Track lessons — you are at 11 of 12

Lesson 11 of 12

How to Prepare for an External Audit

4 min

The email landed Sunday morning on the desk of the quality manager at a facilities maintenance company in Riyadh: the certification body had confirmed the audit date — stage 1, five weeks out. In a familiar scene, the office turns into a nocturnal beehive: printing records, chasing signatures, "updating" documents all at once.

In another scene entirely — at the facility that built its system day by day — the same news lands like a reminder of a routine maintenance appointment.

The difference between the two scenes isn't luck; it's understanding what will actually happen, and what the auditor really asks for. Let's walk the whole journey.

The certification journey: from stage 1 to recertification

Certification is granted by an independent certification body, and its audit follows a fixed path worth knowing well:

  1. Stage 1 — documentation readiness: The auditor reviews your system's documents: scope, policy, risk assessment, objectives — and confirms that an internal audit and a management review have actually taken place before their visit. Usually one day, sometimes done remotely. The output is a list of gaps to address and a decision on whether you're ready for stage 2.
  2. Stage 2 — implementation evidence: Weeks later, a deeper on-site audit: walkthroughs, interviews, record sampling, and the governing question: is what's written actually being done? Certification is granted or withheld based on the outcome.
  3. Surveillance audits — annual follow-up: Certification is valid for three years, and during that period the body visits once a year with a lighter audit that samples part of the system and confirms it's still working.
  4. Re-certification: In the third year, a comprehensive audit renews certification for a new cycle.

Read this rhythm carefully: the certification body won't see you once and disappear — it will come back every year. That's why a "campaign" style of preparation is a strategic loser even when it succeeds once.

Stage 2 day: what the auditor actually asks for

At the Riyadh company, the day opened with a short kickoff meeting: the plan, the scope, and the walkthrough schedule. Then the auditor asked, roughly in this order, for:

  • The hazard register, asking: how did you assess the risks of rooftop work on the new client project?
  • Training records for a sample the auditor chose personally: five technicians by name — not the sample you had prepared.
  • The latest internal audit, its findings, corrective actions, and closure status, plus the minutes of the latest management review and its decisions.
  • Incident records and their investigations, and inspection certificates for critical equipment.

Then the auditor went down to the field and asked a technician on a ladder: "If you saw a hazard right now, what would you do?" That answer weighs more with the auditor than a complete file, because it reveals whether the system is alive on the ground or trapped on paper.

Findings are classified: a major nonconformity — a systemic failure that halts certification until it's addressed and verified; a minor nonconformity — a limited failure where certification is still granted alongside a corrective action plan reviewed at the next visit; and observations for improvement. It's the same classification you already know from what is a nonconformity — nothing new to fear.

The final weeks: organizing, not building

If your system genuinely works, real preparation happened all year long, and the final weeks are only about organizing:

  1. Run an internal audit covering the full certification scope, and close its findings — or document plans to close them; an openly documented gap is easier for the auditor to accept than a hidden one.
  2. Make sure a recent management review took place with full inputs and documented decisions.
  3. Go through your evidence clause by clause: does every implemented clause have current evidence that can be pulled up in a minute?
  4. Brief the team — not to script them, but so everyone knows their role, where to find what concerns them, and that honesty with the auditor is the facility's stated policy.

Common mistakes

  • The last-two-weeks documentation campaign: twenty minutes, all dated the same month. The auditor reads dates before content — and this is the unmistakable fingerprint of a paper-only system.
  • Coaching workers with scripted answers: the first follow-up question exposes the memorization. Once the auditor's trust breaks at one point, it casts doubt on everything seen before it.
  • Hiding gaps: the auditor trusts a facility that knows its flaws and is addressing them more than one that looks "perfect" on paper — and if a hidden gap is discovered, it turns a minor nonconformity into a major one.

In goiso

The compliance surface is your external-audit readiness board exactly as it stands, with no extra prep required: every clause is color-coded — green for conformant with evidence, amber for missing evidence, red for nonconformant, gray for excluded from your scope — and the readiness ring gives you the honest percentage, not the optimistic one. Before the visit, work through amber and red clause by clause: see how to track standard clauses and how to turn a clause green. And if the evidence sits with a colleague, request it directly from the clause card instead of chasing it by email — uploading it closes the request and turns it into evidence right there.

Summary

  • The path is fixed: stage 1 (documentation readiness), then stage 2 (implementation evidence), then annual surveillance and recertification every three years.
  • The auditor picks their own samples, and weighs a field worker's answer as much as the records.
  • Honesty is a strategy: a documented gap with a remediation plan beats claimed perfection.
  • Real preparation is a system that works all year; the final weeks are just tidying up.

You got certified — and this is where the real test begins, not ends. Next: the continual improvement cycle and how to sustain it.