V5 Ultimate
Quality · The complete guide

ISO audit

TL;DR

An ISO audit is an independent, evidence-based evaluation against ISO management-system requirements, performed internally, for customers, or by accredited certifiers, under ISO 19011 and ISO/IEC 17021-1 to confirm conformity, effectiveness, and continual improvement.

Reviewed · By V5 Ultimate compliance team· 2,601 words · ~12 min read
AI · Explain it for MY operation

How does ISO audit apply to your shop floor?

Pick your industry and scale — Ask V5 rewrites the definition in your context, gives a worked example, and shows what V5 does on day one.

Your scale

01What is an ISO audit?

An ISO audit is a systematic, independent, and documented process for gathering objective evidence and comparing it to the requirements of an ISO management-system standard. The overarching principles for planning and conducting management system audits are set out in ISO 19011, and the rules for bodies that provide certification audits are codified in ISO/IEC 17021-1. The output is a conclusion on conformity, effectiveness, and the capability of the system to support intended outcomes and continual improvement.

Audits are classified by who performs them and for what purpose. First-party audits are internal and confirm the organization’s own processes meet requirements. Second-party audits are performed by customers or their agents to verify supplier capability and control of outsourced processes. Third-party audits are conducted by accredited certification bodies and result in certification if conformity is demonstrated and maintained through the surveillance cycle.

The audit approach is evidence-driven. Auditors triangulate documents, interviews, and observations, and they sample records proportionate to risk and process criticality. Conclusions are based on conformity to specific clauses, the effectiveness of controls in achieving policy and objectives, and the maturity of corrective and preventive action. A well-scoped audit examines process interactions, not isolated procedures, aligning with ISO’s process and risk-based thinking.

For regulated manufacturers, ISO audits often run alongside statutory inspections or product-specific assessments. However, the audit remains focused on the management system standard chosen by the organization, and it does not substitute for legal compliance checks. Audit outcomes should feed governance processes, including periodic management review and prioritized improvements within the quality plan.

02Scope and applicability across industries

ISO audits apply to the full family of management-system standards. ISO 9001 sets generic quality management requirements across industries. ISO 13485 is purpose-built for medical devices and related services, aligning with risk management, design and development controls, and traceability expected by health authorities. ISO 27001 focuses on information security, ISO 14001 on environmental management, and ISO 45001 on occupational health and safety. Many organizations operate integrated management systems and pursue combined audits to reduce duplication.

In health products, ISO 13485 audits have heightened significance because the standard is referenced by numerous jurisdictions, and for Europe its certification frequently underpins device conformity assessments carried out by a Notified Body under Regulation (EU) 2017/745. The 2024 amendment to ISO 13485 sharpened expectations around software validation and post-market surveillance alignment, which directly influences audit planning and sampling strategies.

In pharmaceuticals, an ISO 9001 audit complements, but does not replace, cGMP inspections. Many companies adopt ISO 9001 and ICH Q10 to structure a pharmaceutical quality system, using audits to verify management controls, technology transfer, and continual improvement. Food, cosmetics, and chemicals sectors similarly use ISO audits to systematize compliance and demonstrate control of outsourced processes, supplier oversight, and data integrity across their operations.

While the audit criteria differ by standard, the mechanics are consistent: define audit objectives and scope, assess conformity and effectiveness, report findings with objective evidence, and require timely correction and corrective action proportionate to the risk. Certification bodies must apply impartiality safeguards and competence criteria for each technical area, ensuring auditors understand both the standard and the industry context.

Where multiple standards are in play, integrated audits must avoid superficial clause-by-clause checks. Effective auditors test process performance, interfaces, and controls common to all standards—such as document management, competence, risk assessment, and improvement—then probe standard-specific controls with appropriate depth.

Organizations preparing for or maintaining certification should align internal audit programs to the same scope, including sites, processes, and exclusions, so surveillance and recertification proceed without scope disputes or sampling surprises.

For 13485 programs, see the ISO 13485:2024 amendment. If your products require EU conformity assessment, coordinate ISO 13485 audits with your Notified Body planning to ensure evidence is reusable.

03How certification audits run in practice

Certification audits follow a defined cycle under ISO/IEC 17021-1. An initial certification consists of a Stage 1 review and a Stage 2 on-site assessment. Stage 1 verifies readiness by reviewing documented information, locations, scope, and process maturity. Stage 2 tests implementation and effectiveness, samples processes and records, and issues nonconformities against specific clauses. Once certified, the organization undergoes periodic surveillance audits, typically annually, and a full recertification audit at the end of the cycle.

Audit programs are risk-based. High-risk processes, regulated steps, and recent change hotspots receive greater time and deeper sampling. Multi-site organizations may be eligible for sampling models, but the certification body must justify representativeness and adjust when risk increases. Remote and hybrid techniques are permitted where effective and where confidentiality, security, and authenticity of records are preserved.

Planning materials should include scope, applicable standards, objectives, audit criteria, locations, process list, sampling strategy, and a time budget that reflects complexity and risk. Evidence handling includes controlled access to documents, interview scheduling across shifts, and traceability of sampled records. Strong document control minimizes search time and reduces the chance of incomplete evidence.

PhaseWho LeadsPrimary ObjectivesTypical OutputsIndicative Duration
Stage 1 (Readiness)Certification BodyConfirm scope, sites, processes, and document readiness; assess audit preparedness and legal interfacesStage 1 report, readiness gaps, Stage 2 plan0.5–1.5 auditor-days per site
Stage 2 (Initial Certification)Certification BodyEvaluate implementation and effectiveness; sample processes, records, and interfacesNonconformity list, audit report, certification decision inputs1–5 auditor-days per site (risk-based)
Surveillance (Year 1)Certification BodyVerify continued conformity and improvement; focus on changes and high-risk areasSurveillance report, updated NC status0.5–3 auditor-days per site
Surveillance (Year 2)Certification BodyConfirm ongoing effectiveness; follow-up on actions and metricsSurveillance report, scope confirmation0.5–3 auditor-days per site
RecertificationCertification BodyComprehensive reassessment of system performance over the cycleRecertification report, new certificate decisionSimilar to Stage 2, risk-based

04Key requirements and the evidence auditors test

Auditors test two things: conformity to the clauses of the standard and effectiveness of the management system to achieve intended outcomes. They expect to see a coherent process landscape, defined responsibilities, risk-based controls, competence and training, document and record control, and an improvement engine that addresses nonconformities, incidents, and trends. Policies, objectives, and key performance indicators must be deployed and reviewed at planned intervals, and corrective actions should be proportionate to risk and verified for effectiveness.

Core evidence includes the context and scope statement, process maps, risk assessments, documented procedures where required by the standard, records of monitoring and measurement, internal audit reports, and management review outputs. Objective evidence is triangulated through interviews, observation of work being performed, and sampling of records across shifts, sites, and time windows. Traceability from requirements to records is essential when sampling design transfer, change control, or batch release.

For ISO 13485, auditors typically probe design and development controls, production and service provision, validation and revalidation of processes where output cannot be fully verified, cleanliness and contamination controls, device file completeness, and risk management aligned with ISO 14971. Post-market surveillance and vigilance feedback must flow into risk controls and design maintenance. In ISO 27001 audits, controls are tested against the risk treatment plan and Annex A measures, verifying effectiveness rather than merely the presence of a policy.

Well-run systems show a closed-loop improvement process. Nonconformities are analyzed for root cause, corrective actions are implemented on time, and effectiveness checks confirm sustained control. See the guide on CAPA and the glossary entry on process validation to understand how auditors evaluate these mechanisms in practice.

05Auditor competence, impartiality, and sampling rigor

ISO 19011 defines auditor competence as the demonstrated ability to apply knowledge and skills to achieve intended results. Competence spans audit principles, techniques, and the specific management system standard being assessed, as well as sector knowledge to understand process hazards and control measures. Certification bodies operating under ISO/IEC 17021-1 must qualify auditors for each technical area and maintain records of education, training, experience, and continual professional development.

Impartiality is non-negotiable. Certification bodies must have structures to identify and manage conflicts of interest, separate consulting from auditing, and protect the audit process from commercial pressures. Auditors are required to exercise professional skepticism, maintain confidentiality, and base conclusions solely on verifiable evidence. Witness audits and office assessments by accreditation bodies verify that these controls are functioning.

Sampling must be sufficient to reach a reliable conclusion on conformity and effectiveness. The sampling plan accounts for process complexity, risk, shift coverage, seasonal variation, and recent changes. In multi-site schemes, the certifier justifies the sample size and selection based on homogeneity and central control. Where elevated risk is identified—such as critical nonconformities, major changes, or product recalls—the sampling depth increases or site coverage expands accordingly.

Remote audit techniques are acceptable when they provide equivalent assurance. This requires secure access to records, real-time communication for interviews, and the ability to conduct virtual tours or screen-based demonstrations. If equivalence cannot be achieved, the auditor must defer parts of the audit or perform them on-site. All evidence must remain traceable to the sampled records and retained per the organization’s retention policies.

06Common pitfalls and misinterpretations

A frequent error is treating audits as paperwork checks. ISO auditors evaluate whether processes achieve intended results, not just whether procedures exist. If an organization cannot link risks, controls, and performance metrics, auditors will challenge effectiveness. Similarly, over-scoping or under-scoping the certification can create persistent nonconformities and confusion during surveillance, especially when outsourced processes or remote sites are weakly controlled.

Another pitfall is superficial corrective action. Closing a nonconformity with a quick fix and no root cause analysis, action verification, or effectiveness check will invite recurrence and escalate findings. Management review minutes that list updates without evidence of decisions, resource allocation, and follow-through signal a governance gap. In regulated settings, failure to maintain validated states for computerized systems and special processes undermines both ISO and statutory expectations.

Data handling also trips teams up. Evidence must be controlled, authentic, and complete. If records are reconstructed after the fact, if sampling is biased, or if access control is inconsistent, auditors will question reliability. Remote audits magnify these risks when screen shares replace physical observation. A clear plan for secure evidence sharing, audit trails, and retrieval speed is essential.

Organizations can avoid these missteps by embedding risk-based thinking into internal audits, testing the same processes certification auditors will probe, and reviewing trend data and improvement effectiveness before surveillance visits. Strengthen record governance using the practices outlined in data integrity by design to ensure evidence stands up under scrutiny.

07Relation to inspections and neighboring frameworks

ISO audits and regulatory inspections serve different purposes but overlap in practice. An FDA inspection or a competent authority visit evaluates compliance with laws and regulations, while an ISO audit evaluates conformity with a voluntary standard. In medical devices, ISO 13485 certification supports a broader conformity assessment but does not replace regulatory requirements under the EU MDR or comparable country regimes. In pharmaceuticals, ISO 9001 and ICH Q10 strengthen the quality system around cGMP but do not substitute for statutory inspections.

Second-party audits are central to supply-chain governance. Customers assess suppliers for capability, capacity, and control of outsourced processes, especially where materials or services are high risk. Criteria often combine ISO clauses with contract requirements and regulatory expectations for data integrity, change notification, and traceability. Well-structured programs reduce incoming defects, stabilize lead times, and improve compliance posture across tiers.

International cooperation influences audit practice. PIC/S promotes harmonized GMP inspection systems and provides guidance that informs audit expectations in life sciences. ICH Q9 and Q10 embed quality risk management and pharmaceutical quality systems that many auditors leverage when judging effectiveness. Across sectors, the process approach, risk-based thinking, and continual improvement are universal anchors that link ISO audits with neighboring frameworks.

For organizations pursuing integrated strategies, align ISO audit cycles with regulator-facing activities to avoid duplicated efforts. Where customer and certification audits overlap, agree on shared sampling or sequencing to minimize disruption while preserving impartiality and evidence integrity.

To dive deeper into risk-focused audits in regulated supply chains, see cGMP third-party audit and the entry on supply chain risk management.

08Planning a risk-based internal audit program

Internal audits should mirror certification depth and focus, while retaining the agility to probe emerging risks between surveillance visits. Start by mapping processes, interactions, and risk levels. Then allocate audit time to higher-risk, change-heavy, and historically weak areas. Ensure coverage of all requirements over the cycle, but do not distribute time evenly by default. Risk and performance should drive sampling intensity and auditor deployment.

Competence matters. Assign auditors with the right technical background and independence from the processes they assess. Calibrate audit questions to evidence of effectiveness—outputs, controls, and metrics—rather than checklist conformance alone. Build interviews across functions and shifts so you can trace requirements from top-level policies to point-of-work practice and back to records. Use dry runs before certification to validate that evidence retrieval times and owner handoffs are workable.

Structure reporting so that findings are risk-ranked, root causes are analyzed, actions are specific and time-bound, and effectiveness checks are planned. Management should review trend data and systemic themes, not just isolated events. Lean on digital tools for scheduling, notes, and evidence collection to shorten cycle time and strengthen traceability. Field teams benefit from guided checklists and offline capture using mobile audits when connectivity is scarce.

  • Define scope, objectives, and risk-based priorities for the year
  • Assign competent, independent auditors and avoid conflicts
  • Publish an audit calendar that covers all processes and sites
  • Prepare sampling plans and evidence retrieval pathways
  • Report findings with risk ranking, clear owners, and due dates
  • Verify effectiveness and close the loop through governance

09Digital evidence, remote auditing, and record controls

Auditing digital systems requires clear rules for authenticity, integrity, and availability. Auditors test whether electronic records and signatures are controlled, attributable, contemporaneous, original, and accurate. They expect secure role-based access, tamper-evident audit trails, and validated configurations for systems that store critical records. Evidence must be retrievable promptly and traceable to who did what, when, and why.

Remote or hybrid audits can be effective when confidentiality and security are maintained. Organizations should provide controlled portals, time-bound access, and sanitized datasets where necessary, ensuring the evidence remains representative. Video walk-throughs, screen-sharing, and remote interviews must allow auditors to observe the process, not just read documents. Where remote methods cannot achieve equivalent assurance, plan on-site follow-up.

When the scope includes regulated records, align controls with applicable electronic records and signatures rules. Confirm validated states, segregation of duties, and change control for configurations that impact data integrity. Maintain a record map that links each sampled requirement to its authoritative data source to avoid confusion between drafts, exports, and official records.

Ensure your audit working papers protect confidential information and personal data. Restrict copies of raw evidence, watermark extracts where needed, and log access to shared repositories. Retention of audit records should follow both the standard’s expectations and legal requirements for your sector and markets.

If the audit tests electronic records subject to 21 CFR Part 11, align access control, audit trails, and signature binding with your validation package. See the 21 CFR Part 11 feature area for controls common to life-science systems.

10How V5 Ultimate supports ISO audit readiness and execution

V5 Ultimate operationalizes ISO 19011 principles within daily work. Teams build risk-based audit programs, schedule and conduct audits, capture evidence in context, and route findings to responsible owners. Time-stamped records, immutable audit trails, and lineage views connect requirements, processes, and sampled outputs, so auditors can see objective evidence without scavenger hunts. During certification, Stage 1 readiness is accelerated by centralized scope statements, process maps, and legal interfaces.

For nonconformities, V5 enforces closed-loop actions with risk ranking, root-cause templates, verification steps, and effectiveness checks. Management receives dashboards that consolidate audit status, action aging, and trend analysis to support governance. When audits touch regulated records, V5 supports access control, electronic signatures, and audit-trail review consistent with data integrity expectations, helping teams prove both conformity and effectiveness at surveillance and recertification.

Field auditors use guided forms and offline capture to document interviews, observations, and samples. Evidence is linked to processes, sites, and clauses, enabling fast retrieval and coherent narratives in final reports. Shareable, read-only portals reduce document handling risk for external auditors while preserving confidentiality and chain of custody. Integration with notifications and tasking ensures owners close actions on time with clear accountability.

To prepare efficiently, start in the Audit Readiness workspace, then execute and track with reporting that mirrors certification body expectations. Whether you operate ISO 9001, ISO 13485, ISO 27001, or an integrated system, V5 provides consistent controls for planning, sampling, evidence, and improvement.

Frequently asked questions

Q.What is the difference between Stage 1 and Stage 2 in an ISO certification audit?+

Stage 1 verifies readiness by reviewing scope, documented information, site preparedness, and legal interfaces. Stage 2 tests implementation and effectiveness through sampling, interviews, and observation, and it generates nonconformities and the certification decision inputs.

Q.How often are surveillance audits performed after certification?+

Most certification cycles include annual surveillance audits and a full recertification audit at the end of the cycle. The frequency and duration are risk-based and depend on changes, performance, and past nonconformities.

Q.Can an ISO audit be conducted remotely?+

Yes, when remote methods provide equivalent assurance and protect confidentiality, security, and data integrity. If equivalence cannot be achieved, specific parts should be deferred or completed on-site.

Q.Do ISO audits replace regulatory inspections?+

No. ISO audits assess conformity to voluntary management-system standards, while inspections assess legal and regulatory compliance. They are complementary, and ISO audits can strengthen readiness for inspections.

Q.What evidence do auditors rely on most?+

Auditors triangulate documents and records, staff interviews, and direct observations of work. They sample proportionate to risk and expect traceability from requirements and procedures to actual outputs and performance metrics.

Q.How are nonconformities graded and closed?+

Nonconformities are typically graded as major or minor based on risk and systemic impact. Closure requires correction, root cause analysis, corrective actions, verification, and an effectiveness review within agreed timelines.

Primary sources

Further reading

Explore this topic

ISO audit sits inside this topic cluster in our glossary. Every neighbour is one click away.

See ISO audit working on a real shop floor

V5 Ultimate ships with the ISO audit controls already wired in — audit trail, e-signatures, validation evidence. Free trial, no credit card, onboard in days, not months.