7 Critical Steps to Pass Audits

There are 7 Critical Steps to Pass Audits. Carina takes you through these steps.

During the past 15 years of my career I was fortunate to hold various assurance positions, providing surety to boards and executive teams about global projects and the performance of those projects. I managed enormous budgets and had to account for every dollar, pound and euro spent on each project. These projects were always under scrutiny from the project sponsors, and this required an evidence trail to support the internal and external reporting on the projects as well as the payment milestones to be signed off by the clients.

As an international ISO standards trainer, advisor and auditor, I have seen many companies struggle to connect the operationalisation of projects with keeping a current and valid evidence trail, the link that makes a management system implementation succeed.

This article gives you a short synopsis of the basic requirements to succeed in any combined assurance audit you will face in your career. Use this article and the accompanying template as part of your management system toolbox to ensure success for your business, your team and yourself.

Criticality of Documentary Evidence

To prepare for audits I have adopted two methodologies that structure my analytical thinking and organise evidence gathering into the 7 critical steps to pass audits. These two methodologies are:

  • P2ST2
  • Audit Evidence Reliability Model (AERM)

Each one of these methodologies will be explained below.

P2ST2 Methodology

This methodology addresses five categories of resources that generate audit evidence: People, Processes, Systems, Tools and Technologies (hence P2ST2).

These five resource categories are documented in the table below:

Resource type | Description
People | Human resources
Processes | Administrative controls, e.g. policies, procedures, etc.
Systems | Systems that rely on the manual input of data by a user
Tools | Physical tools required, e.g. vehicles, buildings, equipment, etc.
Technologies | Technologies that do not require the manual input of data and instead make use of artificial intelligence or machine learning, e.g. facial recognition on CCTV, speed cameras, etc.

Audit Evidence Reliability Model (AERM)

This model addresses the reliability of audit evidence. See the diagram below:

Audit Evidence Reliability Model - AERM

7 Critical Steps to Pass Audits - Structure Documents

The sections below describe what is critical to provide as evidence in an audit.

Context of Organisation

To understand the context of the organisation it is crucial to understand the environment in which the organisation functions.

The following five documents are mandatory as evidence:

  • Internal context analysis
  • External context analysis
  • Risk criteria
  • Stakeholder analysis
  • Scope document

Leadership and Commitment

Leadership support is demonstrated by visible leading and setting the tone for governance in any organisation.

The following three documents are mandatory as evidence:

  • Policy
  • Roles and Responsibilities
  • Delegation of authorities


Planning

Planning actions to address risks and opportunities in the organisation.

The following three documents are mandatory as evidence:

  • Risk register
  • Objectives
  • Quality Manual


Support

An organisation supports a management system by making resources available, with the necessary competencies and training as required.

The following seven documents are mandatory as evidence:

  • List of Resources (P2ST2)
  • Training Plan
  • Competency certificates
  • Awareness plan
  • Communication plan
  • Document management plan
  • Master List of Documents (MLoD)


Operation

The organisation's planned actions to implement and achieve its objectives. This is the most critical clause in any standard, and its content changes from standard to standard.

The following three documents are mandatory as evidence:

  • Operational plans
  • Results of risk assessments
  • Results of risk treatments

We are developing a unique Master List of Documents for each of the following standards:

  • ISO 9001 Quality Management System
  • ISO 18788 Security Operations Management System
  • ISO 22301 Business Continuity Management System
  • ISO/IEC 27001 Information Security, Cybersecurity and Privacy Protection (Information Security Management System)
  • ISO/IEC 27032 Cyber Security Management
  • ISO/IEC 27701 Privacy Information Management System
  • ISO 31000 Risk Management
  • ISO 37001 Anti-Bribery Management System
  • ISO 37301 Compliance Management System


Performance Evaluation

Performance management drives the achievement of objectives. This is where performance links back to the context of the organisation, risk management, planning and operations.

The following twelve documents are mandatory as evidence:

  • Monitoring procedure
  • Measurement procedure
  • Analysis procedure
  • Evaluation procedure
  • Results of monitoring, measurement, analysis, and evaluation
  • Internal audit programme
  • Internal audit plan
  • Internal audit reports
  • Management review procedure
  • Management review agenda
  • Management reviews attendance
  • Management review report/minutes


Improvement

Continual improvement drives a future-proof organisation. It builds the resilience that ensures every organisation can keep delivering its products and services to its customers.

The following three documents are mandatory as evidence:

  • Nonconformity and Corrective Actions Procedure
  • Nonconformity and Corrective Action Forms
  • Nonconformity register

Free Template Download

Complete the form on this page and we will send you a FREE Generic Master List of Documents Template as part of our 7 Critical Steps to Pass Audits. You can also contact us through our other channels.


Over my career of more than 35 years I have been audited and I have conducted audits across the globe. I have seen the stress and the challenges organisations are under when I arrive as the third-party auditor, and my question is always: why do they stress so much? Aren't they organised? Aren't they structured? Don't they have a strategy? Don't they know about the 7 Critical Steps to Pass Audits?

If you have these in place and follow the simple steps I have explained in this article, you should not be stressed. You should look forward to the audit as an opportunity to demonstrate your drive to succeed and to give the various teams in your organisation a chance to demonstrate their drive for the objectives of the company.

Being audited can seem daunting, but passing an audit can be a breeze with the "correct" documented information as evidence.

Be on the lookout for the next articles, which will provide a Master List of Documents (MLoD) for specific standards.
