CLEO
← All resources

How to Prepare for an ISO 9001 Audit Without Losing a Month to It

A practical pre-audit checklist for small manufacturers — what auditors actually look for, where most shops fall short, and how to prepare without stopping production.

April 12, 202610 min read

An ISO 9001 audit is coming. Maybe it is a surveillance audit to maintain your certification. Maybe it is a customer audit. Maybe it is your first Stage 2 and you are trying to figure out how bad it is going to be.

Here is what to know: auditors are not trying to find reasons to fail you. They are verifying that you have a working system — not a perfect one, but a functioning one. Most audit findings come from a handful of predictable gaps that shops either do not know about or have let slip.

This guide gives you the checklist and the context. Work through it a few weeks before your audit and you will walk in with confidence.

What Auditors Actually Look For

Before the checklist, the mindset.

An ISO 9001 auditor is not looking for perfect procedures or pristine records. They are looking for evidence that three things are true:

  1. You say what you do. Your documented procedures describe how work actually happens in your shop.
  2. You do what you say. Your records prove that people follow those procedures.
  3. You improve when things go wrong. When a problem surfaces, you investigate it and fix it — not just once, but systemically.

Most audit findings happen because one of those three links is broken. The documentation does not match the practice. The records are missing or incomplete. The corrective actions are vague or never closed.

Keep that frame in mind as you work through the checklist below. You are not looking for gaps in the paperwork — you are looking for gaps between what you say and what you do.

The Pre-Audit Checklist

1. Your Quality Management System Basics

  • Quality policy exists and is signed. One page is fine. It should state your commitment to quality and continuous improvement. It needs an owner signature and a date.
  • Quality objectives are documented and current. What are you measuring? What are the targets? What is the current performance against each one? If the objectives have not been reviewed in the last 12 months, update them.
  • Roles and responsibilities are defined. Who is responsible for quality? Who has authority to stop a job? Org chart or a simple roles document is sufficient.
  • Management review has been conducted in the last 12 months. There needs to be a record of it — agenda, attendees, inputs reviewed, outputs decided. A meeting without minutes did not happen from an auditor's perspective.

2. Document Control

  • All controlled documents have revision numbers and approval signatures. Work instructions, procedures, forms — each one should show who approved it and when.
  • Current versions are what people are actually using. Walk the floor. Are the work instructions people are referencing the current approved versions? Auditors will ask to see the document someone is following and cross-reference it against your master list.
  • Obsolete documents are removed from use. If old versions are still on the floor, that is a finding. Pull them.
  • There is a process for updating documents when things change. When a customer changes a specification, or you change a process, what is the procedure for updating the documentation? Someone needs to own this.

3. Production Records and Evidence of Work

  • Job travelers or routers are complete and signed off. Each job should have a record showing what was done, who did it, and that it was inspected.
  • Inspection records exist for finished product. First article, in-process checks, final inspection — whatever your process requires. The record should show what was checked, what the results were, and who approved release.
  • Nonconforming product is identified and controlled. If a bad part is found, there should be a record of it — what it was, where it went, what the disposition was. "We throw it in the scrap bin" is not a controlled process.
  • Traceability works. Pick a recent job. Can you trace it from the customer order through production, inspection, and shipment? Can you tie it back to the material cert? If you cannot, the auditor will flag it.

4. Corrective Actions

This is where most small shops get caught. Auditors pay close attention to corrective actions — it is the most direct evidence of whether your system drives real improvement.

  • Every significant customer complaint has a corrective action. If a customer filed a complaint in the last 12 months and you cannot show a documented investigation, root cause, and corrective action — that is a major finding.
  • Corrective actions have owners and due dates. "Will investigate" is not a corrective action. A completed record should show what happened, why it happened, what was done, who was responsible, and when it was closed.
  • Root causes go deeper than "operator error." If your corrective actions consistently identify human error as the root cause, expect questions. What did you change in the system to prevent the same human error from happening again?
  • Effectiveness has been verified. Did the fix actually work? There should be a note in the record confirming follow-up — and the date it happened.
  • Open corrective actions are tracked. If corrective actions are sitting open with no movement, that is a finding. Close them or document why they are still open and what the new target date is.

5. Supplier Control

  • You have an approved supplier list. Each critical supplier should be listed with their approval status and what they are approved to supply. "We've always used them" is not documented approval.
  • Incoming inspection is defined and documented. What do you check when material arrives? Is it written down? Are receiving records being kept?
  • Supplier corrective actions exist for supplier-caused problems. If a supplier caused a quality issue in the last 12 months, is there a record of how it was handled?

6. Calibration and Measurement

  • All measurement equipment is listed. Calipers, gauges, torque wrenches, micrometers — everything used to make quality decisions should be on a calibration list.
  • Calibration is current for every item on the list. Check the stickers and the records. Auditors will pull a gauge off the bench and check.
  • Calibration records show traceability to a standard. Your calibration lab certificate should reference a national or international standard. If you calibrate in-house, you need a reference standard that is itself traceable.
  • Out-of-calibration events are handled. If a gauge was found out of calibration, is there a record of what you did — did you inspect recent product made with that gauge?

7. Training and Competence

  • Competence requirements are defined for quality-critical roles. What does someone need to know or be able to do before they run this machine or perform this inspection? Written down, not just understood.
  • Training records exist for each employee in quality-critical roles. The record should show what training happened, when, and who delivered it. An entry in a spreadsheet with a date and signature is sufficient.
  • New employees doing quality-critical work have records before they start. Auditors will ask about your onboarding process. "They watched someone do it for a week" needs to be documented somewhere.

8. Internal Audit

  • An internal audit has been completed in the last 12 months. This is an ISO 9001 requirement — you need evidence of at least one full internal audit per year.
  • Internal audit findings were addressed. If the internal audit found gaps, there should be corrective actions or documented responses for each finding.
  • The internal audit covered all clauses of the standard. An internal audit that only looks at production and skips document control or management responsibility is incomplete.

The Week Before the Audit

Walk the floor with fresh eyes. Bring someone who was not involved in the day-to-day preparation — a second pair of eyes finds things the person who wrote the procedures stops seeing.

Look for:

  • Obsolete documents still posted or in use
  • Gauges without calibration stickers, or with expired stickers
  • Work happening that is not described in any procedure
  • Jobs with incomplete inspection records

Brief whoever the auditor will interview. They do not need to memorize anything. They need to be able to describe, in their own words, what they do — and point to the documentation that describes it. "I check dimensions after every fifth part and record it here" is exactly the kind of answer auditors want to hear.

Pull your corrective action log and review every open item. Close what you can. For items still in progress, make sure the record shows current status and a realistic target date.

If You Find a Gap

Finding a gap before the audit is far better than having the auditor find it.

If you find a missing procedure, write a brief one and get it approved. It does not need to be long. It needs to describe the actual process accurately.

If you find corrective actions that were never properly investigated, do the investigation now and document it retroactively. Date everything honestly — auditors can tell when records were created the week before an audit, and back-dating records is a path to losing certification entirely.

If you find that your practice and your documented procedure do not match, update the procedure to match the practice — assuming the practice is producing acceptable results. Do not update the practice to match an outdated procedure just for the audit.

What CLEO Maintains Continuously

If you are using CLEO, most of this checklist is maintained automatically.

Every problem logged becomes a corrective action record. Every document has version history and an approval signature. Every audit is scheduled, tracked, and linked to findings. The audit trail captures every change, every sign-off, every effectiveness check.

The audit readiness checklist inside CLEO maps directly to what auditors look at — so you are not scrambling in the week before the audit to figure out where the gaps are.

But whether you use CLEO or a set of spreadsheets, the discipline is the same: keep the records current, close what is open, and make sure what you document matches what you actually do.

The Short Version

Four to six weeks before an ISO 9001 audit:

  1. Confirm your management review, quality policy, and objectives are current
  2. Verify all controlled documents are at the right revision and obsolete versions are gone
  3. Review your corrective action log — close what you can, document status on everything open
  4. Check calibration records for every measurement device
  5. Confirm training records exist for everyone in quality-critical roles
  6. Walk the floor with fresh eyes looking for gaps between documentation and practice

The audit is not a test of whether your quality system is perfect. It is a test of whether it is real.

Protect what you build.

CLEO handles your quality system so you can focus on making things. $99/month, all-inclusive.

Start for free