment), ISO 45001 (health and safety) etc.

  • Alignment between process and practice – You do what your documents and procedures say you do.

  • A functioning management system – Not a dusty manual, but a set of processes that help you run the business.

They will expect to see:

  • Documents – Policies, procedures, process maps, risk registers, etc.

  • Records – Evidence that activities have actually happened (training records, maintenance logs, inspection reports, minutes of meetings, etc.).

If something is not perfect, this does not automatically mean you will “fail”. The key is to be honest, open and able to show how you address issues and improve.

The SME ISO Audit Checklist – Overview

Think of this ISO audit checklist as a structured walk-through of your management system. You are checking:

  1. Do we have the right things in place?

  2. Are they current and used?

  3. Can we demonstrate evidence if asked?

In this article, we will look at six key sections in your SME ISO audit checklist:

  1. Governance & leadership

  2. Documentation & records

  3. Processes & controls

  4. People, competence & awareness

  5. Risk, improvement & nonconformities

  6. Site, equipment & safety (where applicable)

You can work through each section with your team and mark items as:

  • ✅ Green – in place and working

  • 🟠 Amber – partly in place / needs updating

  • 🔴 Red – missing or not effective

Section 1 – Governance, Leadership and Scope

This part of your SME ISO audit preparation checks the foundations of your management system.

Confirm Your Management System Scope

Your scope statement defines what your ISO management system covers. Before an audit, confirm:

  • Is the description of your products/services still accurate?

  • Have you added or removed locations?

  • Have you significantly changed key suppliers, outsourced processes, or your legal structure?

If your business has changed but your scope has not, update it and ensure the change is documented and communicated. An unclear scope is a common issue in ISO audit preparation for SMEs.

Leadership, Policy and Objectives

Auditors will look for real leadership involvement, not just signatures.

Check:

  • Policy

    • Is your quality / environmental / health & safety policy current?

    • Is it communicated – for example, on noticeboards, intranet, induction material?

    • Could key staff explain the basic intent of the policy in their own words?

  • Objectives

    • Have you set measurable objectives relevant to your standard and your business? (e.g. on-time delivery, customer satisfaction, waste reduction, safety performance.)

    • Are you monitoring progress and reviewing results?

Evidence might include:

  • Signed policy with review dates

  • KPI dashboards or reports

  • Team meeting minutes where objectives are discussed

Management Review and Key Decisions

Management review is your formal check-in on the management system.

Before the audit, confirm:

  • Have you held management review meetings at the planned frequency?

  • Are there minutes or outputs showing discussion of performance, risks, opportunities and improvement?

  • Are actions clearly assigned and followed up?

Auditors often use management review minutes to understand how leadership oversees the system.

Section 2 – Documentation and Record Control

Next, make sure your documents and records are controlled and retrievable – a core part of any ISO audit checklist.

Core Documents Up to Date

Check that your key documents:

  • Reflect how you currently operate (not how you worked three years ago).

  • Show version control (issue number, date, author, approval where appropriate).

  • Are accessible to the people who need them.

This might cover:

  • Quality/environmental/H&S manual (if you use one)

  • Process maps or flowcharts

  • Standard operating procedures (SOPs) and work instructions

  • Forms and templates

If staff have created their own spreadsheets and “workarounds”, bring them into your controlled system or tidy them up. This is a very common SME audit preparation task.

Record Control and Retrieval

A simple but powerful self-check:

Pick three types of record an auditor is likely to request – for example,

  • a training record,

  • a calibration certificate,

  • a customer complaint.

Time how long it takes you to find each one.

If it is a struggle, you may need to improve how records are stored and indexed.

Look at:

  • Training and competence records

  • Maintenance and calibration records

  • Inspection and test reports

  • Incident/accident and complaint logs

  • Evidence of corrective actions

The goal is not a perfect system, but one where you can consistently find what you need during an ISO external audit.

Section 3 – Processes, Controls and Evidence in Practice

Standards talk about “process approaches” and “operational controls”. Practically, this means:

  • You know your key business processes.

  • They are defined, followed, and effective.

  • You can show evidence that they work.

Critical Business Processes Mapped and Followed

Focus on processes that matter most to your customers and to risk, such as:

  • Sales/quotation and contract review

  • Purchasing and supplier management

  • Operations / service delivery / production

  • Inspection, testing and release

  • Delivery and after-sales support

Ask:

  • Do we have clear process flows or procedures?

  • Do people actually follow them?

  • Are there any obvious gaps between “what we say” and “what we do”?

Where practice has evolved, update your documentation rather than forcing people back to an outdated method.

Internal Audits Completed and Actions Closed

Your internal audits are like a rehearsal before the external audit and should form part of your ISO audit preparation checklist.

Confirm:

  • Have you completed internal audits according to your plan?

  • Do reports clearly state what was checked, what was found, and any nonconformities?

  • Are corrective actions assigned, with deadlines and evidence of completion?

If there are open actions, make sure you can explain:

  • Why they are still open

  • What you are doing about them

  • When you expect to close them

Supplier and Outsourcing Controls

For suppliers and outsourced processes, auditors will look at how you ensure external inputs do not undermine your management system.

Check:

  • Do you have an approved supplier list, with criteria for approval?

  • Is there evidence of ongoing evaluation (e.g. supplier performance reviews, records of issues and how they were handled)?

  • Where processes are outsourced, do you have appropriate agreements, specifications or controls in place?

Section 4 – People, Competence and Awareness

Even the best-written procedures fail if people do not understand them. This is a key area in SME ISO audit preparation.

Roles, Responsibilities and Authorities

Ask yourself:

  • Are key roles (e.g. quality manager, health and safety coordinator, process owners) clearly defined?

  • Does everyone understand who is responsible for what?

  • Are responsibilities documented in job descriptions, organisation charts or role profiles?

Auditors may pick a process and ask staff who is responsible for certain decisions. The answers should align with your documentation.

Competence, Training and Records

For roles that affect quality, environment or safety:

  • Have you defined competence requirements (skills, experience, qualifications)?

  • Do you have training plans for new starters and existing staff?

  • Are training records complete and up to date?

This might include:

  • Induction records

  • Toolbox talks or briefing sessions

  • Certificates for licences or safety-critical roles

  • Evidence of refresher training

Staff Awareness of the Management System

Auditors often speak to people at different levels and ask simple questions such as:

  • “What do you do if a customer complains?”

  • “Where would you find the procedure for this task?”

  • “Who do you report a safety concern to?”

Before the audit, brief your teams:

  • Explain the purpose of the audit.

  • Reassure them it is not a test of individuals.

  • Remind them where key procedures are and who to ask if they are unsure.

Section 5 – Risks, Opportunities, Improvement and Nonconformities

ISO standards place strong emphasis on risk-based thinking and continual improvement, which should appear clearly in your SME ISO audit checklist.

Risk and Opportunities Register

Review your approach to risk:

  • Do you have a risk register or equivalent list of key risks and opportunities?

  • Is it up to date, reflecting recent changes in your business or context?

  • Are actions to address risks clearly assigned and reviewed?

You do not need a complex system; you do need a structured and consistent one.

Nonconformities, Complaints and Incidents

Auditors do not expect you to have no problems. They expect you to handle them effectively.

Check:

  • How do you log nonconformities, complaints, incidents and near misses?

  • Is there evidence of investigation and root cause analysis where appropriate?

  • Do you look for trends over time?

Being able to show patterns and what you have done about them is a strong positive signal.

Corrective Actions and Learning

A powerful part of audit preparation is gathering a few “before and after” examples:

  • A recurring defect that has been addressed

  • A customer complaint that led to a process change

  • A safety incident that resulted in improved controls

Have a couple of short stories ready that show how you learn and improve.

Section 6 – Site, Equipment and Operational Controls (Where Applicable)

For organisations with physical premises, equipment and on-site activities, the auditor will usually carry out a walkthrough.

Condition of the Workplace

First impressions matter.

Look at:

  • General housekeeping – clear walkways, tidy work areas, safe storage

  • Signage – safety signs, instructions, emergency exits

  • Use of PPE where required

Minor issues are normal, but obvious unmanaged risks can raise serious questions.

Equipment Maintenance and Calibration

Check that:

  • You have an up-to-date list of critical equipment.

  • Maintenance schedules are in place and records are available.

  • Where measurement or test equipment is used to assure quality, calibration records are current.

Operational Controls and Work Instructions

On the shop floor or in service delivery areas:

  • Are the latest work instructions available and being followed?

  • Are any checklists, forms or visual aids up to date?

  • Do staff know what to do if something goes wrong or out of specification?

How to Use the Downloadable ISO Audit Readiness Checklist

The article gives you the logic; the ISO audit checklist gives you the tool.

One-Pager Gap Scan

Start with a quick RAG assessment:

  • Go through each section of the checklist.
  • Mark each item Red, Amber or Green.
  • Step back and see where the biggest clusters of red/amber sit.

This gives you an immediate view of where to focus in your SME ISO audit preparation.

Prioritising Actions in the Weeks Before the Visit

Not everything can be fixed at once. Use the checklist to prioritise:

  • Issues that directly affect customer satisfaction or safety.

  • Gaps that are simple to close quickly (e.g. missing signatures, outdated version numbers).

  • Items that support the narrative you want to present to the auditor: “We know where we are, we are working on X, Y and Z.”

Using It for Future Surveillance and Recertification Audits

Do not treat the checklist as a one-off. Build it into your routine:

  • Use it ahead of internal audits.

  • Review it as part of management review.

  • Repeat the RAG scan before each surveillance or recertification audit.

Final Steps Before Audit Day

In the final day or two before your ISO external audit:

  • Confirm the agenda and timings with the auditor.

  • Make sure key people know when they may be needed.

  • Prepare a quiet room or reliable online meeting link.

  • Have your core documents and key records easily accessible.

  • Take a calm “walkthrough” of your site with the audit in mind.

Remember:

  • No organisation is perfect.

  • Audits are about conformance and improvement, not blame.

  • A structured SME ISO audit checklist gives you confidence and helps the auditor see your strengths as well as your gaps.

With a clear ISO audit checklist and a simple, honest story about how you run your business, your next external audit can become a useful health check rather than a source of anxiety.
