How to Survive Your Next Audit

The $125k Audit That Went Wrong

1. Calibration records incomplete for 12 measurement tools
2. Drawing change control procedures not followed (Rev B parts made to Rev A drawing)
3. Corrective action tracking system showed 18 overdue actions

• Certificate suspended pending corrective actions
• 90-day window to remediate or lose certification
• Customer notifications required
• $45k in emergency consultant fees
• $80k in lost revenue during suspension
• Total cost: $125k+ from preventable findings

Understanding Audit Types

AS9100D: Quality Management System

• Who: Aerospace quality management standard (ISO 9001 + aerospace requirements)
• Frequency: Initial certification, then surveillance audits every 6-12 months
• Who audits: Third-party registrars (accredited certification bodies)
• Consequences: Major findings = certificate suspension; lost certification = lost customers

FAA / PMA: Regulatory Compliance

• Who: Federal Aviation Administration for production or parts manufacturer approvals
• Frequency: Initial approval, then periodic surveillance (announced or unannounced)
• Who audits: FAA inspectors
• Consequences: Fines $10k-$50k+; certificate suspension; criminal penalties for egregious violations

CMMC Level 2: Cybersecurity Certification

• Who: Defense contractors handling Controlled Unclassified Information (CUI)
• Frequency: Every 3 years by certified C3PAO assessors
• Who audits: CMMC Third-Party Assessment Organizations (C3PAOs)
• Consequences: Failed assessment = disqualified from DoD contracts

Most Common Audit Findings

1.

Source:Nqa✓

• Calibration stickers current on all measurement equipment
• Certificates traceable to NIST standards
• Recall system ensuring tools don't go past due
• Out-of-tolerance procedures (what happens if calibration fails)

• "We sent it out for calibration but don't have the cert"
• Tools past due because recall system failed
• No procedure for handling out-of-tolerance findings

2.

Source:Nqa✓

• Documented procedures for each manufacturing operation
• Instructions accessible at point of use
• Current revision controlled
• Evidence workers trained to current revision

• "We've always done it this way" (undocumented tribal knowledge)
• Instructions outdated, workers using newer methods
• No training records showing who's qualified

3.

Source:Nqa✓

• CARs (Corrective Action Requests) opened for all NCRs
• Root cause analysis documented
• Corrective actions implemented and verified
• CARs closed in timely manner

• Overdue CARs (opened but never closed)
• Root cause = "operator error" (not acceptable—what process allowed the error?)
• No verification that corrective action actually worked

4.

Source:Nqa✓

• CUI identified and marked
• Access controls enforced
• Audit logs showing who accessed what
• Encryption in transit and at rest

• No systematic identification of CUI
• Shared passwords, no access control
• No logging of CUI access

5.

Source:Nqa✓

• Only current revision drawings used
• Change control process documented
• Obsolete drawings removed from circulation
• Parts traceable to drawing revision

• Old revision found on shop floor
• No system preventing use of obsolete drawings
• Parts made to wrong revision

6.

Source:Nqa✓

• Material certs for all raw materials
• Heat lot traceability
• Sub-tier supplier approvals
• Test reports retained

• "We know we got the cert, but can't find it"
• Material used before cert arrived
• No system ensuring cert retained with job

Pre-Audit Preparation Timeline

6-8 Weeks Before Audit

• Run internal audit: Find your own findings before auditor does
• Review open CARs: Close overdue actions or document delays
• Verify calibration status: Ensure no past-due tools
• Check document control: Confirm current revisions in use

4 Weeks Before Audit

• Train staff: Ensure everyone knows what auditor might ask
• Update quality manual: Reflect current processes
• Organize records: Calibration certs, training records, CARs
• Mock audit: Have someone unfamiliar with your system review records

2 Weeks Before Audit

• Final walk-through: Check for obvious issues (obsolete drawings, expired cal stickers)
• Briefing: Remind staff to answer only what's asked, be honest, don't volunteer extra info
• Assign escorts: Designate who will accompany auditor

Day of Audit

• Opening meeting: Understand scope, special focus areas
• Stay calm: Findings aren't personal; they're opportunities to improve
• Take notes: Document auditor comments for corrective action
• Closing meeting: Understand findings, ask for clarification if needed

How to Respond to Findings

Major Finding

• Definition: Absence or complete breakdown of a system required by the standard
• Timeline: Usually 90 days to correct
• Response:
  1. Immediate containment (stop the nonconforming activity)
  2. Root cause analysis (why did it happen)
  3. Corrective action (fix the system)
  4. Verification (prove the fix works)
  5. Documentation (provide evidence to auditor)

Minor Finding

• Definition: Isolated lapse or minor deviation
• Timeline: Address by next audit
• Response:
  1. Investigate
  2. Correct the specific instance
  3. Check for systemic issue (is it really isolated?)
  4. Document correction

Observation (Not a Finding)

• Definition: Potential area of concern, not yet a nonconformance
• Timeline: No formal deadline, but wise to address
• Response: Consider it a warning; fix before it becomes a finding next audit

Common Auditor Questions and How to Answer

"How do you ensure only current drawings are used?"

"What happens if calibration fails?"

"How do you prevent unauthorized access to CUI?"

"What's your root cause analysis process?"

Penalties for Non-Compliance

AS9100 Certificate Suspension

• Loss of customer approvals
• Inability to bid on new work
• Existing contracts at risk
• Emergency re-certification costs: $20k-$50k

FAA Fines and Suspensions

• $10,000-$50,000 per violation
• Certificate suspension (no production until reinstated)
• Criminal penalties for willful violations
• (
  Source:Faa✓
  ))

CMMC Failed Assessment

• Disqualified from bidding on DoD contracts
• Loss of existing contract renewals
• Must remediate and re-assess (6-12 month delay)
• Competitors gain market share

How MLNavigator Accelerates Audit Readiness

Immutable Audit Logs

• Every drawing upload logged with timestamp, user ID, revision
• Logs BLAKE3-hashed (tamper-proof)
• Satisfies AS9100 4.2.3, CMMC AU-2/AU-3/AU-9

Access Control

• Role-based permissions on CUI drawings
• Satisfies CMMC AC-2, AC-3

Drawing Revision Control

• Flags rev mismatches at upload
• Ensures current revisions used
• Satisfies AS9100 8.5.1, FAA production approval requirements

Corrective Action Support

• Root cause analysis data (which drawing, which issue)
• Historical error patterns
• Satisfies AS9100 10.2

• Pre-built reports for auditors
• Exportable logs for compliance review
• Traceability from drawing to part to shipment

Related Compliance Resources

• Why Most Defense Suppliers Aren't Ready for CMMC 2.0 - Full CMMC Level 2 preparation guide.
• CMMC Level 2 Compliance: 110 Controls by 2026 - Complete control breakdown and timeline.
• Engineering Drawings: The Hidden Compliance Risk - How drawing errors trigger audit findings.

Conclusion

• Wait until the week before to prepare
• Lack systematic documentation
• Rely on tribal knowledge instead of documented processes

• Run internal audits quarterly
• Address findings immediately
• Use tools like MLNavigator for automated compliance