What really is the purpose of a management system (MS)? As its basic expectation, the organization would like to produce conforming products and services. It would also like to see continual improvement and, through repeated use of the PDCA (plan, do, check, act) cycle, reduce waste, improve ROI (return on investment), and have fewer product returns, fewer dissatisfied customers and growth in product sales. A management system is created toward this end. So that the wheel does not have to be reinvented, the ISO standards provide the clauses that enable the organization to create that MS. This all sounds great, but with time auditors settle into checking that the requirements of the clauses are met by seeking proof in the form of backup paperwork. The MS soon becomes audit driven, and auditors who lack maturity become slaves of the clauses. They lose the ability to audit whether the MS is actually meeting the objectives based on the policy. For example, let us say that as an auditor you are auditing a world-class manufacturing facility. You walk in, and everything is immaculate. The quality manual is a meticulously detailed work of art, referencing every relevant ISO standard. You randomly pull a procedure, and it’s perfectly aligned with the corresponding clause. You ask for competency records and a training record appears instantly. It seems perfect. But whether this organization is truly capable of achieving its objectives consistently and improving over time is a question not asked.

For years, audits (especially for certification) have often been focused heavily on clause compliance. An auditor arrives with a checklist. “Does your procedure meet Clause 8.6?” Check. “Have you addressed 9.1.2?” Check. It’s a binary system, a “yes” or “no” for conformance. The auditors often don’t even make the effort to see whether, as per ISO 9001 clause 8.6, the release of the product was carried out correctly, or how many product returns took place. While ensuring conformance to standards is important, mature auditors are increasingly recognizing that this approach alone is insufficient. A perfect checklist can sometimes mask a struggling, fragile organization. This is where the distinction between auditing to a standard (clause-based) and auditing for performance (capability-based) becomes crucial. The forthcoming ISO 9001 revision expected in September 2026 is not changing the fundamental requirements but is now insisting on better functioning of the management system. The limits of clause-based auditing without proof of the system actually producing a conforming product and/or service are now clear.

The ISO standards are well thought of, and they are valuable tools. They provide a structured framework of best practices. Auditing against them is necessary, particularly for demonstrating minimum adherence and achieving certification. However, a clause-based audit often provides a limited view:

  • Focusing only on documentation and not seeking proof of implementation is a pitfall into which auditors fall. The organization might have a procedure (the “clause” says you need one), but is anyone actually using it? Is it effective? A compliant procedure that’s ignored yields zero real-world value.
  • Clause-based auditing makes auditing easy for auditors. However, it does not systematically deliver continual improvement. It encourages a check-box mentality where organizations might view auditing solely as an exercise in getting through the checklist without focusing on why these processes exist and how they contribute to results.
  • Auditing to clauses gives a snapshot in time and misses out on resiliency. A compliance audit assesses the system “at the moment” of the audit. It doesn’t tell you if the organization can maintain that level of performance during periods of growth, stress, or market shifts.
  • Clause-based auditing can often inadvertently reinforce silos. Clause-by-clause auditing can strengthen a departmental focus rather than a process-oriented one. You might audit the QA department’s compliance perfectly, but how do they interact with Engineering? With Purchasing? Do the departments work together as teams to achieve the organizational policy?

Clause-based auditing is particularly a drawback of the certifying bodies. They need proof for each clause, and so they need those checklists as evidence of what they audited before giving a certificate. Organizations using ISO 19011 for internal auditing should be focused on the true performance of their management system. The clauses should not become the masters. The clauses are the servants of the organization, which help it meet objectives in a systematic manner. There is therefore a need for auditing to move toward capability assessment.

Mature auditors, both internal and external (second and third party), recognize these limitations. They seek to understand not just if a standard is being met, but how capable the organization is of delivering value and achieving its strategic objectives. Assessing organizational capability involves a shift from asking, “Do you have a process for xxx?” to asking, “How effective is your capability for xxx?” This change in attitude is essential for auditors if organizations are to use the audit inputs to drive their systems to conformity. A capability assessment looks beyond mere existence and focuses on factors like integration and context, the need to understand the ‘why’.

Instead of just verifying that process descriptions exist (ISO 9001 clause 4.4), mature auditors ask how these processes are integrated to support the organization’s unique context (ISO 9001 clause 4.1) and its strategic direction. Does everyone in the organization understand how their role connects to the high-level goals and the external landscape? The need is to go from the clause approach, which asks “Show me your ‘context of the organization’ document,” to capability. Mature auditors would perhaps ask the process owner to walk the auditor through how the analysis of the business context directly influences the organization’s risk planning and, consequently, the operational processes.

There is a need for future auditing to look at process effectiveness and performance. Just checking for the existence of monitoring and measurement (ISO 9001 clause 9.1) isn’t enough. A capability approach evaluates what is measured, how it’s analyzed, and most importantly, what action is taken. A mature auditor needs to move from clause questions such as “Do you have key performance indicators (KPIs) per ISO 9001 clause 6.2?” to questions and evidence indicating capability. Ask the organization to show the auditor how these specific KPIs (which are linked to its objectives) have helped it identify a problem area, leading to an improvement that resulted in measurable cost savings or a quality increase.

Mature auditors look to ISO 9001 clause 7.2 (competence) and clause 7.1.6 (organizational knowledge). Instead of reviewing training records (clause 7.2), which would be compliance, they should be assessing capability, which involves understanding whether the staff actually have the competence to perform their tasks and whether that knowledge is shared and retained by the organization (clause 7.1.6). Therefore, from the clause attitude of asking “Show me the training records for your machine operators,” auditors would move to assessing capability by interviewing an operator and asking: Can you explain the why behind this step? What would happen if this critical process parameter was out of tolerance? How do you ensure this critical operating knowledge isn’t lost when someone retires or leaves?

Mature auditors would need to take a fresh look at leadership and organizational culture. This is perhaps the biggest differentiator. Compliance can often be achieved with minimal leadership engagement. Assessing capability requires evaluating the commitment of top management (clause 5.1). Do they promote a culture of quality, safety, and continuous improvement? Is “management commitment” tangible and felt throughout the organization? Here auditors need to move from the clause approach, in which they asked to see minutes of the last management review meeting, to capability assessment, by asking to be shown evidence of where leadership has allocated resources specifically to address an identified strategic risk, resulting in a quantifiable change to operational capability. They might also ask leadership to provide evidence of how they encourage and process employee suggestions for improvement.

For mature auditing this shift matters. Mature auditors are pushing these boundaries because doing so delivers far greater value to the organization being audited and to its stakeholders. This change will drive real-world improvement. Compliance-based audits can identify deficiencies, but capability assessments identify opportunities for significant performance gains, cost reduction, and quality enhancement. The need is to enhance business resilience. A capable organization can adapt and respond to change more effectively than a merely compliant one. Evaluating capability helps identify potential weaknesses that compliance-based audits might miss, making the organization more robust.

Moreover, mature auditing elevates the audit function. Instead of an auditor focused only on clauses being a cost center, an auditor who can assess and provide insights into organizational capability becomes a strategic partner to management, adding real value to the business. Greater stakeholder confidence is the desirable outcome. Customers, regulators, and investors are increasingly looking for more than a certification certificate. They want assurance that the organization is robust, reliable, and capable of delivering on its promises. A mature audit that provides an assessment of capability gives this greater assurance. That then is the path forward. Making this shift isn’t simple. It requires auditors to have not only deep knowledge of the standards but also a high level of business acumen, system thinking, and strong interviewing skills. It also requires the auditee organization to be open to a more holistic, collaborative, and potentially challenging audit process. The rewards are a more effective, efficient, and resilient organization, and they are well worth the effort. By focusing on capability rather than just compliance, auditors can transform the audit process from a bureaucratic exercise into a vital driver of organizational excellence.

This article was written by IJ, Principal Consultant at QMII. With extensive experience in ISO standards, auditing, and organizational transformation, IJ has guided global organizations in strengthening their management systems. His approach focuses on aligning ISO implementation with strategic business objectives to drive long-term performance improvement.
