AS9100 Clause-by-Clause Audit Readiness: What Objective Evidence Each Requirement Wants Before the CB Walks In
The Stage 2 audit is six weeks out. The internal audit binder is mostly assembled. The certification body sent the audit plan with the clause sequence they will work through, and the lead auditor is the same one who wrote up three minors against Clause 8.1.1 last cycle. The audit-readiness question is no longer whether the QMS is documented. It is whether each clause has the objective evidence the auditor is trained to ask for, in the order they will ask for it, with the cross-references already lined up.
This is the gap that gets most aerospace teams. AS9100D is structured as ISO 9001:2015 with aerospace adders. An audit program that treats it as ISO 9001 with extra paragraphs misses the aerospace-specific evidence the certification body will request line by line. The clauses on operational risk, configuration management, counterfeit parts prevention, product safety, and production process verification each carry an evidence expectation that is more specific than the prose makes obvious.
This post walks Clause 4 through Clause 10 of AS9100D from the auditor's seat. For each clause we cover the requirement compressed to one paragraph, the objective evidence the auditor will want to see, and the recurring gaps that turn into findings.
For the audit-program structure itself, see AS9100 Internal Audit Checklist: What Aerospace Quality Teams Need to Cover. For the aerospace FAI evidence that closes Clause 8.5.1.3, see AS9102 First Article Inspection and Characteristic Accountability in AS9102. For the customer-flow-down side that ties aerospace audit evidence into a PPAP submission, see FAI vs PPAP and What is PPAP? A Complete Guide for Quality Engineers. Our webinar replays walk the submission discipline that feeds the same audit binder, and our next live session follows the same pattern.
What "Audit-Ready" Means Under AS9100D
Audit-ready under AS9100D is not the same as "the procedures are written." The certification body verifies three things at every clause: that the requirement is addressed in documented information, that the documented information is implemented as written, and that records prove implementation across the audit horizon. Each clause has a documented-information expectation, an implementation expectation, and an evidence expectation. A finding is written when any of the three is missing.
The horizon is the period since the last audit, typically twelve months for surveillance and three years for recertification. The auditor samples records from across that window. A clause where the procedure is solid, the most recent record is clean, and the older records are inconsistent will still produce a finding.
Clause 4: Context of the Organization
The requirement in one paragraph. Determine the internal and external issues relevant to the QMS, the interested parties and their relevant requirements, the scope of the QMS, and the processes, their sequence and interaction, the criteria and methods for their control, the resources needed, the responsibilities and authorities, and the risks and opportunities.
Objective evidence the auditor wants. A scope statement that reads like the actual product and process boundary. A documented process map that shows the QMS processes, their inputs, outputs, owners, KPIs, and interactions. A context-of-the-organization record that names the issues and interested parties beyond a generic SWOT template. Customer-specific requirements traceable from the master list into the process documents that implement them.
What gets it written up. A scope statement that excludes a process the company actually performs, like in-house heat treat or NDT. A process map that lists the eight QMS processes but has no measurable criteria for any of them. A customer requirements list that has not been updated since the last Boeing or Lockheed quality manual revision.
Clause 5: Leadership
The requirement in one paragraph. Top management is accountable for the QMS, sets a quality policy aligned with the strategic direction, ensures the QMS achieves its intended results, promotes risk-based thinking, ensures resources, communicates the importance of conformity, engages, directs, and supports the people who contribute to the QMS, and assigns responsibilities and authorities. Customer focus and the product safety responsibilities are emphasized.
Objective evidence the auditor wants. A signed quality policy posted and explainable by floor employees. Management Review minutes from the last cycle that include the AS9100D inputs and outputs by name. Organizational chart with documented quality authority and a clearly assigned individual responsible for product safety and ethical behavior reporting per Clause 5.1.1.
What gets it written up. A quality policy nobody on the floor can articulate. A Management Review that hit the ISO 9001:2015 inputs but skipped the AS9100D adders, particularly on-time delivery performance, customer satisfaction trends, product safety, and counterfeit parts risk. A safety responsibility assignment that names a job title nobody currently holds.
Clause 6: Planning
The requirement in one paragraph. Determine the risks and opportunities that need to be addressed to give assurance the QMS achieves intended results, prevent or reduce undesired effects, and achieve improvement. Establish quality objectives at relevant functions, levels, and processes that are measurable, monitored, communicated, and updated. Plan changes in a controlled way. AS9100D adds operational risk planning under Clause 8.1.1, but the strategic-level risk and opportunities register lives here.
Objective evidence the auditor wants. A risks and opportunities register with assessment, mitigation, owner, due date, and effectiveness check. Quality objectives stated at the function and process level with the measurement frequency and target. A change-control record where a recent QMS change was planned, approved, communicated, and verified.
What gets it written up. A risk register that lists eighteen generic items, none of which have a mitigation. Quality objectives that are stated as the policy ("zero defects, on time, every time") rather than measurable targets at the process level. A QMS change implemented without a planning record, common when an ERP module switches over mid-cycle.
Clause 7: Support
The requirement in one paragraph. Provide the resources, including people, infrastructure, environment, monitoring and measurement resources, and organizational knowledge. Ensure competence, awareness, and communication. Maintain documented information, controlled and protected.
Objective evidence the auditor wants. A calibration program that covers every gauge and instrument used to verify product, with calibration records traceable to a national standard and out-of-tolerance handling procedures. Competence records that match the skill matrix to the people performing the work, including auditors, inspectors, designated engineering authorities, and NDT personnel where applicable. A document control system that shows revision, approval, and obsolete-copy control. Organizational knowledge captured in a way that survives turnover.
What gets it written up. Calibration records present but out-of-tolerance gauges with no reverse traceability investigation. NDT personnel certifications expired between audits. Competence requirements for internal auditors not satisfied. Obsolete drawings still circulating in production folders. Knowledge-management Clause 7.1.6 not addressed at all, since it was a 2015 addition that pre-existing QMS structures often missed.
Clause 8: Operation
Clause 8 is the longest clause and the one where most aerospace findings cluster. We will walk each subclause.
Clause 8.1.1, Operational Planning and Control
Requirement. Plan and control the processes needed to meet product and service requirements, including criteria, resources, controls, and documented information. Establish process controls and account for risks identified per Clause 6.
Evidence. Production plans, work orders, traveler discipline, in-process checkpoints, hold points for customer or third-party inspection, and verification at points where downstream rework is impractical.
Findings. Travelers signed off at operations the operator did not perform. Hold points present in the Control Plan but not implemented on the floor. No documented operational risk assessment for new programs.
Clause 8.1.2, Operational Risk
Requirement. Plan, implement, and control a process for managing operational risks to the achievement of applicable requirements.
Evidence. Process-level FMEAs or equivalent risk analyses tied to operations, with risk mitigation traceable into the Control Plan and the work instructions. For more on what reviewers expect in the process risk analysis itself, see our Process FMEA Practical Guide.
Findings. Generic risk assessments at the program level with no link to operation-level controls. Risk mitigations closed in the risk register but never reflected in the Control Plan revision.
Clause 8.1.3, Configuration Management
Requirement. Plan, implement, and control a configuration management process to ensure identification and control of physical and functional attributes throughout the product lifecycle.
Evidence. Configuration identification at the part-number-and-revision level, baseline definitions, change control records, and configuration status accounting that can answer "what was the build configuration on serial number 12345 shipped on this date?" Customer-specific configuration requirements flowed into the system.
Findings. Serial number history that cannot reproduce the as-built configuration. Engineering change orders incorporated into the part but not yet released in the document control system. Configuration records that drift between the ERP, the drawing system, and the shop traveler.
Clause 8.1.4, Prevention of Counterfeit Parts
Requirement. Plan, implement, and control processes for the prevention of counterfeit or suspect counterfeit part use and their inclusion in product delivered.
Evidence. A counterfeit parts prevention procedure aligned to AS5553 for electronics or AS6174 for raw materials. Approved sources of supply, traceability documentation requirements, inspection criteria for high-risk material, supplier flow-down of the same controls, and reporting of confirmed counterfeit material to GIDEP or equivalent.
Findings. Procedure exists but supplier flow-down language is missing from the purchasing terms. Receiving inspection criteria for high-risk material identical to low-risk. No counterfeit-suspect investigation record on file even though the program has been running long enough that the absence is itself suspicious. For the deeper standards walkthrough, see Counterfeit Parts Prevention: How AS5553, AS9100 Clause 8.1.4, and DFARS Fit Together.
Clause 8.2, Customer Requirements
Requirement. Customer communication, requirements review, contract amendment control, and review of changes.
Evidence. A contract review record for every order that includes the technical and quality requirements and any deviations. A documented method to confirm customer requirements before commitment.
Findings. A purchase order accepted with conflicting revision callouts that were not resolved before production started. Amendment records that lag the actual customer-driven change by weeks.
Clause 8.3, Design and Development
Requirement. Applies when the supplier is design-responsible. Planning, inputs, controls, outputs, change control, configuration management within the design process, verification, and validation.
Evidence. Design plans with stage gates, input documents traceable to customer requirements, design reviews with attendance and minutes, verification records that compare the design to the inputs, validation records that compare the product to the intended use.
Findings. A design review held but no record of the input documents reviewed. Verification and validation records that conflate the two. Design changes implemented without going back through the verification step.
Clause 8.4, Externally Provided Processes, Products, and Services
Requirement. Control of external providers, including approval, scope of approval, performance monitoring, and re-evaluation.
Evidence. Approved Supplier List with the scope of approval (commodity, process, customer-mandated source) and the evidence supporting initial approval. Supplier performance scorecards with quality and delivery metrics. Re-evaluation cadence documented. Customer-directed sources tracked separately.
Findings. ASL entries with no objective evidence of initial approval. Suppliers with quality scores below internal thresholds that were never re-evaluated. NADCAP-required special processes outsourced to a non-NADCAP source without a documented customer waiver.
Clause 8.5, Production and Service Provision
Requirement. Controlled conditions including documented information, monitoring, suitable infrastructure, qualified personnel, validation of processes whose output cannot be verified later, identification and traceability, customer property, preservation, post-delivery activities, control of changes, and production process verification under Clause 8.5.1.3.
Evidence. Travelers and work instructions on the floor matching the released revision. Identification and traceability records that survive an audit walk from raw material to shipped product. Special process validation records (heat treat, welding, painting, NDT) with operator qualifications and process parameters. First Article Inspection records per Clause 8.5.1.3, typically per AS9102, for first production runs of a new part and after the four triggering changes.
Findings. Identification that breaks at a kitting operation where lot integrity is lost. Special process records with parameters logged but no operator certification on file for the operator who ran the cycle. FAI required at the change point but not performed because the change was not flagged through the configuration management process. For the FAI side, see AS9102 First Article Inspection and AS9102 Partial FAI Re-accomplishment.
Clause 8.6, Release of Products and Services
Requirement. Verify that product and service requirements have been met before release. Release does not proceed until planned arrangements are completed satisfactorily.
Evidence. Final inspection records, certificates of conformance, and a release-authority signoff that confirms the conformity status of the product.
Findings. Product released on the basis of an incomplete inspection record. Certificate of conformance issued without an underlying inspection record to support it.
Clause 8.7, Control of Nonconforming Outputs
Requirement. Identify, control, and disposition nonconforming product to prevent unintended use or delivery. Take corrective action.
Evidence. A documented nonconformance system with the disposition (use as is, rework, repair, return, scrap), the MRB or equivalent authority that approved use-as-is or repair, customer notification where required, and corrective action that addresses root cause.
Findings. Nonconforming product reworked back to print but the underlying cause never investigated. Use-as-is dispositions without customer concurrence where the customer flow-down requires it. Repair categorized as rework, which dodges the standard's stricter repair controls.
Clause 9: Performance Evaluation
The requirement in one paragraph. Monitoring, measurement, analysis, and evaluation. Customer satisfaction, internal audit, and Management Review.
Objective evidence the auditor wants. A measurement plan that defines what is monitored, the method, the frequency, and the analysis approach. Customer satisfaction data including complaints, returns, and survey results. An internal audit program covering all clauses across the audit cycle with auditor competence on file. Management Review minutes that close the loop on inputs and outputs.
What gets it written up. Customer satisfaction reduced to a survey nobody returns. Internal audits scheduled by department rather than by clause, which leaves clauses uncovered. Management Review minutes that miss the AS9100D-specific inputs on product safety, on-time delivery, and supplier performance.
Clause 10: Improvement
The requirement in one paragraph. Improve products and services, correct undesired effects, and improve performance and effectiveness of the QMS. Take action to eliminate the causes of nonconformities, including corrective action.
Objective evidence the auditor wants. Corrective action records with root cause analysis, containment, corrective action, effectiveness verification, and closeout. A trend analysis that identifies systemic issues. Improvement projects with measurable outcomes.
What gets it written up. Corrective actions closed without an effectiveness check, or with an effectiveness check that is one inspection on one lot. Trend analyses that exist but never feed back into the risk register or the Management Review. For the CAPA effectiveness side, see How to Close a CAPA So It Actually Stays Closed and CAPA Effectiveness Verification.
Five Evidence Gaps That Show Up Across Clauses
When the certification body writes up multiple findings against the same QMS, the gaps tend to cluster in five patterns.
- Configuration drift. The ERP, the drawing system, the traveler, and the shipped product agree at the point of release but cannot be reconstructed three months later. Clause 8.1.3 reads clean on procedure and fails on traceability.
- Risk that does not propagate. Strategic risks under Clause 6 and operational risks under Clause 8.1.2 are documented, but the mitigations never reach the Control Plan or the work instructions. The risk register is a document, not a control.
- Special process records without operator linkage. Heat treat charts, weld parameters, NDT scans, and paint cycles are logged with the date and the operator initials, but the operator certification on file does not cover the process or has expired.
- CAPA effectiveness verified once. A corrective action is closed on the first lot that runs clean. The recurrence shows up two quarters later, and the closure record has nothing to support an effectiveness claim.
- Customer-flow-down language missing in purchasing. AS9100D Clause 8.4.3 requires flow-down to external providers. The Approved Supplier List is solid; the purchase order terms do not flow down the counterfeit parts prevention requirements, the right of access for the customer and regulatory authorities, or the requirement to notify of nonconforming product. The gap shows up as a finding against 8.4.3 even when 8.4.1 and 8.4.2 are clean.
Each pattern crosses multiple clauses. Closing them takes a system change, not a procedure edit.
Why Documentation Cascade Matters for Audit Readiness
The configuration drift pattern is the strongest argument for a connected document model rather than parallel binders. When the Special Characteristic on the print propagates into the PFMEA, the Control Plan, the operator instructions, the calibration program for the gauge that measures it, and the FAI Form 3 evidence, the auditor can walk Clause 8.1.3, Clause 8.1.2, Clause 8.5.1, and Clause 8.5.1.3 with the same trace. When those documents are maintained separately and line up only at audit time, the trace breaks and the finding writes itself.
That is the design behind QualityEngineer.ai's PPAP package workflow, the Blueprint Intelligence feature extraction that seeds the Special Characteristic list from the print, and the document cascade that propagates revisions across the connected QMS. Our webinar replays walk through a live submission against the same audit-evidence standard, and the next live session follows the same pattern. The product cascade and the audit-evidence cascade are the same cascade.
Related Reading
- AS9100 Internal Audit Checklist for the audit-program structure that runs the clause-by-clause sweep
- AS9102 First Article Inspection: How Form 1, Form 2, and Form 3 Fit Together Under Rev C for the production-process verification evidence under Clause 8.5.1.3
- Characteristic Accountability in AS9102 for the ballooning discipline that closes the Form 3 trace
- AS9102 Partial FAI Re-accomplishment for the change-point FAI evidence Clause 8.5 expects
- Counterfeit Parts Prevention: How AS5553, AS9100 Clause 8.1.4, and DFARS Fit Together for the Clause 8.1.4 evidence pack
- FAI vs PPAP: When Aerospace Suppliers Need First Article Inspection, PPAP, or Both for the bridge into the AIAG submission lane
- What is PPAP? A Complete Guide for Quality Engineers for the 18-element PPAP foundation
- PPAP Software: How Purpose-Built Tools Reduce Submission Rework for the connected document approach to consistency
- How to Close a CAPA So It Actually Stays Closed for the Clause 10 corrective action evidence
- CAPA Effectiveness Verification for the closeout standard the auditor will check
About the Author
Daniel Crouse is the founder of QualityEngineer.ai and has spent 15-plus years in supplier quality, PPAP, and manufacturing systems. He built QualityEngineer.ai because quality engineers deserve better tools than Excel.




