7 Critical Steps to Pass Audits

There are 7 Critical Steps to Pass Audits. Carina takes your through these steps.


7 Critical Steps to Pass Audits - During the past 15 years of my career, I was fortunate to be in various assurance positions to provide surety to boards and executive teams about global projects and the performance of these projects. I managed enormous budgets and had to account for every dollar, pound, euro etcetera spend on each project. These projects were always under scrutiny from the project sponsors, and this required an evidence trail to support the internal and external reporting on these projects as well as payment milestones to be signed off by the clients.

As an international ISO standards trainer, advisor, and auditor, I have seen many companies struggling with the connection between the operationalisation of projects and keeping a current and valid evidence trail to ensure the success of management system implementation.

The article I am writing here will give you a short synopsis of the basic requirements to succeed with any combined assurance audit you will face in your career. Please use this article and template as part of your management system toolbox to ensure success for your business, your team and you.

Criticality of Documentary Evidence

To assist me in my preparations for audits I have adopted two methodologies to assist me in my analytical thinking as well as to structure evidence gathering into 7 critical steps to pass audits. These two methodologies are:

  • P2ST2
  • Audit Evidence Reliability Model (AERM)

Each one of these methodologies will be explained below.

P2ST2 Methodology

This methodology addresses five categories of resources to generate audit evidence.

These five resources are documented in the table below:

Control TypeDescription
PeopleRefers to human resources
ProcessesRefers to administrative controls i.e., policies, procedures, etc
SystemsRefers to systems that rely on the manual input of data by a user
ToolsRefers to physical tools required i.e., vehicles, buildings, equipment, etc
TechnologiesRefers to technologies that do not require the manual input of data, and rather make use of artificial intelligence or machine learning technologies i.e., facial recognition on CCTV, speed cameras, etc.

Audit Evidence Reliability Model (AERM)

This model addresses the reliability of audit evidence.  See the diagram below:

Audit Evidence Reliability Model - AERM
Audit Evidence Reliability Model - AERM

7 Critical Steps to Pass Audits - Structure Documents

The sections below will describe what is critical to provide as evidence in an audit.

Context of Organisation

To understand the context of the organisation it is crucial to understand the environment that the organisation functions in.

The following five documents are mandatory requirements as evidence:

  • Internal context analysis
  • External context analysis
  • Risk criteria
  • Stakeholder analysis
  • Scope document

Leadership and Commitment

Leadership support is demonstrated by visible leading and setting the tone for governance in any organisation.

The following three documents are mandatory requirements as evidence:

  • Policy
  • Roles and Responsibilities
  • Delegation of authorities


Planning actions to address risks and opportunities in the organization.

The following three documents are mandatory requirements as evidence:

  • Risk register
  • Objectives
  • Quality Manual


An organisation supports a management system by making resources available with the necessary competencies and training as required.

The following seven documents are mandatory requirements as evidence:

  • List of Resources (P2ST2)
  • Training Plan
  • Competency certificates
  • Awareness plan
  • Communication plan
  • Document management plan
  • Master List of Documents (MLoD)


The organisation’s planned actions to implement/achieve objectives. This is the most critical clause in any standard and it changes from standard to standard.

The following three documents are mandatory requirements as evidence:

  • Operational plans
  • Results of risk assessments
  • Results of risk treatments

We are busy developing a unique Master List of Documents for the following standards:

  • ISO 9001 Quality Management System
  • ISO 18788 Security Operations Management System
  • ISO 22301 Business Continuity Management System
  • ISO/IEC 27001 Information Security, Cyber Security, Protection of Information Management System
  • ISO/IEC 27032 Cyber Security Management
  • ISO/IEC 27701 Privacy Information Management System
  • ISO 31000 Risk Management
  • ISO 37001 Anti-Bribery Management System
  • ISO 37301 Compliance Management System


Performance management drives the achievement of objectives. This is where performance links to the context of the organisation, the risk management, the planning, and the operations.

The following twelve documents are mandatory requirements as evidence:

  • Monitoring procedure
  • Measurement procedure
  • Analysis procedure
  • Evaluation procedure
  • Results of monitoring, measurement, analysis, and evaluation
  • Internal audit programme
  • Internal audit plan
  • Internal audit reports
  • Management review procedure
  • Management review agenda
  • Management reviews attendance
  • Management review report/minutes


Continual improvement drives a future-proof organisation. This builds resilience to ensure that every organisation can deliver the products and services to its customers.

The following three documents are mandatory requirements as evidence:

  • Nonconformity and Corrective Actions Procedure
  • Nonconformity and Corrective Action Forms
  • Nonconformity register

Free Template Download

Complete the form on this page and we will send you a FREE Generic Master List of Documents Template as part of our 7 Critical Steps to Pass Audits. You can also Contact Us through our other channels.


Over my career of 35 years plus I have been audited and I have conducted audits across the globe.  I have seen the stress and challenges that organisations are in when I arrive as the 3rd party auditor, and my question is always Why do they stress so much? Aren't they organised? Aren't they structured? Don't they have a strategy? Don't they know about the 7 Critical Steps to Pass Audits?

If they have this and they follow the simple steps, I have explained in this article you should not be in stress. You should be looking forward to using this as a bragging opportunity to demonstrate your drive to succeed and to provide your various teams in your organisation with to demonstrate their drive for the objectives of the company.

Being audited can seem daunting but passing an audit can be a breeze with the "correct" documented information as evidence.

Be on the lookout for the next articles we will send out with a Master List of Documents (MLoD) for specific standards.

We will use this information to contact you about this enquiry only and not for marketing purposes.
Share the Love

3 Responses

Leave a Reply

Table of Contents

[jetpackcrm_form id="2" style="cgrab"]

More Quality Articles

What is risk? There’s a lot of research into all types of risk, but in my experience, I have found that most people and organisations don’t completely gras…
Introduction Enterprise Risk Management (ERM) is describing a Risk Matrix (ERM Risk Matrix) as a tool for ranking and displaying risks by defining ranges for consequ…
What is a Compliance Management System (CMS)? For organizations seeking growth and long-term success, adhering to compliance obligations is not an option, is a must…
What is ISO 18788? ISO 18788 specifies the requirements and provides guidance for organizations that conduct or contract security operations.Moreover, it provide…
Information Security Management Network segregation is the tool used for dividing a network into smaller parts which are called subnetworks or network segments. Yo…
Information Security Management The popularity of the terms “data controller” and “data processor” has sharply increased in recent years. In part because of the sig…
The ability to predict what the future holds and choosing effectively among varying alternatives lies at the centre of contemporary societies and organizations. Ri…
“Food Safety” refers to the prevention, elimination and control of foodborne diseases at the stage of consumption. In a globalized world, the impact of food safety ha…
Six Sigma Benefits Reducing Waste Improving Time Management Increase Customer Loyalty Boost Employee Motivation Higher Revenues and Lower Costs Six Sigma has prov…
As the threat of energy-resource depletion has emerged, the global demand for energy is increasing constantly. Provided that billions of people still have no access…
Is your Business protected against a breach of data and software? Are you Internationally Certified to be able to prevent hackers from stealing your organization’s v…
The education industry has gone through tremendous changes over the last decades in terms of educational opportunities, teaching methods, availability of reading…
The Three P(’s)illars of Sustainability The concept of the “triple bottom line” was firstly introduced in 1994 by John Elkington, with the idea of organizations pre…
A politically inclined attack or just a ‘simple’ lack of security awareness? Whatever the case, the cyber-attack that hit Marriott was huge. This was the joint second…
%d bloggers like this: