
What to Expect During an ISO 9001 Stage 2 Certification Audit


Jared Clark

June 05, 2026

The Stage 2 audit is where the work becomes real. If Stage 1 was a document review — your registrar checking that your quality manual, procedures, and system design are coherent and complete — Stage 2 is the opposite of that. It's an on-site evaluation of whether your QMS actually operates the way you described it on paper. Auditors will walk your processes, interview your team, pull records at random, and form a judgment about conformance at every level of your organization.

I've guided more than 200 organizations through ISO 9001 certification at Certify Consulting, and the clients who walk out of Stage 2 with a clear path to certification are the ones who understood what was coming before they walked in. This guide covers the full picture: what happens during the audit, what auditors are actually looking for, what different findings mean, and how to position your team to finish strong.


Stage 2 vs. Stage 1: The Core Difference

Stage 1 is essentially a readiness check. Your certification body reviews your documented QMS to confirm it covers the requirements of ISO 9001:2015 and that you're far enough along to proceed to a full audit. Any significant gaps surfaced at Stage 1 give you time to remediate before the conformity evaluation begins.

Stage 2 is that conformity evaluation. Your auditor is no longer reading documents — they're testing whether the system described in those documents is real. That means watching processes happen, asking employees unrehearsed questions, reviewing actual production or service delivery records, and tracing nonconformances and corrective actions to their source.

According to the International Accreditation Forum (IAF), Stage 2 must be conducted within a reasonable timeframe after Stage 1, typically within 90 days, to ensure the readiness assessment remains valid. If the gap stretches beyond that window, many registrars will require you to repeat Stage 1 elements before Stage 2 can proceed.

If you haven't gone through Stage 1 yet, our ISO 9001 Stage 1 Audit Overview covers what to expect at that stage and how to close the gaps before your readiness window opens.


How Long a Stage 2 Audit Takes

Duration depends on the size and complexity of your organization. The IAF's MD 5 guidance document provides a formula for calculating audit time based on employee count, and accredited registrars are required to follow it. Here's what that looks like in practice:

| Organization Size | Typical Stage 2 Duration |
|---|---|
| 1–5 employees | 0.5–1 day |
| 6–25 employees | 1–1.5 days |
| 26–100 employees | 1.5–2.5 days |
| 101–500 employees | 2.5–3.5 days |
| 501–1,000 employees | 3.5–4.5 days |
| 1,000+ employees | 4.5–5+ days |

Multi-site organizations, highly complex manufacturing environments, and scopes with significant regulatory overlay — medical devices, aerospace, food safety — often add days beyond these estimates. Your registrar will confirm exact audit time in your certification contract.


The Structure of the Audit Day

Most Stage 2 audits follow a predictable cadence, and knowing the sequence helps you manage your team's availability and attention.

Opening Meeting

The audit opens with a formal meeting that includes senior leadership, process owners, and whoever is serving as the primary management representative. The lead auditor covers the audit agenda, scope, sampling approach, confidentiality expectations, and the reporting process. This meeting typically runs 30–60 minutes.

In my experience, the opening meeting sets the tone for everything that follows. Organizations that approach it as a formality — managers half-present, phones on the table — tend to struggle more in the process audits that come next. Engage fully. Ask clarifying questions about the agenda if you have them. It signals to the auditor that this isn't a checkbox exercise for your leadership team.

Process and Site Audits

The majority of audit time is spent here. Auditors work through your processes systematically, typically following the sequence of your QMS scope or your value stream, and looking for objective evidence of conformance at each step.

What that looks like in practice varies by clause. For operational processes (ISO 9001:2015 clause 8), expect auditors to pull work orders, production records, inspection sheets, or service delivery logs. They're testing whether your documented controls are visibly in use, not just written down. For clause 9 (performance evaluation), they'll want to see measurement data, trend analysis, internal audit records, and evidence of management review.

The auditor is sampling — they cannot review every record you've ever created. But they're also trained to follow threads. A single incomplete corrective action record can prompt the auditor to pull ten more to determine whether the gap is isolated or systemic.

Employee Interviews

This is the part that makes organizations most anxious, and honestly, it probably shouldn't. Auditors are not trying to trick your team, but they are looking for one specific thing: whether employees understand how their work connects to the QMS requirements that govern it.

A typical interview looks something like this — the auditor approaches an operator on the floor and asks, "What do you do if you receive a nonconforming part from the previous process step?" A trained employee gives a specific answer tied to your documented procedure. An untrained employee gives a vague answer or says they'd ask their manager. The auditor notes the difference.

Across a Stage 2 audit, auditors typically speak with 10–30 percent of the workforce depending on organization size, and interviewees are generally not selected in advance. Your team should know the basics: what quality means in their role, what to do when something goes wrong, and where to find the procedures that govern their work.

Document and Records Review

Alongside the process audit, auditors will request records as they move through each area. These might include calibration records, training logs, customer complaint logs, supplier evaluation records, internal audit reports, corrective action logs, and management review minutes, among others.

The records don't need to be perfect. Minor gaps are common and expected. What auditors are looking for is a pattern of disciplined operation: evidence that you're measuring what you said you'd measure, reviewing what you said you'd review, and addressing what you said you'd address.

Closing Meeting

At the end of the final audit day, the lead auditor presents a summary of findings. This is a formal session — all previously involved parties should attend. The auditor will state the number and classification of nonconformities (if any), summarize positive observations, and explain the path forward.

No certification decision is made at the closing meeting. That determination happens at the registrar's office, after the lead auditor submits their report and it passes through an independent technical review.


Understanding Audit Findings: What Each Type Means

The single most important thing your team should understand before Stage 2 is the difference between finding types, because the response requirements and certification consequences differ significantly.

| Finding Type | Definition | Certification Impact | Response Required |
|---|---|---|---|
| Major Nonconformity | Complete absence or systematic breakdown of a required process | Certification blocked until resolved | Root cause analysis + correction + evidence, typically within 90 days |
| Minor Nonconformity | Isolated lapse or single instance of noncompliance | Certification conditional | Corrective action plan + evidence, typically within 90 days |
| Observation / OFI | Area of concern not yet at nonconformance level | No impact on certification decision | No formal response required |
| Positive Finding | Evidence of particularly effective implementation | No impact | No response needed |

A major nonconformity is not a failing grade — it's a significant finding that must be formally closed before your registrar can issue a certificate. In my experience, a well-prepared organization rarely receives a major at Stage 2. When majors do appear, they tend to cluster around three areas: the absence of a functioning internal audit program, management review that exists only as a document rather than as a real organizational activity, and corrective action processes that log problems but never demonstrate root cause resolution.

Minor nonconformities are common. Roughly 40 percent of organizations receive at least one minor finding during Stage 2. A minor is not a crisis — it's an opportunity to demonstrate that your corrective action process works exactly as your QMS describes.


The Five Areas Where Auditors Spend the Most Time

Based on ISO Survey data and patterns across certification audits in dozens of industries, these are the clauses that generate the most findings and receive the most scrutiny.

Clause 6 — Planning and Risk-Based Thinking

ISO 9001:2015 introduced risk-based thinking as a foundational concept, and it remains one of the most commonly misunderstood requirements. Auditors aren't looking for a formal FMEA. They want to see that you've identified the risks and opportunities relevant to your processes, decided what to do about them, and that those decisions are reflected in how your operations actually run. A risk register that was built for the audit and hasn't been touched since is easy to spot.

Clause 7.2–7.3 — Competence and Awareness

How do you know your people are competent to do their work? How do you ensure they understand how their work affects quality? These two requirements produce a lot of minor nonconformities because organizations train employees but don't always document evidence of that training or connect it to specific role requirements.

Clause 8 — Operations

This is the core of your QMS in practice. Expect thorough sampling of your production or service delivery processes, supplier management records, customer communication logs, and nonconforming product controls. Process-specific documentation — work instructions, inspection criteria, control plans — will be cross-referenced against actual practice in the facility or field.

Clause 9.2 — Internal Audit

Your internal audit program is the clearest leading indicator of whether your QMS is self-sustaining or just a set of documents. Auditors look for a complete audit cycle covering all processes within scope, evidence that findings were recorded and addressed, and audit reports that reflect actual investigation rather than a checklist walk-through. Organizations that ran a single internal audit right before Stage 2 with no documented history before that stand out immediately. For more on building an audit program that holds up under this kind of scrutiny, see our guide to ISO 9001 internal audits.

Clause 9.3 — Management Review

Management review must demonstrate that senior leadership is genuinely engaged with QMS performance — reviewing inputs that include internal audit results, customer satisfaction data, process performance, and risk status, and making decisions based on what they find. Meeting minutes that are two pages long for a 50-person organization with a dozen active quality metrics are a red flag. Auditors know what real management review looks like.


What Happens After the Closing Meeting

After Stage 2, your registrar's technical review team evaluates the auditor's report. If no major nonconformities were issued and any minors have an accepted corrective action plan, most registrars issue certification within two to four weeks of the closing meeting.

If major nonconformities were found, you'll have a defined period — typically 90 days — to implement corrections and submit evidence. The registrar reviews that evidence, sometimes via a targeted follow-up audit, and makes their determination from there.

Once certified, your ISO 9001 certificate carries a three-year validity period, with surveillance audits occurring annually in years one and two, and a recertification audit in year three. The surveillance audits are narrower in scope than Stage 2, but they're not perfunctory — registrars are actively checking that the QMS is maintained and improving, not just preserved.


How to Prepare in the Final Weeks Before Stage 2

The most effective preparation isn't a documentation sprint — it's a people sprint. Here's what I recommend to clients in the six weeks before their Stage 2 date.

Run a complete internal audit of your highest-risk processes and close every finding before the audit window opens. An open corrective action from your own internal audit is a straightforward minor nonconformity waiting to happen.

Brief every process owner on their clause responsibilities, their supporting records, and the questions an auditor is likely to ask in their area. Not a script — understanding. There's a meaningful difference between an employee who can locate a procedure and an employee who can explain why that procedure exists.

Test your records retrieval. On audit day, when an auditor asks for all corrective action records from the past year, how long does it take to produce them? If the answer is more than three minutes, you have a practical problem regardless of whether the records exist.

Review your management review minutes with an honest eye. Do they actually reflect leadership input and decision-making, or are they a transcription of a PowerPoint? If it's the latter, schedule a real meeting before Stage 2 and document it properly.

Walk your facility the way an auditor would. Is quality documentation visible where the work happens? Are nonconforming material controls in place and understood by operators? Are calibration stickers current?

The certificate is the outcome of an audit, but it's also a reflection of how you actually run your organization. The preparation that matters most is the preparation that makes the QMS real — not the preparation that makes it look good for three days.


Frequently Asked Questions

How long does the Stage 2 audit take?

For most small to mid-sized organizations (under 100 employees), the Stage 2 audit runs one to two-and-a-half days. Larger or more complex organizations may require up to five or more audit days. Your registrar will specify the required audit time in your certification agreement, based on IAF MD 5 guidance.

What's the difference between a minor and major nonconformity?

A minor nonconformity is an isolated lapse — a single instance where a process requirement wasn't met. A major nonconformity is a systemic failure: either a complete absence of a required element, or a pattern of breakdowns that undermines the integrity of that part of the QMS. Majors must be resolved before certification can proceed; minors require a corrective action plan that is reviewed during the first surveillance audit.

Can you fail a Stage 2 audit?

Certification can be blocked, but not permanently. A major nonconformity adds a step to the process, not an endpoint. You correct the root cause, submit evidence, and the registrar reviews it. Organizations that go in well-prepared rarely encounter majors, and the ones that do almost always trace them back to the same three gaps: internal audit, management review, and corrective action.

What should you do if an auditor identifies a nonconformity you weren't aware of?

Don't argue with the finding on the spot. Listen carefully, ask clarifying questions to understand exactly what the auditor observed, and take detailed notes. You'll have an opportunity to respond formally after the audit with a root cause analysis and corrective action plan. Contesting a finding in the closing meeting almost never changes the outcome and signals something about the organizational culture that the auditor will remember at your first surveillance audit.

How soon after Stage 1 does Stage 2 happen?

The International Accreditation Forum recommends completing Stage 2 within 90 days of Stage 1 to maintain the validity of the readiness assessment. Most registrars schedule both stages at contract signing and build in a gap of 30–60 days, giving organizations time to address Stage 1 findings without letting the readiness determination go stale.


Last updated: 2026-06-05

Jared Clark, JD, MBA, PMP, CMQ-OE, CQA, CPGP, RAC is the Principal Consultant at Certify Consulting, where he has guided 200+ organizations through ISO 9001 and regulatory compliance certifications with a 100% first-time audit pass rate.


Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.
