7.4 Collecting & Verifying Evidence: Interviews, Observation, Audit Trails & Sampling

Key Takeaways

  • Audit evidence comes from interviews, observation, documented information, records, data/performance indicators, and other sources, and is strongest when multiple sources agree.
  • Effective interviews start with open questions, avoid leading the interviewee, and are corroborated rather than accepted at face value.
  • Only verified information counts as audit evidence, and audit evidence must be recorded, per ISO 19011:2018 Clause 6.4.8.
  • Following an audit trail forward and backward tests whether a process operates consistently end to end, not just whether the right documents exist.
  • Because audits rely on sampling, they provide reasonable rather than absolute assurance; this inherent audit risk is managed through risk-based, representative sampling, never eliminated.
Last updated: July 2026

With the opening meeting done, the audit's core work begins: gathering information the audit criteria can actually be measured against, and making sure that information is trustworthy before it is treated as evidence.

Sources of Audit Evidence (Clause 6.4.7 / Annex A)

Auditors draw on a wide range of sources, including:

  • Interviews with people performing the work
  • Observation of activities, the physical environment, and working conditions
  • Documented information: policies, objectives, plans, procedures, standards, work instructions, licenses, permits, specifications, drawings, contracts, and orders
  • Records showing what actually happened
  • Data summaries, analyses, and performance indicators
  • Information on sampling plans and on procedures for sampling and controlling the sampling/measurement process itself
  • Reports from other sources — customer feedback, external performance data or ratings, supplier ratings
  • Databases, websites, and, where relevant, simulation or modeling

No single source is treated as sufficient on its own; a finding is stronger when more than one source points the same way.

Source typeExampleWhat it's good for
InterviewAsking a machine operator to describe their calibration checkUnderstanding intent and day-to-day practice
ObservationWatching the calibration check actually being performedConfirming the practice matches the description
Documented informationThe calibration procedure itselfConfirming what should happen
RecordThe completed calibration logConfirming what did happen, and when

Interviewing Effectively (Annex A.14)

Interviews are one of the richest — and easiest to get wrong — sources of evidence. Good practice:

  • Interview people at the appropriate level or function who actually perform the activity or task within the audit scope
  • Conduct interviews during normal working hours and, where practical, at the interviewee's normal workplace
  • Put the interviewee at ease; explain the reason for the interview and for any notes being taken
  • Start by asking the person to describe their own work, rather than opening with a yes/no question
  • Avoid leading questions that suggest the "correct" answer
  • Summarize the results with the interviewee, where appropriate, to confirm the auditor's understanding is accurate
  • Corroborate: a single account, however confident, is not treated as conclusive on its own
  • Thank the interviewee for their time, and be mindful that being interviewed by an auditor is stressful for many people — a calm, professional manner produces more reliable information than an interrogative one

An interview that opens with "walk me through what you do when a batch fails inspection" surfaces far more useful evidence than one that opens with "do you follow the nonconforming-output procedure? Yes or no?" — the first invites the interviewee to describe the real process, including any workarounds or informal steps; the second invites a rehearsed "yes."

Observation and Document/Record Review

Observation means watching an activity actually being performed rather than relying only on a description of it — this is often where the gap between "what's documented," "what's said," and "what's actually done" first becomes visible. An auditor who only interviews a warehouse supervisor about goods-inward inspection has heard a description; an auditor who then walks the receiving dock and watches the next delivery being checked in has evidence of the practice itself, including details — like whether the inspector actually checks the paperwork against the physical count, or just signs it off — that rarely surface in conversation alone.

Document and record review means checking documented information against the audit criteria for adequacy, and checking records for completeness, accuracy, and currency — and, critically, whether they show the process operating the way it is claimed to operate. A procedure that reads well on paper but whose associated records are incomplete, undated, or missing required approvals is itself a finding, independent of anything an interview or observation turns up. Auditors typically move between these three methods on the same process within minutes — asking, watching, and checking the paperwork for the same activity — rather than completing one method for the whole audit before starting the next.

Verifying Before Recording

The rule that governs all of this: only information that can be verified is treated as audit evidence, and audit evidence must be recorded. An unverified claim — "we always calibrate before use" — is not yet evidence; it becomes evidence once it is corroborated against something else, such as a calibration record, a second independent account, or direct observation of the practice. Where sources conflict — an employee describes one practice, but the record shows another — the auditor reconciles the conflict or explicitly records it rather than accepting whichever account is more convenient. This discipline is what keeps an auditor's conclusions defensible: every finding traces back to evidence that was actually checked, not simply asserted.

Objective evidence, in ISO 9000:2015 vocabulary terms, is data supporting the existence or verity of something — and it can be obtained through observation, measurement, testing, or other means. That definition is the reason interviews alone are treated cautiously: a statement is data about what someone believes or claims happens, and only becomes objective evidence once it can be corroborated against something independently checkable, such as a record, a second interview, or direct observation of the activity itself.

Because an audit is never a complete inspection of everything an organization does, two ideas govern how far its conclusions can be trusted: following the audit trail, and understanding the limits of sampling.

Following the Audit Trail

An audit trail is the path of evidence that links what a procedure says should happen to what records show actually did happen — traced deliberately forward and backward through a process rather than examined only in isolated snapshots.

  • Backward trail: start from an outcome — a customer complaint, a rejected batch, a nonconformity — and trace back through the corrective-action record it should have triggered, and further back to any root-cause analysis behind it
  • Forward trail: start from an input — a raw-material receipt record — and trace forward through in-process inspection, final release, and delivery documentation

Following a trail is how an auditor tests whether a system is consistent end to end, not just whether the right forms exist. A form that exists but never drove the correct downstream action (a corrective-action record with no closure evidence, for example) is exactly the kind of gap a trail exposes that a single-point document check would miss.

A well-run audit typically follows several short trails rather than one exhaustive one, spreading coverage across the higher-risk processes identified during planning. Each trail is a small, self-contained test: pick a starting record, follow it in one direction, and see whether the system holds together at every step, or breaks down at a specific handoff between departments, shifts, or systems.

Audit Sampling and Its Limitations

Because collecting and verifying every record, transaction, and output an organization produces is not practical, audit evidence is gathered by sampling — examining a portion of the available information and drawing a conclusion about the whole. ISO 19011:2018 requires that the sample be appropriate and representative of the population it is drawn from, so conclusions about the sample can reasonably be extended to that wider population. The choice of sampling method — judgment-based or statistical — depends on the audit objectives and the characteristics of the population being sampled, and the intended extent and method of sampling for each area should already be set out in the audit plan and checklists from Section 7.2, weighted toward higher-risk processes.

Judgment-based sampling relies on the auditor's knowledge, experience, and risk judgment to select records or activities most likely to reveal a problem — for example, deliberately choosing records from a shift or product line with a known history of issues. Statistical sampling uses a defined selection method and sample size intended to be representative of the whole population, more common where large, homogeneous record sets need a defensible, repeatable basis for the sample chosen (such as a high-volume inspection log). CQI/IRCA lead-auditor training generally emphasizes judgment-based, risk-focused sampling for management-system audits, because the goal is to find the areas most likely to be nonconforming, not to produce a statistically precise estimate of a defect rate.

Audit Risk — Why an Audit Is a Sample, Not a Guarantee

Because sampling is inherent to how audits work, an audit provides reasonable assurance, not absolute assurance. This built-in uncertainty is called audit risk: the possibility that a nonconformity exists somewhere in the wider population but was not captured by the specific records, activities, or people that happened to be sampled. Audit risk cannot be eliminated, but it can be managed:

Managing audit riskHow it helps
Risk-based sample sizingPuts more scrutiny where the consequences of missing a nonconformity are highest
Following audit trailsTests consistency across a process, not just isolated points
Multiple evidence sourcesCorroborates a single claim before it is treated as fact
Documenting sampling rationaleMakes the audit's conclusions defensible and repeatable

None of these measures make audit risk zero — they reduce it to a level the audit programme and certification body consider acceptable. This is also why a single clean surveillance audit is never treated as a permanent guarantee: subsequent surveillance visits re-sample the same and different processes precisely because a system's conformity can drift, and no single sample from a single visit can rule that out indefinitely.

A clean sample means no nonconformity was found in what was actually examined — it does not certify that the entire population is defect-free. This is precisely why the CQI/IRCA syllabus and ISO 19011:2018 both frame the audit as providing a level of confidence proportionate to the sample examined, not a warranty. An auditor who reports "the process conforms" after checking 5 of 200 records should mean, and should be prepared to explain if challenged, "conformity was confirmed in the sample examined, selected using a risk-based rationale" — not "every one of the 200 records has been checked."

That distinction matters directly to the next step in the process: once evidence has been collected and verified, it still has to be evaluated against the audit criteria to generate a finding, which is where Section 8.1 picks up.

Test Your Knowledge

A lead auditor selects 5 of a supplier's 200 incoming-inspection records to check for conformity. All 5 conform, and the auditor closes out the process area with no findings. What core limitation of audit sampling should the auditor keep in mind before drawing that conclusion?

A
B
C
D
Test Your Knowledge

An auditor notices a customer complaint record that references a corrective action, but the corrective-action log shows that entry was never closed. To verify this properly, the auditor should:

A
B
C
D