ISO 9001 Quality Records: Audit Readiness Guide for Fabrication Shops

Quick Answer

ISO 9001:2015 requires organizations to maintain documented information — quality records — that provide evidence of conformity and process effectiveness. Audit readiness means having the right records, organized for rapid retrieval, with demonstrable controls on access, modification, and retention. Material certificates are among the most scrutinized records in a fabrication shop audit.

An ISO 9001 audit is not a surprise test. The standard tells you exactly what evidence an auditor will look for. The problem is not knowing the requirements — it is the operational discipline to maintain records consistently enough that they are always audit-ready, not just the week before the assessment.

For fabrication shops, material traceability and certificate records are the section that generates the most findings. This guide focuses on what auditors look for, where records typically fall short, and what a robust quality records system looks like in practice.


What ISO 9001:2015 Requires: The Relevant Clauses

§7.5 — Documented Information

ISO 9001:2015 replaced the terms "documents" and "records" with the unified term "documented information." The standard requires organizations to:

  • Create and update documented information with appropriate identification, format, and review/approval
  • Control documented information to ensure it is available where needed, adequately protected, and accessible to authorized persons only
  • Retain documented information as evidence of conformity for a defined period, then dispose of it appropriately

For quality records in fabrication, this clause governs the entire certificate lifecycle: creation at receipt, review and approval, storage and access control, and eventual archival or disposal.

§8.4 — Control of Externally Provided Processes, Products and Services

This clause requires organizations to verify that externally provided products (i.e., purchased materials) conform to requirements. For certified materials, the evidence of conformity is the verified MTC or CoC. Auditors will ask:

  • How do you verify that purchased materials conform to specified requirements?
  • What records demonstrate that this verification occurred?
  • How are non-conforming purchased products identified and controlled?

Approved certificates, incoming inspection records, and NCR records are the primary evidence.

§8.6 — Release of Products and Services

Organizations must retain documented information on the release of products and services. For fabrication, this includes:

  • Evidence that product conformity criteria have been met
  • Traceability to the person authorizing release
  • Records of any deviations

The certificate approval record, in-process inspection sign-offs, and final release authorizations collectively constitute this evidence.

§8.7 — Control of Nonconforming Outputs

When non-conforming materials or products are identified — including materials rejected at incoming inspection — the organization must retain documented information describing:

  • The nonconformity
  • The actions taken
  • Any concessions obtained
  • The identity of the authority deciding the action

Your NCR system, and its linkage to certificate records and stock disposition, is the primary evidence for this clause.


What Auditors Look for in Certificate Records

Based on common audit findings in fabrication environments, auditors focus on:

1. Certificate completeness and technical accuracy

Do the certificates on file contain all required data? Have chemistry and mechanical values been verified against the standard limits? Auditors may spot-check values against specifications — especially for high-risk or customer-specified materials.

Finding: Certificates on file but values never checked against specification. Certificate passes completeness check but contains a chemistry value slightly above the standard maximum. No verification record exists.

2. Linkage between certificate and physical material

Can you demonstrate that the certificate in the system covers the specific heat of material used in a given job? Auditors will ask you to trace a work order to the stock issue, to the heat number, to the certificate. Every link must hold.

Finding: Certificate on file, but no documented connection between the MTC and the specific plates cut for the order. Heat numbers match by coincidence, not by systematic control.

3. Approval authority and authorization records

Who approved the certificate? Do they have documented authority to do so? Is the approval record retained and retrievable?

Finding: Certificates "filed" without a documented approval decision. The person who reviewed them is unknown. No approval timestamp exists.

4. Control of retained documented information

Are records protected from unauthorized modification? Are access controls documented and enforced? Is there a retention schedule?

Finding: Certificates stored in a shared folder with no access control. Anyone can delete or modify files. No retention schedule documented.

5. Non-conformance closure

For every NCR raised against a certificate issue, is there a recorded disposition, corrective action (where required), and closure date?

Finding: NCRs opened but never formally closed. No evidence of corrective action effectiveness review.


Building Audit-Ready Quality Records: Practical Steps

Step 1: Identify all required record types and owners

Create a documented list of all quality record types your organization must maintain, the clause(s) they satisfy, the owner responsible for maintaining them, and the required retention period. This is your documented information register — it is itself an ISO 9001 requirement.

For material certification, the register should include at minimum:

  • Incoming MTCs and CoCs (by heat number)
  • Incoming inspection records
  • NCRs with disposition records
  • Approved supplier list / QSL
  • Outgoing certification packages by job number
  • Certificate approval records with approver identity and timestamp

Step 2: Standardize record creation

Records that are created inconsistently are unreliable as audit evidence. Standardize:

  • What data must be captured for each record type
  • Who creates the record and when (at what point in the process)
  • What system or form is used

For certificate records, this means a structured intake process — not saving a PDF to a folder and calling it filed.

Step 3: Enforce access and modification controls

Approved quality records must not be modifiable without a controlled change process. Implement:

  • Role-based permissions: viewers can read, approvers can sign, administrators can configure
  • No delete capability for approved records — only archiving with audit trail
  • Audit log for all record access and modification attempts
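One way to enforce these three controls in a records store, as an added example (not code from TestCert or from the standard). The names `ROLE_ACTIONS`, `Record` and `RecordStore` are hypothetical, and letting approvers edit drafts and administrators archive is an assumption of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed mapping of the three roles in Step 3 to actions. Letting approvers
# edit drafts and administrators archive is an assumption of this example.
ROLE_ACTIONS = {
    "viewer": {"read"},
    "approver": {"read", "edit", "approve"},
    "administrator": {"read", "archive"},
}

@dataclass
class Record:
    heat_number: str
    content: str
    status: str = "draft"  # draft -> approved -> archived
    approved_by: str = ""

class RecordStore:
    def __init__(self):
        self.records = {}    # record id -> Record
        self.audit_log = []  # append-only; denied attempts are logged too

    def _decide(self, role, action, rec):
        if action == "delete":
            return False, "delete is not offered for any role"
        if action not in ROLE_ACTIONS.get(role, set()):
            return False, f"role '{role}' may not {action}"
        if action in ("edit", "approve") and rec.status != "draft":
            return False, f"record is {rec.status}; use controlled change"
        if action == "archive" and rec.status != "approved":
            return False, "only approved records can be archived"
        return True, ""

    def attempt(self, user, role, action, rec_id, content=None):
        rec = self.records[rec_id]
        allowed, reason = self._decide(role, action, rec)
        self.audit_log.append({
            "at": datetime.now(timezone.utc).isoformat(), "user": user,
            "role": role, "action": action, "record": rec_id,
            "allowed": allowed, "reason": reason})
        if not allowed:
            return False
        if action == "edit":
            rec.content = content
        elif action == "approve":
            rec.status, rec.approved_by = "approved", user
        elif action == "archive":
            rec.status = "archived"
        return True
```

The log entry is written before the allow/deny branch, so a refused edit or delete leaves the same evidence as a successful approval.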

Step 4: Establish and document retention periods

For each record type, define the retention period and the basis for that period (standard requirement, customer requirement, regulatory requirement). Document this in your quality management procedure and implement it in your records system.

Step 5: Practice retrieval

The true test of audit readiness is speed of retrieval. An auditor who asks for the complete documentation package for a specific job should receive it in minutes, not hours. Run retrieval drills before audits:

  • Pick a work order from six months ago and retrieve all associated certificates
  • Search by heat number and confirm it returns the correct MTC and all work orders that consumed that heat
  • Pull the NCR record for a specific finding and confirm the disposition and closure record are complete

If retrieval is slow or incomplete in rehearsal, it will be worse under audit pressure.


Common ISO 9001 Findings in Certificate Records

| Finding | Clause | Root Cause |
|---|---|---|
| No evidence certificate values were checked against specification | §8.4 | Verification step not documented; no system-enforced check |
| Certificate filed but not linked to physical material or work order | §8.4, §7.5 | Filing system based on date/supplier, not heat number |
| Approvals not documented | §8.6 | Verbal approval culture; no electronic workflow |
| Retention period not defined or not followed | §7.5 | No documented retention schedule |
| NCRs open with no resolution | §8.7 | No ownership and closure tracking |

TestCert addresses each of these by providing structured intake, standards-aware verification, workflow-enforced approval, heat-number-keyed storage, and configurable retention rules — all with a complete audit trail.


How long must quality records be retained under ISO 9001?

ISO 9001:2015 §7.5.3 requires organizations to retain documented information as evidence of conformity for a defined period. The standard does not specify a minimum period — it requires the organization to define appropriate periods based on context, including applicable statutory and regulatory requirements, customer requirements, and the nature of the records. Most fabrication shops set minimum retention periods by product category, ranging from 7 years for general commercial fabrication to 25+ years for pressure-retaining components.

What is the difference between a document and a record under ISO 9001:2015?

ISO 9001:2015 uses the unified term "documented information" for both. Informally, documents are living information that is updated over time (procedures, work instructions), while records are evidence of activities performed (inspection reports, certificates, approval records). Records must be protected from unintended alteration; documents are controlled through a defined review and approval process. Both fall under §7.5 requirements, but the control needs differ.

Can digital records satisfy ISO 9001 requirements, or are paper originals required?

Digital records fully satisfy ISO 9001 requirements provided they meet the documented information control requirements: they are accessible to authorized persons, protected from unauthorized modification, retained for the required period in a readable format, and retrievable on demand. Many certification bodies and customers prefer digital records for their retrieval speed. Paper originals may be required in specific regulated contexts (some ASME applications, 21 CFR Part 11 contexts) — confirm requirements per application.

How should we prepare for a customer quality audit that focuses on material records?

Prepare by running your own retrieval audit first: pick five to ten recent jobs and try to retrieve the complete documentation package for each. Note any gaps, slow retrievals, or broken linkages and address them before the customer visits. Prepare a one-page summary of your certificate management process — how certificates are received, verified, approved, and stored — so you can walk the auditor through the process rather than having them discover it. Have your documented retention policy and your qualified supplier list ready.

What should our corrective action process look like for certificate-related non-conformances?

Certificate NCRs should follow your standard corrective action process: document the finding, identify the immediate containment action (hold or quarantine), conduct root cause analysis, define and implement corrective action, verify effectiveness, and close the record. For recurring certificate issues from a specific supplier, the corrective action should address the supplier performance dimension — not just the individual instance. Document everything; root cause analysis and effectiveness verification are the sections most often incomplete at audit.
