Delta audits are performed with the intention of auditing management systems for the difference between the status quo and the (new) standard requirements.

The purpose is to identify possible need for action before, for example, a transition audit to a new standard or a certification audit is performed. Delta audits can be performed at any time and independently of regularly scheduled audits.

The delta audit is named after the fourth letter of the Greek alphabet "Delta" (∆). A term often used synonymously is gap analysis.

When does a delta audit make sense?

Delta audits are offered by certification bodies as an optional service. It makes sense, for example, when revisions of ISO management system standards are available and companies want to switch to the new version. As was the case at the time with the well-known quality management standard, the transition from ISO 9001:2008 to ISO 9001:2015. The delta audit was a welcome opportunity for many companies to identify any need for action based on the final standard in order to ensure a successful transition to the new version.

A delta audit is also useful when switching from a management system standard whose publisher is not ISO to an ISO standard. It creates transparency and identifies possible need for action. An example of this comes from the field of occupational safety and health (OHS): the move from BS OHSAS 18001 to ISO 45001:2018.

Another situation where delta audits can be used is the lack of a formal basis for certification. Take the example of the European General Data Protection Regulation (GDPR): although the new GDPR finally took effect in May 2018, there is as yet no way to certify against it. In such cases, the data protection audit uses a gap analysis to determine whether the company complies with the key data protection aspects. This does not produce an official certificate. However, it offers the company the security of knowing the status quo, the delta to the requirements of the General Data Protection Regulation and the need for action.

When is the effort worthwhile?

A delta audit can be a sensible measure in the case of a standard revision, for example, since companies are rarely 100 percent up to date with a revised or newly issued management system standard at the time of the planned changeover.

In terms of effort, the delta audit is roughly comparable to a (likewise optional) pre-audit, which is carried out before the stage 1 audit in the case of initial certification. Both procedures are independent of the actual certification audit and therefore involve additional effort. Nevertheless, in most cases, such an audit saves time and costs compared to an insufficiently prepared certification audit, in which significant non-conformities (deviations) are found.

When should a delta audit be performed?

Anyone commissioning a delta audit should think about the right time to conduct it. If the new requirements of a standard have been established, there is no such thing as too early a date. Conversely, a company must expect that a gap analysis will reveal a need for action. Sufficient time must therefore be allowed, for example until the planned changeover audit, in order to be able to implement any necessary measures.

How does a delta audit work?

A gap analysis is always performed individually for each company. Existing company structures are analyzed in order to determine, for example, the effort and costs required for certification. Depending on the requirements, the analysis can relate only to individual parts of a company or take into account all areas of the company. Among other things, the analysis includes the company's action plans, risk assessments or target definitions.

The audit is usually carried out in the following steps:

  • Self-assessment by your company based on a list of questions
  • Determination of the audit focal points in close consultation with the certification company
  • On-site assessment of the current status by the auditor
  • Evaluation of the self-assessment by the auditor with a view to the actual state determined on site
  • Documentation of weak points and potential for improvement by the auditor.

However, it must be noted that there is no additional assessment by the auditor after the delta audit and a possible upcoming transition or certification audit. This means that it is not possible to show whether the potential for improvement that has been identified has also been implemented.

The procedure and approach clearly show that such a gap analysis is not a service in the sense of a consulting activity. It is a useful preparation for the certification audit with a view to possible need for action. It can precede certification, but is not part of ISO certification.


A delta audit (synonymously a gap analysis) is usually used when a standard is revised or completely reissued. Certification companies thus offer their customers a determination of the current status and a review of their self-assessment. These are compared with the new requirements in the company on site. The weaknesses (deltas / gaps) identified are documented and must be closed by the company before the actual system audit. However, the latter is not audited.

The main benefit is that no more significant deviations (non-conformities) are to be expected in the actual certification audit. This saves time and money.

audits-der-dqs-mitarbeiter diskutieren über inhalte auf tablet

Do you have questions about the Delta Audit?

We would be happy to inform you about the effort and costs in an informal discussion. Without obligation and free of charge.

Ute Droege

DQS expert for quality management systems, long-time auditor and experienced trainer for ISO 9001.