An ISO auditor is not trying to catch you out. That is worth saying first, because the dread that builds in the weeks before a surveillance audit assumes the opposite. The auditor’s job is narrower and more mechanical than the anxiety suggests. They are there to find objective evidence that your management system does what your documentation says it does. Almost every finding comes from the gap between those two things, not from anything hidden or clever.
Once you understand what an auditor is actually testing, preparation stops being a guessing game. This is a practical account of where auditors look, where findings cluster, and why the pattern is so consistent across UK construction and engineering businesses holding ISO 9001, 45001 or 14001.
The one thing underneath every question
Strip away the clause numbers and an audit comes down to a single loop. Say what you do. Do what you say. Show that you did it. The auditor tests the joins between those three.
The written system is the first part: your policies, procedures and the scope you have defined. The second is practice: what actually happens on site and in the office. The third is evidence: the records that prove the practice happened. A finding is raised when the auditor pulls on one part and finds it disconnected from the others. The procedure says inspections happen weekly, but the records stop in February. The policy commits to competence, but three operatives have no training record. The system describes a process nobody on site recognises.
This is why “having good documentation” is the wrong goal. A thick folder of well-written procedures is not evidence that the system runs. It is only evidence that someone wrote the procedures. Auditors learned long ago to look past the binder and ask for the record that proves the work happened, then to ask the person who did the work whether the documented process matches what they actually do.
Where findings actually cluster
This is not guesswork. Analysis of large samples of audit reports keeps returning the same result: nonconformities are rarely about missing documents. They are about how the system is run day to day. A review of close to twenty thousand ISO 9001 audit reports found the heaviest concentration of findings in three areas, resources, performance evaluation, and operation, with skills and competence management at the top of the list. The figures do not show businesses that fail to understand the standard. They show businesses where the system on paper has drifted away from the work on the ground.
Translated into the clauses an auditor works through, here is where the pressure lands.
People and equipment, Clause 7
The single most common finding across ISO 9001 audits is lapsed calibration records for monitoring and measuring equipment. Calibration schedules slip, new equipment arrives and never gets added to the programme, or records do not trace back to a recognised measurement standard. For a construction or civils business this means site instruments, gauges, torque tools and test equipment. If you measure something and the measurement matters, the auditor wants to see that the device was calibrated and that the calibration is current.
Competence sits in the same clause and generates almost as many findings. Tickets expire. A training matrix gets built once and never maintained. Someone is doing skilled work with no record that they were ever signed off to do it. The skills are usually there. The proof often is not.
Checking the system works, Clause 9
This clause covers monitoring and measurement, internal audit, and management review, and it is where mature systems still trip. Internal audits get done as a formality the month before the external visit, rather than as a genuine check through the year. Management review becomes a rushed annual meeting with thin minutes that no decision ever flows from. The auditor probes whether you actually use your own data to run the business. An indicator that sits in a spreadsheet nobody reads, guiding no decision, is not performance evaluation. It is a number.
Doing the work, Clause 8
Clause 8 covers operation, and for construction the part that draws findings most often is control of external providers. Subcontractor and supplier control. Can you show how you approve a firm before it comes onto a job, how you monitor its work, and how you re-evaluate it afterwards? The procedure usually exists. The evidence that it was followed for the subcontractor who poured last month’s slab is the bit that goes missing.
Fixing what went wrong, Clause 10
Corrective action is where good intentions fail quietly. A finding gets logged and closed, but without genuine root cause analysis. The symptom is patched, the cause is left, and the same finding returns at the next audit. An auditor who sees a corrective action log full of “retrained the operative” against repeating problems knows the system is treating symptoms. A complete record, from detection through root cause to verified effectiveness, tells them the opposite.
The construction problem: site versus office
Construction makes all of this harder for one structural reason. Evidence is generated on site and filed, if it is filed at all, somewhere else and later. The inspection happens at the cutting edge of the work, in weather, under time pressure. The record of it has to travel back to an office, a drive, an inbox or a system before it counts as evidence.
The test an auditor applies is brutally simple. They pick a job from a few months ago and ask for the record. The work was done well. The question is whether you can produce the proof. This is the audit-week scramble in miniature, repeated clause by clause across the visit. The businesses that struggle are not the ones doing poor work. They are the ones whose evidence is scattered and slow to assemble.
What has changed, and what is coming
Two things every UK business holding ISO 9001 should know now.
First, the climate amendment. In early 2024 ISO added a requirement to consider whether climate change is a relevant issue for your management system and the expectations of your interested parties. This is not a future change. Certification bodies are already checking it during scheduled audits. An auditor can reasonably ask how you have considered climate change in the context of your business, and “we have not looked at it” is a finding waiting to happen.
Second, the 2026 revision. A new edition of ISO 9001 is expected in late 2026, with a transition period of around three years after publication. The changes are evolutionary rather than a rebuild. The clause structure stays the same, with a stronger emphasis on quality culture, ethical behaviour and the role of leadership in continual improvement. You do not need to act today, but auditor conversations will increasingly reflect that language, and a system built well now will transition with little friction.
The pattern, and what to do about it
Step back and the message across every standard and every audit is the same. Auditors are not impressed by thick folders. They are testing whether your evidence is current, findable, and connected to the clause it serves. Three plain tests:
- Current. Does the record reflect what is happening now, not eighteen months ago?
- Findable. Can you produce it in the room, not after a week of searching?
- Connected. Does it map to the requirement the auditor is checking?
A business that can answer yes to those three walks an audit calmly, whatever the standard, whatever the year. A business that cannot ends up reconstructing evidence under pressure the week before the visit, which is precisely where findings are made. Tired people, late nights and missing records are a far better predictor of a poor audit than the quality of the underlying work.
This is the whole case for treating compliance as something you hold continuously rather than assemble annually. We have written about why compliance is the entire product, not a folder you open in audit season. The auditor’s three tests are, in the end, the same tests a well-run system passes every day, without anyone scrambling.
If you want to see how Slab keeps evidence current, findable and mapped to the clause it answers to, the walkthrough is here. The audit becomes a validation of a system that already works, rather than a deadline you build towards.