How to Prove Compliance to an Auditor - What They Look For and How to Be Ready
UK Business Guide · 6 min read · 5 steps
Whether it is a regulatory inspector, an ISO auditor, a client procurement team, or an insurer's risk assessor - the question is always the same: "Can you show me that you are compliant?"
This guide explains what auditors actually look for, what good compliance evidence looks like, and how to ensure you are always ready to answer that question confidently.
Step-by-Step Guide
Understand what the auditor is looking for
Different auditors use different frameworks, but they all look for the same three things:
- Evidence that you knew about your obligations - a documented compliance register or obligations list showing you identified the relevant laws and requirements that apply to your business.
- Evidence that you implemented controls to meet those obligations - policies, processes, training records, and current certificates, licences, and inspection reports.
- Evidence that your controls were effective and maintained over time - an audit trail showing that documents were renewed before they expired, that reminders were sent and acted on, and that compliance is a genuine ongoing activity rather than a document collection exercise done the week before the audit.
The third element is where most businesses fall short. They can show current certificates but cannot demonstrate that compliance has been continuously maintained.
Prepare and review your compliance register before the audit
Before any scheduled audit, review your compliance register to confirm it is current. Check:
- every obligation is still listed and accurate;
- the evidence linked to each obligation is the most recent version;
- the responsible person for each item reflects current staffing (not a former employee);
- there are no obligations with lapsed or missing evidence; and
- there are no obligations you are aware of that are absent from the register.
An auditor who finds a clear gap in your register - an obligation you obviously should have been tracking but are not - raises doubts about the reliability of the whole programme.
Organise your compliance evidence by obligation, not by document type or date
Auditors want to check a specific obligation and immediately see everything relevant to it. Organise your compliance files by obligation (e.g., "Liability Insurance", "Annual Gas Safety Inspection - Site A", "First Aid Certification - Sarah Jones") rather than by document type or date. For each obligation, the file should contain:
- the current certificate or document;
- the immediately previous certificate (demonstrating continuity - no gap between the old and new document);
- the reminder log showing when reminders were sent; and
- any supporting records such as inspection reports, booking confirmations, or training attendance records.
Prepare an audit trail for each obligation
An audit trail shows the history of an obligation - not just the current state. For any obligation you want to demonstrate actively, prepare a timeline showing:
- when the previous document expired;
- when the first renewal reminder was sent and to whom;
- when it was acknowledged and acted on;
- when the renewal was completed;
- when the new document was received, verified, and stored; and
- who was responsible at each step.
This is the evidence that your compliance management is a genuine, active programme. It answers the auditor's implicit question: "Was this managed proactively, or did you scramble at the last minute?"
Be transparent about any historical lapses - and document your response
Almost every business has experienced at least one compliance lapse - a certificate that expired before renewal was completed, a training record that slipped through. Do not attempt to hide historical lapses. Auditors find gaps in records, and attempting to conceal them is significantly more damaging than the original lapse. Instead, for any historical lapse, document:
- what occurred;
- how quickly it was identified;
- what immediate action was taken to resolve it;
- what process change was implemented to prevent recurrence; and
- evidence that the obligation has been continuously met since then.
An auditor who sees a lapse followed by a documented, evidenced corrective response views this far more favourably than a business that presents a superficially perfect record under scrutiny.
Frequently Asked Questions
What documents do ISO auditors typically ask for first?
ISO 9001, ISO 14001, and ISO 45001 auditors typically begin with three requests: the compliance register or legal register (to confirm you have identified your regulatory obligations); the management review records (to confirm senior management monitors compliance performance); and a sample of compliance evidence - often selected at random to test whether the register is genuinely maintained. They then follow the evidence trail: if the register states you have an annual safety inspection, they will ask to see the current inspection record, then ask to see the previous one, and then ask to see how the renewal was managed. Prepare for this sequential evidence trail, not just a single document for each obligation.
Can I export compliance evidence from ExpiryEdge for an audit?
Yes. ExpiryEdge allows you to export a compliance report for any obligation, team, site, or time period - showing the current status, renewal history, reminder log, and document versions. This export can be shared directly with an ISO auditor, a client's procurement team, or a regulatory inspector. It provides exactly the sequential evidence trail that auditors look for: the current document, the previous document, the reminder history, and the named responsible persons - all in one exportable package.
What if a regulatory inspector arrives without advance notice?
Unannounced regulatory inspections occur in many jurisdictions - particularly in health and safety, food safety, and environmental regulation. If this happens:
- cooperate fully and provide access to the areas and documents requested;
- be honest about any issues the inspector raises;
- contact your legal adviser before making formal admissions or signing anything; and
- if you cannot immediately produce a document that is requested, say so clearly and provide it as promptly as possible rather than improvising.
A compliance management system that is accessible from a mobile device means you can retrieve and show evidence from any location within seconds.
