External Audit Readiness: The Complete Evidence Checklist Before the Auditor Arrives
Between a facility's daily operation and the external auditor's visit lies a gap usually filled with manual scramble — nights spent gathering paperwork, signatures completed retroactively, and urgent calls two days before the appointment. This gap is not fate. The auditor is not looking for perfection; they are looking for a system that works, and for evidence that proves it works. Prepare the right evidence, in the right categories, weeks ahead of the date — and you walk into the opening meeting knowing what will be asked before it is asked.
This guide organizes your preparation into four stops: what the auditor does on day one, the evidence checklist across six categories, the "random sample" test, and what to do with the findings after they leave.
What Does the Auditor Do on Day One?
Whether the visit is an ISO certification audit by an accredited certification body, or an inspection by a regulator, day one usually follows a similar rhythm.
The Opening Meeting and the Site Walk
The auditor presents the audit scope, plan, and criteria, then asks for a walk around the site. The walk is not a courtesy — it is a first match between what your documents claim and what their eyes see. A fire extinguisher past its inspection date in the corridor reads, to them, as an unreliable maintenance record, and a blocked emergency exit opens a line of questions that will not end quickly.
The Records Sample
The auditor does not read everything; they pull a sample. Training files for three employees they choose, inspection reports for specific equipment, and one corrective action they trace from the report all the way to closure. The small sample judges the entire system — which is why preparing only the "expected files" is not enough.
Employee Interviews
They ask the maintenance worker about the work permit in their hand, the shift supervisor about the last evacuation drill, and the warehouse officer about handling hazardous materials. Confused answers tell them more than tidy files do.
The Evidence Checklist: Six Categories to Prepare Before the Visit
Gather your evidence into the following six categories, and assign each category a single owner who knows where every document sits and can produce it within minutes — because a long search in front of the auditor is a finding in itself.
1. Governance Documents
- The approved policy signed by top management, with the date of its last review.
- The system's scope and boundaries: the sites and activities covered, and the exclusions with their justifications.
- The matrix of roles, responsibilities, and authorities.
- Management review minutes — with inputs, outputs, and decisions, not a token attendance record.
- Objectives, KPIs, and their progress status up to a recent date.
If your audit is on an occupational health and safety system, review the Practical Guide to ISO 45001 Requirements to understand in detail what these documents cover.
2. Daily Operating Records
- Routine inspection reports, signed and dated at the moment of execution.
- Permits to Work (PTW) — closed ones archived, open ones tracked in the field.
- The risk assessment register, and its updates after every operational change or incident.
- Hazard observation reports and the actions taken on them.
3. Competence and Training
- The competence matrix: who needs which training, and when it expires.
- Valid certificates for critical work: welding, working at height, confined spaces, crane operation.
- Induction records for new employees and for contractors before they enter the site.
- Evidence of training effectiveness evaluation — not the attendance sheet alone.
4. Incidents and Corrective Actions
- The register of incidents and near misses, however small they seem.
- Investigation reports with root cause analysis, not a surface description of what happened.
- A complete CAPA log: every action with an owner, a due date, and closure evidence.
- Trend analysis: are the same causes recurring? And what did you do about it?
5. Equipment and Maintenance
- The critical asset register, its preventive maintenance plans, and their completion rates.
- Statutory inspection certificates for equipment subject to it: cranes, pressure vessels, elevators.
- Calibration records for measuring and test instruments.
- If your system covers energy management, measurement data is the foundation of your evidence — see the Steps to Build an ISO 50001 System.
6. Emergency Preparedness
- An emergency plan updated with correct names and numbers — not the names of employees who left two years ago.
- Evacuation drill records: the date, the evacuation time, the gaps, and the lessons learned.
- Inspection reports for emergency equipment: extinguishers, alarms, emergency lighting, assembly points.
- Evidence of coordination with external parties where required: civil defense and nearby medical facilities.
And if your visit is a regulatory inspection rather than a certification audit, start from your country's requirements before any international standard — the Occupational Safety Requirements in Jordan are a practical model for this path.
The "Random Sample" Test: The Truest Measure of Your Readiness
Try it before the auditor does. Pull a random employee — from any department — and ask them three questions: What is your role when you hear the alarm? Where is the nearest assembly point? How do you report a hazardous observation?
The auditor does exactly this, and for precisely this reason: documents can be prepared, but employee awareness cannot be prepared in a week. If the employee answers with confidence, your system is alive. And if they look to their supervisor for rescue, your documents are ink on paper — however tidy they are.
Repeat the exercise on the records: pick a random piece of equipment and ask for its full maintenance file. Pick an incident that occurred months ago and trace its corrective action all the way to the closure evidence. Every gap you find today is a finding you spared yourself on the auditor's report tomorrow.
Two Facilities Before the Same Auditor
The first facility manages its evidence daily: the inspection is documented at the moment of execution, the training is recorded on the day it is held, and the corrective action is closed with evidence, not a promise. When the audit date is set, nothing in its routine changes — the evidence already exists because it is a product of the work, not an activity layered on top of it.
The second facility may perform well in the field, but it documents in the final week. The result is a pattern every seasoned auditor knows: records with suspiciously close dates, signatures gathered in a single day, and employees coached on "the answers" two days before the visit. And the moment the auditor doubts one sample, they widen the sample — turning a tiring day into a harder week.
The irony is that the second facility usually exerts greater effort and reaps a worse result. The difference is not in the quantity of work, but in its placement: the first made documentation part of operation itself, so the audit became a reading of its reality rather than a test of its memory. This is the practical meaning of Living Compliance — readiness measured every day, not manufactured every year.
After the Visit: What Do You Do With the Findings?
The visit does not end with the closing meeting; it ends with a documented closure of everything observed. Follow five steps:
- Classify each finding. Major nonconformity: a systemic absence of a requirement or a breakdown in applying it. Minor nonconformity: an isolated failure that does not collapse the system. Observation or opportunity for improvement: it requires no mandatory action, but repeatedly ignoring it later turns it into a nonconformity.
- Analyze the root before you correct. "A fire extinguisher past its inspection date was found" is not the problem; the problem may be an inspection schedule with no defined owner. Treat the cause, not the symptom — otherwise the same finding returns at the next visit.
- Open a CAPA for every nonconformity. An immediate correction removes the existing condition, and a corrective action prevents its recurrence — each with an owner and a completion date.
- Close with evidence, not a statement. The phrase "done" is not enough; attach the new record, the photo, or the training minutes that prove the closure.
- Verify effectiveness after a while. Weeks after closure, ask: did the recurrence actually stop? Document your answer — it is the first thing requested at the follow-up visit.
Certification bodies usually require a correction plan within a defined deadline, and their decision may hinge — in cases of major nonconformity — on verifying the closure before recommending the grant or continuation of the certificate. The decision is always theirs; your role is to make your evidence speak for you.
Readiness Is a Daily State, Not a Season
The checklist above is not a "final week" project — it is a mirror of your daily operation. When the inspection is documented at the moment it happens, the corrective action is closed with its evidence, and the evidence is present before it is requested, the external audit becomes an ordinary visit rather than an exceptional event. This is what goiso was built for: a platform that manages your inspections, permits, corrective actions, and evidence in a single living record — so you measure your readiness before the auditor does.