What auditors actually look for in a management system

Many organisations approach an audit feeling well prepared. The documents are in order, the quality management system is up to date, and the last audit went smoothly. Yet some still end up with non-conformities they didn’t anticipate. Others pass — but are left with an uneasy sense of how close it was.

The reason is often not a lack of documentation. Rather, it is a misunderstanding of what auditors actually look for in a quality management system audit. In other words, an audit is not primarily about whether procedures exist, but whether the system works in practice.

Three misconceptions about what auditors actually look for in a quality management system

'We have the procedure — it's in the system'

This is perhaps the most common one. The organisation has written down its procedures, uploaded them to a system, and considers the job done. But a procedure that sits in a quality management system is not the same as a procedure that is followed in practice.

An auditor examining non-conformity handling in a quality management system audit does not simply ask whether the procedure exists. They ask who is familiar with it, when it was last used, what happened the last time a non-conformity arose, and whether it was actually handled as the procedure describes. The answer to the first question rarely determines the outcome.

'The auditor approved us last time — so everything is fine'

Approval at the previous audit is a snapshot, not a permanent state. ISO 9001, 14001, 45001 and 27001 are all built around the principle of continual improvement. This means that at the next audit, the auditor is not only checking whether you meet the requirements today — but also whether you have followed up on what was identified last time.

In short, a certification that is not maintained quickly becomes a certification that is not deserved.

'We're too small for it to matter'

The standards apply regardless of size. A small organisation may have simpler systems and fewer procedures than a large one — that is entirely legitimate. Nevertheless, the auditor still expects that what exists is actually used and followed up. Size is therefore no excuse for a lack of ownership of your own quality management system.

What auditors actually examine during an audit

An audit against ISO 9001, 14001, 45001 or 27001 is not a document review. It is an examination of whether the quality management system works in practice — and whether the organisation truly practises what it preaches.

Auditors use documentation as a starting point, but what they are really looking for is evidence that the system is in use. This happens through interviews with staff at various levels, review of logs and records, and tracing incidents from start to finish.

One important point that many underestimate: auditors do not only speak with the quality manager or senior leadership. They may just as easily stop a random employee in the corridor and ask whether they are familiar with the non-conformity procedure, what they would do if they spotted a problem, or who they would report it to. The answers from that employee carry at least as much weight as those from the person who has been preparing for weeks.

Typical questions that reveal what auditors look for in a quality management system

  • Can you show me a non-conformity that was logged in the last three months — and tell me what happened afterwards?
  • Who is responsible for this procedure, and when was it last reviewed?
  • Have you carried out a management review in the past year — what was decided, and what has been followed up?
  • How do you know that employees are aware of and following this procedure?
  • Can you show me documentation that this risk has been assessed and addressed?

Notice that none of these questions can be answered with ‘yes, we have a procedure for that’.

Documentation is evidence — not the goal of a quality management system

A common misconception is to treat documentation as the primary objective of an audit. It is not. Documentation is evidence that something has been done, decided or assessed.

A well-written procedure that has never been followed is weaker evidence than a simple routine with clear traces of actual use. Logs, recorded non-conformities, minutes from management reviews and updated risk assessments are what auditors use to judge whether a quality management system is alive.

This also means that gaps in documentation are rarely the biggest problem. The biggest problem is the gap between what is documented and what actually happens.

The role of management in an audit

All four standards place explicit requirements on management engagement. This is not something that can be fully delegated to the quality manager or HSE manager and then forgotten.

Auditors will typically examine whether management is aware of the organisation’s significant risks and environmental aspects, whether a meaningful management review has been conducted, whether objectives have been set and followed up, and whether resources have genuinely been made available to run the system.

It is worth highlighting one specific trap that many organisations fall into: the management review is conducted as a brief meeting where the quality manager presents a summary and management nods along. No decisions are made, no actions are documented, and the meeting is forgotten by the following week. For an auditor, this is not a completed management review — it is a meeting that happened to have the right name.

A quality manager who carries the entire system alone, without genuine management commitment, is a red flag in an audit — regardless of how good the documents are.

What auditors are not looking for — and what they actually expect from a quality management system

Auditors are not looking for perfection. But they are not impressed by a system that never records anything either.

A quality management system with no non-conformities is not a sign that everything is going well — it is a sign that the system is not being used. In practice, auditors want to see a certain volume of recorded non-conformities, ideally spread across different types and departments. This shows that reporting happens systematically rather than sporadically, and that a culture of speaking up genuinely exists within the organisation.

What auditors view most positively is non-conformities that have been recorded, followed up and closed in a way that demonstrates the organisation has learned something. That is what continual improvement looks like in practice.

How to prepare your quality management system before an audit

The organisations that perform best in audits are not necessarily those with the most documentation. They are the ones that can answer questions about what actually happens — and demonstrate it.

Review your non-conformity and improvement log and make sure that cases have been closed and followed up. Check that documents with a defined review cycle have actually been reviewed. Go through the minutes from your management review and assess whether decisions have been documented and acted upon. Also speak with employees who use the procedures day to day. If they do not know what the procedure says, that is a systemic problem — regardless of how well the document is written.

Document control as a prerequisite for a functioning quality management system

Underlying much of what is described here is a fundamental requirement: that the organisation actually knows which documents are current, who is responsible for them, and that they are up to date. Without this, it is difficult to answer an auditor’s questions credibly — even if the underlying practice is sound.

A system like Certain QMS is built precisely to provide this overview: clear ownership, controlled publishing and traceability that makes it possible to document not only what is current, but how it has developed over time. It is not a guarantee of passing an audit — but it removes one of the most common stumbling blocks.

An audit is not an exam — it is a conversation

The best way to approach an audit is not to rehearse answers, but to know your own quality management system well enough to talk about it naturally. Auditors are not out to catch anyone out. They are examining whether the organisation is managed in a way that enables it to deliver on its commitments — to customers, employees, the wider community and society.

Organisations that understand what auditors actually look for in a quality management system experience audits as useful. Others experience them as threatening. The difference rarely lies in the documents.

Marte Sunde

Business Consultant

Marte Sunde is a Business Consultant for Certain QMS, specialising in quality management and HSE systems. She works at the intersection of operational practice and digital solutions, helping organisations implement and improve management systems that ensure compliance, structure, and continuous improvement.