Key Takeaways
  • The most frequent ISO 55001 finding is a SAMP that is disconnected from organisational strategy or missing entirely
  • Asset criticality frameworks that lack documented methodology or rationale are consistently flagged
  • Performance KPIs that are not measurable, not monitored, or not linked to asset management objectives are a recurring issue
  • Competence evidence — particularly for roles making asset investment decisions — is often insufficient
  • Most findings are preventable through thorough internal audits and genuine management engagement

How Audit Findings Work in ISO 55001

Before examining specific findings, it is important to understand the classification system that certification auditors use and what each level of finding means for your certification outcome.

Major Nonconformity

A major nonconformity indicates the absence or complete breakdown of a requirement. Examples include: no Strategic Asset Management Plan exists, no risk assessment has been conducted for the asset portfolio, or the asset management policy has never been communicated. A major nonconformity must be resolved and verified before the certification decision can be made. This typically requires a follow-up audit within 90 days.

Minor Nonconformity

A minor nonconformity is an isolated instance of non-compliance that does not indicate systemic failure. Examples include: one asset management plan has not been updated after a significant change, a single competence record is missing, or a management review omitted one required input. The certificate can be issued with an accepted corrective action plan, but the corrective action must be verified at the next surveillance audit.

Observation / Opportunity for Improvement (OFI)

An observation highlights an area where the system could be strengthened but where no specific requirement has been breached. No action is required, but addressing observations demonstrates maturity and commitment to continual improvement.

Auditor Perspective

ISO 55001 auditors evaluate whether the asset management system achieves its intended outcomes — not whether every document is perfect. They are looking for evidence of a functioning, strategically aligned asset management system. Organisations that can demonstrate the "golden thread" from organisational objectives through the SAMP to asset management plans and operational activities consistently perform well.

Finding 1: Weak Strategic Alignment (Clause 4.1, 4.2, 6.2)

What auditors find: Asset management objectives that bear no clear relationship to the organisational strategic plan. The SAMP exists as a standalone document without traceable links to corporate goals, or asset management activities are operationally focused without strategic context.

Why it occurs: Many organisations build their asset management system from the bottom up — starting with maintenance activities and working backwards to create objectives. ISO 55001 requires the opposite: a top-down cascade from organisational objectives through the SAMP to asset management objectives and plans.

How to prevent it:

  • Start with the organisational strategic plan and identify what it requires from asset management
  • Document the line of sight from each organisational objective to specific asset management objectives
  • Ensure the SAMP explicitly references the organisational plan and explains how AM will deliver value
  • Review the alignment annually — when strategic priorities change, asset management objectives must adapt

Finding 2: Missing or Inadequate Asset Criticality Framework (Clause 8.1)

What auditors find: No documented methodology for determining asset criticality, or a criticality assessment that considers only one dimension (e.g., replacement cost) while ignoring consequence of failure across safety, environmental, service delivery, and regulatory dimensions.

Why it occurs: Organisations often have informal, tribal knowledge about which assets are "important" but have not formalised this into a systematic framework. Some organisations inherit criticality ratings from their CMMS without understanding or validating the underlying methodology.

How to prevent it:

  • Develop a documented criticality assessment methodology that considers multiple consequence dimensions (safety, environment, service, financial, regulatory, reputation)
  • Apply the methodology consistently across the asset portfolio
  • Validate criticality ratings with subject matter experts and operational staff
  • Use criticality outputs to drive differentiated maintenance strategies, inspection frequencies, and investment priorities
  • Review and update criticality assessments when asset context changes (new regulations, changing demand, deterioration)

Finding 3: Inadequate Strategic Asset Management Plan (Clause 6.2.1)

What auditors find: A SAMP that is either missing entirely, or that reads like a high-level policy statement without the specificity needed to guide asset management planning and decision-making. Some organisations produce a SAMP that simply restates the asset management policy in longer form.

Why it occurs: The SAMP is a concept unique to ISO 55001 that many organisations find difficult to translate into practice. Unlike a policy (which states commitments) or a plan (which details actions), the SAMP occupies a strategic middle ground that many organisations have not previously documented.

How to prevent it:

  • The SAMP should document: how the organisational plan drives AM objectives; the AM approach (e.g., risk-based, condition-based, lifecycle-optimised); how AM plans will be developed from the SAMP; the timeframe and horizon for AM planning; and the resources and capabilities required
  • Include specific AM objectives with measurable targets and timeframes
  • Reference the context analysis (Clause 4.1) and stakeholder requirements (Clause 4.2) as inputs
  • Ensure the SAMP is approved by top management and reviewed at least annually
  • Demonstrate that asset management plans are derived from and consistent with the SAMP

Finding 4: Poor Performance Measurement (Clause 9.1)

What auditors find: Asset management KPIs that are vague ("improve asset reliability"), not measured, not reported, or not linked to the asset management objectives. In some cases, organisations measure operational metrics (e.g., work order completion rate) but cannot connect these to strategic objectives.

Why it occurs: Many organisations have extensive operational data but lack a structured performance measurement framework that connects operational metrics to strategic AM objectives. Others set objectives during implementation and never establish the measurement mechanisms.

How to prevent it:

  • For every AM objective, define at least one measurable KPI with a target, measurement method, frequency, and responsible person
  • Implement a tiered measurement framework: strategic KPIs (reported to leadership), tactical KPIs (reported to AM management), operational KPIs (used for day-to-day management)
  • Establish a regular reporting cadence — monthly operational, quarterly tactical, annual strategic
  • Include performance trends in management review inputs
  • Act on adverse performance trends — not just report them

Finding 5: Competence Gaps (Clause 7.2)

What auditors find: No documented competence requirements for asset management roles, or competence evidence that covers technical qualifications but ignores asset management-specific competencies. Organisations often cannot demonstrate that people making asset investment decisions have appropriate competence in lifecycle costing, risk assessment, or strategic planning.

Why it occurs: Competence frameworks are typically built around technical and operational skills. The strategic and analytical competencies required for effective asset management — lifecycle analysis, decision-making under uncertainty, balancing competing stakeholder requirements — are often not formally defined or assessed.

How to prevent it:

  • Define competence requirements for all roles that affect asset management outcomes — from strategic planners to maintenance technicians
  • Include AM-specific competencies: risk assessment, lifecycle cost analysis, criticality assessment, data analysis and interpretation, stakeholder management
  • Maintain evidence of competence: qualifications, training records, experience records, assessment results
  • Identify competence gaps and implement training or recruitment plans to address them
  • Evaluate the effectiveness of training — not just attendance

Finding 6: Incomplete Risk Assessment (Clause 6.1)

What auditors find: Risk assessments that focus exclusively on asset-level technical risks (failure modes, condition degradation) without addressing management system risks — the risks that the asset management system itself will not achieve its intended outcomes. Some organisations confuse equipment reliability analysis with the broader risk assessment ISO 55001 requires.

Why it occurs: Asset-intensive organisations often have mature asset risk assessment processes (FMEA, RCM, RBI) that they assume satisfy ISO 55001 requirements. While these are valuable, ISO 55001 requires a broader assessment that includes risks and opportunities related to the management system's ability to deliver the SAMP.

How to prevent it:

  • Conduct risk assessment at two levels: (1) asset/portfolio level risks to service delivery, safety, environment, and financial performance; and (2) management system risks to the AM system's ability to achieve its intended outcomes
  • Include opportunity identification — not just risk avoidance
  • Consider risks from: resource constraints, skill shortages, regulatory changes, technology obsolescence, climate impacts, supply chain disruption, data quality
  • Document risk treatment decisions with clear rationale
  • Review and update risk assessments when the context changes significantly

Finding 7: Lifecycle Cost Omissions (Clause 8.1, 6.2.2)

What auditors find: Asset management decisions (acquisition, renewal, maintenance strategy) made on the basis of capital cost alone without considering total lifecycle cost. Organisations may have detailed capex processes but no structured approach to evaluating whole-of-life costs including operation, maintenance, downtime, and disposal.

Why it occurs: Lifecycle costing requires data, analytical capability, and a long-term perspective that many organisations have not yet developed. Annual budget cycles incentivise short-term cost minimisation rather than lifecycle optimisation.

How to prevent it:

  • Develop a lifecycle cost analysis methodology appropriate to your asset portfolio (it does not need to be complex — even a simple total-cost-of-ownership model is better than capital cost alone)
  • Apply lifecycle thinking to major asset decisions: acquisition/procurement, maintenance strategy selection, renewal/replacement timing, and disposal
  • Include: acquisition cost, installation/commissioning, operation and energy, planned maintenance, unplanned maintenance, downtime/lost production, regulatory compliance, and disposal/decommissioning
  • Use lifecycle cost outputs to inform the SAMP and asset management plans
  • Train decision-makers on lifecycle thinking and provide supporting tools

Finding 8: Documentation Gaps (Clause 7.5)

What auditors find: Key documents missing, outdated, or not approved. Common examples: asset management plans that have not been reviewed since initial implementation, documented procedures that do not reflect current practice, or records of decisions made without documented rationale.

Why it occurs: Documentation is created during the implementation phase but is not maintained as a living system. Processes evolve but documents do not. In some cases, the documented information requirements of ISO 55001 are not fully understood, leading to gaps.

How to prevent it:

  • Establish a documentation matrix listing all required documented information, the responsible owner, review frequency, and current status
  • Schedule annual reviews for all key documents (policy, SAMP, AM plans, procedures)
  • Ensure document control processes are applied — version control, approval, distribution, and obsolete document management
  • Record decision rationale — particularly for asset investment, disposal, and risk acceptance decisions
  • Keep documentation proportionate — ISO 55001 does not prescribe document volume, only that required information is documented and controlled

Finding 9: Management Review Deficiencies (Clause 9.3)

What auditors find: Management reviews that do not cover all required inputs, produce no documented outputs (decisions and actions), or are conducted as quick sign-off exercises without genuine strategic discussion. Some organisations combine management review with other meetings but cannot demonstrate that ISO 55001-specific inputs were addressed.

Why it occurs: Senior leaders are busy and may view management review as an administrative requirement rather than a strategic governance mechanism. The review becomes a presentation of data rather than a decision-making forum.

How to prevent it:

  • Use a management review checklist that ensures all required inputs are covered: status of previous actions, changes in context and stakeholder needs, AM performance and KPIs, nonconformities and corrective actions, monitoring and measurement results, audit results, risk and opportunity status, supplier/outsource performance, and opportunities for improvement
  • Document actual decisions made and actions assigned (with owners and deadlines)
  • Track action completion and report at subsequent reviews
  • Ensure top management genuinely participates — not just receives a report
  • Include discussion of the SAMP's continued suitability and any need for revision

Finding 10: Insufficient Continual Improvement Evidence (Clause 10.3)

What auditors find: No systematic approach to continual improvement, or improvement activities that are purely reactive (fixing audit findings) without proactive improvement. Organisations may claim continual improvement but cannot demonstrate a structured programme with evidence of implemented improvements and their effectiveness.

Why it occurs: Continual improvement is often the last clause organisations implement, and it remains the least mature. Organisations focus on establishing the system and meeting initial certification requirements without building in the mechanisms for ongoing evolution.

How to prevent it:

  • Maintain an improvement register that captures improvement opportunities from multiple sources: audit findings, management review outputs, performance trend analysis, incident investigations, employee suggestions, benchmarking, and technology developments
  • Prioritise improvements based on impact and feasibility
  • Implement improvements with defined scope, resources, and success criteria
  • Evaluate whether improvements achieved their intended outcome
  • Report improvement activities and outcomes at management review
  • Demonstrate year-over-year maturity progression — not just maintenance of the status quo

Prevention Checklist

Use this checklist to assess your readiness before your ISO 55001 certification audit.

| Area | Check | Clause |
|---|---|---|
| Strategic Alignment | AM objectives trace back to organisational objectives with documented rationale | 4.1, 6.2 |
| SAMP | SAMP is documented, approved by top management, and reviewed within the last 12 months | 6.2.1 |
| Asset Criticality | Documented criticality methodology applied across the asset portfolio | 8.1 |
| Risk Assessment | Both asset-level and management system-level risks are assessed | 6.1 |
| Performance KPIs | Every AM objective has a measurable KPI with target and actual data | 9.1 |
| Competence | Competence requirements defined for all AM roles with evidence maintained | 7.2 |
| Lifecycle Costing | Major asset decisions consider total lifecycle cost, not just capital cost | 8.1 |
| Documentation | All required documents are current, approved, and accessible | 7.5 |
| Management Review | All required inputs covered, decisions documented, actions tracked | 9.3 |
| Internal Audit | Audit programme covers all clauses, auditors are independent and competent | 9.2 |
| Continual Improvement | Structured improvement programme with evidence of implemented improvements | 10.3 |
| Leadership | Top management can articulate AM policy and demonstrate active involvement | 5.1 |

The best preparation for an ISO 55001 certification audit is a genuinely functioning asset management system — not a last-minute documentation exercise. Auditors can quickly distinguish between organisations that manage their assets strategically every day and those that prepared for the audit. Focus on building a system that delivers value to the organisation, and the audit will take care of itself.

Frequently Asked Questions

What is the most common ISO 55001 audit finding?

The most common finding is a Strategic Asset Management Plan (SAMP) that is either missing or disconnected from the organisational strategic plan. Auditors consistently find that organisations have asset management activities but lack the documented strategic alignment that ISO 55001 requires.

How many nonconformities are normal in an ISO 55001 certification audit?

For a well-prepared initial certification audit, 2-5 minor nonconformities are typical. Zero major nonconformities is expected. Some observations (OFIs) are normal and demonstrate auditor engagement. Surveillance audits typically yield 0-3 minor nonconformities.

What happens if I get a major nonconformity in an ISO 55001 audit?

Certification cannot be granted until the major nonconformity is resolved and verified by the auditor. This typically requires a follow-up audit within 90 days. If the major NC cannot be resolved, the certification process must restart. Multiple major NCs may indicate the organisation is not ready for certification.

How should I prepare for an ISO 55001 certification audit?

Conduct a thorough internal audit at least 6-8 weeks before the certification audit. Ensure the SAMP is documented and clearly linked to organisational objectives. Verify that asset criticality assessments are complete, performance KPIs are being measured, and management reviews cover all required inputs. Brief staff who may be interviewed.

What is the difference between a major and minor nonconformity in ISO 55001?

A major nonconformity is a systematic failure or complete absence of a required element — for example, no SAMP exists or no asset risk assessment has been conducted. A minor nonconformity is an isolated lapse — for example, one asset management plan is not updated after a significant change. Majors must be resolved before certification; minors require an accepted corrective action plan.