Resource guide

What Auditors Actually Check: Inside a Stage 2 Certification Audit

A certification body's view of the stage 2 audit: how auditors plan, sample and trace evidence, and what they check in each department.

A Stage 2 audit is not a tour and it is not a paperwork review. Auditors follow evidence through departments until they can judge whether the system deserves certification.

Key takeaways

  • Auditors sample processes, people and records against the declared scope.
  • Findings must be tied to objective evidence and a specific requirement.
  • The auditor recommends; the independent certification decision comes after review.
Most articles about certification audits are written from the auditee's side, guessing at what the auditor wants.
Here is how a stage 2 audit actually works: how auditors plan it, what they sample, and how they decide whether your system deserves a certificate.

Why stage 2 exists

Under ISO/IEC 17021-1 (the standard that governs certification bodies themselves), initial certification requires two stages. Stage 1 established that your documented system is ready. Stage 2 answers a different question: is the system implemented and effective? Documents told us what you say you do; stage 2 checks what you actually do.

Before the auditor arrives

Stage 2 audit day timelineHOW A STAGE 2 AUDIT DAY MOVESOpeningmeetingProcesssamplingSitewalkthroughInterviewsand recordsFindingsreviewClosingmeeting
REGISTER DIAGRAM / STAGE 2 AUDIT DAY

You will receive an audit plan: which processes and departments are audited, when, and by whom. Behind that plan sits work you don't see:

  • Audit duration is calculated, not negotiated. Accredited bodies determine audit days from your headcount, sites, processes and risk using IAF-mandated rules. If a certification body offers a suspiciously short audit, it is cutting corners the accreditation body would object to.
  • Auditor competence is matched to your industry. Auditors are qualified per technical scope: a food factory is audited by someone qualified in food, a contractor by someone qualified in construction.
  • The auditor has read your stage 1 output: your documentation, your weak spots, and any areas of concern flagged for special attention at stage 2.

The opening meeting

Short and structured: confirm the scope and audit plan, confirm confidentiality, explain how findings will be classified, agree guides and logistics, and state clearly that this is a sampling exercise. The absence of findings in an area does not mean absence of problems, and findings raised must be based on objective evidence.

How auditors actually work: the evidence trail

Auditors do not read your manual and tick boxes. They pick a thread and pull it. A typical trail in a manufacturing company:

  1. Pick a recent customer order.
  2. Check how the order was reviewed: did you confirm you could meet the requirements?
  3. Follow it into planning: work order, specifications, drawing revision.
  4. Onto the floor: is the operator working to the current revision? How were they trained for this task? Show me the competence record.
  5. The instrument used to check the part: calibration status, and what happens when an instrument is found out of calibration.
  6. A nonconformity raised on this order: how was the nonconforming product controlled? Root cause? Corrective action? Was it effective?
  7. Back to the KPI review: does management actually see this data?

One thread like that touches clauses 8.2, 8.5, 7.2, 7.1.5, 8.7, 10.2 and 9.1. That is the process approach: auditing how work flows, not how the binder is organised.

What gets checked, department by department

Top management. Not a courtesy meeting. Expect questions on strategic context, risks, why the objectives are what they are, resource decisions, and what management review changed this year. Leadership (clause 5) can only be audited by talking to leaders.

Sales / customer service. Order review evidence, handling of changes, customer complaints and what they triggered, customer satisfaction data and what was done with it.

Planning / operations. Process controls in live operation: current documents at the point of use, process parameters vs specifications, identification and traceability, handling of in-process failures. Auditors watch actual work: an operator bypassing a documented control is one of the most common sources of findings.

Warehouse / logistics. Preservation of product, condition and identification of stock, control of customer property, FIFO where relevant, quarantine of nonconforming or unverified goods.

Purchasing. Supplier evaluation criteria and evidence they are applied; what happens when a supplier fails; incoming verification records tied to real deliveries.

HR / competence. Sampled personnel from the audit trail: requirements defined, training delivered, effectiveness evaluated. Awareness: staff should know the policy exists, what the objectives mean for them, and their contribution to conformity.

Quality / management system. Internal audit programme and competence of internal auditors, corrective action discipline (root cause, not blame), calibration system, document control, and the management review record examined against every required input.

What auditors are trained to notice

  • Records too clean: identical handwriting, same pen, no corrections, filled in batches, a signal of retrospective completion.
  • Dates that don't line up: training completed after the work was done; management review minutes created after stage 1.
  • The "shadow system": the documented procedure on the server and the real method taped to the machine.
  • One heroic person who knows everything: a system that lives in one head fails clause 7 and fails the business.
  • Objectives with no data trail, and internal audits that never find anything.

Findings and the closing meeting

Every finding is classified and evidenced:

  • Major nonconformity: the system fails to meet a requirement in a way that undermines its capability: a required process absent, or a total breakdown of one (e.g. no internal audits performed).
  • Minor nonconformity: an isolated failure against a requirement that does not bring down the system.
  • Observations / opportunities for improvement: not failures; things worth attention before they become findings.

At the closing meeting the auditor presents each finding with its evidence and clause reference, confirms you understand them, and explains next steps and timelines for corrective action. There should be no surprises: competent auditors raise findings as they go.

Who actually decides

The audit team recommends; it does not certify. An independent technical reviewer at the certification body (someone not involved in your audit) reviews the audit report, findings and corrective actions, and makes the certification decision. ISO/IEC 17021-1 requires this separation to protect impartiality. Once granted, the certificate is valid for three years, maintained through surveillance audits.

The takeaway

A stage 2 audit is not an inspection of your paperwork; it is a structured test of whether your management system survives contact with reality. Companies that run their system honestly all year find stage 2 uneventful. Companies that prepare a performance find that auditors have seen every version of that performance before.


QSI Cert is a SAAC-accredited, SFDA-approved certification body based in Riyadh and Al Khobar.

FAQ

Common questions from this guide.

Under ISO/IEC 17021-1 (the standard that governs certification bodies themselves), initial certification requires two stages. Stage 1 established that your documented system is ready. Stage 2 answers a different question: is the system implemented and effective? Documents told us what you say you do; stage 2 checks what you actually do.

Auditors do not read your manual and tick boxes. They pick a thread and pull it. A typical trail in a manufacturing company: Pick a recent customer order. Check how the order was reviewed: did you confirm you could meet the requirements? Follow it into planning: work order, specifications, drawing revision. Onto the floor: is the operator working to the current revision? How were they trained for this task? Show me the competence record. The instrument used to check the part: calibration status, and what happens when an instrument is found out of calibration. A nonconformity raised on this order: how was the nonconforming product controlled? Root cause? Corrective action? Was it effective? Back to the KPI review: does management actually see this data? One thread like that touches clauses 8.2, 8.5, 7.2, 7.1.5, 8.7, 10.2 and 9.1. That is the process approach: auditing how work flows, not how the binder is organised.

Top management. Not a courtesy meeting. Expect questions on strategic context, risks, why the objectives are what they are, resource decisions, and what management review changed this year. Leadership (clause 5) can only be audited by talking to leaders. Sales / customer service. Order review evidence, handling of changes, customer complaints and what they triggered, customer satisfaction data and what was done with it. Planning / operations. Process controls in live operation: current documents at the point of use, process parameters vs specifications, identification and traceability, handling of in-process failures. Auditors watch actual work: an operator bypassing a documented control is one of the most common sources of findings. Warehouse / logistics. Preservation of product, condition and identification of stock, control of customer property, FIFO where relevant, quarantine of nonconforming or unverified goods. Purchasing. Supplier evaluation criteria and evidence they are applied; what happens when a supplier fails; incoming verification records tied to real deliveries. HR / competence. Sampled personnel from the audit trail: requirements defined, training delivered, effectiveness evaluated. Awareness: staff should know the policy exists, what the objectives mean for them, and their contribution to conformity. Quality / management system. Internal audit programme and competence of internal auditors, corrective action discipline (root cause, not blame), calibration system, document control, and the management review record examined against every required input.

Records too clean: identical handwriting, same pen, no corrections, filled in batches, a signal of retrospective completion. Dates that don't line up: training completed after the work was done; management review minutes created after stage 1. The "shadow system": the documented procedure on the server and the real method taped to the machine. One heroic person who knows everything: a system that lives in one head fails clause 7 and fails the business. Objectives with no data trail, and internal audits that never find anything.

The audit team recommends; it does not certify. An independent technical reviewer at the certification body (someone not involved in your audit) reviews the audit report, findings and corrective actions, and makes the certification decision. ISO/IEC 17021-1 requires this separation to protect impartiality. Once granted, the certificate is valid for three years, maintained through surveillance audits.

WHATSAPPMessage an auditor