How to Survive Your Next Audit

The $125k Audit That Went Wrong (Hypothetical Scenario)

This example is inspired by multiple real audit situations. In a typical mid-sized aerospace MRO scenario, a routine AS9100 surveillance audit can go very wrong very fast when systematic compliance gaps exist. Day 2 of the audit, the registrar issues 3 major findings:

1. Calibration records incomplete for 12 measurement tools
2. Drawing change control procedures not followed (Rev B parts made to Rev A drawing)
3. Corrective action tracking system showed 18 overdue actions

Potential Impact:

• Certificate suspended pending corrective actions
• 90-day window to remediate or lose certification
• Customer notifications required
• $45k in emergency consultant fees
• $80k in lost revenue during suspension
• Total cost: $125k+ from preventable findings

Emergency re-certification audits can cost in the tens of thousands of dollars, not including lost production revenue. The shop knew the requirements. They just hadn't implemented them systematically. No one caught the gaps until the auditor walked in. This article is your pre-audit insurance policy—a comprehensive checklist to find and fix issues before auditors do.

Understanding Audit Types

Aerospace shops face three primary audit frameworks:

AS9100D: Quality Management System

• Who: Aerospace quality management standard (ISO 9001 + aerospace requirements)
• Frequency: Initial certification, then surveillance audits every 6-12 months
• Who audits: Third-party registrars (accredited certification bodies)
• Consequences: Major findings = certificate suspension; lost certification = lost customers

FAA / PMA: Regulatory Compliance

• Who: Federal Aviation Administration for production or parts manufacturer approvals
• Frequency: Initial approval, then periodic surveillance (announced or unannounced)
• Who audits: FAA inspectors
• Consequences: Fines $10,000-$50,000+ per violation
  Government Report:FAA✓
  ; certificate suspension; criminal penalties for egregious violations

CMMC Level 2: Cybersecurity Certification

• Who: Defense contractors handling Controlled Unclassified Information (CUI)
• Frequency: Every 3 years by certified C3PAO assessors
• Who audits: CMMC Third-Party Assessment Organizations (C3PAOs)
• Consequences: Failed assessment = disqualified from DoD contracts

Each has different focus areas, but overlap significantly on documentation, traceability, and process control.

Most Common Audit Findings

Based on 2024 industry data

Source:NQA✓

, these are the top findings that trigger major non-conformances:

1. Calibration Records Incomplete

What auditors look for:

• Calibration stickers current on all measurement equipment
• Certificates traceable to NIST standards
• Recall system ensuring tools don't go past due
• Out-of-tolerance procedures (what happens if calibration fails)

Common gaps:

• "We sent it out for calibration but don't have the cert"
• Tools past due because recall system failed
• No procedure for handling out-of-tolerance findings

Fix: Centralized calibration database, automated recall notices, require certs before tool returns to service. MLNavigator helps: Audit logs show which tools were used to measure which features on which parts—enabling retroactive impact analysis if calibration lapses.

2. Work Instructions Inadequate

What auditors look for:

• Documented procedures for each manufacturing operation
• Instructions accessible at point of use
• Current revision controlled
• Evidence workers trained to current revision

Common gaps:

• "We've always done it this way" (undocumented tribal knowledge)
• Instructions outdated, workers using newer methods
• No training records showing who's qualified

Fix: Document procedures, implement revision control, train and document training. MLNavigator helps: Drawing compliance scanning ensures work instructions reference current drawings.

3. Corrective Actions Not Closed

What auditors look for:

• CARs (Corrective Action Requests) opened for all NCRs
• Root cause analysis documented
• Corrective actions implemented and verified
• CARs closed in timely manner

Common gaps:

• Overdue CARs (opened but never closed)
• Root cause = "operator error" (not acceptable—what process allowed the error?)
• No verification that corrective action actually worked

Fix: CAR tracking system with automated reminders, management review of overdue CARs. MLNavigator helps: Immutable logs provide evidence for root cause analysis (which drawing, which engineer, which adapter version).

4. CUI Access Control Gaps

What auditors look for:

• CUI identified and marked
• Access controls enforced
• Audit logs showing who accessed what
• Encryption in transit and at rest

Common gaps:

• No systematic identification of CUI
• Shared passwords, no access control
• No logging of CUI access

Fix: CUI identification training, role-based access, immutable logging. MLNavigator helps: Enforces access control on engineering drawings, logs all CUI access with timestamps and user IDs.

5. Drawing Revision Control Failures

What auditors look for:

• Only current revision drawings used
• Change control process documented
• Obsolete drawings removed from circulation
• Parts traceable to drawing revision

Common gaps:

• Old revision found on shop floor
• No system preventing use of obsolete drawings
• Parts made to wrong revision

Fix: Electronic drawing distribution, obsolete drawings purged, revision verification at start of production. MLNavigator helps: Flags rev mismatches at upload, logs show which revision scanned for each part.

6. Material Traceability Gaps

What auditors look for:

• Material certs for all raw materials
• Heat lot traceability
• Sub-tier supplier approvals
• Test reports retained

Common gaps:

• "We know we got the cert, but can't find it"
• Material used before cert arrived
• No system ensuring cert retained with job

Fix: Require cert before material released to production, centralized cert repository.

Pre-Audit Preparation Timeline

6-8 Weeks Before Audit

• Run internal audit: Find your own findings before auditor does
• Review open CARs: Close overdue actions or document delays
• Verify calibration status: Ensure no past-due tools
• Check document control: Confirm current revisions in use

4 Weeks Before Audit

• Train staff: Ensure everyone knows what auditor might ask
• Update quality manual: Reflect current processes
• Organize records: Calibration certs, training records, CARs
• Mock audit: Have someone unfamiliar with your system review records

2 Weeks Before Audit

• Final walk-through: Check for obvious issues (obsolete drawings, expired cal stickers)
• Briefing: Remind staff to answer only what's asked, be honest, don't volunteer extra info
• Assign escorts: Designate who will accompany auditor

Day of Audit

• Opening meeting: Understand scope, special focus areas
• Stay calm: Findings aren't personal; they're opportunities to improve
• Take notes: Document auditor comments for corrective action
• Closing meeting: Understand findings, ask for clarification if needed

How to Respond to Findings

Major Finding

• Definition: Absence or complete breakdown of a system required by the standard
• Timeline: Usually 90 days to correct
• Response:
  1. Immediate containment (stop the nonconforming activity)
  2. Root cause analysis (why did it happen)
  3. Corrective action (fix the system)
  4. Verification (prove the fix works)
  5. Documentation (provide evidence to auditor)

Minor Finding

• Definition: Isolated lapse or minor deviation
• Timeline: Address by next audit
• Response:
  1. Investigate
  2. Correct the specific instance
  3. Check for systemic issue (is it really isolated?)
  4. Document correction

Observation (Not a Finding)

• Definition: Potential area of concern, not yet a nonconformance
• Timeline: No formal deadline, but wise to address
• Response: Consider it a warning; fix before it becomes a finding next audit

Common Auditor Questions and How to Answer

"How do you ensure only current drawings are used?"

❌ Bad answer: "Our engineers know to check."
✅ Good answer: "We have a controlled drawing server. Engineers download drawings via MLNavigator, which verifies current revision. Obsolete drawings are purged from the system. Audit logs show which revision was used for each job."

"What happens if calibration fails?"

❌ Bad answer: "Hasn't happened."
✅ Good answer: "Our procedure (QP-07) requires notification to Quality Manager, quarantine of parts measured since last good calibration, and disposition decision (scrap, rework, or 100% re-inspect). Last occurrence was documented in CAR 2024-023."

"How do you prevent unauthorized access to CUI?"

❌ Bad answer: "We have passwords."
✅ Good answer: "MLNavigator enforces role-based access control. Only authorized engineers can view CUI drawings. Access is logged with user ID and timestamp. Logs are immutable per CMMC AU-9. I can show you the logs."

"What's your root cause analysis process?"

❌ Bad answer: "We figure out what went wrong."
✅ Good answer: "We use 5-Whys or fishbone diagrams per procedure QP-14. Root cause must identify a process gap, not blame an individual. Example: CAR 2024-015 identified lack of work instruction as root cause for machining error. We created the instruction, trained operators, and verified with 3-month follow-up."

Penalties for Non-Compliance

AS9100 Certificate Suspension

• Loss of customer approvals
• Inability to bid on new work
• Existing contracts at risk
• Emergency re-certification costs: $20,000-$50,000

FAA Fines and Suspensions

FAA production-certificate violations can incur fines from $10,000 to $50,000 per violation

Government Report:FAA✓

, along with:

• Certificate suspension (no production until reinstated)
• Criminal penalties for willful violations

CMMC Failed Assessment

• Disqualified from bidding on DoD contracts
• Loss of existing contract renewals
• Must remediate and re-assess (6-12 month delay)
• Competitors gain market share

How MLNavigator Accelerates Audit Readiness

MLNavigator's built-in compliance features address common audit findings:

Immutable Audit Logs

• Every drawing review logged with timestamp, user ID, revision
• Logs BLAKE3-hashed (tamper-proof)
• Satisfies AS9100 4.2.3, CMMC AU-2/AU-3/AU-9

Access Control

• Role-based permissions on CUI drawings
• Satisfies CMMC AC-2, AC-3

Drawing Revision Control

• Flags rev mismatches at upload
• Ensures current revisions used
• Satisfies AS9100 8.5.1, FAA production approval requirements

Corrective Action Support

• Root cause analysis data (which drawing, which issue)
• Historical error patterns
• Satisfies AS9100 10.2

Instead of scrambling to find evidence during an audit, MLNavigator provides:

• Pre-built reports for auditors
• Exportable logs for compliance review
• Traceability from drawing to part to shipment

Are You Ready?

Audits don't have to be stressful. The shops that struggle:

• Wait until the week before to prepare
• Lack systematic documentation
• Rely on tribal knowledge instead of documented processes

The shops that sail through audits:

• Run internal audits quarterly
• Address findings immediately
• Use tools like MLNavigator for automated compliance

Use the checklist above to assess your readiness. Checking off 90%+ of items? You're in good shape. Below 70%? Start fixing gaps now—don't wait for the auditor to find them. The cost of non-compliance ($125k+ in that Florida example) far exceeds the cost of preparation. And tools you deploy for compliance often improve efficiency and reduce CoPQ too—double ROI. Your next audit is coming. The question is whether you'll be ready.