
Management Review Meetings: What Auditors Actually Look For


Jared Clark

March 23, 2026


Most organizations treat their management review meeting as a scheduling obligation — something to complete before the audit and forget about afterward. That mindset is precisely why management review is one of the top five findings across ISO 9001, ISO 14001, ISO 45001, and ISO 13485 audits globally. The meeting happens, but the evidence auditors need either doesn't exist, isn't complete, or doesn't connect to anything downstream.

After 8+ years of guiding 200+ clients through first-time and surveillance audits — with a 100% first-time pass rate — I can tell you exactly what a third-party auditor is looking for when they open your management review folder. It's not just meeting minutes. It's a documented, traceable, decision-driven record that demonstrates top management is actively steering the quality management system (QMS), not rubber-stamping it.

This guide breaks down the auditor's perspective, clause by clause, with the specific evidence gaps that get organizations cited.


Why Management Review Is an Auditor's Favorite Audit Trail

Management review isn't an isolated requirement. It sits at the top of the Plan-Do-Check-Act (PDCA) cycle and functions as the connective tissue between your QMS performance data and your strategic decision-making. Under ISO 9001:2015 clause 9.3, the standard requires top management to review the organization's QMS at planned intervals to ensure its continuing suitability, adequacy, effectiveness, and alignment with strategic direction.

That phrase — "strategic direction" — is where most organizations fall short. Auditors aren't just checking whether you held a meeting. They're tracing whether the review produced real decisions, whether those decisions were followed up, and whether top management (not middle managers acting as proxies) was genuinely in the room and engaged.

According to the ISO Survey of Certifications, over 1.1 million ISO 9001 certificates were issued globally as of 2022, making it the world's most widely adopted management system standard. Every single one of those certified organizations is required to conduct and document management reviews. Yet nonconformances related to clause 9.3 appear on the top-10 finding lists published by major accreditation bodies year after year.


The Auditor's Mental Checklist: Before They Open a Single Document

When an auditor sits down to evaluate your management review, they arrive with a structured mental framework. Understanding that framework lets you prepare evidence that answers their questions before they ask them.

Their core questions are:

  1. Who attended? Was this actually "top management" as defined in clause 5.1?
  2. When did it happen? Was it at a "planned interval" — and is that interval defined somewhere?
  3. What was reviewed? Did the agenda cover every required input?
  4. What was decided? Are there documented outputs with owners and deadlines?
  5. Were those decisions closed out? Is there follow-up evidence from the next review?

If your management review documentation can't answer all five questions with objective evidence, you're at risk of a finding — regardless of how smooth the actual meeting was.


Required Inputs: The Agenda Items Auditors Will Cross-Reference

ISO 9001:2015 clause 9.3.2 specifies the minimum inputs your management review must address. This list is not a suggestion — it's a compliance requirement. Auditors will compare your meeting agenda or minutes against this list and flag any omissions.

For each required input, the evidence auditors commonly accept and the gap they most often find:

  • Status of actions from previous reviews. Evidence: action log, follow-up minutes. Gap: actions listed but not closed or escalated.
  • Changes in external/internal issues. Evidence: SWOT/PESTLE update, context register. Gap: context analysis never updated post-certification.
  • QMS performance and effectiveness. Evidence: KPI dashboard, audit summary. Gap: metrics reported without trend analysis.
  • Adequacy of resources. Evidence: resource plan, budget summary. Gap: discussion not documented; verbal only.
  • Effectiveness of actions to address risks and opportunities. Evidence: risk register update. Gap: risk register exists but wasn't pulled into the review.
  • Opportunities for improvement. Evidence: corrective action log, OFI tracker. Gap: OFIs identified but not linked to QMS objectives.
  • Customer satisfaction and feedback. Evidence: survey results, complaint log, NPS data. Gap: only positive data presented; complaints omitted.
  • Monitoring and measurement results. Evidence: internal audit results, process metrics. Gap: audit findings presented but not analyzed for trends.
  • Performance of external providers. Evidence: supplier scorecard, approved supplier list. Gap: supplier performance reviewed separately, not in the MRM.

Auditor behavior to anticipate: Auditors frequently pull your previous year's internal audit report and check whether its findings appear in your management review inputs. If your audit found three process nonconformances but your management review doesn't reference them, that's a gap — and it signals to the auditor that your QMS is siloed, not integrated.


Required Outputs: Where Most Organizations Fail

If the inputs are the "what we reviewed," the outputs are the "what we decided." ISO 9001:2015 clause 9.3.3 requires that management review outputs include decisions and actions related to:

  • Opportunities for improvement of QMS effectiveness
  • Any need for changes to the QMS, including the quality policy and objectives
  • Resource needs

This sounds simple. In practice, it's where most organizations generate their nonconformances.

The most common output failure I see across clients is what I call the "noted and acknowledged" trap — minutes that record discussion but produce no decisions. An auditor reading minutes full of phrases like "the team noted the KPI decline" or "management acknowledged the supplier issue" will immediately flag the review as lacking documented outputs. Discussion is not a decision. Acknowledgment is not an action.

Every output must have:

  • A clear decision or action statement
  • An assigned owner (by name or role)
  • A target completion date
  • A follow-up mechanism (typically the next review's action log)


The "Planned Intervals" Requirement: More Nuanced Than It Sounds

Clause 9.3.1 requires management reviews to occur "at planned intervals." The standard deliberately doesn't prescribe a frequency — annual, semi-annual, and quarterly reviews are all acceptable — but the auditor will look for two things:

  1. Where is the interval defined? It should appear in your QMS documentation (quality manual, procedure, or management review procedure).
  2. Did the review actually occur within that interval? If your procedure says "annually" but the last review was 14 months ago, you have a nonconformance.

A subtler issue arises when organizations hold reviews too infrequently for their QMS complexity. A 500-person medical device manufacturer holding one management review per year may satisfy the letter of the standard but invite auditor scrutiny about whether the review is substantive enough to cover all required inputs. I generally recommend semi-annual reviews for organizations with active corrective action programs, multiple product lines, or rapidly changing external context.


Top Management Attendance: The Clause 5.1 Connection

Here's a finding pattern that surprises many clients: the management review itself was fine, but the wrong people were in the room.

ISO 9001:2015 clause 9.3.1 explicitly states that top management shall review the QMS. Clause 5.1 defines top management as "a person or group of people who directs and controls an organization at the highest level." For most companies, that means the CEO, President, Managing Director, or equivalent — not the Quality Manager alone, not a department head, not a delegated representative who then "reports back."

Auditors check attendance records against your organizational chart. If your org chart shows a CEO and VP of Operations, but your management review was attended only by the Quality Manager and a plant supervisor, expect a finding under clause 9.3.1 linked back to clause 5.1.

One documented exception is acceptable: If top management is genuinely unavailable (travel, health), the review can proceed with a delegate — but the delegation must be documented, and top management must formally ratify the outputs. This ratification needs to appear in the record.


Documented Information: What to Retain and How to Format It

ISO 9001:2015 clause 9.3 requires organizations to retain documented information as evidence of management review results. The standard doesn't mandate a specific format — but auditors do have preferences shaped by what makes evidence clear and auditable.

Minimum documented information to retain:

  • Agenda (pre-meeting): Confirms the planned scope and inputs
  • Attendance record: Names, titles, and signatures (or digital equivalents)
  • Meeting minutes or summary: Covers each required input with actual data discussed
  • Output/action log: Decisions, owners, due dates, status
  • Supporting data packages: KPI reports, audit summaries, risk register excerpt, customer satisfaction data — whatever was reviewed in the meeting

Format tips from the field:

  • Use a structured minutes template that maps directly to clause 9.3.2 inputs. Auditors can follow the document without needing to interpret free-form notes.
  • Timestamp your documents. An undated set of minutes from a meeting held "sometime in Q3" is a red flag.
  • Store supporting data alongside the minutes, not in a separate location that requires the auditor to hunt for it. Auditors working under time pressure will note inaccessible evidence as a gap.


How Auditors Verify Effectiveness: The Longitudinal Review

Here's the test that separates a performative management review from a genuinely effective one: longitudinal traceability.

An auditor reviewing your second or third surveillance audit will look at management reviews over time and ask: Are the same problems appearing in every review with no resolution? If your risk register shows the same top risk for three consecutive reviews with no change in treatment, if your customer complaint rate is trending up with no corresponding improvement actions, or if the same corrective actions keep rolling over from one review's output log to the next without closure — that pattern tells an auditor that management review is a compliance exercise, not a management tool.

A robust management review record should show:

  • KPIs trending in a defined direction (not just static snapshots)
  • Risks being actively treated and re-evaluated
  • Previous output actions being closed, not perpetually deferred
  • Quality objectives being revised when context changes

Longitudinal traceability is also the single most powerful thing you can do to prepare for ISO 9001 recertification audits. When an auditor can see three years of management reviews that tell a coherent story of QMS maturity, it dramatically reduces scrutiny on other clauses.


Sector-Specific Considerations

ISO 13485:2016 (Medical Devices)

Under ISO 13485:2016 clause 5.6, management review requirements are more prescriptive than ISO 9001. The standard adds specific inputs including regulatory requirements, feedback from customers (including complaints), post-market surveillance data, and process performance. Auditors from notified bodies and FDA-accredited third parties will specifically check for post-market surveillance data in the review inputs. Omitting it — even if product performance is excellent — is a citable gap.

ISO 14001:2015 / ISO 45001:2018

Both standards include management review requirements in clause 9.3 with language nearly identical to ISO 9001 but with environment- and safety-specific inputs. For ISO 45001, auditors will look for worker consultation and participation data as a management review input — a requirement that surprises many organizations new to OH&S certification.

AS9100 Rev D (Aerospace)

AS9100 Rev D clause 9.3.2 adds operational risk, customer satisfaction, and on-time delivery performance as required inputs. Aerospace auditors, particularly OASIS-registered auditors, are highly experienced and will cross-reference management review outputs against open corrective actions in your CAR system.


The Most Common Management Review Nonconformances (and How to Avoid Them)

Based on my experience across 200+ certifications and surveillance audits, here are the findings I see most frequently — and the preventive measures that eliminate them:

For each nonconformance pattern, its usual root cause and the prevention that eliminates it:

  • Missing required inputs. Root cause: agenda not mapped to clause 9.3.2. Prevention: use a clause-mapped agenda template.
  • Outputs lack assigned owners or due dates. Root cause: minutes taken informally. Prevention: use an action log format integrated with the minutes.
  • Top management not in attendance. Root cause: scheduling treated as optional. Prevention: embed the MRM in the executive calendar cycle 12 months out.
  • Review interval exceeded. Root cause: no documented frequency definition. Prevention: define the interval in a QMS procedure and add a calendar trigger.
  • Previous outputs not followed up. Root cause: no carry-forward mechanism. Prevention: action log includes a status column, reviewed at meeting open.
  • Supporting data not retained. Root cause: data presented verbally or via a slideshow that isn't saved. Prevention: attach the slide deck and reports as records.
  • Context and risk inputs absent. Root cause: departments working in silos. Prevention: QMS coordinator assembles the data package pre-meeting.

Building a Management Review That Impresses Auditors

The highest-performing management reviews I've seen across my consulting work share four characteristics that go beyond minimum compliance:

1. They tell a story. The best reviews present data in a narrative arc — here's where we were, here's what changed, here's what we decided, here's what happened as a result. Auditors are human. A coherent story is more persuasive than a checklist.

2. They produce real decisions. Not "we will monitor" or "the team will continue to assess." Real decisions: "We are discontinuing Supplier X effective Q2 and transitioning to Supplier Y. Quality Manager owns the transition plan by March 31."

3. Top management asks hard questions. When minutes reflect executives challenging data, requesting explanations, or pushing back on proposed actions, it signals authentic engagement. This is the difference between a QMS that management owns and one that the quality team maintains in isolation.

4. They link back to strategic objectives. The quality objectives reviewed in clause 9.3.2 should connect visibly to the organization's broader strategic plan. Auditors notice when the QMS exists in a separate universe from the business.


How Certify Consulting Prepares Clients for Management Review Audits

At Certify Consulting, we work with clients to build management review systems — not just meeting templates. That means designing a data collection workflow that surfaces the right inputs automatically, building an agenda template mapped to every required clause, training top management on their role under clause 5.1, and conducting a pre-audit mock review to identify gaps before the auditor does.

Our 100% first-time audit pass rate across 200+ clients is, in significant part, a result of treating management review as a strategic system rather than a compliance checkbox.

If you're approaching certification or a surveillance audit and want to ensure your management review will hold up under scrutiny, explore our full-service certification consulting packages or reach out directly to discuss your QMS.


Frequently Asked Questions

How often should management review meetings be held?

ISO 9001:2015 clause 9.3.1 requires management reviews at "planned intervals" but does not specify a frequency. Annual reviews are common and generally acceptable, but organizations with complex QMS environments — multiple product lines, active corrective action programs, or rapidly changing regulatory contexts — should consider semi-annual reviews. Whatever frequency you choose must be documented in your QMS.

What happens if top management doesn't attend the management review?

If top management (as defined in ISO 9001:2015 clause 5.1) is absent and no formal delegation is documented, auditors can cite a nonconformance under clause 9.3.1. If an emergency prevents attendance, document the delegation in writing and have top management formally ratify the meeting outputs afterward. This ratification must appear in the retained records.

Can management review be done virtually or via email?

Yes. The standard does not require an in-person meeting. A well-documented virtual meeting with an attendance record, agenda, and captured outputs is fully compliant. Email chains alone are generally insufficient unless they clearly document all required inputs being reviewed and all outputs with owners and dates assigned.

What is the difference between a management review input and output?

Inputs are the information and data brought into the review for evaluation — KPIs, audit results, customer feedback, risk status, etc. Outputs are the decisions and actions that come out of the review — commitments to improve, resource allocations, changes to the QMS, and assigned actions with due dates. Both are required, and both must be documented.

Do supporting documents like KPI reports need to be retained as part of the management review record?

Yes. ISO 9001:2015 clause 9.3 requires retaining documented information as evidence of management review results. "Results" encompasses not just the decisions made but the data used to make them. Auditors routinely request the supporting data packages — if they can't be produced, the adequacy of the review itself comes into question.


Last updated: 2026-03-23


Jared Clark

Principal Consultant, Certify Consulting

Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.