What Documents Do ISO Auditors Check During an Audit?

CertBetter

Team CertBetter


Why Document Review Is the Backbone of Every ISO Audit

If you have an ISO audit coming up and you are wondering what documents ISO auditors check, you are asking exactly the right question. Document review is not a formality. It is the foundation of every certification audit, surveillance audit, and recertification audit. Before an auditor interviews your staff or walks your facility, they are already forming a picture of your management system based on what you have put on paper.

The short answer is that auditors check two categories of documented information: the documents that describe how your system works, and the records that prove it actually works that way. Both matter. Missing one category while nailing the other will still land you with a nonconformity.

This article walks through the specific documents auditors look for across the most common ISO standards, explains why each one matters, and gives you practical guidance on getting your documentation in order before audit day. If you want a broader understanding of the audit process itself, the beginner guide to common types of audits is a good starting point.

The Difference Between Documents and Records

Before diving into the specifics, it is worth clarifying this distinction because auditors treat them differently.

Documents are the instructions, policies, procedures, and plans that tell people what to do and how to do it. They are living things that get reviewed, updated, and approved. Examples include your quality policy, your scope statement, your procedures for handling customer complaints, and your risk register format.

Records are the evidence that those documents were followed. They capture what actually happened. Examples include completed audit reports, signed training records, customer complaint logs, corrective action forms, and meeting minutes from management reviews.

ISO standards use the term documented information to cover both. When an auditor asks for documented information, they want to see both the instruction and the evidence that it was carried out. Understanding what controlled documents are and how to implement them will help you manage both categories properly.

Core Documents Every ISO Audit Will Cover

Regardless of which standard you are being audited against, certain documents appear on every auditor's checklist. These are the foundational elements of any management system.

Scope of the Management System

The scope defines what your certification covers. It tells the auditor which parts of your business, which sites, which products or services, and which processes fall within the certified system. Auditors check this first because everything else is evaluated against it.

A vague or overly narrow scope will raise questions. If your scope says you provide software development services but the auditor finds you also provide ongoing support and maintenance, expect a conversation. Your scope needs to reflect reality. For a deeper look at how scopes work, the guide to Clause 4.3 on determining scope covers this in detail.

Policy Documents

Every major ISO standard requires a top-level policy. ISO 9001 requires a quality policy. ISO 14001 requires an environmental policy. ISO 45001 requires an occupational health and safety policy. ISO 27001 requires an information security policy.

Auditors check that the policy is documented, that it is appropriate to the organisation, that it includes a commitment to continual improvement, and that it is communicated to relevant people. They will also ask staff whether they are aware of the policy and what it means for their role. A policy that exists only in a folder nobody opens will not satisfy an auditor.

Organisational Context and Interested Parties

ISO standards based on the High Level Structure, which covers most modern standards, require you to document your understanding of internal and external issues that affect your system, and the needs and expectations of interested parties. This is often captured in a context analysis document or a SWOT-style register.

Auditors use this document to check whether your risks, objectives, and processes are grounded in real business context. If your context analysis mentions supply chain disruption as a key risk but your risk register does not address it anywhere, that inconsistency will be noted.

Risk and Opportunity Register

Risk-based thinking is central to all modern ISO standards. Auditors will ask to see how you have identified risks and opportunities, how you have assessed them, and what actions you have taken in response. This document does not need to be a complex spreadsheet. It does need to be current, relevant, and connected to your actual operations.

A risk register that was created during initial certification and never touched again is a red flag. Auditors expect to see evidence that it is reviewed and updated regularly.

Objectives and Plans

You need documented objectives that are measurable, monitored, and communicated. Auditors check that your objectives are consistent with your policy, that you have plans showing who is responsible for achieving them, what resources are needed, and how progress is tracked. They will then cross-reference your objectives with your performance data to see whether you are actually measuring progress.

Standard-Specific Documents Auditors Check

Beyond the core documents, each standard has specific documented information requirements. Here is a breakdown of the most common standards.

ISO 9001 Quality Management

For ISO 9001 audits, the documents most commonly reviewed include:

  • The quality manual or equivalent system overview (not formally required but still common)
  • Documented procedures for controlling nonconforming outputs
  • Calibration records for monitoring and measuring equipment
  • Customer communication records and complaint logs
  • Design and development records where applicable
  • Supplier evaluation records and approved supplier lists
  • Internal audit programme and completed audit reports
  • Management review minutes
  • Corrective action records
  • Training and competence records for staff in quality-critical roles

Auditors will trace a product or service through your system, a process called process tracing, and they will pull records at each step to verify the process was followed. If you manufacture components, they might start with a customer order and follow it through to delivery, checking records at each stage.

ISO 14001 Environmental Management

For ISO 14001 audits, auditors focus heavily on:

  • Environmental aspects and impacts register
  • Legal and compliance obligations register
  • Environmental monitoring and measurement records
  • Emergency preparedness procedures and drill records
  • Waste disposal records and manifests
  • Supplier and contractor environmental requirements
  • Incident and spill records
  • Competence records for staff with environmental responsibilities

The legal register is one area where many businesses struggle. Auditors want to see that you have identified every relevant environmental law and regulation that applies to your operations, that you have assessed your compliance with each one, and that you have evidence of that compliance. A generic list of laws without any assessment against your specific operations will not satisfy the requirement.

ISO 45001 Occupational Health and Safety

ISO 45001 audits place significant emphasis on worker participation and hazard management. Documents reviewed include:

  • Hazard identification and risk assessment records
  • Legal compliance register for WHS obligations
  • Incident, near miss, and injury records
  • Emergency response procedures and drill records
  • Safe work method statements and job safety analyses
  • Consultation and participation records showing worker involvement
  • Contractor management records
  • Return to work and rehabilitation records where applicable
  • Competence and induction training records

Auditors will often speak directly with workers during an ISO 45001 audit to verify that the documented procedures match what actually happens on the floor. If your documented procedure says workers must complete a hazard assessment before starting a task but workers tell the auditor they have never done one, your documentation becomes evidence of a system that does not work.

ISO 27001 Information Security

ISO 27001 is one of the most document-intensive standards. Auditors will review:

  • Information security risk assessment and treatment records
  • Statement of Applicability showing which of the 93 controls are applicable and why
  • Asset inventory and classification records
  • Access control policies and user access review records
  • Incident management logs
  • Business continuity and disaster recovery plans
  • Supplier security agreements
  • Penetration testing and vulnerability assessment reports
  • Security awareness training records
  • Change management records

The Statement of Applicability is unique to ISO 27001 and is almost always the first document an auditor requests. It is the map of your entire information security control framework. If it is incomplete, out of date, or inconsistent with your risk treatment plan, the audit will not go well.

Records That Prove Your System Is Actually Working

Documents describe intent. Records prove execution. Auditors spend a significant portion of their time reviewing records, and this is where many businesses get caught out.

Internal Audit Records

Your internal audit programme and the completed audit reports are critical. Auditors check that you are auditing all processes within scope, that audits are conducted at planned intervals, that findings are recorded, and that corrective actions have been raised and closed out. A business that has only audited one or two processes in the past year, or where audit findings have no corresponding corrective actions, will face questions.

If you want to improve the quality of your internal audits before a certification audit, the article on how to run ISO internal audits that actually find problems gives practical guidance.

Management Review Records

Management review minutes are reviewed closely. Auditors check that top management is actively involved, that the review covers all required inputs (audit results, customer feedback, performance against objectives, resource needs, and so on), and that decisions and actions are recorded with owners and timescales. A one-page set of minutes that says “system is working well, no actions required” will not satisfy the requirement.

Corrective Action Records

Every nonconformity raised, whether from an internal audit, a customer complaint, an incident, or a previous external audit, should have a corresponding corrective action record. Auditors check that the root cause was identified, that the corrective action addresses the root cause rather than just the symptom, and that the action was verified as effective. Closing out a corrective action without verifying effectiveness is a common finding.

Competence and Training Records

For every person whose work affects the performance of the management system, you need records that demonstrate their competence. This typically includes job descriptions or competence profiles, qualifications and certificates, training records, and where relevant, records of on-the-job assessments. Auditors will cross-reference these against the roles they interview during the audit.

How Auditors Actually Use Documents During the Audit

Understanding what documents auditors check is only part of the picture. Knowing how they use those documents helps you prepare more effectively.

Auditors do not just read documents in isolation. They use a technique called sampling, where they select a document and then trace it through the system to verify consistency. For example, an auditor might select a supplier from your approved supplier list and then check whether there is an evaluation record for that supplier, whether any nonconformances were raised against them, and whether those nonconformances were resolved.

They also look for gaps between what is documented and what actually happens. This is why staff interviews are conducted alongside document review. If your procedure says a task requires two people to sign off but records only show one signature, the auditor will investigate further.

According to ISO 19011, the guidelines for auditing management systems, auditors are expected to collect objective evidence through document review, interviews, and observation. No single method is sufficient on its own.

Common Documentation Mistakes That Lead to Nonconformities

Across years of conducting ISO audits and preparing businesses for them, certain mistakes come up repeatedly.

  • Documents that are out of date. A procedure that references a role that no longer exists, or a policy with a review date three years past, signals a system that is not being maintained.
  • Records that cannot be located. If you cannot produce a record during the audit, the auditor must assume it does not exist. Disorganised filing systems are a practical problem, not just a procedural one.
  • Documents that describe a perfect world. Procedures written to satisfy the auditor rather than reflect reality will be exposed the moment staff are interviewed or processes are observed.
  • Incomplete corrective action records. Raising a corrective action and then not following through to verify effectiveness is one of the most common findings in surveillance audits.
  • Legal registers that are generic. Copying a list of legislation from a template without assessing how each law applies to your specific operations does not meet the requirement.

If you are preparing for your first certification audit, the article covering 10 things to do before an ISO Stage 2 certification audit provides a practical preparation checklist that complements the document focus covered here.

Getting Your Documentation Ready Before the Audit

The best time to review your documentation is not the week before the audit. It is at least two to three months out. Here is a practical approach.

  1. Map your documented information requirements. Go through the standard clause by clause and list every piece of documented information that is explicitly required. This becomes your baseline checklist.
  2. Audit your own documents. Check that each required document exists, is current, has been reviewed within its defined review period, and is accessible to the people who need it.
  3. Check your records for completeness. Pull a sample of records from the past 12 months for each key process. Are they complete? Are they consistent with your documented procedures?
  4. Close out open corrective actions. Any corrective action that is past its due date needs attention before the audit. Auditors notice when actions remain open for months without progress.
  5. Verify your legal register. If you have not reviewed your legal and compliance obligations in the past 12 months, do it now. Regulations change, and your register needs to reflect current requirements.

If you are unsure whether your documentation is genuinely audit-ready, an experienced ISO consultant can conduct a gap assessment and identify the specific areas that need attention before the certification body arrives. Choosing the right consultant matters, and understanding how to select the best ISO consultant for certification will help you make a good decision.

How CertBetter Can Help

If you are preparing for an ISO audit and want to make sure your documentation is in order, working with a qualified ISO consultant is the most direct path to audit readiness. At CertBetter, we connect businesses with vetted ISO consultants and accredited certification bodies across Australia and globally. You submit one form and receive up to three competing quotes from providers who have been verified for experience and credibility. The service is completely free for businesses seeking certification help. It is a straightforward way to find the right support without the usual guesswork.


Frequently Asked Questions

There is no single most important document, but the scope of the management system and the top-level policy are typically the first things reviewed because they set the context for everything else. For ISO 27001 specifically, the Statement of Applicability is treated as a foundational document that auditors almost always request first.

A formal quality manual is not explicitly required by ISO 9001:2015. The standard requires documented information sufficient to support the operation of your processes and to give confidence that the processes are being carried out as planned. Many organisations still maintain a quality manual because it provides a useful overview of the system, but it is not a mandatory requirement under the current version of the standard.

If a document or record is required by the standard and you cannot produce it during the audit, the auditor will typically raise a nonconformity. For a minor nonconformity, you will be given a defined period to provide evidence of corrective action. For a major nonconformity, certification may be withheld until the issue is resolved. The key message is that, from an auditor's perspective, if it is not documented, it did not happen.

For initial certification audits, auditors generally look at records from the period since the management system was implemented, which is typically three to six months at minimum. For surveillance and recertification audits, the period since the last audit is the standard window, usually 12 months. Some records, such as calibration history and training records, may be reviewed over a longer period depending on the context.

ISO standards do not prescribe the format of documented information. Electronic documents and records are fully acceptable provided they are controlled, accessible to those who need them, protected from unintended alteration or deletion, and retained for the required period. Many businesses use document management systems, cloud storage, or quality management software. The key requirement is that the documentation can be retrieved quickly during an audit and that version control is maintained.

Yes, auditors will check your supplier management documentation, including your approved supplier list, supplier evaluation records, and any performance monitoring records. For high-risk or critical suppliers, they may also check whether you have reviewed their certifications, conducted audits, or obtained other evidence of their capability. The depth of scrutiny depends on how critical the supplier is to your product or service quality and the risks involved.

Dilawar Laghari

Hi! I am Dilawar Laghari, founder of CertBetter.

I created CertBetter to help anyone compare ISO certification providers for free.
