If you've cleared Stage 1 and your audit date is on the calendar, the Stage 2 is where certification actually gets decided. This is the audit that matters — the one where an accredited third-party auditor walks through your organization and determines whether your quality management system does what you've said it does.
Most of the anxiety around Stage 2 comes from not knowing what to expect. In my experience working with 200+ clients through certification, the organizations that struggle are rarely the ones with a poorly built QMS. They're the ones that got surprised. So this article is about removing the surprises.
What Stage 2 Is Actually Testing
Stage 1 was a document review — the auditor confirmed you have the right policies, procedures, and objectives in place. Stage 2 is different. The auditor is now testing whether your QMS is implemented and effective, not just documented.
That distinction matters. You can have a beautifully written quality manual and still fail Stage 2 if the shop floor hasn't seen it, if your corrective actions don't close out, or if your employees can't explain what "customer focus" means in the context of their daily work.
ISO 9001:2015 is built around the Plan-Do-Check-Act cycle. Stage 2 auditors are essentially walking through each phase of that cycle across your entire operation — looking for evidence that you planned something, did it, checked whether it worked, and acted on what you found.
How Long Does a Stage 2 Audit Take?
Audit duration depends on your organization's size, scope, and complexity. The IAF MD 5 document provides guidance on audit time calculation, and most certification bodies use it to set their day counts.
As a rough benchmark:
| Organization Size | Approximate Stage 2 Duration |
|---|---|
| 1–10 employees | 1 day |
| 11–50 employees | 1.5–2 days |
| 51–250 employees | 2–3 days |
| 251–1,000 employees | 3–5 days |
| 1,000+ employees | 5+ days (multi-site adjustments apply) |
These are general ranges. If your scope includes multiple product lines, high-risk processes, or complex regulatory interfaces, expect the upper end. Your certification body will confirm the exact day count when they issue the audit plan.
The Audit Plan: What It Tells You
About two weeks before your Stage 2, your certification body will send a formal audit plan. This document is worth reading carefully — it lays out which processes and clauses the auditor intends to cover on each day, and it tells you which departments or functions need to have people available.
A few things to note when you receive it:
- It's a guide, not a script. Auditors follow the plan but will pivot if something catches their attention. If an auditee mentions a recent customer complaint during a conversation about quality objectives, expect the auditor to pull that thread.
- It tells you who needs to be present. Senior leadership is almost always needed on day one (ISO 9001:2015 clause 5 — leadership — is typically covered early). Process owners, quality personnel, and front-line staff are needed throughout.
- Gaps in coverage are intentional. The auditor isn't checking every single transaction or record. They're sampling. A clean sample doesn't guarantee no findings, but it does matter.
How the Opening Meeting Works
Stage 2 starts with a formal opening meeting, usually 30–60 minutes. The auditor introduces themselves and their role, confirms the scope and objectives of the audit, explains the process for raising nonconformities and observations, and typically asks leadership a few orienting questions about the business.
This isn't a trap. The opening meeting is administrative and professional. That said, what you say here sets a tone. Leadership that demonstrates genuine understanding of the QMS — not just "our quality manager handles that" — makes a strong first impression.
The auditor will also confirm logistics: where they can work, who their escort will be, and how breaks and meals are handled. Simple, but worth having sorted before they arrive.
What Auditors Actually Do During Stage 2
Once the audit starts in earnest, the auditor moves through your processes using a combination of three methods:
Interviewing — They ask employees at all levels questions about their work, how they know what to do, what they do when something goes wrong, and how their work connects to quality. The questions aren't trick questions, but they do require people to actually understand their role in the QMS. An employee who says "I just do what I'm told" when asked about quality objectives is a yellow flag.
Observing — They watch work happen. In a manufacturing environment, that might mean watching a production run, observing inspection procedures, or reviewing how nonconforming product is segregated. In a service environment, it might mean watching how a customer request is handled from intake to fulfillment.
Reviewing records — They pull documents, logs, reports, and forms to verify that your system is operating as described. Calibration records, internal audit reports, corrective action logs, management review minutes, training records — these are all fair game.
The auditor is building a picture of whether your QMS is real and working, or just a binder on a shelf.
Which ISO 9001:2015 Clauses Get the Most Scrutiny
Not every clause gets equal time. In my experience, the areas that generate the most findings — and therefore deserve the most preparation — are:
Clause 6.1 — Actions to Address Risks and Opportunities This is the clause that trips up more organizations than any other. Auditors want to see that you've systematically identified risks, that your risk assessment is proportionate to your context, and that the actions you've taken actually address the risks you identified. A risk register that was built for the audit and hasn't been touched since is easy to spot.
Clause 8.4 — Control of Externally Provided Processes, Products, and Services If you use subcontractors, suppliers, or outsourced processes, this clause requires evidence that you're actually managing them. Approved supplier lists, performance evaluations, and incoming inspection records all live here.
Clause 9.2 — Internal Audit Your internal audit program needs to cover the full scope of the QMS, be conducted by competent personnel, and generate findings that are actually acted on. An internal audit that found zero nonconformities across every process — in every cycle — tends to raise an eyebrow.
Clause 10.2 — Nonconformity and Corrective Action Auditors look for a complete corrective action cycle: the nonconformity is identified, root cause is determined, an action is taken, and the action is verified as effective. Corrective actions that are still "open" years later, or that were closed without verification, are common findings.
Clause 5.1 — Leadership and Commitment Top management is specifically required by ISO 9001:2015 to demonstrate leadership — not just sign a quality policy. Auditors will interview your CEO or equivalent to assess whether they understand the QMS, its performance, and their role in it.
Types of Findings: Nonconformities vs. Observations
When an auditor finds something, it lands in one of three categories:
| Finding Type | Definition | Impact on Certification |
|---|---|---|
| Major Nonconformity | Systematic failure or complete absence of a required element | Certification withheld until resolved |
| Minor Nonconformity | Isolated failure that doesn't indicate a systematic breakdown | Corrective action plan required; certification may proceed |
| Observation / Opportunity for Improvement | Potential weakness, not a violation | No action required; documented for your awareness |
A major nonconformity doesn't mean your certification is over — it means certification is delayed until you address the issue and the certification body verifies the fix, either through a document review or a follow-up visit. I've seen organizations receive a major, respond quickly and thoroughly, and still get certified within their original timeline.
Minor nonconformities are the most common outcome of a Stage 2. Getting a few minors is normal. The goal isn't a perfect audit — it's a credible, functioning QMS.
What Makes Auditors Dig Deeper
Auditors use process tracing and sampling, which means one answer can open a whole new line of inquiry. A few things that reliably prompt deeper scrutiny:
- Inconsistent answers across employees. If the quality manager describes the nonconforming product process one way and the production supervisor describes it another, the auditor notices.
- Records that don't match the procedure. If your procedure says calibration is checked annually and three instruments haven't been calibrated in 18 months, that's a finding.
- Excessive hedging from leadership. "I think we have a process for that" when asked about management review minutes is not reassuring.
- New or recent changes. If you've recently changed a key process, updated a procedure, or onboarded a major supplier, expect those areas to receive extra attention.
- Your own internal audit findings. If your last internal audit raised issues and your corrective actions are weak or incomplete, the Stage 2 auditor will likely land on the same issues.
How to Prepare Your Team Without Over-Coaching
One of the more common mistakes I see in Stage 2 prep is over-scripting employees. You don't want a team that's been coached to recite rehearsed answers — auditors are experienced enough to feel the difference between someone who understands their job and someone who memorized talking points.
What actually works:
Run a mock audit. Walk through your processes with someone playing the auditor role — asking the real questions, requesting the real records, and noting what you find. A good mock audit done 3–4 weeks before Stage 2 gives you time to fix things.
Brief process owners, not just your quality team. The people who will be interviewed need to understand the QMS as it relates to their work. Not the whole standard — just their part of it. What are their quality objectives? What do they do when something goes wrong? Who do they escalate to?
Make sure your records are actually findable. Auditors work in real time. If it takes 20 minutes to locate a calibration record, that itself becomes an observation about document control.
Do a final document review. Check that your quality policy is current, your objectives are updated, your internal audit program is complete, and your management review has been conducted within the last 12 months.
The Closing Meeting
At the end of Stage 2, the auditor presents their findings in a formal closing meeting. This is when you'll hear:
- A summary of the processes audited
- Any nonconformities (major or minor) and observations raised
- The auditor's recommendation to the certification body
The auditor makes a recommendation, but the certification body makes the final certification decision. That's an important distinction. The recommendation is almost always followed, but the formal certificate comes from the CB after they review the audit report.
This is also your opportunity to ask for clarification on any findings. If something is unclear, ask. If you believe a finding is inaccurate, there is a formal appeals process — though in practice, findings are rarely reversed unless there's been a genuine misunderstanding of evidence.
What Happens After Stage 2
If you receive no major nonconformities: The certification body reviews the audit report, and your certificate is issued — typically within a few weeks.
If you receive minor nonconformities: You submit a corrective action plan (usually within 30–90 days, depending on your CB). The CB reviews and accepts it, then issues the certificate.
If you receive a major nonconformity: You address the root cause, implement the fix, and provide evidence to the CB. They may require a follow-up audit or may accept documentary evidence depending on the nature of the finding.
Your certificate, once issued, covers a three-year surveillance cycle. You'll have annual surveillance audits in years one and two, and a recertification audit in year three. The work doesn't end at Stage 2 — but Stage 2 is where you earn the right to call yourself certified.
A Note on What "First-Time Pass" Actually Takes
In my work at Certify Consulting, we've maintained a 100% first-time audit pass rate across 200+ clients. That's not because audits are easy — it's because the organizations that prepare properly almost always pass. The QMS has to be real. The records have to exist. The people have to understand it.
There's no shortcut to that, but there is a path. Build the system before you document it, not after. Train your team on what they actually need to know. Run your internal audit like a real audit. Conduct management review with genuine attention to the data. And when you get to Stage 2, what the auditor finds will be a system that actually works.
That's what certification is supposed to confirm.
For a deeper look at how Stage 1 sets you up for Stage 2, see our guide on ISO 9001 Stage 1 audit preparation. If you're still building out your QMS and want to understand what documentation is actually required, our ISO 9001 required documents checklist covers exactly that.
Last updated: 2026-05-19
Jared Clark
Principal Consultant, Certify Consulting
Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.