AS9100 Revision Trends: What Aerospace Auditors Need to Know in 2026

Aerospace auditors are walking into 2026 with an unusual mix of certainty and ambiguity: certainty that the 9100-series will change, and ambiguity about how fast and how big the first wave will be. The International Aerospace Quality Group (IAQG) has been coordinating the next revision to align with the ISO 9001 update cycle, and industry communications increasingly describe a staged approach, with smaller, earlier adjustments followed by a more comprehensive alignment once ISO 9001’s revision is finalized.

QMII's view is that the practical question isn't "What will the clause numbers be?" It is: what will organizations struggle to implement, what will certification bodies emphasize, and where will audit trails be weakest during transition? This article focuses on those revision trends, the direction of travel, so that our clients, alumni and friends of QMII can sharpen their planning for the 2026 changes without waiting for every last editorial detail.

IAQG’s publicly shared planning materials describe a multi-year schedule that includes coordination drafts, dispositioning of comments, and balloting leading into publication aligned with ISO 9001’s release timing. In parallel, multiple industry briefings and consultants’ summaries describe two update tracks (a narrower-scope update followed by a larger revision tied closely to ISO 9001). ISO 9001 timing matters because it drives the backbone of the expected changes.

The ISO 9001 revision process reached a major milestone with the Draft International Standard (DIS) released on 27 August 2025, and several reputable sources project publication in late 2026 (often cited around September–October 2026, depending on the process steps). That timing is important because AS9100 (and its next iteration, being discussed in industry as “IA9100”) typically layers sector-specific requirements onto the ISO 9001 structure.

A consistent signal from ISO 9001 revision commentary is stronger emphasis on quality culture and ethical conduct, with leadership expected to do more than sign a policy statement. Even where the ISO changes are described as “editorial clarifications,” the interpretation by auditors and customers tends to be that culture and ethics must be demonstrated through governance and day-to-day decisions.

In aerospace audits, where organizations already operate under intense safety, airworthiness, and customer oversight, “ethics” often shows up as:

  • escalation pathways for quality/safety concerns.
  • protections against retaliation.
  • independence of quality from production pressure.
  • decision records when delivery commitments conflict with conformity risk.

Therefore, the organizational emphasis and the audit approach for 2026 should include:

  • Leadership interviews become evidence-seeking, not conversational. Ask for examples where leadership chose quality over schedule/cost and how that decision was communicated and verified.
  • Look for “quality culture instrumentation.” Are there measurable indicators beyond NCR counts (e.g., recurrence rates, escape metrics, employee reporting trends, first pass yield vs. risk hotspots)?
  • Test the management review inputs. Culture/ethics themes should show up as risks, objectives, corrective action effectiveness, and resource decisions and not just as a slide with no follow-through.

Supply chain resilience becomes a first-class audit theme and an organizational need for aerospace organizations. Even before formal revisions, the market reality is pushing standards interpretation toward resilience, second sourcing, supplier continuity, counterfeit avoidance, and rapid response to disruptions. ISO 9001 revision commentary increasingly calls out supply chain disruptions and resilience as a clearer focus area.

In AS9100 Rev D, many organizations already treat “supplier control” as an administrative exercise (scorecards, approvals) rather than a risk-driven system. AS9100’s established focus areas, such as counterfeit parts prevention, product safety, and configuration management, tend to intensify supply chain expectations. Changes for 2026 include:

  • Audit the supplier-control process as risk management. If a supplier is “high risk,” you should see enhanced controls: incoming verification strategy, escape mitigation, alternate routing, tighter change notification, and defined containment plans.
  • Trace a disruption scenario. Pick one realistic event (material shortage, special process capacity loss, cyber incident at a supplier) and ask, what is the organization’s playbook? Who triggers it? What evidence exists that it’s been tested?
  • Counterfeit prevention isn’t just training. Look for authenticated sourcing, traceability depth, suspect/unapproved parts handling, and supplier flow-down effectiveness (especially in distribution channels).

Risk-based thinking matures with this update, and organizations, as well as auditors, will be expected to distinguish “lists of risks” from risk-managed processes. AS9100 Rev D embedded risk-based thinking broadly, but many implementations still look like static risk registers that don’t change decisions. The direction of travel reinforced by ISO’s revision commentary is toward more explicit, proactive risk management, including resilience and continuity. Therefore, the expected changes for 2026 include:

  • Follow risk into planning and controls. Pick a top operational risk and verify it changed something tangible: inspection plans, process capability targets, staffing plans, supplier strategy, buffer stocks, verification methods, or design reviews.
  • Verify risk competence. Who owns risk evaluation? Do they understand likelihood vs. detectability vs. severity? Are criteria consistent across functions?
  • Test the corrective action loop. When a failure occurs, do they update risk controls to prevent recurrence, or just close an 8D?

Human factors and “work environment” evidence becomes more specific. Aerospace quality failures are often human-system failures: fatigue, confusing work instructions, poor tool control, inadequate lighting/layout, rushed handoffs. AS9100 Rev D already signaled movement in this direction by requiring consideration of human and physical factors when planning the work environment. The changes for 2026 now include:

  • Observe, then verify. Start on the floor. If you see error-likely conditions (visual clutter, ambiguous labeling, interrupted work, rework loops), then ask what the system does to prevent escapes.
  • Training effectiveness over training completion. Ask operators to demonstrate critical steps and show how competence is maintained when changes occur (new revision levels, tooling changes, new materials).
  • Shift handover is auditable. For critical processes, assess how information continuity is protected between shifts and between internal/supplier handoffs.

As digitalization spreads, data integrity becomes audit-critical, not “nice to have”. ISO revision discussions frequently highlight digital transformation and data-driven quality practices. In aerospace, that will collide with:

  • eQMS workflows.
  • digital inspection records.
  • automated test systems.
  • MES/ERP traceability.
  • remote collaboration across the supply chain.

Therefore, the changes for 2026 will trend toward:

  • Data integrity checks. Can the organization show controls for access, versioning, audit trails, backups, and cybersecurity-related risks for quality records?
  • Software-enabled processes. If an app enforces a step (e-signature, validation gate), test whether it can be bypassed, and whether exceptions are controlled and reviewed.
  • Analytics that drive decisions. If they claim, “we use dashboards,” audit one dashboard end-to-end: data source, transformation, interpretation, action, and the result.

Climate and sustainability considerations creep into QMS context and risk. ISO 9001 gained climate change considerations via an amendment in 2024, and the 2026 revision discourse continues to treat climate as part of organizational context and risk. This doesn’t automatically mean “environmental management system” requirements, but it does mean auditors may increasingly ask how climate-related disruptions affect:

  • continuity of operations.
  • supplier viability.
  • infrastructure risks.
  • regulatory/customer expectations.
  • product conformity risks (materials, storage, transport).

So, for the 2026 changes, organizations should consider:

  • Keeping it QMS-relevant. Organizations and auditors are not looking for ISO 14001; the focus is on how climate-related issues are captured in context, risks/opportunities, and planning.
  • Look for materiality. For a site in a storm-prone region, do contingency plans and infrastructure maintenance reflect that reality? For temperature-sensitive materials, are storage/transport controls robust?

Therefore, what aerospace organizations and the auditors should do differently in 2026 is:

  1. Treat transition readiness as an auditable system. Even before formal adoption dates, organizations will be working on readiness. Audit their change management discipline:
  • gap assessment method and assumptions.
  • controlled interpretation of drafts/briefings.
  • documented transition plan with owners and milestones.
  • internal communication and competence-building.
  • “No surprises” engagement with customers and certification bodies.

Just having a plan, without governance, will not work. The updated standard emphasizes governance.

  2. Increase the depth of process-based auditing. The more standards emphasize culture, resilience, and risk, the less value there is in document conformance audits. Go process-first:
  • pick a critical product line or program.
  • follow it from contract/design planning through purchasing, production, verification, shipment, and post-delivery feedback.
  • sample change events (engineering changes, supplier changes, escapes).
  3. Recalibrate “effectiveness” tests. The emerging expectations reward organizations that can show:
  • fewer escapes and less recurrence.
  • faster detection and containment.
  • decisions that reflect risk prioritization.
  • leadership actions that protect product safety and conformity under pressure.

A practical closing view on what will be hardest for organizations with the 2026 changes: the most common weak points are likely to be:

  1. Culture/ethics presented as slogans rather than measurable behaviors and governance.
  2. Risk registers that don’t change controls, especially in supplier management and production planning.
  3. Resilience talked about abstractly, with no tested scenarios or defined triggers/authorities.
  4. Digital records without strong integrity controls, especially across multiple systems and suppliers.
  5. Human factors addressed implicitly (“our operators are experienced”) rather than through designed error-proofing and competency evidence.

This article was written by IJ, Principal Consultant at QMII. With extensive experience in ISO standards, auditing, and organizational transformation, IJ has guided global organizations in strengthening their management systems. His approach focuses on aligning ISO implementation with strategic business objectives to drive long-term performance improvement.

Audit Focus Areas Under ISO 28000 for 2026 and beyond

In this article on ISO 28000 I want to emphasize the audit focus areas, based on what 2025 revealed and what auditors must prioritize in 2026 and beyond. The emphasis shifts from mere compliance to resilience, leading to secure supply chains.

The year 2025 can be seen as a watershed moment for supply chain security management systems. Global supply chains were subjected not to one dominant crisis, but to a convergence of pressures: geopolitical instability, regulatory fragmentation, cyber intrusion, logistics disruption, and heightened stakeholder scrutiny. For organizations certified to ISO 28000, and for auditors charged with assessing conformity, this period exposed an uncomfortable truth: many supply chain security management systems were compliant in form, but brittle in practice.

As we look toward 2026 and beyond, ISO 28000 audits must evolve to meet these challenges. Agreed, organizations must not wait for audits to ensure continual improvement, to act on risks, and to use the opportunities for improvement (OFI). However, it is also true that NCs (nonconformities) drive correction and CA (corrective action). As such, audits play a minor part in providing inputs at the check stage of the PDCA (plan-do-check-act) cycle. Therefore, the question is no longer whether organizations have established a supply chain security management system, but whether that system is capable of sensing change, absorbing shocks, and adapting under stress. ISO 28001, as the supporting guidance standard, provides a valuable lens through which this shift can be framed, particularly in relation to risk assessment, security planning, and operational controls.

This article reflects on what audits in 2025 revealed and outlines the audit focus areas that will define credible, value-adding ISO 28000 audits from 2026 onwards. Let us first dwell on what 2025 taught the industry and look at the key audit lessons:

  1. Risk assessments were static in a dynamic threat environment. Audits conducted during 2025 repeatedly identified a reliance on periodic, document-driven risk assessments. While these assessments were often well-structured and aligned with ISO 28000 Clause 4 (Security risk assessment and planning), they frequently failed to reflect rapidly changing threat conditions.

ISO 28001 emphasizes that risk assessment should be an ongoing process, responsive to changes in threat, vulnerability, and consequence. In practice, however, many organizations treated risk reviews as annual or biennial events, disconnected from real-time intelligence, incident trends, or geopolitical developments.

The lesson for auditors was clear: conformity to the process was present, but the intent of continual risk awareness was not fully realized.

  2. Limited visibility beyond tier-1 suppliers. A second consistent audit finding in 2025 was the narrow scope of supplier security controls. Organizations could demonstrate security requirements for direct suppliers yet had little understanding or assurance of security practices deeper within the supply chain.

ISO 28001 explicitly recognizes the need to consider the full supply chain, including subcontractors and service providers, when establishing security plans and controls. Despite this guidance, audits revealed that supplier evaluation mechanisms often stopped at contractual clauses, with minimal follow-up, verification, or performance monitoring.

Security incidents originating in Tier-2 or Tier-3 suppliers highlighted the inadequacy of superficial supplier controls and reinforced the need for more robust assurance mechanisms.

  3. Cyber risks were poorly integrated into supply chain security. Although ISO 28000 is not a cybersecurity standard, 2025 audits increasingly revealed that cyber vulnerabilities were among the most significant enablers of supply chain disruption. Cargo tracking systems, access control platforms, vendor portals, and logistics planning tools were all identified as potential attack vectors. With the harmonized structure (HS) it was presumed that an integrated management system approach could answer this, but by and large organizations did not integrate ISO 27001 and ISO 28001.

ISO 28001 encourages organizations to consider all relevant threats to the supply chain, including those affecting information and communication systems. Yet audits frequently found a disconnect between physical security management and information security governance, with limited coordination between security and IT functions.

This gap did not necessarily result in formal nonconformities, but it raised serious questions about the effectiveness of the overall security management system.

  4. Business continuity planning lacked supply chain realism. Many organizations could demonstrate alignment with business continuity frameworks and, in some cases, certification to ISO 22301 (Business Continuity). However, audits in 2025 showed that supply-chain-specific disruption scenarios were rarely tested.

ISO 28001 stresses the importance of preparedness and response planning based on realistic threat scenarios. Yet exercises involving port closures, border restrictions, supplier insolvency, or regulatory intervention were the exception rather than the rule. The result was a gap between documented preparedness and demonstrated capability, one that became increasingly visible to experienced auditors.

Based on these lessons from 2025, I think the audit focus areas for 2026 and beyond should consider:

  1. Going from risk identification to risk intelligence. From 2026 onwards, auditors will need to place greater emphasis on how organizations maintain the ongoing validity of their risk assessments. ISO 28000 Clause 4, supported by ISO 28001 guidance, implicitly requires organizations to monitor changes that could affect supply chain security risks. Audits should therefore examine:
  • The use of internal and external intelligence sources.
  • Defined triggers for risk reassessment.
  • Evidence that changes in risk lead to timely management action.

The audit question is shifting from “Do you have a risk assessment?” to “How do you know your risk assessment reflects today’s reality?”

  2. Supplier security assurance, not just evaluation. ISO 28001 provides detailed guidance on supplier security planning, including differentiation based on criticality and risk exposure. In 2026, audits will increasingly probe how supplier security requirements are implemented, monitored, and enforced. Key audit considerations will include:
  • Supplier segmentation and prioritization.
  • Proportionate security controls.
  • Evidence of supplier audits, self-assessments, or performance reviews.
  • Corrective action and escalation when requirements are not met.

Supplier security must be demonstrable and sustained, not assumed.

  3. Integration of cyber and physical security controls. Auditors should expect to see clearer alignment between ISO 28000 systems and information security frameworks such as ISO/IEC 27001. ISO 28001 supports this integration by recognizing information flow and system integrity as essential elements of supply chain security. Audit focus areas will include:
  • Identification of cyber-enabled supply chain risks.
  • Coordination between security and IT incident response.
  • Protection of logistics data, tracking systems, and access controls.

While ISO 28000 audits will not become cyber audits, unmanaged cyber dependencies will increasingly undermine audit confidence.

  4. Testing, exercises, and demonstrated preparedness. In 2026 and beyond, documented plans will carry less weight without evidence of testing. ISO 28001 places strong emphasis on preparedness, response, and recovery capabilities. Therefore, auditors should look for:
  • Scenario-based exercises relevant to the organization’s supply chain.
  • Participation by relevant internal and external stakeholders.
  • Lessons learned and system improvements following exercises.

Preparedness is best demonstrated through practice, not paperwork.

  5. Governance and leadership accountability. A notable trend emerging from late-2025 audits was increased attention to top management involvement. ISO 28000 requires leadership commitment, and ISO 28001 reinforces the importance of governance in sustaining effective security management. Audits in 2026 will increasingly examine:
  • Management review outputs related to supply chain security.
  • Resource allocation decisions.
  • Evidence of board or senior leadership awareness of key risks.

Supply chain security is no longer solely an operational concern; it is a matter of organizational governance. Therefore, implications for auditors and organizations are:

  1. For auditors, the coming years will demand deeper understanding of risk dynamics, supply chain complexity, and the convergence of physical and digital threats. Checklist-based auditing will be insufficient where resilience and adaptability are the true measures of effectiveness.
  2. For organizations, ISO 28000 should be repositioned as a strategic risk management framework. Investment in intelligence, supplier assurance, and realistic testing will not only support certification outcomes but also strengthen operational resilience.

In conclusion I would say, based on QMII experience, that what 2025 has taught us is that supply chain security management systems fail not because organizations lack procedures, but because those procedures are not designed for volatility. As we move into 2026 and beyond, ISO 28000 audits must therefore measure more than conformity; they must assess resilience.

ISO 28001 provides the guidance needed to make this transition. The challenge for both auditors and organizations is to apply that guidance with realism, discipline, and strategic intent.


AS9100 Revision to IA9100: The Changes to Clauses in the 2026 Version

Aerospace will see a change in 2026 when AS9100 is published as the revised and renamed standard IA9100. The International Aerospace Quality Group (IAQG) has been coordinating the next revision to align with the ISO 9001 update cycle, and industry communications increasingly describe a staged approach.

The updated ISO 9001 version is expected to be published this year (2026), toward September–October. That timing is important because AS9100, updated as IA9100, is expected around the same time: IA9100 will continue to provide sector-specific requirements layered onto the ISO 9001 structure. A consistent signal from ISO 9001 revision commentary is stronger emphasis on quality culture and ethical conduct, with greater expectations of leadership and its involvement. Even where the ISO changes are described as editorial clarifications, the interpretation by organizations, auditors and customers tends to be that culture and ethics must be demonstrated through governance and day-to-day decisions.

Looking at the 2026 version, the clause-by-clause changes that organizations and auditors can expect point toward effective implementation proved by actual actions and results, in particular under:

  • 5.1 Leadership and commitment (especially how leadership drives culture and accountability).
  • 5.2 Policy (is it lived or framed?).
  • 9.3 Management review (outputs that change the system, not just minutes).

Supply chain resilience becomes a priority and a first-class audit theme. The ISO 9001 revision discourse also highlights supply chain disruption and resilience more directly. In aerospace, resilience is inseparable from product safety, counterfeit avoidance, special process control, and traceability. Therefore, auditors should look for risk-tiered supplier controls that change inspection strategy, verification depth, and containment plans; disruption playbooks and realistic scenario drills (material shortage, special process capacity collapse, cyber event at a supplier, geopolitical shipping impact); and flow-down effectiveness, i.e. whether customer/statutory requirements and key characteristics are properly transmitted and verified. These clauses are relevant:

  • 8.4 Control of externally provided processes, products and services (supplier selection, monitoring, re-evaluation).
  • 6.1 Actions to address risks and opportunities (supplier and continuity risks).
  • 8.1 Operational planning and control (contingency thinking in operational control).

Counterfeit part prevention stays central for organizations, and auditors will probe end-to-end traceability. Counterfeit prevention is already explicit in AS9100 Rev D operational controls, including planning and control for prevention of counterfeit or suspect counterfeit part use. In practice, many systems still over-rely on training and “approved supplier” lists while leaving gaps in distribution channels and returns/repairs. Beyond training records, auditors should look for authenticated sourcing and purchasing controls, traceability depth sufficient for the risk and criticality of the part, controls for suspect parts (segregation, reporting, disposition, customer notification where needed), and a receiving verification strategy linked to supplier risk and history. This means looking at these clauses:

  • 8.1 Operational planning and control (where counterfeit prevention is implemented in practice).
  • 8.4 Supplier control (distribution risk, broker controls).
  • 8.7 Control of nonconforming outputs (suspect parts containment and disposition).

Risk-based thinking matures in the revised standard, and auditors must separate “risk lists” from risk-managed operations. A common failure mode today is a static risk register that doesn’t change controls. The ISO revision commentary continues to reinforce clearer expectations around risk, resilience, and communication of contingency-related topics. Auditors should see risk changing the plan in terms of inspection, verification, staffing, supplier strategy, buffers, first-article strategy, and special process oversight; risk competence in terms of consistent criteria and decision rights; and corrective action feedback, checked to see whether major issues trigger updated controls and re-assessed risk. Therefore:

  • 6.1 Actions to address risks and opportunities.
  • 8.1 Operational planning and control.
  • 10.2 Nonconformity and corrective action.

Human factors and “work environment” evidence becomes more specific (and more observable). Aerospace escapes are frequently human-system failures. AS9100 already expects organizations to determine and manage the work environment, including human/physical factors. In a revision climate emphasizing culture and effectiveness, organizations will be expected to address real working conditions and link them to control design, and auditors will be required to observe and audit them. This means looking for error-likely conditions (interrupt-driven work, ambiguous WIs (work instructions), rework loops, poor 5S/tooling discipline), competence effectiveness (can the operator explain critical steps and acceptance criteria?), and shift handover integrity for critical operations. The applicable clauses would be:

  • 7.1.4 Environment for the operation of processes.
  • 7.2 Competence / 7.3 Awareness.
  • 8.5 Production and service provision (work instruction use, verification, tooling).

Another trend likely to be seen in IA9100 is digitalization and data integrity becoming audit-critical, not “nice to have”. ISO 9001 revision commentary highlights digitalization and modern data-driven management. Aerospace auditors should therefore elevate scrutiny of digital records, e-signatures, MES/ERP traceability (Manufacturing Execution System and Enterprise Resource Planning; here traceability refers to the integrated digital record that tracks a part from its raw material origin through every production step to final delivery), automated test systems, and the data transformations used for decision-making. Aerospace organizations should therefore look at data integrity controls (access, versioning, audit trails, backups, retention) and at bypass risk, to see whether required workflow steps can be overridden without controlled authorization, and at dashboard traceability, from source system to transformation to metric to decision to action and finally to the result:

  • 7.5 Documented information (control of digital records).
  • 9.1 Monitoring, measurement, analysis and evaluation (validity of metrics).
  • 8.1 / 8.5 Operational control (system-enforced steps, automated verification).
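The two data-integrity controls named above (an audit trail for digital quality records, and a system-enforced workflow step that cannot be bypassed without controlled authorization; the first article's “Data integrity checks” and “Software-enabled processes” points cover the same ground) are easier to audit when their mechanics are concrete. The following Python is an added illustration, not QMII's code nor any eQMS product's code: it models a hash-chained, append-only record trail in which a silent edit of any stored record is detectable, and a release gate that only an authorized role can override, with every override written into the same trail for later review. All users, roles, part numbers and the deviation reference are constructed sample values.

```python
"""Tamper-evident quality-record trail with a controlled override gate.

Added illustration (not QMII's or any eQMS vendor's code). Two of the controls
an auditor would probe are modelled: an append-only, hash-chained audit trail
(a silent edit of a stored record breaks the chain) and a release gate that can
be bypassed only by an authorized role, with every bypass recorded in the trail.
All users, roles, part serials and reasons below are constructed sample data.
"""
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # previous-hash value for the first entry


@dataclass
class Entry:
    seq: int
    event: str        # e.g. "inspection", "release", "gate_override"
    payload: dict
    actor: str
    prev_hash: str
    hash: str = ""


def _digest(seq, event, payload, actor, prev_hash):
    # Canonical JSON so the same content always hashes to the same value.
    canon = json.dumps([seq, event, payload, actor, prev_hash],
                       sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


class AuditTrail:
    def __init__(self):
        self.entries = []

    def append(self, event, payload, actor):
        prev = self.entries[-1].hash if self.entries else GENESIS
        seq = len(self.entries)
        entry = Entry(seq, event, payload, actor, prev,
                      _digest(seq, event, payload, actor, prev))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, seq) of the first broken entry."""
        prev = GENESIS
        for e in self.entries:
            if e.prev_hash != prev or e.hash != _digest(e.seq, e.event, e.payload, e.actor, e.prev_hash):
                return False, e.seq
            prev = e.hash
        return True, None


OVERRIDE_ROLE = "quality_manager"  # hypothetical role allowed to authorize a bypass


class ReleaseGate:
    """System-enforced step: a part is released only on a passed inspection or a recorded, authorized override."""

    def __init__(self, trail, roles):
        self.trail = trail
        self.roles = roles  # constructed user -> role mapping

    def release(self, part_sn, inspection_passed, actor, override_reason=None):
        if inspection_passed:
            self.trail.append("release", {"part": part_sn, "basis": "inspection_pass"}, actor)
            return True
        if override_reason and self.roles.get(actor) == OVERRIDE_ROLE:
            # The bypass itself is evidence: who, why, and for which part.
            self.trail.append("gate_override", {"part": part_sn, "reason": override_reason}, actor)
            self.trail.append("release", {"part": part_sn, "basis": "override"}, actor)
            return True
        self.trail.append("release_refused", {"part": part_sn}, actor)
        return False


def overrides(trail):
    """The exception list an auditor would ask to review."""
    return [e for e in trail.entries if e.event == "gate_override"]


def demo():
    trail = AuditTrail()
    roles = {"op1": "operator", "qm1": "quality_manager"}  # constructed
    gate = ReleaseGate(trail, roles)
    trail.append("inspection", {"part": "SN-001", "result": "pass"}, "op1")
    r1 = gate.release("SN-001", True, "op1")                          # normal release
    r2 = gate.release("SN-002", False, "op1", "schedule pressure")     # refused: no authority
    r3 = gate.release("SN-002", False, "qm1", "deviation DEV-0007 accepted")  # recorded override
    intact, _ = trail.verify()
    trail.entries[0].payload["result"] = "fail"  # simulate a silent edit of a stored record
    tampered_ok, bad_seq = trail.verify()
    return r1, r2, r3, intact, tampered_ok, bad_seq, len(overrides(trail))


if __name__ == "__main__":
    print(demo())
```

In an audit the questions map directly onto these pieces: `verify()` is the check that records have not been altered after the fact, `overrides()` is the exception list that should be reviewed in management review, and the refused release by `op1` shows that the gate cannot be bypassed by someone without the defined authority. Real eQMS/MES systems implement these controls in their own ways; the point of the model is what evidence each control should leave behind.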

Aerospace auditors in 2026 would therefore see an audit approach that fits the revision trends: auditing “transition readiness” as a controlled process. Even before formal adoption dates, many organizations may start aligning language and practices, and auditors will check whether they have a controlled gap assessment method, a revision/transition plan with owners and milestones, controlled internal communications and competence updates, and disciplined change control over procedures and process controls. The clause anchors for this are:

  • 6.3 Planning of changes.
  • 7.5 Documented information.
  • 9.2 Internal audit.
  • 9.3 Management review.

Going process-first, organizations will follow each product and follow the risk. Auditors will check this by picking one high-impact product line or program and tracing it from contract/design planning to purchasing, production, verification and release, and on to post-delivery feedback, sampling at least one change event (supplier change, drawing revision, special process change, escape). The relevant clauses would be:

  • 4.4 Process approach.
  • 8.1–8.7 Operations.
  • 10.2 Corrective action.

Elevated effectiveness tests in 2026 would mean that audit conclusions increasingly hinge on whether the system produces fewer escapes and less recurrence, faster detection and containment, and decisions that visibly reflect risk and culture commitments. Clause anchors for these would be 9.1 performance evaluation and 10.2 improvement.

Based on the revisions expected in IA9100 2026, a field-ready, clause-based checklist for aerospace auditors, grounded in evidence, might look like this:

  • 5.1 / 9.3: Show me a leadership decision where quality/product safety won over schedule—what changed afterward?
  • 6.1 / 8.4: How do supplier risks change receiving inspection, verification, and contingency planning?
  • 8.1 / 8.7: Walk me through your counterfeit/suspect part prevention and containment from PO to disposition.
  • 7.1.4 / 7.2: What human-factor risks exist in this process, and what controls reduce error-likelihood?
  • 7.5 / 9.1: Prove this KPI: data source, transformations, access control, and how it drove action.

Summing up, I would guess the hardest part for organizations will be these most common weak points:

  • Culture/ethics presented as statements, not governance and measurable behaviors.
  • Risk registers that don’t change controls, especially in supplier management and production planning.
  • Counterfeit prevention that’s not end-to-end, particularly in distribution and returns/repairs.
  • Digital records without strong integrity controls, especially across multiple systems.
  • Human factors handled informally, without designed controls and competence verification.

If auditors hold the line on evidence—governance, traceability, effectiveness—the transition to IA9100 can strengthen aerospace quality rather than just reshuffle terminology. IA9100 clause numbering and wording may evolve until formal publication. This article intentionally anchors to the stable ISO 9001 / AS9100 structure (Clauses 4–10) to remain usable throughout the transition.


How to Audit Undocumented Processes: Practical Tools for Internal Auditors

Undocumented processes are ubiquitous. They emerge when people invent expedient workarounds, when systems lag behind evolving operations, or when tacit knowledge simply lives in employees’ heads. While these informal processes can be efficient, they also create risk: inconsistent outcomes, poor control, hidden single points of failure, compliance gaps, and difficulty demonstrating due diligence to auditors or regulators.

Auditing undocumented processes requires a different skill set than checking documented procedures: you must be a careful investigator, an evidence‑first interviewer, a data sleuth, and a pragmatic synthesizer who delivers usable outputs (not just findings).

This guide provides a practical, step‑by‑step toolkit and templates internal auditors can use to surface, assess and help formalize undocumented processes.

Clarify objective, scope and value

Start by defining why the audit is needed. Objectives might include assessing control effectiveness, verifying compliance, validating corrective action, identifying business continuity risks, or preparing the process for formalization. Limit scope to one process or a narrowly defined subprocess so you can dig deep rather than skim many shadows. Articulate the value for stakeholders up front: demonstrate that you are there to reduce risk, not to police personalities or run an inspection round.

Identify the de-facto owners and stakeholders

Undocumented processes usually have a “de facto” owner—someone who runs the work daily but may not appear on org charts. Use interviews with supervisors, system logs, or simple triangulation (“who signs off on X?”) to find them. Brief stakeholders on the purpose, scope and expected outcomes of the audit; getting buy‑in reduces defensive behavior and improves access to evidence.

Use structured discovery frameworks

Adopt a concise process discovery tool such as SIPOC (Suppliers, Inputs, Process, Outputs, Customers) or PIPS (People, Inputs, Process, Systems). These one‑page frameworks help quickly establish boundaries, expected outputs and interfaces even without formal procedures. Create an initial draft map during the kickoff meeting—doing this collaboratively both gathers knowledge and signals your methodical approach.

Evidence-first interviewing

When interviewing staff, ask for artifacts, not assertions. Use these techniques:

“Show me” requests: ask to see the last 3–5 completed cases, tickets, orders, change requests or emails that represent normal workflow.

Scenario probing: “Walk me through how you handled ticket #123 last Wednesday from start to finish.”

Document chase: request logs, timestamps, approvals, system entries, reconciliation files and any physical evidence (tags, manifests). Avoid leading questions. Record factual timelines and capture exact phrases when people describe exceptions or informal rules.

Transaction tracing: purposive sampling and end‑to‑end follow

Select a purposive sample of recent transactions—choose items that are typical, borderline, and exceptional. For each, trace the lifecycle: initiation, validation, approvals, handoffs, controls, exceptions, completion, and post‑action reconciliation. Use a transaction tracing worksheet (fields: ID, date/time, initiator, systems used, handoffs, controls observed, evidence located, anomalies). Tracing multiple items uncovers patterns: recurring workarounds, undocumented checkpoints, or missing reconciliations.

Silent observation and shadowing

Observe work in situ: silent shadowing during normal operations reveals deviations and shortcuts that people may not report. Rotate observations across shifts and workload peaks to see variability. Use time‑motion notes to capture durations, handoffs and informal controls. Observation is powerful for processes with a physical element (warehouse picking, handover logs, machine operator routines) and for revealing tacit knowledge.

Data analytics and system interrogation

Systems often hold the documentary evidence even when procedures do not exist. Extract logs, transactions, user access records, change histories, reconciliation files, and exception reports. Check nonconformity logs and their trends, paying particular attention to nonconformities that keep recurring.

Simple analytics (pivot tables, sequence checks, duplicate detection, out‑of‑hours activity flags, and time‑to‑completion distributions) can corroborate interview findings or surface anomalies you didn’t see on the floor. Where permitted, use filters to find outliers and then trace those back to the people and steps that produced them.
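The checks named above, run over a constructed transaction event log, as an added example that is not part of the original article. The log format (txn_id, event, user, timestamp), the business-hours window, and the expectation that every completed transaction is approved first and reconciled afterwards are assumptions made for the illustration.

```python
"""
Added example: lightweight audit analytics over a constructed transaction
event log. Implements the checks the text lists (sequence checks, duplicate
detection, out-of-hours flags, time-to-completion distribution, missing
reconciliations) plus a segregation-of-duties check (initiator == approver).
Log format and sample data are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, time
from statistics import median

# Constructed sample log: "txn_id,event,user,ISO-8601 timestamp".
# 2025-03-03 is a Monday; 2025-03-08 is a Saturday.
SAMPLE_LOG = """\
PO-1001,created,alice,2025-03-03T09:12:00
PO-1001,approved,bob,2025-03-03T10:40:00
PO-1001,completed,carol,2025-03-04T15:05:00
PO-1001,reconciled,dave,2025-03-05T11:00:00
PO-1002,created,alice,2025-03-03T14:00:00
PO-1002,approved,alice,2025-03-03T14:02:00
PO-1002,completed,carol,2025-03-03T16:30:00
PO-1003,created,erin,2025-03-07T08:45:00
PO-1003,completed,erin,2025-03-07T22:15:00
PO-1003,approved,bob,2025-03-08T09:00:00
PO-1003,reconciled,dave,2025-03-10T10:00:00
PO-1004,created,alice,2025-03-10T11:00:00
PO-1004,approved,bob,2025-03-10T11:30:00
PO-1004,completed,carol,2025-03-11T09:00:00
PO-1004,completed,carol,2025-03-11T09:01:00
PO-1004,reconciled,dave,2025-03-12T09:00:00
"""

# Assumed business-hours window; anything outside it (or on a weekend) is flagged.
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)


def parse_log(text):
    """Turn the CSV-style log into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        txn_id, event, user, ts = line.split(",")
        events.append({"id": txn_id, "event": event, "user": user,
                       "ts": datetime.fromisoformat(ts)})
    return events


def by_transaction(events):
    """Group events per transaction, ordered by timestamp."""
    groups = defaultdict(list)
    for e in events:
        groups[e["id"]].append(e)
    for evs in groups.values():
        evs.sort(key=lambda e: e["ts"])
    return groups


def first_occurrence(evs):
    """Timestamp of the first occurrence of each event type."""
    first = {}
    for e in evs:
        first.setdefault(e["event"], e["ts"])
    return first


def sequence_violations(groups):
    """Sequence check: completion recorded before (or without) approval."""
    bad = []
    for txn, evs in groups.items():
        first = first_occurrence(evs)
        if "completed" in first and (
                "approved" not in first or first["approved"] > first["completed"]):
            bad.append(txn)
    return sorted(bad)


def duplicate_events(groups):
    """Duplicate detection: the same event type recorded twice for one transaction."""
    dups = set()
    for txn, evs in groups.items():
        seen = set()
        for e in evs:
            if e["event"] in seen:
                dups.add((txn, e["event"]))
            seen.add(e["event"])
    return sorted(dups)


def self_approvals(groups):
    """Segregation-of-duties check: the initiator also approved the transaction."""
    return sorted(txn for txn, evs in groups.items()
                  if {e["user"] for e in evs if e["event"] == "created"}
                  & {e["user"] for e in evs if e["event"] == "approved"})


def out_of_hours(events):
    """Flag events on weekends or outside the assumed business-hours window."""
    return [(e["id"], e["event"], e["ts"].isoformat()) for e in events
            if e["ts"].weekday() >= 5
            or not (BUSINESS_START <= e["ts"].time() < BUSINESS_END)]


def missing_reconciliation(groups):
    """Completed transactions with no reconciliation event at all."""
    return sorted(txn for txn, evs in groups.items()
                  if "completed" in first_occurrence(evs)
                  and "reconciled" not in first_occurrence(evs))


def time_to_completion_hours(groups):
    """Hours from first 'created' to first 'completed', per transaction."""
    hours = {}
    for txn, evs in groups.items():
        first = first_occurrence(evs)
        if "created" in first and "completed" in first:
            hours[txn] = (first["completed"] - first["created"]).total_seconds() / 3600
    return hours


def summarize_durations(hours):
    """Distribution summary the auditor can quote: count, median, slowest item."""
    vals = sorted(hours.values())
    return {"n": len(vals), "median_h": median(vals), "max_h": vals[-1],
            "slowest": max(hours, key=hours.get)}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    grp = by_transaction(evs)
    print("sequence violations:", sequence_violations(grp))
    print("duplicates:", duplicate_events(grp))
    print("self-approvals:", self_approvals(grp))
    print("out of hours:", out_of_hours(evs))
    print("unreconciled:", missing_reconciliation(grp))
    print("durations:", summarize_durations(time_to_completion_hours(grp)))
```

Each flagged item is a lead to trace back to the people and steps that produced it, as the text recommends, not a finding in itself.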

Identify implicit controls and grade effectiveness

Not every control is written. List implicit controls you discover (segregation via separate systems, verbal supervisory checks, reconciliations, dual entry by different roles). For each control, evaluate:

Existence: is it consistently applied?

Evidence: is there a recorded trail?

Owner: who is responsible?

Frequency: how often is it performed?

Effectiveness: does it detect/prevent the related risk? Use a simple scoring matrix (Effective / Partially Effective / Ineffective) tied to risk impact and likelihood.

Map risks to controls and prioritize findings

Translate process gaps into risk statements (fraud, error, data integrity, regulatory noncompliance, single‑point‑of‑failure). Prioritize findings by risk severity and exploitability. For critical risks require immediate mitigation (temporary controls, access restrictions, segregation of duties) and escalate to management if necessary.

Produce a validated one-page process map and Quick SOP

One of the highest‑value audit deliverables is a validated one‑page process map and a Quick SOP (3–8 steps). Draft these from your traces and observations, then review them with the de facto owner and SMEs in a validation meeting. The Quick SOP should include: purpose, scope, steps, responsible roles, key controls, evidence to retain, and critical timelines. This turns tribal knowledge into a usable artifact and accelerates formal documentation.

Report with practical, prioritized recommendations

Structure findings as: condition → criteria (what should be) → cause → effect/risk → recommendation → owner/timeframe. Prioritize quick wins (retain evidence, simple reconciliations, temporary segregation changes) and medium/long‑term fixes (formal SOPs, automation, redesign). Provide sample corrective actions and, where helpful, a template Quick SOP and transaction trace annexes so the process owner doesn’t start from scratch.

Ensure root-cause focus and verification

Insist on root‑cause analysis for any significant nonconformity and require corrective actions with measurable success criteria. Avoid administrative closures—verification should be evidence‑based (data, subsequent traces, or direct observation). Schedule focused follow‑up audits or data checks to confirm effectiveness.

Tools and templates (practical, lightweight)

Keep tools simple and shareable:

  • SIPOC/PIPS one‑page template
  • Transaction tracing worksheet
  • Observation/time‑motion log
  • Quick SOP template (purpose, steps, owner, controls, records)
  • Control effectiveness scoring matrix
  • Data extraction checklist with suggested flags (duplicates, out‑of‑hours, missing reconciliations)
  • Sample management reporting slide: heatmap of risks and status of actions

Cultural and ethical considerations

Approach audits as collaborative improvement, not blame. Undocumented processes often evolved to solve real operational problems; acknowledge this and highlight where formalization will reduce risk without adding unnecessary bureaucracy. Protect confidential and personal data when handling records; comply with privacy rules and get consent from data owners where required. Use unannounced checks judiciously to reduce rehearsed responses but balance with respect for staff.

From audit to durable change

Audits of undocumented processes should not stop at reporting. Drive transition from Quick SOPs to formalized procedures by linking findings to training, process redesign, automation projects, and management review. Measure success with KPIs tied to the process (exceptions per 100 transactions, time to complete, number of post‑transaction corrections) and track trends post‑implementation.

Conclusion

Auditing undocumented processes demands investigative rigor and practical empathy. By combining structured discovery (SIPOC), evidence‑first interviewing, transaction tracing, observation, data analytics and lightweight deliverables (one‑page maps and Quick SOPs), internal auditors can convert tribal knowledge into auditable controls, reduce risk, and add immediate operational value. The result is a process that’s safer, more consistent, and ready for formal quality, compliance or continuity governance.

Integrated Audit Strategies for ISO 9001, ISO 14001 & ISO 45001

I recently completed an integrated audit that addressed multiple standards (RC14001, ISO 9001, FSSC 22000, RSPO, and HALAL). Auditing this way is especially valuable for organizations that operate under more than one framework, because it helps reduce duplicated effort, save resources, and create better alignment across business goals, without making the management system feel like a burden to the people using it.

In a recent webinar, I discussed how to run a more effective management review, and why an integrated approach can give leadership the kind of insights and decision-ready information they actually value. In this article, I’ll build on that theme by sharing practical strategies for integrated audits and how organizations can use them to stay compliant, improve performance, and keep multiple standards working together as one system.

Why Organizations Integrate Management System Audits

Management systems are a great way to bring structure to how a business operates. Without that structure, it can often feel like the organization is constantly fighting multiple fires. A process-based approach helps bring order to the chaos by making it easier to understand the context the business operates in, set clear goals, identify risks, and put plans in place that can be implemented, monitored, and reviewed.

For many organizations, the push to implement multiple management systems is mainly market-driven. Customers, regulators, or industry schemes may require certification as a condition of doing business. A smaller number of companies adopt management systems simply because they recognize the value, even when certification isn’t required. The problem is that management systems are often implemented in a piecemeal way, as new requirements arise. For example, a company may already have ISO 9001 in place, then a new requirement for ISO 45001 comes along. Instead of integrating the new standard into the existing system, a separate ISO 45001 “system” gets built alongside it.

When integrated management systems are implemented well, the benefits are significant. They reduce duplication, improve alignment, and make the system easier for people to use. And when the system is easier to implement and maintain, it naturally improves buy-in and strengthens commitment across the organization.

Common Structures Across ISO 9001, 14001 & 45001

What makes the ISO standards easier to implement is the harmonized structure ISO uses in developing them. Since 2013, this approach has made integration easier because the standards share a unified clause structure. The standards also follow the flow of the PDCA cycle, laid out as plan, implement, performance evaluation, and improvement.

The common clause structure allows for a better integrated manual without the need for a cross-reference matrix. Additionally, organizations can now maintain a common risk register, conduct integrated audits, plan a common management review, have one policy (which ensures no conflicts with other policies), and follow a common documentation approach.

Planning an Integrated Audit Program

Planning an integrated audit program may at first seem challenging, especially when it comes to finding resources that can audit to multiple standards in one audit. Let us first look at the approach to a good audit program.

A good audit program goes beyond meeting the minimum requirements. Often I come across organizations that do audits just once a year. The justification is that there is QC in place, site walk-throughs by safety, operational inspections and regulatory/customer audits. Organizations must keep in mind that the scope of each of these may be different from that of an internal audit. While it may appear that various inspections and audits are being performed, the lens through which the system is being looked at may be very different.

For example, in an inspection the focus is only on the output of a process and whether the output is conforming or not. In regulatory audits the focus is on regulatory requirements and compliance, not necessarily on process performance. Internal audits focus on process effectiveness and move beyond conformity. Based on the risks associated with a process, leadership must determine the interval at which they want to audit each process.

For internal audits it is best to audit a few processes every month or every other month and then to conduct a system audit once a year.

Process-Based vs Clause-Based Integration

The ISO standards promote a process-based and risk-based approach to internal audits. While it may seem easier, or even more logical at first, to conduct a clause-based audit, it is often not very effective. The main reason is simple: it doesn’t paint the whole picture.

When we audit a process, we can assess conformity to multiple clauses at the same time, within the real flow of work. That is where integration becomes practical. There are a few situations where a clause-based approach may still make sense, such as when auditing leadership commitment to the system, or when reviewing how documented information is created, updated, and controlled across the organization.

A process-based approach allows the auditor to connect the dots between contextual risks, the planning done to address those risks, the controls and actions implemented, and the evaluation of effectiveness. Building on this, auditors can also assess how well the process is actually working in practice, not just whether the organization can point to a procedure that says it exists.

Risks of Poorly Integrated Audits

As stated at the start of this article, one of the biggest challenges in conducting integrated audits is having the internal resources who are competent across multiple standards. Many of our clients, especially those working with smaller budgets, find themselves trying to hire that one person who understands everything, and can audit everything. In reality, that’s a unicorn find.

Organizations generally have two options to address this.

The first is to outsource internal audits to an auditing organization or auditor who already has experience across multiple standards. In many cases, the provider will assign a team of auditors with the competence to cover the relevant requirements. Depending on the scope, this could be a team of two, or even four. Of course, the more auditors involved, the higher the cost.

The second option is to build internal capability by training the organization’s own audit team across the required standards. This does involve investment in the individuals selected, but it also creates long-term value. QMII typically recommends training a minimum of 10% of the workforce as internal auditors, up to a total of 10 auditors. This creates a strong pool to choose from and also supports more objective and impartial auditing.

QMII’s modular training approach helps organizations build audit capability quickly, without needing to put people through a full 4–5 day lead auditor course for every standard. Running an in-house auditor course can also create economies of scale and allows the training to be more customized to the organization’s own processes and risks.

Building Integrated Audit Capability

Integrated audits don’t fail because the standards are difficult. They fail because the organization does not have enough people who can confidently audit across the scope. The key to building integrated audit capability is to stop thinking of auditors as “ISO 9001 auditors” or “ISO 14001 auditors” or “ISO 45001 auditors” and start developing auditors who understand process performance, risk-based thinking, and system effectiveness. Once that foundation is strong, adding additional standards becomes far easier.

The goal is not to create a team of “super auditors.” The goal is to build a pool of competent internal auditors who can look at a process and understand how it supports quality outcomes, environmental controls, and worker safety all at the same time. When an organization can do that, integrated auditing becomes practical, consistent, and sustainable.

A good way to start is by building capability around the process approach. This means training auditors to follow the workflow, understand inputs and outputs, ask the right questions, and confirm that controls are working as intended. In many organizations, this is where the biggest value is gained, because audit conversations move beyond “show me a procedure” and into “show me how the process is managed.” This is exactly where QMII adds value. Our training is designed to build real audit skill, not just theoretical knowledge of clauses. 

Ultimately, when audit capability is built the right way, integrated audits stop being a burden and start becoming a value adding tool. They provide leadership with better insight, stronger confidence in controls, and a clearer view of where the system needs to improve before problems grow into incidents, complaints, or nonconformities.

AS9100 for Tier-2/3 Suppliers: Minimum-Viable Risk & Special Process Control Without Gridlock

AS9100 can be adopted by any organization by choice, but it is often a business demand. Aerospace is a vast field with major and minor players. Does it therefore follow that Tier-2 and Tier-3 suppliers should go through the same documentation burden as a primary aerospace organization? This is a dilemma faced by Tier-2/3 suppliers. I have often thought about this. This short article, based on QMII experience, is written specifically for AS9100 Tier-2/3 suppliers and explains how they can balance control with agility while still meeting the requirements of the standard.

Tier-2 and Tier-3 aerospace suppliers face a unique dilemma: the need to meet AS9100’s rigorous expectations while working with limited resources and tight delivery schedules. Customer flow-downs, documentation demands, and special-process scrutiny can quickly overwhelm small teams. The key challenge is achieving effective control without unnecessary bureaucracy, preserving the agility that keeps smaller suppliers competitive. This article is aimed at that need of Tier-2/3 suppliers.

The supplier’s challenge in aerospace quality comes from aerospace customers bringing layers of requirement complexity: unique quality clauses, FAIR specifics (the First Article Inspection Report, part of the broader First Article Inspection (FAI) process), special-process certifications, customer portals, and documentation formats. These customer-specific expectations often exceed the base AS9100 standard and force Tier-2/3 suppliers to interpret, prioritize, and integrate a landscape of varied demands. Without a structured approach, they risk creating bloated systems that satisfy auditors on paper but hinder production flow.

Understanding AS9100 Clause 8 (operational controls) is therefore essential. Clause 8 is the operational heart of AS9100, setting expectations for planning, process control, risk mitigation, and configuration management. It emphasizes that conformity comes from effective planning and controlled execution, not from sheer volume of documents. Suppliers must ensure that personnel have the right information at the right time, that processes are validated where outcomes cannot be fully verified after the fact, and that changes are managed with discipline. For small suppliers, the goal is implementing these controls proportionally to risk, not copying OEM (original equipment manufacturer) Tier-1 systems.

Minimum-Viable Risk (MVR) must be considered as a pragmatic interpretation of AS9100. AS9100 demands risk-based thinking, but many small suppliers interpret this as “more forms” instead of “better decisions.” MVR provides a method to match controls to actual consequences. It prevents systems from becoming document-heavy while maintaining the safeguards needed for aerospace.

Basic MVR principles include:

  1. Identifying what can truly go wrong (escape, defect, missed requirement).
  2. Assessing the severity of consequence.
  3. Matching control strength to risk severity—not habit or tradition.
  4. Eliminating duplicate or ritualistic checks.
  5. Documenting the rationale for proportional controls.

MVR is simplicity with discipline and is the heart of AS9100 done well. It includes applying MVR to special processes without gridlock. Special processes such as welding, heat treat, coatings, NDT (nondestructive testing), and bonding pose inherently higher risks because results cannot be fully verified after production. However, small suppliers can maintain strong control without drowning in paperwork. They should control inputs, not layers of signatures: validate equipment capability, freeze key parameters, ensure personnel competency, and maintain controlled settings. Excess signatures do not improve quality; controlled inputs do.

Tier-2 and Tier-3 suppliers should build process ownership. Escapes in special processes usually stem from incorrect settings, outdated drawings, or tribal knowledge. An escape is a defect that leaves your organization and reaches the customer. A single-point accountability model, owned by the welding lead, NDT supervisor, or coating tech, reduces error pathways better than multiple inspectors. Also, condense travelers into one-page critical parameter sheets listing key variables, limits, and required verifications. This approach focuses on what actually matters to conformity.

Another important organizational priority for Tier-2/3 suppliers (AS9100 clause 4.4.1) is to right-size the QMS to their risk level. AS9100 allows flexibility, and small suppliers should embrace it. Not every process requires the same level of documentation, inspection, or validation.

  • Low-risk machining or simple assembly can rely on straightforward checks.
  • High-risk special processes need tighter controls, but not excessive forms.
  • Different supplier tiers have different expectations; Tier-3 machining houses need far less documentation than Tier-1 system integrators.
  • A right-sized QMS is efficient, compliant, and scalable.

Then there is the use of practical supplier evaluation methods. Supplier oversight does not have to involve 12-page questionnaires or annual onsite audits. AS9100 encourages objective, data-driven oversight:

  • On-Time Delivery (OTD).
  • NCR (non-conformity report) and escape trends.
  • Responsiveness to containment.
  • Corrective action effectiveness.

This approach is more reliable than generic forms and lets purchasing focus on high-risk, high-impact suppliers.


Then there are the common audit weaknesses in Tier-2/3 suppliers. QMII’s audit experience reveals recurring issues across these organizations:

  • Manuals copied from templates that do not match actual practice.
  • Weak configuration control, especially in revision management.
  • Inconsistent traceability in special processes and outsourced steps.
  • Internal audits that check boxes instead of evaluating system effectiveness.
  • Training records that prove attendance but not competency.
  • Excessive documentation without actual operational control.

These weaknesses stem not from lack of effort, but from systems that were built to “pass audits” rather than ensure reliability.

MVR can also be used to reduce escapes and customer returns. Most escapes involve incorrect flow-downs, poor configuration management, or over-reliance on manual documentation. MVR shifts focus from detection to prevention, reducing escapes by simplifying controls and strengthening process discipline. Early requirement clarification, targeted training, and controlled process inputs all contribute to fewer customer complaints and more predictable performance.

As an example, a recommended timeline from QMII for a Tier-2/3 implementation blueprint (90 days) could be three-phased. Phase 1, Diagnose (Weeks 1–3): map critical processes, identify friction points, and assess risk using MVR. Phase 2, Simplify (Weeks 4–8): streamline travelers, create one-page control sheets, and combine competency and training logs. Phase 3, Reinforce (Weeks 9–12): clarify process ownership, audit for effectiveness, and pilot new controls. This, I think, builds a lean, compliant AS9100 system with predictable output.

In conclusion and as a call to action I would say a streamlined, risk-aligned AS9100 system allows Tier-2/3 suppliers to maintain compliance without sacrificing agility or productivity. By matching control depth to risk, strengthening special-process discipline, and using data-driven supplier monitoring, organizations can reduce escapes, satisfy customers, and maintain competitive flow.

For suppliers looking to strengthen their capability, QMII offers AS9100 auditor training that emphasizes process-based auditing, practical system improvement, and real-world risk management—equipping teams to build QMSs that are both compliant and efficient.

How to Quantify Audit Value: KPI Models for Internal Audit Functions in 2026

In some organizations, QHSE functions and the associated management system are seen merely as compliance requirements and not as a value add to the system. As such, budgets allocated to QHSE programs are viewed as overhead, since they are seen as not directly contributing to the bottom line.

Mature organizations realize the impact QHSE programs have on a system. A conforming service or product means fewer returns, greater customer satisfaction, better employee morale, lower operating costs and better governance. The cost of not having an effective QHSE program is much higher.

However, it is often left up to the QHSE program managers to justify their budgets and in some cases the program itself. In an organization I was supporting, the QC function tried to get rid of the QA program completely, citing it was redundant. Here is where having good metrics can justify the value add the QHSE and Internal Audit Functions provide.

Why “Audit Value” Is Under Scrutiny in 2026

When perceived as merely a compliance check box, the internal audit can seem an expensive proposition. There are many other means of oversight within the organization, including leadership ‘GEMBA’ walks, inspections, supervisor oversight and a plethora of other audits, including customer audits.

Attempting to go beyond the bare minimum needed to meet a requirement increases internal audit budgets. Justifying high overhead costs that take away from profit margins to an investor or stakeholder may be challenging for leadership.

Internal audits are meant to sample the system to assess its continuing effectiveness. Note the word sample: they are not meant to guarantee its effectiveness. When a regulatory audit identifies an issue that was missed by an internal auditor, the board and others may question the effectiveness of such programs. They may fail to recognize that the scope and objective of the two audits may have been different.

The Shift from Compliance Audits to Performance Audits

Internal Audit functions began in the financial world in the 16th century. They expanded to focus on quality outputs during the World Wars. At the time the focus was merely on ensuring a quality output, with little focus on the process. Ever since, system thinkers have been trying to change the mindset about audits, with little progress.

Traditional Compliance-Driven Audit Models

Traditionally, as stated above, audits were about ensuring compliance and conformity. Little importance was given to the amount of scrap, waste or rework. Customer satisfaction was the goal, often at the expense of process efficiency. During the wars it did not matter how many products were non-conforming so long as they were identified and segregated.

Audits were merely about ensuring the requirement was met. This has since changed.

Modern Performance-Driven Audit Models

Internal audits now focus on the continuing adequacy, suitability and effectiveness of the system. The goal of management systems has changed from being a reactive tool to being a proactive approach to identifying and managing risks to the system. Standards now ask organizations to assess the context of operations, risks to meeting objectives and action taken to ensure that the objective can be met.

Audits thus use a risk-based approach to this planning to ensure that the system is performing as expected and will continue to do so.

Defining “Value” in an Internal Audit Context

So what is meant by a value-added audit? It is one that uses a risk-based approach to sample the controls and resources in the system. Based on this sample, the auditor assesses the effectiveness of the system (think people, processes and their interaction) in managing risks.

Auditors accept that non-conformities and new risks may arise. They assess whether the system will catch them in a timely manner and address them so that the possibility of their impacting the system, now and in the future, is minimal.

Value is added by assessing process efficiency in meeting process and system objectives and by eliminating process waste. Finally, audit outputs must provide insights to leadership on the state of the system. How is my system working? What are the risks? Where is it robust and where is it fragile?

KPI Categories for Internal Audit Functions

Effective internal audit KPIs should reflect more than activity counts, grouping measures into categories that show how audits manage risk, improve processes, support compliance, and contribute to business performance.

Risk Management KPIs

Risk management KPIs evaluate how well internal audits identify, assess, and help reduce significant organizational risks before they escalate into issues.
Example: Cost of impact of high-risk audit findings if not timely identified.

Process Effectiveness KPIs

These KPIs focus on whether audit activities lead to measurable improvements in process performance, consistency, and control effectiveness over time.
Example: Reduction in repeat findings for the same process across successive audits.

Compliance Stability KPIs

Compliance stability KPIs track trends in regulatory findings and external audit results to indicate whether controls are becoming more reliable and sustainable, not just temporarily fixed.

Example: Year-over-year decrease in major nonconformities raised during external audits.

Business Impact KPIs

Business impact KPIs translate audit outcomes into tangible value, such as cost avoidance, downtime reduction, or improved decision-making, helping leadership see audits as a business enabler rather than a compliance exercise.
Example: Estimated cost savings from audit-driven corrective actions that prevent production delays or rework.

Linking Audit KPIs to Management System Performance

Organizations may find it challenging to find appropriate KPIs, since the exact cost of a non-conformity may not be known unless it occurs. A general approximation can be made, with the assumptions outlined.

ISO 9001 – Quality Performance Indicators

Audit KPIs under ISO 9001 should demonstrate how audits contribute to consistent product and service quality, process control, and customer satisfaction.

Example: Reduction in customer complaints linked to corrective actions arising from internal audit findings.

ISO 14001 – Environmental Performance Indicators

For ISO 14001, audit KPIs should reflect how effectively audits identify environmental risks, compliance gaps, and opportunities to reduce environmental impact.

Example: Decrease in environmental incidents or permit deviations following audit-driven improvements.

ISO 45001 – Safety Performance Indicators

ISO 45001 audit KPIs should show how audits support hazard identification, risk reduction, and safer working conditions.

Example: Reduction in near-miss recurrence after audit findings addressing unsafe conditions or behaviors.

Why Most Audit Functions Fail to Demonstrate Value

As with all other processes, the internal audit function too should have a process objective that can be made measurable and should be based on the framework set in the policy. Read clause 6.2 in conjunction with clause 5.2 of the ISO management system standards.
Often this KPI is merely the completion of an annual audit: not even the outcome of the audit, just that the audit was completed. This is because the audit is seen as an annual ritual that must be performed.
Without effective KPIs the value of the internal audit function cannot be highlighted to leadership, and leadership cannot perceive the cost savings, or rather the low investment for the high returns!

Building KPI-Driven Audit Programs – A System Approach

Defining Audit Objectives

Organizations must outline what it is that they want the audit program to achieve. Think beyond just compliance. An example of this may be “To provide timely insight to leadership on system risks and opportunities.”

Mapping Processes

Based on this objective, now map the audit program to the processes within the system, taking into account the contextual issues impacting the system (for example, high turnover, supply chain issues, etc.). Use this as a basis to develop a risk-based approach to performing internal audits. This would include the frequency of audits (some processes would be audited more than once a year based on risk), the selection of the audit team, the sample size and the duration of the audit.

Selecting Meaningful Indicators

With the audit objective in place, the program manager can now begin to select meaningful indicators of how the audit program has added value to the system, and how it goes beyond checking for compliance to identify risk proactively.

The Role of Auditor Competence in Measuring Value

As stated in the paragraph above, the selection of the audit team is a critical step in the internal audit function. The organization must consider the competence of the auditor and select them based on the criteria outlined in ISO 19011. The auditor must then be assessed at some interval to determine their continuing competence.
Auditors must be impartial and objective and use a process-based approach to auditing. They must have the ability to think analytically, keeping their biases and prejudices at bay. Further, the auditor must have the ability to frame good audit questions that dive deeper and get a true picture of the functioning of the system.

How QMII Trains Auditors to Deliver Measurable Value

QMII’s auditor training focuses on developing professionals who can evaluate system effectiveness, identify real risk, and communicate insights that drive meaningful management action.

Process effectiveness auditing – Auditors are trained to assess how processes actually perform in practice, not just whether procedures exist, using evidence that links controls to outcomes.

Risk-based audit training – QMII emphasizes risk-based thinking so auditors prioritize what matters most to the organization, aligning audit focus with strategic, operational, and compliance risks.

Real-world audit case analysis – QMII training includes real audit scenarios and failures, helping auditors recognize systemic issues, weak signals, and unintended consequences that checklists often miss.

Executive-level reporting skills – Auditors learn how to translate audit findings into clear, focused insights that leadership can act on, rather than just a completed check-off list.

2026 and Beyond – The End of “Tick-Box” Auditing

Internal auditing can no longer survive as a compliance ritual measured by audit completion alone. As this article shows, audit functions that fail to quantify risk reduction, process effectiveness, compliance stability, and business impact will continue to be viewed as overhead, despite the very real cost of unmanaged risk, waste, incidents, and poor governance.

The future belongs to performance-driven, risk-based audits that provide leadership with clear insight into how well the management system is working, where it is fragile, and where it creates value. When supported by meaningful KPIs, competent auditors, and systems-aware training, internal audits move decisively beyond tick-box conformity and become a strategic tool for resilience, improvement, and sustained organizational performance.

Right-Sizing TSMS Under Subchapter M: Cutting COI Deficiencies with Data-Driven Internal Audits

Right-Sizing TSMS Under Subchapter M

The onset of regulatory requirements causes organizations to rush their efforts to ensure compliance within the deadline issued. Management systems, while enabling compliance, are not intended solely for compliance. Their primary purpose is to provide a framework for the organization to meet leadership objectives using a systemized approach. Additionally, a management system is meant to act as a preventive tool so that the organization can proactively manage risks.

The requirements for Towing Safety Management Systems (TSMS) were similarly met with organizations rushing to document (perhaps over-document) everything! Many implemented the TSMS just to pass an audit and keep records of “compliance”. The management system failed to reflect actual practices and thus created a burden of paperwork for those on board. On small tow boats with limited crew in particular, this has created more problems. Further, such a system does nothing to improve safety in any way.

The documentation (TSMS) now leads to further problems during audits because the written TSMS does not reflect the TSMS actually lived on board. Despite good intentions, inconsistencies arise and COI deficiencies are identified. Management systems designed around the “as-is” enable organizations to develop an operationally realistic TSMS that matches how the company actually works and is easier to maintain.

The Compliance Trap in Subchapter M Auditing

Subchapter M was intended to usher in a new era of safety within the towing vessel industry. It followed many years of regulatory development and was the result of an increase in accidents and incidents involving tow boats. However, as with many regulatory requirements, the focus has been merely compliance while work continues as normal. When the management system is equated with compliance, leadership ashore and on board tend to merely “fix” or “prepare” the system for internal and external audits.

Personnel forget that audits are merely a sampling of the system and not a comprehensive review. In some cases auditors tend to conduct the audits more like inspections than audits. They become merely a review of the paperwork rather than an assessment of actual practices on board. Auditors must verify the crew’s understanding of the system. However, in an effort to pass audits, records are updated the day before, only the most well-versed crew members are presented to the audit team, and practices are limited to the minimum so the auditors do not have much evidence.

Compliance focused audits therefore may fail to uncover the systemic causes of repeated deficiencies. 

Understanding the Audit Requirements in §138.315

One of the biggest misconceptions I see among operators is their understanding of what §138.315 actually expects during an internal audit. Many assume the regulation is asking for a paperwork confirmation exercise of “show me the TSMS manual, show me the forms,” and that this is enough to satisfy Subchapter M. But §138.315 is far more purposeful than a documentation review. It requires an internal evaluation that verifies two things: that the TSMS is implemented and that it is effective. This distinction is where operators fall short.

The regulation expects internal evaluations to be evidence-based, meaning the auditor must look beyond the binder and confirm that what is written actually reflects what happens on the vessel and in day-to-day operations. Operators often assume that if the forms are filled out and the policies exist, they are compliant. But §138.315 is explicitly tied to the idea of system performance, not paperwork completion. A beautifully formatted SMS means nothing if the crew doesn’t understand it or if the vessels operate differently from what the manual describes. This is why TSMS audits under Subchapter M must go deeper than document checks.

Subchapter M is not trying to make life harder for operators. It is designed to ensure the TSMS reflects reality and results in safer, more reliable operations. When internal audits focus on objective evidence rather than documentation alone, they fulfill the intent of the regulation and help operators find the issues before the Coast Guard or TPO does.

Using Data to Drive Audit Priorities

As a preventive tool, the management system must provide the leadership with the evidence needed to make data-driven decisions. This is where well-set KPIs give leadership the inputs needed to determine whether the system is being implemented effectively as planned and to identify trends for timely action. KPIs such as near-miss trends, machinery downtime, and incident reports enable the organization to target audit areas. The aim is not to focus solely on the problem areas but to take a deeper dive into them.

Internal auditors may use statistically based sampling to develop their audit plan. Such an audit plan is then a risk-based plan that allows for a deeper dive in certain areas. Additionally, the company may determine the need for special audits outside of the normal periodic timeframe. Operators, however, do not need to wait for an audit to take action on data trends. “Repeat offenders” (tasks, equipment, vessels, crew behaviors) identified through trend analysis can be acted upon immediately.

The checklists that auditors use play a key role here. Audit checklists should primarily consist of open-ended questions that begin the conversation. Auditors then build on these based on the answers they receive. If auditors do not have follow-on questions but merely stick to their documented checklist, then the audit becomes more of an inspection. Further, auditees know what to expect and prepare the system accordingly.

The Designated Person’s Role in Effective Oversight

In a maritime management system the designated person or DP plays a critical role in the success of the system. The DP is the key interface between the shore management and the vessel management. Subchapter M requires the DP to effectively manage the TSMS on board beyond signing forms or attending audits. 

The DP has a responsibility for the safety on board and for the implementation of the TSMS. To this effect they have to monitor the safety on board. To achieve this they may draw insights from audit reports, NCRs, and trend data to inform management decisions. The DP plays a critical role in ensuring corrective actions address root causes, not generic retraining or re-documentation. Effective and timely communication can help alleviate issues on board in a timely manner and ensure that leadership is aware of the risks on board as well as those ashore. A strong DP presence is instrumental in strengthening TSMS integrity.

Common Pitfalls and How QMII Helps Fix Them

One of the most consistent problems we see across the industry is the use of overly complex, copy-paste TSMS manuals that don’t reflect how the company actually works. Templates look impressive, but they create confusion, inconsistencies, and ironically, more COI deficiencies. Add to that audits performed by untrained personnel who rely on generic compliance checklists, and the result is a system that appears documented but is barely implemented. Corrective actions often close the immediate symptom but never address the underlying cause, which is why the same issues show up year after year. Weak closeout documentation and thin evidence trails only compound the problem when a TPO or Coast Guard officer asks for proof.

QMII’s approach, built on over 39 years of experience, enables our team to create and deliver customized solutions to our clients. Our training equips auditors to verify systems, not just paperwork, and to ask the kinds of questions that reveal true implementation and effectiveness. We help operators right-size their TSMS so it matches their operations. This includes leaner manuals, clearer processes, and forms that crews can actually use. Through gap assessments and coaching, we strengthen corrective action practices, reinforce the importance of objective evidence, and help organizations build a TSMS they can sustain. The end result is a system that reduces COI deficiencies because it’s built on operational reality, not borrowed documentation.

Conclusion & Next Steps

Internal audits remain a critical tool for leadership to use in determining the state of their system. They must also help reduce COI deficiencies. However, this is only possible when the audit team is skilled, personnel are aware of the audit, and the audit objective and checklists enable the auditor to determine the focus areas of the audit. Right-sizing the TSMS leads to better crew engagement and safer operations.

Operators must formally train their internal auditors, and QMII’s auditor training course has been specially designed for maritime clients. The instructors, too, come with a varied background in the maritime industry. In conclusion, operators must consider shifting from a mindset of “audit for compliance” to “audit to improve the system.”

About the Author

Dr. Julius is a Senior Consultant at QMII with over 25 years of experience in ISO and aerospace quality systems. He has trained and guided hundreds of U.S. defense contractors on AS9100 and compliance, turning certification into a competitive advantage.

ISO 9001 Internal Audits that Improve Performance

ISO 9001 internal audits are most valuable when they move beyond compliance checking to actively drive performance improvement. Properly designed and executed, internal audits validate that the quality management system (QMS) is effective, reveal systemic weaknesses, surface opportunities, and provide input for management decisions that raise process outcomes and customer value.

It is best to start with purpose and planning. Audits should be risk‑based and aligned to business objectives and scope: critical processes, high‑risk activities, recent changes, customer complaints, and past nonconformities merit higher audit frequency. Define clear objectives for each audit (e.g., verify effectiveness of corrective actions, assess process performance against KPIs, confirm readiness for certification). Use a rolling schedule that balances coverage with depth rather than mechanical clause ticking.

Adopt a process‑and‑evidence mindset. Auditors trace the process flow from inputs through controls to outputs and outcomes. Instead of focusing on whether a procedure exists for the organization, an auditor must ask whether the process delivers the intended result and how that is measured. Review objective evidence — records, performance data, trend charts, work observations and interviews — to test effectiveness. Ask probing questions such as “How do you know this control is working?” and “What evidence shows improvement over time?”

Make auditor competence and approach central. Auditors require process knowledge, risk awareness, data‑analysis skills and good interviewing techniques. Internal auditors should act as impartial investigators and constructive consultants: identifying root causes and suggesting practical corrective or improvement actions rather than assigning blame. Cross‑functional auditing helps expose interdependencies and spreads good practices across the organization.

Emphasize root‑cause analysis and corrective action effectiveness. When nonconformities are found, require structured root‑cause methods (5 Whys, fishbone) and corrective actions that target systemic causes with measurable success criteria and timelines. Verification of effectiveness is essential — closures should be evidence‑based (data, subsequent audits, or implemented controls), not merely administrative sign‑offs.

Link audit findings to performance metrics and management review. Audits should feed quantifiable insights into management review: trends in KPI performance, recurring issues, risk exposures, and results of corrective actions. Management should use this input to prioritize resources, approve improvement projects, and adjust objectives. Tracking audit‑driven improvements against business outcomes (reduced defects, faster delivery, higher customer satisfaction) demonstrates audit ROI and motivates continued engagement.

It is imperative to use data and tools to enhance impact. Data analytics, control charts, exception reporting, and audit management software increase audit efficiency and enable evidence‑based conclusions. A well-prepared checklist focuses on performance indicators, not just clause compliance, to ensure consistency while preserving investigative flexibility.

Cultivate a culture that views audits as opportunities and not as a factor to intimidate. Communicate that audits are aimed at learning and strengthening processes. Celebrate instances where audits uncover improvements or where process owners implement effective corrective actions. A no‑blame, improvement‑oriented culture increases transparency and cooperation.

Measure audit program effectiveness. Useful indicators include the decline in recurring nonconformities, the percentage of corrective actions verified effective, time to close actions, and improvement in audited process KPIs. Regularly review and refine the audit program itself based on these metrics.
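The KPI categories described earlier (risk management, process effectiveness, compliance stability, business impact) and the audit-program indicators in this paragraph, computed from an audit register. This is an added example, not QMII's code; the finding and corrective-action records and their field names are constructed assumptions, and the cost figures are stated assumptions in the sense the article describes.

```python
"""Audit-program KPIs computed from audit records (added example).

Records and field names (cycle, process, source, severity, est_cost,
verification) are constructed assumptions; substitute your own register.
"""
from collections import defaultdict
from datetime import date
from statistics import median


def _finding(fid, cycle, process, source, severity, est_cost=0):
    # est_cost: assumed cost had the nonconformity not been found in time
    # (an assumption, since the real cost is only known if it occurs).
    return {"id": fid, "cycle": cycle, "process": process, "source": source,
            "severity": severity, "est_cost": est_cost}


# Constructed findings register: internal audit findings plus findings
# raised by the external (certification body) auditor.
FINDINGS = [
    _finding("F-23-01", 2023, "Purchasing", "internal", "major", 25000),
    _finding("F-23-02", 2023, "Calibration", "internal", "minor", 4000),
    _finding("F-23-03", 2023, "Training", "internal", "minor"),
    _finding("F-23-04", 2023, "Document Control", "internal", "minor"),
    _finding("F-24-01", 2024, "Purchasing", "internal", "major", 30000),
    _finding("F-24-02", 2024, "Calibration", "internal", "minor", 5000),
    _finding("F-24-03", 2024, "Training", "internal", "minor"),
    _finding("F-24-04", 2024, "Nonconforming Output", "internal", "minor", 8000),
    _finding("F-25-01", 2025, "Purchasing", "internal", "minor"),
    _finding("F-25-02", 2025, "Design", "internal", "major", 50000),
    _finding("E-23-01", 2023, "Purchasing", "external", "major"),
    _finding("E-23-02", 2023, "Document Control", "external", "major"),
    _finding("E-24-01", 2024, "Training", "external", "major"),
    _finding("E-25-01", 2025, "Calibration", "external", "minor"),
]

# Constructed corrective actions. verification is "evidence" (closure backed
# by data or a follow-up audit), "signoff_only" (administrative closure) or
# None while the action is still open.
CORRECTIVE_ACTIONS = [
    {"id": "CA-01", "finding_id": "F-24-01", "opened": date(2024, 3, 5),
     "closed": date(2024, 4, 20), "verification": "evidence"},
    {"id": "CA-02", "finding_id": "F-24-04", "opened": date(2024, 3, 5),
     "closed": date(2024, 5, 30), "verification": "signoff_only"},
    {"id": "CA-03", "finding_id": "F-24-02", "opened": date(2024, 3, 6),
     "closed": date(2024, 3, 28), "verification": "evidence"},
    {"id": "CA-04", "finding_id": "F-25-02", "opened": date(2025, 3, 10),
     "closed": None, "verification": None},
    {"id": "CA-05", "finding_id": "F-25-01", "opened": date(2025, 3, 10),
     "closed": date(2025, 4, 9), "verification": "evidence"},
]


def repeat_findings_by_cycle(findings):
    """Process-effectiveness KPI: for each audit cycle, the number of
    processes with an internal finding that also had an internal finding in
    the preceding cycle. A falling count means issues are not recurring."""
    processes = defaultdict(set)
    for f in findings:
        if f["source"] == "internal":
            processes[f["cycle"]].add(f["process"])
    cycles = sorted(processes)
    return {cur: len(processes[cur] & processes[prev])
            for prev, cur in zip(cycles, cycles[1:])}


def external_majors_by_cycle(findings):
    """Compliance-stability KPI: major nonconformities raised by external
    audits per cycle (cycles with none are reported as 0)."""
    counts = {f["cycle"]: 0 for f in findings}
    for f in findings:
        if f["source"] == "external" and f["severity"] == "major":
            counts[f["cycle"]] += 1
    return dict(sorted(counts.items()))


def corrective_action_kpis(actions):
    """Share of closed actions verified effective with evidence (sign-off-only
    closures do not count) and median days to close."""
    closed = [a for a in actions if a["closed"] is not None]
    if not closed:
        return {"verified_effective_pct": 0.0, "median_days_to_close": 0.0,
                "open": len(actions)}
    verified = sum(1 for a in closed if a["verification"] == "evidence")
    days = [(a["closed"] - a["opened"]).days for a in closed]
    return {"verified_effective_pct": round(100.0 * verified / len(closed), 1),
            "median_days_to_close": float(median(days)),
            "open": len(actions) - len(closed)}


def estimated_cost_avoidance(findings, actions):
    """Business-impact KPI: assumed cost avoided, credited only for findings
    whose corrective action was verified effective with evidence."""
    cost = {f["id"]: f["est_cost"] for f in findings}
    return sum(cost.get(a["finding_id"], 0)
               for a in actions if a["verification"] == "evidence")


def audit_program_scorecard(findings=FINDINGS, actions=CORRECTIVE_ACTIONS):
    """Scorecard suitable as an input to management review."""
    return {"repeat_findings": repeat_findings_by_cycle(findings),
            "external_majors": external_majors_by_cycle(findings),
            "corrective_actions": corrective_action_kpis(actions),
            "estimated_cost_avoidance": estimated_cost_avoidance(findings, actions)}


if __name__ == "__main__":
    for name, value in audit_program_scorecard().items():
        print(f"{name}: {value}")
```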

To sum up, ISO 9001 internal audits that improve performance are planned around risk and business impact, executed with process focus and competent auditors, and emphasize root‑cause analysis, corrective action and measurable verification, feeding an effective management decision‑making process. When integrated with data analysis and a culture of continual improvement, the internal audit becomes a strategic tool that drives sustained and measurable enhancement of quality and organizational performance.


About the Author

This article was written by Anjalika Singh, President at QMII. Over the years she has developed a sharp intuitive sense combined with strong operational and training management skills, making her a key asset in QMII’s consulting and training initiatives. Her work focuses on practical lead-auditor training and helping organisations adopt ISO and industry-specific management systems in a way that delivers business value.

ISM Code to Bridge the Shore – Ship Gap: Making SMS a Living System

I take pride in my experience as I work with our maritime clients, emphasizing the personal perspective from both below and above the surface of this ocean. My view of the ISM Code is shaped by a life at sea. I spent a good 22 years of the early part of my career in the Indian Navy, eventually commanding two F-class submarines and later serving on India’s first nuclear submarine, a Charlie II. After leaving the Navy, I served for a decade as Master in the mercantile marine, then as a VP in the second largest ship registry, the Liberian Flag, for 3 years, and now as the leader of the QMII team. I have seen safety management from the control room of a submarine and from the bridge of a merchant ship, in fair weather and in crisis. These experiences have convinced me that a Safety Management System only works when it is lived by the people who must make decisions in real time, far from shore support.

I still remember standing on the bridge of a merchant vessel, facing commercial pressure to sail on schedule while weather and equipment concerns suggested otherwise. The manuals and procedures were on board, but what mattered in that moment was whether the company truly backed me and my Master’s judgment. That is where the real test of any SMS lies, not in what is written, but in the support given when difficult decisions must be made.

Having sailed for many years, I know how isolating a tough decision at sea can feel. A good DPA is not just a name in the manual but a trusted voice on the other end of the line, someone the Master can call at 0200 hours and speak openly with. When that relationship exists, the SMS becomes real; when it doesn’t, the paperwork quickly loses relevance on board.

After a lifetime at sea and many years working ashore with companies to implement the ISM Code, and finally leading QMII for over two decades in training, auditing and consulting in management systems, I remain convinced of one thing: the Code itself is not the problem. The real issue is whether we choose to make the SMS a living system that respects the realities of those at sea. When shore and ship learn to listen to each other through the SMS, we honor not just compliance requirements, but the professionalism and lives of the people who sail our ships.

More than 25 years after the ISM Code became mandatory, the International Safety Management (ISM) Code is still too often treated as a paper exercise. Shore offices produce manuals, checklists and forms; ships receive them, file them, and do their best to keep up. The result is a familiar complaint from both sides, “The system is for auditors, not for us.”

Yet the ISM Code was never intended to create a paperwork gap between shore and ship. It was meant to bridge that gap by providing a common safety language and a shared framework for decision-making. When understood and implemented as a living system, the Safety Management System (SMS) becomes exactly that bridge. I always recollect the curt observation by Justice Sheen after the sinking of the Herald of Free Enterprise: “… I see a disease of sloppiness at every level of the hierarchy …”. His direct pointer toward having a management system brought us the ISM Code, linked to SOLAS.

The ISM Code’s original intent was to have a system that connects people. The ISM Code’s purpose is clear: to provide an international standard for the safe management and operation of ships and for pollution prevention. The Code defines the Safety Management System as a structured and documented system enabling company personnel to implement the company’s safety and environmental protection policy effectively. From the beginning, the Code placed both shore and ship within the same system. Company objectives in section 1.2 of the ISM Code include:

  • providing safe practices in ship operation and a safe working environment,
  • assessing risks to ships, personnel and the environment and establishing safeguards, and
  • continuously improving safety management skills of personnel ashore and aboard ships.

These are not separate objectives for two separate worlds. They are shared obligations, achievable only when the SMS genuinely links the office and the vessel.

So where then does the gap come from? Despite this intent, many organizations experience a shore–ship divide in their SMS.

  • On shore, staff may focus on satisfying external auditors, producing beautifully formatted procedures that look good in a DOC audit but are hard to use in real operations.
  • On board, crews often experience the SMS as extra work: duplicative checklists, complex forms, and procedures that do not reflect the realities of weather, port pressure and human limitations.

When this happens, several symptoms appear:

  • “Cut-and-paste” risk assessments that no one believes in.
  • Non-conformities written in audit language instead of operational language.
  • Masters and Designated Persons Ashore (DPAs) communicating mainly for certification, not for learning.

The result is an SMS that is formally compliant but functionally weak—it exists on paper but not in daily decision-making. The SMS must be a living system. To bridge the gap, we must return to a simple idea: the SMS is not a manual. It is the way the organization manages risk and work, documented so it can be repeated, audited and improved. A living system has several characteristics:

  • Owned by users, not by paperwork. Procedures and checklists are written in the language of the people who use them. Crew and shore staff participate in their development and revision. Guidance documents are concise, operational and easy to find.
  • Fed by real feedback. The Code requires procedures for reporting accidents and non-conformities, and for internal audits and management reviews, as functional elements of the SMS. In a living system, these are not compliance rituals but mechanisms for learning. Near misses, hazardous observations and improvement suggestions from crew are actively encouraged, analyzed and acted upon.
  • Adaptable, not frozen. Clause 12 of the Code calls for review and evaluation of the SMS. A living SMS changes in response to new risks, technology, trade patterns and lessons learned. Revision is continuous, not something done hurriedly before an audit.
  • Transparent roles and communication. The Code requires defined levels of authority and lines of communication between shore and shipboard personnel. In a living system, these lines are not just organograms—they are trusted relationships. Masters feel supported, not second-guessed. The DPA is accessible, respected and known by name, not just as a title in the manual.

The DPA then should be the human bridge. Perhaps the most powerful bridging mechanism in the ISM Code is the requirement that every company designate a person or persons ashore with direct access to the highest level of management (ISM Code clause 4).

In many organizations, the Designated Person Ashore (DPA) becomes either:

  • a paper coordinator, chasing signatures and tracking audits, or
  • a firefighter, reacting to incidents and port state control findings.

To make the SMS a living system, the DPA must instead function as a system integrator:

  • Listening systematically to ship feedback and ensuring it reaches senior management.
  • Challenging shore practices that create unrealistic demands on ships.
  • Ensuring that risk assessments and procedures reflect actual operations, not office assumptions.
  • Facilitating honest discussions after incidents—not searching for blame but for system weaknesses.

In short, the DPA should be the voice of the ship in the boardroom and the voice of the system on the ship.

Companies should plan practical steps to bridge the shore–ship gap. Companies that wish to transform a static SMS into a living one can take several practical steps, such as co-creating procedures with ship staff by involving the masters, officers and ratings when developing or revising procedures. I call it capturing the “as-is” of the system, in preference to throwing the baby out with the bath water by simply adopting a template. Pilot new checklists on board before formal approval. Ask: “Does this help you do the job safely under time pressure?” If not, redesign. Management systems are not etched in stone. They should be open, flexible and adaptable to change.

Train for competence and understanding, not just for compliance. Move beyond “read and sign” familiarization. Use case studies, incident reviews and simulations that connect ISM clauses with real operational dilemmas. Emphasize why a procedure exists, not just how to follow it.

Most importantly, simplify and prioritize. The ISM Code specifies functional requirements, not thickness of manuals. Focus on critical operations and major risks; remove redundant or overlapping forms. A smaller, well-used SMS is better than a massive, ignored one. While doing this, also strengthen feedback loops. Make incident and near-miss reporting simple and non-punitive. Provide feedback to the crew on what was learned and what changed as a result. When people see that speaking up leads to improvement, not punishment, the system comes alive.

Remember, data reveals risk and trends and makes an organization proactive. Use data—and stories. Combine quantitative indicators (deficiencies, delays, injuries) with qualitative insights (crew narratives, master’s reviews). This blended view gives a more complete picture of safety performance and culture.

A change from compliance culture to learning culture must be brought in to create an environment for quality, safety, security and continual improvement. Port State Control statistics show that ISM-related deficiencies remain among the most frequently reported issues worldwide. This suggests that many SMSs still operate at a minimum compliance level. Bridging the shore–ship gap means moving toward a learning culture, where:

  • Deviations are signals to improve the system, not just to correct the individual.
  • Masters are empowered to exercise their overriding authority and are supported by the shore organization with resources on an as-needed basis.
  • Top management sees the SMS not as a cost, but as an asset that protects people, ships, reputation and the marine environment.

In conclusion, I would repeat that the need is to make the Code work as intended: not just talk, but walk the talk. The ISM Code gave the maritime industry a powerful framework. It defined objectives, clarified responsibilities, and required a documented Safety Management System (SMS) that connects shore and ship. The challenge now is not to “comply” with the Code, but to realize its intent.

When the SMS is treated as a living system—owned by its users, nourished by feedback, continually adapted and genuinely connecting shore and ship—it becomes what the Code envisioned:

  • a bridge between management and operations,
  • a driver of safety and environmental protection, and
  • a practical expression of the company’s values at sea and ashore.

The choice is ours: an SMS that exists for certificates, or an SMS that saves lives, protects the environment, and unites shore and ship in a common purpose.


About the Author

This article was written by Inderjit “IJ” Arora, Chairman, Board of Directors at QMII. With more than 30 years’ experience spanning military service, merchant marine and civilian industries, he is an Exemplar Global-certified lead auditor and member of the U.S. TAG to ISO/TC 176 (the ISO 9000 family of standards). IJ holds an MBA from The College of William & Mary and an MSc in Defense Studies, and he brings a unique leadership and crisis-management background into quality systems consulting. He specialises in transforming management-system certification into a strategic advantage for organisations.