ISO 9001 Audit

Introduction

If your organisation is certified to ISO 9001, or preparing to be, audits are a non-negotiable part of the journey. They’re how you prove that your quality management system (QMS) is working in practice, not just documented on paper.

For many businesses, the word audit can feel intimidating — but an ISO 9001 audit shouldn’t be something you dread. When it’s done properly, it’s simply a structured check that confirms your quality processes are working as intended and helping your business deliver consistently for customers.

An ISO 9001 audit is a formal assessment of how well your business meets the requirements of the ISO 9001:2015 Standard. It looks at how your processes are defined, followed, measured, and improved — across everything from leadership and planning to day-to-day operations.

For UK organisations, ISO 9001 audits play an important role in maintaining certification, supporting tender submissions, and demonstrating compliance with customer and regulatory expectations — including obligations under the Consumer Rights Act and Trading Standards requirements. They also provide valuable insight into risks, inefficiencies, and opportunities for improvement — often highlighting issues long before they turn into complaints or costly rework.

ISO 9001 audit at a glance

  • Standard: ISO 9001:2015
  • Audit types: Internal (first-party) and external (certification and surveillance)
  • Recognised audit stages: Stage 1, Stage 2, periodic surveillance audits, recertification audit
  • Key focus: Compliance, nonconformities, continual improvement
  • UK relevance: Supports tendering, regulatory confidence, customer assurance, and customer requirements and expectations
  • Typical UK cost: Depends on size and scope

What is an ISO 9001 audit?

An ISO 9001 audit is a systematic, independent, evidence-based review of your quality management system against the requirements of ISO 9001:2015.

In simple terms, it checks three things:

  • What you say you do – your policies, procedures, and documented processes
  • What you actually do – how work is carried out day to day
  • What you can prove – records, data, and results that demonstrate control

Auditors don’t just look for documents. They follow real processes, may speak to staff, and sample evidence to confirm that quality controls are embedded into everyday operations — not just written down for audit purposes.

A well-run ISO 9001 audit focuses on:

  • Consistency in how work is delivered
  • Effective control of risks and changes
  • Clear responsibilities and accountability
  • Monitoring performance and customer satisfaction
  • Evidence of continual improvement

Audits are designed to highlight where your system is working well and where it could be strengthened. Many UK businesses use audit findings as a practical improvement tool — not just a certification requirement.

Types of ISO 9001 audits

ISO 9001 includes two main audit types, each serving a different purpose. 

Internal audits (first-party audits) 

  • Planned and carried out by your organisation or an independent internal auditor 
  • A requirement under ISO 9001 Clause 9.2 
  • Used to check compliance, test effectiveness and readiness, and prepare for external audits
  • Should be objective, evidence-based, and focused on improvement 

External audits (third-party audits) 

  • Carried out by an independent certification body (like Citation ISO Certification) 
  • Required to achieve and maintain ISO 9001 certification 
  • Used to provide independent assurance to customers and stakeholders 
  • Include certification and surveillance audits

Internal vs external audits – key differences

| Area | Internal audit | External audit |
|---|---|---|
| Who conducts it | Competent internal auditor or consultant | Certification body auditor |
| Purpose | Self-check and improvement | Independent verification |
| ISO requirement | Yes (Clause 9.2) | Mandatory for certification |
| Focus | System effectiveness and gaps | Conformance to ISO 9001 |
| Outcome | Findings and corrective actions | Certification decision |
| Frequency | Planned by the organisation (at least one per year) | Typically, annual surveillance |
| Use for tenders | Indirect support | Often explicitly required |

Why ISO 9001 audits matter for UK businesses

For UK organisations, ISO 9001 audits often support wider business and regulatory expectations, including:

  • Public sector and framework tenders
  • Customer assurance and supplier approvals
  • Trading Standards and consumer protection expectations
  • Supply chain credibility, particularly in regulated sectors
  • Competitive advantage by showing independently verified quality management

Regular audits help make sure your quality management system remains effective and relevant — even as your business, customers, or regulations change.

What affects ISO 9001 audit costs and duration?

It’s natural to want a clear figure when planning for an ISO 9001 audit — but in reality, there isn’t a single price that applies to every organisation. Audits are planned around how your business operates – including its size, structure, and scope.

Once these details are understood by your chosen certification body, the audit time and cost should be clearly defined and agreed upfront. For example, when you work with Citation ISO Certification, pricing is set out clearly at the start and fixed for the duration of your contract, giving you full visibility of your financial commitment from day one.

Understanding the factors that influence cost and duration can help you plan realistically and avoid surprises during the certification process.

Key factors that influence audit cost and timescale

The main factors that affect ISO 9001 certification costs and timescales include: 

  • Size of your organisation 
    Larger organisations typically require more audit time due to the number of people, processes, and locations involved. 
  • Scope of certification
    A narrow, clearly defined scope is quicker to audit than a broad or multi-site scope. 
  • Complexity of operations
    Highly regulated sectors typically require more audit time than low-risk environments.  
  • Maturity of your quality management system 
    Businesses with existing processes and records in place often move through audits more efficiently. 
  • Audit type
    Internal audits, initial certification audits, surveillance audits, and recertification audits all require different levels of time and depth. 
  • Choice of certification body
    Different certification bodies structure audit time, support, and what’s included differently, which can affect overall cost and experience.


ISO 9001 audit process

Whether you’re carrying out an internal audit or preparing for certification, understanding the process upfront helps take the pressure off and makes audits feel far more manageable.

Internal audit process (first-party audit)

Internal audits are a required part of ISO 9001 and play a crucial role in keeping your system healthy. Done well, they act as a safety net — helping you spot issues early, before they become customer problems or external audit findings. 

A typical internal audit process looks like this: 

  1. Planning the audit
    You decide what will be audited, when, and by whom. Audits should be planned around risk, meaning higher-risk or problem areas are reviewed more often. 
  2. Reviewing processes and documentation
    The auditor looks at relevant procedures, objectives, and records to understand how the processes in place are supposed to work.
  3. Checking what happens in practice
    This is the most important part. The auditor will observe activities and sample records to confirm that procedures are being followed day to day. 
  4. Recording findings
    Any gaps, weaknesses, or improvement opportunities are documented clearly and objectively. 
  5. Corrective actions
    Where issues are found, actions are agreed to address root causes — not just symptoms. 
  6. Following up
    Actions are reviewed to confirm they’ve been implemented and are working effectively. 

Internal audits should help identify issues early, reduce risk, and make external audits far more predictable. When handled properly, they’re one of the most practical tools you have for improving performance and reducing risk.

External audit process (certification and surveillance)

External audits are carried out by an independent certification body (like us) and provide objective assurance that your quality management system meets the requirements of ISO 9001. They’re required to achieve and maintain ISO 9001 certification.

The audit stages outlined below reflect the widely recognised ISO 9001 certification audit framework used across the UK. While the certification audit itself must remain independent, the way organisations prepare for it — and the level of support they choose to have in place beforehand — can vary. You can find out more about alternative accredited routes later on this page.

Stage 1 audit – readiness review

The Stage 1 audit is an initial, high-level check of what’s in place for your quality management system and whether there are any gaps that need attention before full assessment.

This typically looks at:

  • Your defined scope and any exclusions
  • Key policies and documented processes
  • Awareness of ISO 9001 requirements
  • How risks and legal obligations are considered

Any gaps identified can then be addressed before the certification audit.

Stage 2 audit – certification audit

The Stage 2 audit is where certification is assessed.

During this stage, an auditor will:

  • Follow real processes across the business
  • Speak with people at different levels
  • Review records and performance data
  • Confirm alignment with ISO 9001:2015 requirements

If issues are identified, they’re categorised as nonconformities, observations, or opportunities for improvement.

Surveillance audits

Once certified, periodic surveillance audits take place to confirm that your system is being maintained and improved.

These audits are typically shorter and focus on:

  • Changes to the business or processes
  • Progress against quality objectives
  • How issues and improvements are managed

For organisations that keep their management system up to date, surveillance audits are typically low-stress and efficient.

Recertification audit

Some certification bodies may carry out a recertification audit every three years to renew your ISO 9001 certification.

This is a broader review of the system, but by this stage most organisations are very familiar with the process and well prepared.

Preparing for your ISO 9001 audit

Preparing for an ISO 9001 audit is about making sure your quality management system is ready to be reviewed and that the right information is easy to demonstrate on the day.

For most organisations, this means taking a structured look at how quality is managed, checking that key processes are up to date, and making sure people understand their role within the system. With a clear approach, preparation can be straightforward and reassuring rather than disruptive.

Key steps to prepare for an ISO 9001 audit

Ahead of an audit, it’s helpful to check a few key areas:

  1. Review readiness against ISO 9001 requirements
    This may include a formal gap analysis or a structured readiness check, depending on where you are in your certification journey.
  2. Confirm your scope
    Make sure your scope accurately reflects your activities, services, and any justified exclusions.
  3. Review your quality policy and objectives
    These should be current, relevant, and understood by leadership.
  4. Check internal audits are up to date
    Internal audits should be planned, completed, and recorded, with actions addressed.
  5. Hold a management review
    Management reviews should consider performance, risks, issues, and opportunities for improvement.
  6. Close out corrective actions
    Any nonconformities or issues should be resolved or clearly managed.
  7. Brief your team
    Staff don’t need to know the Standard — just how quality applies to their role.
  8. Organise key records
    Make sure important documents and records are accessible during the audit.
  9. Sense-check readiness through a mock or trial audit
    A mock audit can help familiarise people with the audit process and highlight anything that needs attention before the certification audit.

A simple ISO 9001 audit readiness checklist

Before your audit, ask yourself: 

Context and leadership 

1. Have we identified the context of our organisation and relevant interested parties?
2. Is the scope of our Quality Management System clear, accurate, and documented?
3. Are leadership roles and responsibilities for quality defined and understood?
4. Is our quality policy current and communicated where needed? 

Planning and support
5. Have we identified and reviewed risks and opportunities?
6. Are quality objectives measurable and monitored?
7. Do we have the resources needed to support the QMS?
8. Are training and competence records up to date?
9. Is documented information controlled and current? 

Operation
10. Are our core processes defined and followed in practice?
11. Are changes to processes managed in a controlled way?
12. Are suppliers and outsourced processes appropriately controlled?
13. Are customer requirements understood and consistently met? 

Performance and improvement
14. Do we review customer feedback and complaints?
15. Have internal audits been completed as planned?
16. Has a management review taken place?
17. Are nonconformities recorded and corrective actions managed?
18. Are opportunities for continual improvement identified and tracked? 

If most of these are in place, you’re in a strong position. Much of the stress around audits comes from uncertainty rather than the audit itself. Clear preparation, structured reviews, and practical support help reduce disruption and allow your team to focus on day-to-day work, even during audit periods. 


ISO 9001:2015 audit checklist (clauses 4–10)

Below is a practical ISO 9001:2015 audit checklist, structured around Clauses 4–10 of the Standard. It can be used to support internal audits and certification audit preparation.

To get the most value from it, this should be used alongside your own quality management system. This will help keep audit preparation relevant and the checklist focused on how your business actually works. 

The checklist focuses on what auditors typically review and the type of evidence they expect to see, rather than prescribing how your system should be designed. 

| ISO 9001 clause | Audit focus | Typical evidence reviewed |
|---|---|---|
| Clause 4 – Context of the organisation | Has the organisation identified its context and interested parties? Is the scope defined? | Scope statement, context analysis, interested parties register |
| Clause 5 – Leadership | Is leadership accountable for the QMS and quality policy? | Quality policy, defined roles and responsibilities |
| Clause 6 – Planning | Have risks and opportunities been identified and addressed? Are objectives set? | Risk register, quality objectives, action plans |
| Clause 7 – Support | Are resources, competence, and documented information controlled? | Training records, document control logs |
| Clause 8 – Operation | Are operational processes planned and controlled? | Process maps, procedures, supplier controls |
| Clause 9 – Performance evaluation | Is performance monitored and reviewed? | KPIs, internal audit records, management reviews |
| Clause 10 – Improvement | Are issues managed and improvements identified? | Nonconformity records, corrective actions, improvement logs |

Common nonconformities in ISO 9001 audits

Nonconformities identified during ISO 9001 audits are rarely about major failures. In most cases, they relate to gaps between what’s documented, what’s happening in practice, or how consistently processes are applied.

Understanding common audit findings can help you focus on the areas where businesses often slip up — and avoid those issues before they come up in your own audit.

Typical ISO 9001 audit findings

Some of the most common nonconformities seen in ISO 9001 audits include:

  • Processes not followed consistently
    Procedures exist, but day-to-day practice varies between teams or individuals.
  • Risks not reviewed or kept up to date
    Risks are identified once but not revisited as the business changes.
  • Quality objectives not measured
    Objectives are set but not monitored or reviewed regularly.
  • Internal audits missed or incomplete
    Internal audits haven’t been carried out as planned, or actions remain open.
  • Corrective actions not fully closed
    Issues are addressed in the short term, but root causes aren’t resolved.
  • Supplier controls not clearly defined
    Outsourced processes or suppliers aren’t reviewed consistently.

Most nonconformities are opportunities to strengthen the system. Addressed early, they help improve consistency and reduce the risk of customer issues later on.

Benefits of ISO 9001 audits

ISO 9001 audits aren’t just about achieving and maintaining certification; they can deliver big benefits for your business.

Regular audits help you:

  • Keep your ISO 9001 certification on track
  • Spot issues before they turn into customer problems and complaints
  • Improve consistency across teams and processes
  • Build confidence with customers and suppliers
  • Support tender and contract requirements
  • Embed continual improvement into day-to-day operations

For many UK businesses, audits also provide reassurance that quality is being managed properly as the organisation grows or changes.

Audits with Citation ISO Certification

While ISO 9001 audits follow a recognised certification framework, the experience of going through them can feel very different depending on the level of support you have in place.

With Citation ISO Certification, external audits form part of the overall ISO 9001 certification service. As an accredited certification body, we ensure the certification decision remains fully independent, while also providing consultancy support alongside the process. You can find out more about our ISO 9001 certification process and ISO 9001 costs here.

As with all ISO certifications, organisations are also required to carry out internal audits to review performance and identify improvements ahead of external assessment. When you work with Citation ISO Certification, you’re not left to figure this out on your own. We provide support to help you plan and complete your internal audits, as well as follow up on any actions. This takes much of the pressure off your team and helps make the process far more straightforward and manageable than many businesses expect.

Our certification service includes full gap analysis and hands-on support to help you develop and refine your quality management system based on the findings. This helps you understand where your system already meets the requirements and where any changes may be needed before certification. Many organisations choose to have this type of support in place to prepare confidently — without affecting the independence of the certification decision.

FAQs

What is an ISO 9001 audit checklist?

What are the main ISO 9001 clauses audited?

What is the ISO 9001 audit process?

How long does an ISO 9001 audit take?

What is the difference between ISO 9001 and ISO 14001 audits?