What Happens During Stage 2 ISO Certification Audit: Step-by-Step Guide for Your Team

An auditor arrives in 7 days. The team is on edge, the director keeps asking "what if something goes wrong," and the quality manager re-reads procedures one more time. That reaction is normal, but it rests on a myth that Stage 2 is an exam with unknown questions.

In reality, a Stage 2 certification audit is a structured review with a predictable sequence of steps, defined roles and clear rules of engagement for both sides. Those rules sit in ISO/IEC 17021-1:2015, §9.4 "Audit conduct," and every certification body (CB) is bound by them.

Knowing the sequence lets your team prepare without scrambling. Assign roles, place records where the auditor will look for them, and rehearse responses to typical questions. In this article we walk through the hour-by-hour logic of a 2 to 3-day Stage 2 audit, share an auditor time allocation matrix, and as a flagship piece, run a real duration calculation per IAF MD 5:2023 for three company sizes.

This is not textbook theory. It is the sequence we have observed across 200+ supported audits across ISO 9001, ISO 22000, FSSC 22000, ISO 14001, ISO 45001, on single-site and multi-site setups in Ukraine and for Ukrainian exporters.

The certification cycle under ISO/IEC 17021-1 splits into two formal stages. Confusion often starts here: managers prepare for Stage 2 as if it were a continuation of Stage 1. They are different events with different objectives.

Stage 1 is a system readiness review. The auditor judges whether documentation is mature enough, whether Internal Audit and Management Review have already happened, whether the scope is clear, and whether evidence covers the baseline set of requirements. Stage 1 typically ends with a report listing areas of concern. These are not yet nonconformities, but risk signals.

Stage 2 is a review of how effectively the system runs in real operations. The auditor no longer asks "where is your procedure" but checks "how does it work day to day, and how can you prove it with records."

Two to four weeks before Stage 2 the CB sends you a package: the Stage 1 closing report, an updated audit plan and the agenda. This is not a formality. It is your preparation brief.

How to read the Stage 1 report. Pay attention to the wording of areas of concern. They show where the auditor already sees risk and where they will return at Stage 2. If Stage 1 says "evidence of management review for 2025 not provided," prepare a complete 12-month package with minutes, inputs and outputs, and CAPA records.

How to read the audit plan. A standard Stage 2 plan covers dates, audit team composition, the list of audited processes mapped to clauses, time allocation across days, and the role of each company representative per session. Every line signals which of your people need preparation.

What to do 7 days before Stage 2:

• Confirm the audit plan and notify the CB about conflicts (top mgmt travel, line stoppage).
• Send personal briefs to each participant: when their session takes place, which questions to expect, which records to keep at hand.
• Set up an audit room with internet access, projector and a separate desk for the auditor.
• Verify all CAPAs from recent internal audits are closed or have a plan with realistic deadlines.
• Run a short mock session with QM and top mgmt: 30 minutes, 5 typical questions.

The full 90-day preparation cycle is described in our 90-day certification audit preparation plan, covering Stage 2 along with the earlier gap analysis and internal audit phases.

The first day is the most intense in terms of impressions and the most important in setting the tone. How the team behaves during the opening meeting shapes the atmosphere of the entire audit.

What the auditor says. The audit team leader introduces the team, confirms scope and audit criteria, reminds everyone about confidentiality and impartiality (a requirement of §5 ISO/IEC 17021-1), describes the sampling method, and explains that not every process will be checked. Sampling is the reason, so the absence of a question does not mean the area is "clean."

What the company says. The top manager opens with "we are ready for the review and open to cooperation." The QM introduces the company team and roles. There is no need to perform: the auditor evaluates the system, not the PR.

Common mistake. The team starts to defend itself before the auditor has even asked anything. Phrases like "well, we are not perfect, but…" create a negative impression before any evidence is reviewed.

After the initial document review the auditor moves to the production floor or the office. This is the largest block of the audit by time, and the most stressful for line staff. Anxiety drops with preparation: when an operator knows 3 to 4 typical questions, they answer with confidence.

Questions for operators do not require theoretical knowledge of the standard. They check whether the person understands their operation, its risks and their role in the system. Three typical question formats:

• Show me how you do it: the operator demonstrates the action (fills in a record, takes a measurement, checks a CCP).
• What if?: a hypothetical scenario ("what do you do if the cooker temperature drops below 70°C?").
• Trace it back: the auditor takes a finished-product batch and asks the operator to trace its components, production date, operator and lab control results.

Team preparation: 2 to 3 days before Stage 2, run 15 to 20-minute mock interviews with each key operator. Skip word-for-word rehearsal; teach the structure: "short answer → demonstration → record."

This stage is when auditors most often surface common nonconformities. Reviewing the top 15 typical nonconformities found at certification audits helps you close vulnerable areas before the CB arrives.

At this stage the auditor shifts from "how do you do it" to "prove with records that this happens every day." Records sampling is not a wall-to-wall check; it is a sample built on risk and representativeness.

Sampling logic. The lead auditor picks 3 to 10 batches, transactions or cases from the last 6 to 12 months. Selection criteria include a sample from a high-risk zone, a sample from a low-risk zone, and a sample from a period of a known event (customer complaint, equipment failure, personnel change).

A typical traceability test for ISO 22000 / FSSC 22000. The auditor takes 3 finished-product batches from different dates and asks you to:

1. Trace each batch back to raw materials (lot numbers, supplier, CoA).
2. Show CCP records at the time each batch was produced.
3. Locate finished-product lab control results (microbiology, physical and chemical).
4. Confirm training of the operator who performed the critical operation.
5. Verify calibration of the equipment used.

The time norm for a full traceability test is 2 to 4 hours for 3 batches. If the team cannot pull these records within 30 minutes, this is a signal for a major NC under §8.3 (Traceability).

If the chosen 3 batches come up clean, the auditor will not conclude that "the system works." They add 2 to 3 more samples from adjacent areas. If one sample shows a gap, that is not automatically a major NC, but the auditor expands the sample to 5 to 7 to test whether it was random or systematic. Systematic patterns are what turn a minor into a major.

For ISO 9001 typical sampling looks different: customer orders, production work orders, product nonconformity records, complaints. For ISO 14001, the environmental aspects register, emissions monitoring, permits. For ISO 45001, incident reports, JSAs, occupational health and safety training records.

The penultimate activity is a closed working session by the audit team, lasting 1.5 to 2 hours without the company present. Auditors consolidate observations, classify them (Major NC / Minor NC / OFI / Strength) and prepare the presentation. Use this window for administrative matters and avoid trying to "learn the findings in advance." That creates pressure and lands badly.

1. Do not deny. Even if you feel the auditor is wrong, do not start arguing at the closing meeting. Say "thank you for the observation, we will review it" and ask for details.

2. Do not justify. Phrases like "we only have one person on this process" or "we discussed this with another auditor last year" work against you. The auditor does not weigh mitigating circumstances; they record a fact.

3. Ask clarifying questions. This is the professional response. "Could you clarify which clause you consider breached?" "What scope of records did you review when forming this conclusion?" "Is this a one-off or a systemic pattern?" Such questions give you information for a quality CAPA, not for an appeal.

If you fundamentally disagree with how an NC was classified, you have a formal right to file an appeal with the CB within the deadline set in the contract (typically 14 to 30 days). That is a different channel, not the closing meeting.

Knowing how the auditor spends their time lets you align your own resources accordingly. The matrix below is based on data from 200+ supported Stage 2 audits and aligns well with ISO 19011:2018 recommendations on the distribution of audit activity.

Stage 2 duration is not an arbitrary number. It is calculated by the formula in IAF MD 5:2023 ("Determination of Audit Time of Quality, Environmental, and Occupational Health & Safety Management Systems"). This document is mandatory for all IAF-recognised certification bodies. Unfortunately, only 2 of the top 10 English-language articles on certification cite MD 5 at all, and none of them publishes the formula. Let us walk through it with examples.

H = base table × adjustment factors

Where:

• Base table: Table QMS-1 / EMS-1 / OHS-1 from MD 5, which gives H in person-days as a function of the effective number of personnel.
• Adjustment factors: upward (high complexity, new standard, no previous certification) or downward (mature system, recertification, integrated systems).

For Stage 1 + Stage 2 combined, the base table gives total H. Stage 1 typically takes about 30% of the initial certification audit, Stage 2 the remaining 70%.

Effective number of personnel = total headcount minus personnel performing the same functions on the same shifts. So 50 operators across 3 shifts performing the same function count as 50 effective, not 150.

Table 1 (QMS-1) and Table 2 (EMS-1) are the base tables for ISO 9001 and ISO 14001. The left column lists ranges of effective personnel; the right column gives H in person-days for the initial audit (Stage 1 + Stage 2 combined).

Table 3 (OHS-1) covers ISO 45001. The calculation works the same way as QMS-1, but with a higher base time due to the specifics of OH&S.

Annex 3 governs multi-site sampling: each additional production site adds about 1 to 2 person-days depending on complexity. If you operate 3 similar warehouses, that is not 3× the time but roughly 1.3× the base H thanks to sampling.

Integrated audit discount: when you certify ISO 9001 + ISO 14001 + ISO 45001 in one go, MD 5 allows a 10–30% reduction in total duration thanks to shared elements (Leadership, Document Control, Internal Audit, Management Review).

Surveillance audits = ⅓ of initial. Recertification audit = ⅔ of initial. Multi-site sampling details are well covered in the European Accreditation FAQ Question 38-2.

The closing meeting is not yet certification. What follows:

• 0–14 days: the lead auditor finalises the audit report and submits it to the CB.
• 14–30 days: you submit a CAPA plan for every NC with root-cause analysis and deadlines.
• 30–90 days: CAPA implementation, providing closure evidence.
• 90–120 days: the independent certification committee within the CB reviews the package and makes the certification decision.
• 120–150 days: issuance of the certificate (typically valid for 3 years on a one-third-yearly surveillance cycle).

Once the certificate is issued, a different phase begins: keeping the system in shape. Annual system support helps avoid losing form between surveillance audits, which is what typically happens to companies in their second year after certification.

If you need to look at the full 3-year cycle or prepare your team for a specific certification under ISO 9001 or ISO 22000, get in touch and we will model the time and budget for your scope.

The most common questions about Stage 2 of an ISO certification audit, drawn from the practice of 200+ supported audits and the corresponding Google PAA queries.