If you’re in charge of creating policies and procedures that are compliant with standards like ISO, NIST, or others, it can be challenging.

You need to write documentation that both satisfies specific criteria while also making sure employees can use the policies and procedures regularly. This way, the transactions and tasks are done correctly. Unfortunately, these two goals often compete with each other.

Before joining the ScreenSteps team, I was a CPA at a Big 4 accounting firm (more on this later). In my audits, I often saw one priority winning out over the other when it came to writing standard operating procedures (SOPs).

Now, working for ScreenSteps — a knowledge base software company that makes it easy for you to write clear SOPs — I’ve helped hundreds of companies document procedures that can satisfy both meeting specific criteria and usability so that you can pass both aspects of the audit.

In this blog post, I’ll explain one big mistake companies make while preparing their document for an audit. Then I provide five steps to document your procedure so that you can avoid making this mistake in the future.

Jonathan DeVore

By: Jonathan DeVore on October 13th, 2021

Print/Save as PDF

How to Prepare Procedures For an ISO Audit ( 1 Mistake + 5-Step Solution)

One common mistake when writing procedures for an ISO audit

As I said before, I used to work as a CPA at a Big 4 accounting firm. My job was to audit IT security policies and procedures and make sure they were compliant with NIST.

One mistake that I regularly saw when managers were trying to balance writing for compliance and writing for performance was that they almost always wrote the procedures for the auditor instead of the end-user.

Which makes sense. When I performed the audit, the first step was to compare the manager’s policy and procedure documentation to NIST requirements. I noticed that managers often copied the templates that NIST provided. They included revision tables, related controls, and fancy language that nobody ever used.

And I have to say, as an auditor, the procedures looked impressive. It made my job in evaluating the procedure very easy! They ticked all the boxes and I would write in my report something like, “No findings noted.”

2 ways your documented ISO procedures are audited

But here’s the thing — your procedures aren’t just evaluated on whether they include certain information.

Your procedures are also evaluated on how well your employees follow them. And as an auditor, that was the second part of my testing. Is management implementing the procedures?

There are two main ways that your written procedures are audited:

Compliance1. Do your written procedures include certain information?

This audit is checking to make sure you’ve included all of the required compliance elements in your documented procedures. It compares your written procedures to make sure the standards are met. Those standards could include the scope, roles, responsibilities, and more.

Typically, companies focus on this portion of the compliance audit. One reason this happens is it’s easier to write procedures that are compliant with standards.

Governing bodies provide a lot of ISO examples and templates for how to write a procedure that meets their criteria. So managers pull down those templates, fill them out, and call it good.

But those templates are NOT designed for helping employees actually perform the procedure correctly. So in that sense, the templates are kind of useless.

In a way, these templates are helping companies cheat on a pre-test when the real test is coming in the future. Speaking of the real test, that brings me to the second type of compliance audit.

2. Can your employees follow the written procedures to complete ISO compliance tasks?

The second part of the audit is to see how the employees use these procedures. Ultimately, the goal is that the employees can follow the guides to complete various assignments as outlined in the procedure. Unfortunately, this is a part of your annual audit that companies fail all the time.

In my experience, I spent a lot of time writing up reports because employees did not follow written procedures. And that was due to managers not writing procedures in a way that helped employees perform their jobs.

In fact, when we interviewed employees we would almost always learn that they created their own procedures that were easier to follow. The problem was these rogue procedures weren’t approved and didn’t include the necessary tasks to meet compliance.

🔍 Related: 6 Tips to Improve (& Shorten) Your Standard Operating Procedures

5 steps to writing procedures that pass the annual audit

Instead of using templates provided by the government, you can accomplish the two purposes — passing written SOP compliance and the application of those procedures — by creating your own style guide and templates.

Here are five steps that will guide your efforts in writing for performance while also meeting documentation requirements.  

1. Identify the ISO standards your company needs to meet

First, you need to understand what the ISO standards are. Identify what criteria must be met to be compliant and which of those industry standards apply to your company.

Besides listing what your documentation must include, also list out what employees need to do to meet performance standards.

2. Write a first-pass draft focused on helping employees achieve compliance

Once you know all the standards you need to include in your procedures, make the first pass at writing your policies and procedures. In this draft, you’ll focus on helping employees perform so that they are compliant. 

That means you’ll want them to be able to follow the guide to complete tasks. To help you clearly communicate actions in your procedures, you might include screenshots, create checklists, or use special formatting.

🔍 Related: How Long Should My Written Company Procedures Be?

3. Add in necessary components to meet the ISO compliance requirements

After preparing the draft that would best support employees, review the guides. Compare your draft to the ISO standards for written procedures. Check off components you’ve already included.

Then fill in the missing compliance information. Include the necessary components in your documentation. That way, your policies and procedures meet the criteria.

For example, you may need to include specific procedure information, revision dates, the name of the reviewer, related controls and procedures, things like that.

4. Adjust the formatting to provide clarity

As you’ve added in all the necessary components, it may have made it more difficult for your employees to follow your procedure. Review your procedure again. Adjust your formatting so that the necessary components don’t get in the way of showing your employees what to do.

For example, I often see the first two pages of a procedure include lots of tables and information that most employees don’t care about when doing their job. Don’t make employees scroll all around to find your procedures. Put that kind of stuff at the bottom of the document.

Tip: If you use an online knowledge base to document your procedures, you can take advantage of features such as a document approval system or create foldable sections that can reveal or hide that information.

5. Create a template for future use

Once you have a format that works for you, create a template that you can use every time you need to create a new procedure. This gives your employees a consistent experience and it helps you meet documentation standards.

Turn complex compliance procedures into simple guides (that pass audits) for employees

When you use a knowledge base to create, store, and share your ISO procedures, it makes it easier for you to clearer write procedures that both achieve written and performance compliance.

If mistakes are not an option — and that’s the real goal with compliance — then you’ll want policies and procedures your employees can actually use on the job. ScreenSteps makes it easy and fast to document complex procedures.

With features like interactive workflow articles, foldable sections, and more, you can include all the necessary audit information without overwhelming your employees.

Think a knowledge base is the right solution to help you document compliance procedures for your ISO audit? Or are you considering switching to a new knowledge base? Use the five tips below to help you choose the right knowledge base software for your company.

Get Tips For Your Search

About Jonathan DeVore

Customer Success