
Business Process Expert
What auditors actually check
A company thought they were HIPAA ready. They were not. The problem was not missing tools or inadequate security. Nobody had ever written down how any of it was supposed to work. It was all in people's heads or lost in random documents. The audit failed on documentation, not on practice.
Auditors check five things. If you provide all five, you pass. If you are missing any, you have a finding.
The five audit essentials
1. Controls exist and are documented
Every approval step, review gate, and validation check must be visible in the process map. In BPMN, these are typically exclusive gateways with "Approved?" conditions and review tasks.
2. Segregation of duties is clear
The person who requests something cannot be the same person who approves it. In BPMN, this is shown through lanes - each lane is a different role. Auditors check that critical steps are in different lanes.
3. Exception handling is defined
What happens when something goes wrong? Rejected approvals, failed validations, timeout escalations. If the diagram only shows the happy path, auditors will flag missing exception handling.
4. Ownership is assigned
Every process needs a named owner. Every document needs a review date. "Who owns this?" and "When was this last reviewed?" are the two most common auditor questions.
5. Evidence that the process is followed
The map alone is not enough. Auditors sample actual process instances and check they match the documentation. If reality deviates from the diagram, fix one or the other.
"In my experience advising on ISO 9001 implementations, the number one audit finding is not missing controls. It is documentation that does not match reality. Auditors check whether people actually follow the documented process."
The minimum viable process document
For each audited process, provide:
- One-page overview - process name, owner, trigger, outcome, key metrics.
- BPMN diagram - showing steps, decisions, roles (lanes), and exception paths.
- Version and date - when created, when last reviewed, by whom.
- Review schedule - quarterly for critical processes, annually for others.
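As an added example (not from the original article), the script below applies the first four audit essentials and the review-schedule rule from the one-page overview to a BPMN 2.0 XML process, and reports findings the way an auditor would phrase them. The purchase-approval process, its task and lane names, the owner field and the 90-day/365-day review thresholds are constructed assumptions; the checks themselves rely only on standard BPMN 2.0 elements (lane, flowNodeRef, exclusiveGateway, sequenceFlow).

```python
# Added example, not from the original article: the process, task and lane names
# and the review thresholds are constructed assumptions.
import xml.etree.ElementTree as ET
from datetime import date

NS = "http://www.omg.org/spec/BPMN/20100524/MODEL"

def tag(name): return f"{{{NS}}}{name}"  # Clark-notation tag for a BPMN 2.0 element

# Constructed sample: purchase approval with a Requester lane, an Approver lane,
# an "Approved?" exclusive gateway, and both a happy path and a rejection path.
SAMPLE_BPMN = f"""<definitions xmlns="{NS}" id="defs">
  <process id="purchase_approval" name="Purchase approval">
    <laneSet id="lanes">
      <lane id="lane_requester" name="Requester"><flowNodeRef>submit_request</flowNodeRef></lane>
      <lane id="lane_approver" name="Approver"><flowNodeRef>review_request</flowNodeRef><flowNodeRef>gw_approved</flowNodeRef></lane>
    </laneSet>
    <startEvent id="start"/><endEvent id="end_approved"/><endEvent id="end_rejected"/>
    <userTask id="submit_request" name="Submit request"/><userTask id="review_request" name="Review request"/>
    <exclusiveGateway id="gw_approved" name="Approved?"/>
    <sequenceFlow id="f1" sourceRef="start" targetRef="submit_request"/>
    <sequenceFlow id="f2" sourceRef="submit_request" targetRef="review_request"/>
    <sequenceFlow id="f3" sourceRef="review_request" targetRef="gw_approved"/>
    <sequenceFlow id="f4" name="Yes" sourceRef="gw_approved" targetRef="end_approved"/>
    <sequenceFlow id="f5" name="No" sourceRef="gw_approved" targetRef="end_rejected"/>
  </process>
</definitions>"""
# Constructed one-page overview fields; TODAY is fixed so the run is reproducible.
SAMPLE_META = {"name": "Purchase approval", "owner": "Finance Operations lead",
               "critical": True, "last_reviewed": date(2024, 3, 1)}
TODAY = date(2024, 4, 1)

def load_bpmn(text): return ET.fromstring(text)

def lane_map(root):
    """Map each flow node id to the name of the lane that contains it."""
    return {ref.text.strip(): lane.get("name")
            for lane in root.iter(tag("lane")) for ref in lane.findall(tag("flowNodeRef"))}

def control_gateways(root):
    """Essential 1: the documented control points (exclusive gateways)."""
    return [g.get("name") for g in root.iter(tag("exclusiveGateway"))]

def segregated(root, request_task, approval_task):
    """Essential 2: requester and approver must sit in different lanes."""
    lanes = lane_map(root)
    req, app = lanes.get(request_task), lanes.get(approval_task)
    return req is not None and app is not None and req != app

def gateways_without_exception_path(root):
    """Essential 3: a gateway needs two outgoing flows (happy path plus rejection)."""
    outgoing = {}
    for flow in root.iter(tag("sequenceFlow")):
        outgoing.setdefault(flow.get("sourceRef"), []).append(flow.get("targetRef"))
    return [g.get("id") for g in root.iter(tag("exclusiveGateway"))
            if len(outgoing.get(g.get("id"), [])) < 2]

def metadata_findings(meta, today, critical_days=90, other_days=365):
    """Essential 4 plus review schedule: named owner, review date within 90/365 days (assumed)."""
    findings = [] if meta.get("owner") else ["no named owner"]
    last = meta.get("last_reviewed")
    if last is None:
        return findings + ["no review date"]
    limit = critical_days if meta.get("critical") else other_days
    if (today - last).days > limit:
        findings.append(f"review overdue ({(today - last).days} days, limit {limit})")
    return findings

def audit_findings(root, meta, today, request_task, approval_task):
    """Document-level findings; essential 5 (sampling real instances) is out of scope here."""
    findings = [] if control_gateways(root) else ["no documented control gateway"]
    if not segregated(root, request_task, approval_task):
        findings.append("requester and approver are in the same lane")
    findings += [f"gateway {g} shows only the happy path"
                 for g in gateways_without_exception_path(root)]
    return findings + metadata_findings(meta, today)

def demo():
    """Run the checks on the compliant sample and two deliberately broken variants."""
    tasks = ("submit_request", "review_request")
    results = {"compliant": audit_findings(load_bpmn(SAMPLE_BPMN), SAMPLE_META, TODAY, *tasks)}
    # Variant 1: the "No" branch is dropped, so the diagram shows only the happy path.
    root = load_bpmn(SAMPLE_BPMN)
    process = root.find(tag("process"))
    process.remove(process.find(f"{tag('sequenceFlow')}[@id='f5']"))
    results["happy_path_only"] = audit_findings(root, SAMPLE_META, TODAY, *tasks)
    # Variant 2: review task moved into the Requester lane; overview has no owner, stale date.
    root = load_bpmn(SAMPLE_BPMN)
    lanes = {lane.get("name"): lane for lane in root.iter(tag("lane"))}
    for ref in list(lanes["Approver"]):
        if ref.text.strip() == "review_request":
            lanes["Approver"].remove(ref)
            lanes["Requester"].append(ref)
    stale = {**SAMPLE_META, "owner": "", "last_reviewed": date(2023, 1, 1)}
    results["same_lane_stale"] = audit_findings(root, stale, TODAY, *tasks)
    return results

if __name__ == "__main__": print(demo())
```

Run as a script, it reports no findings for the compliant sample, flags the variant whose "Approved?" gateway has only a "Yes" flow, and flags the variant where the review task sits in the requester's lane with no owner and a review date 456 days old. The lane check reasons about the documented diagram only, not about who is actually assigned in the workflow engine, which is why essential 5 still requires sampling real process instances.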
Audit preparation timeline
- 3 months before - identify which processes will be audited. Review and update their documentation.
- 1 month before - do a dry run. Walk through each process with the owner. Does the diagram match reality?
- 1 week before - gather evidence samples. Collect 3-5 recent process instances that demonstrate compliance.
Frequently asked questions
Is BPMN required for compliance audits?
No specific notation is mandated. But BPMN is the most accepted because it is an ISO standard itself (ISO 19510), it is precise, and auditors across industries recognize it.
How often should audit-relevant processes be reviewed?
Quarterly for critical processes (financial, compliance, safety). After any significant process change. And always before an audit cycle.
What is the biggest reason audits fail on documentation?
The documentation does not match reality. The process map shows one thing; the team does another. Map the actual process, not the ideal one.