ISO Audit Process Guide for Certification Success
Posted By

ABHMedia


The ISO audit process often feels stressful because most teams don’t understand what auditors check or how audits run.

Auditors follow a set process. They verify that your procedures exist, staff follow them, and records prove it.

This guide explains the ISO audit process step-by-step. You’ll see how documentation reviews work, what happens during on-site audits, and how findings lead to corrective actions or certification.

TL;DR

  • The ISO audit process checks whether procedures and records meet ISO requirements.
  • ISO audits include internal, supplier, and external certification audits.
  • Certification uses review, assessment, and annual surveillance audits.
  • Most findings come from gaps between procedures and execution.
  • TLM helps manage ISO audits, evidence, and corrective actions in one system across audit cycles.

What Is the ISO Audit Process?

The ISO audit process verifies compliance with ISO requirements. Auditors review documented procedures, records, and day-to-day operations to confirm the management system works as written.

Auditors don’t rely on opinions. They check evidence.

During an ISO audit, auditors check document control, internal audits, corrective actions, risk management, and management review activities.

They interview employees and observe business processes to confirm procedures are followed. Missing or incomplete evidence leads to nonconformities.

The process includes internal and external audits. Internal audits confirm readiness before certification. External audits include the certification audit and surveillance audits that verify ongoing compliance.

Who Conducts ISO Audits

ISO audits are conducted by qualified ISO auditors. For certification, those auditors work for an accredited certification body and act as independent third parties.

Their role is to verify that the organization’s management system meets ISO standards such as ISO 9001 or ISO 27001.

External auditors conduct the ISO certification audit, including the initial certification audit and surveillance audits.

They review documents, interview relevant personnel, and observe daily operations. Their findings determine whether the organization earns or keeps ISO certification.

Internal audits are handled by internal auditors within the organization. These first-party audits check readiness before an external ISO audit and surface issues early.

Internal audit findings support corrective actions and management review.

Types of ISO Audits

ISO audits fall into three categories: internal, supplier, and external audits. Your choice depends on certification goals, audit scope, and available resources.

Only external audits conducted through an accredited certification body can result in ISO certification.

Internal Audits (First-Party Audits)

An ISO internal audit is required under ISO standards. It reviews how the organization’s processes operate in practice, not how procedures describe them.

Internal audits often examine areas affected by recent changes or findings from previous audits.

Organizations usually follow a set internal audit schedule. Auditors use an internal ISO audit checklist to review records, controls, and procedures.

Results are captured in an internal audit report and reviewed during management review. That review leads to corrective actions before any external audit.

Internal audits also prepare employees. Staff who can explain their responsibilities internally tend to respond better during certification audits.

Supplier Audits (Second-Party Audits)

Supplier audits assess risk linked to vendors and external providers. These audits confirm whether suppliers meet contractual, quality, or security expectations.

A manufacturer may audit a component supplier to review quality controls. A technology company may audit a hosting provider to review security practices. 

Supplier audits help reduce exposure tied to third-party dependencies.

External Audits (Third-Party Audits)

External audits determine certification status. A certification audit reviews the management system in full and can result in ISO certification. After certification, surveillance audits take place each year.

Surveillance audits review corrective actions, management review records, and system changes since the last audit. After two surveillance audits, a recertification audit repeats the cycle and renews certification.

The ISO Certification Audit Process

The ISO certification audit follows a fixed sequence. Each phase answers a specific question about your management system. Knowing what happens at each point helps with audit preparation.

Stage 1 Audit: Readiness Review

The Stage 1 audit confirms whether the organization’s management system is ready for a full certification audit.

Auditors review documented procedures, risk assessments, and records tied to the relevant ISO standard. They also confirm that internal audits and management reviews are in place and used.

This stage often takes place remotely. Auditors focus on documentation and system structure rather than daily execution.

Any gaps identified should be addressed before moving to Stage 2. Stage 1 also helps set the audit plan and audit schedule for the certification audit.

Stage 2 Audit: Certification Assessment

Stage 2 is the formal ISO certification audit. Auditors assess how the management system operates in practice. 

They observe processes, interview employees, and review records to confirm procedures are followed consistently.

This stage evaluates corrective actions, internal audit results, and how risks are managed. Nonconformities may be issued. 

Minor issues require correction. Major issues should be resolved before certification is granted.

Surveillance Audits: Maintaining Certification

After certification, surveillance audits take place each year. These audits review changes since the last audit, follow up on corrective actions, and confirm the system continues to meet ISO requirements.

After two surveillance audits, a recertification audit restarts the cycle.

ISO Standards Requirements for Certification

The ISO audit process stays consistent across ISO management system standards. Differences come down to the system under review and the risks auditors examine.

Each ISO compliance audit checks whether required policies and procedures are documented, followed in daily work, and reviewed by management. Below are common ISO standards that use this same certification process:

  • ISO 9001 (Quality management system): Audits examine how customer requirements are met and how nonconformities are addressed. Auditors review internal audit results, corrective actions, and management review records.
  • ISO 27001 (Information security management system): Audits assess how information security risks are identified and managed. Auditors review access control rules, incident response records, and risk treatment decisions.
  • ISO 14001 (Environmental management systems): Audits review how environmental obligations are identified and addressed. Evidence includes monitoring results, corrective actions, and compliance records.
  • ISO 45001 (Occupational health and safety management systems): Audits examine how workplace hazards are identified and reduced. Auditors review risk assessments, training records, and incident follow-up.

Each standard addresses a different risk area, but the audit structure and certification process remain consistent.

How to Prepare for an ISO Audit

The only reason a company has to “prepare” for an ISO audit is that the data in its QMS has fallen behind current events, and nonconformances would result.

If you are using a system like TLM, where daily or weekly emails remind users of assigned QMS tasks with a link to the web app for easy completion, “preparing” for an audit takes an hour or two instead of a week or two.

In fact, just last week, we helped one of our clients “prepare” for an audit, which took about 30 minutes. Their audit resulted in zero findings or recommendations.

The internal audit process during the year should result in a QMS that can be audited at any time. This matters for regulated companies such as medical device manufacturers, because the FDA isn’t obligated to schedule its audits ahead of time and might give only one week’s notice when it does.

Conduct internal audits through an internal audit program that covers higher-risk areas and recent changes. Auditors prefer to see an audit program that follows key processes from start to finish, so that the risks associated with each step in the sequence are evaluated. This can include, for example, both the movement of materials and information and the responsibilities for those actions.

Ideally, your QMS software will have built in tools that can link your documents to key business processes as well as to the sections of the ISO standards being addressed.

Internal audit results should flow into the management review process. That review assigns corrective actions and tracks them to completion.

The audit team should also review records related to statutory and regulatory requirements. This review matters in regulated areas such as medical devices or complex supply chains.

Employees involved in audited processes should understand their responsibilities. They should also know which procedures apply to their roles.

Consistent preparation reduces findings during certification. It also makes it easier to schedule surveillance audits after the organization becomes ISO certified.

Common ISO Audit Findings and Mistakes to Avoid

Most ISO audit findings point to execution problems. Auditors review whether documented procedures match how the organization’s operations run.

One common issue appears in the implementation process. Procedures exist, but staff follow different methods.

During a process audit, auditors spot these differences through observation and record review. That mismatch leads to nonconformities.

Corrective actions also trigger findings. Organizations document issues, but don’t show evidence that actions addressed the root cause. 

Auditors expect records that show what changed and how repeated issues were prevented.

Internal audits create problems when the audit scope stays the same every year. Auditors expect coverage to change based on past findings and system updates.

Stay Audit-Ready With TLM


ISO audits start to unravel when audit work spreads across multiple tools. Evidence drifts away from ISO clauses, and follow-up depends on people remembering what to review next.

That’s where audits lose momentum.

TLM keeps the entire ISO audit process inside one audit management system. Organizations run recurring ISO compliance audits across multiple standards and locations without rebuilding context each cycle.

Standards like ISO 9001, ISO 13485, ISO 14001, and ISO 17025 stay organized in the same system. Past findings and corrective actions remain available during every future review.

Auditors record findings against ISO clauses. Each clause connects to the current procedure, supporting records, and earlier audit results.

Audit depth adjusts based on risk and prior findings. Repeated issues receive more attention, while stable areas require fewer questions.

Corrective actions remain linked to findings until they close. Management reviews track progress without chasing updates. 

Dashboards show open findings, overdue actions, and upcoming audits across standards and locations.

TLM fits regulated environments such as medical devices, manufacturing, laboratories, and food safety.

See how your ISO audits would run inside TLM. Book a demo or start a 30-day free trial and manage your next audit in one system!

FAQs About the ISO Audit Process

What are the five steps in the audit process?

The ISO audit process typically includes planning, preparation, execution, reporting, and follow-up. 

Auditors define the audit scope and objectives, review documentation, and assess how processes operate in practice.

Findings are documented, and corrective actions follow where required. The process ends once issues are addressed and verified.

What is an ISO audit checklist?

An ISO audit checklist is a structured list of questions mapped to the requirements of a specific ISO standard, such as ISO 9001 or ISO 27001.

You can use it to confirm that your procedures, records, and practices meet the clauses of that standard.

What are the seven auditable elements of ISO 9001?

The seven auditable elements of ISO 9001 are context of the organization, leadership, planning, support, operation, performance evaluation, and improvement.

Auditors review how these elements work together to control quality and meet customer requirements. Each element needs to show evidence through documented processes and records.

What are the three types of ISO audits?

The three types of ISO audits are internal, supplier, and external audits. Internal audits assess readiness and system health.

Supplier audits review risks from external providers, while external audits determine certification and ongoing compliance.

Can internal audits be conducted using AI?

Yes, but only if your QMS software has been properly designed with compliant AI support. Some AI providers will simply allow companies to load documents and not provide any accountability for the removal of obsolete procedures, making the accuracy of AI results suspect. The AI features in TLM ensure that only the latest revisions of documents are being used for AI results, which can include both general queries and compliance reviews against a specific standard. Here is a short video demonstrating TLM AI features in action.

Simplify Compliance with Easy, Robust and AI-Powered QMS Software

Your business runs on a vast web of interrelated information, so your software systems should be able to do the same.