Guides
How to audit document control: a 6-step checklist
A document control audit is a structured check that your controlled documents are current, approved, and traceable β that the right version is in use, the right person approved it, and the record proves both. Its goal is to catch version, approval, and access gaps yourself, on your own schedule, before an external auditor or a client finds them for you.
This guide walks the audit in six steps, then hands you a copy-usable checklist you can run the same way every period. It assumes you already have a documented control procedure to audit against; if you are still unsure what the discipline covers, start with what document control is.
What is a document control audit?
A document control audit is a review that confirms your documents are managed the way your procedure says they should be β current versions in use, obsolete copies withdrawn, approvals recorded, and every change traceable to a person and a date. It tests the system, not the contents: the question is not "is this invoice correct?" but "can we prove this is the approved, current version, and show who approved it?"
An internal audit is one you run on yourself β a self-check to find and fix gaps quietly, before they cost anything. An external audit is run by an outside party: a certification body verifying an ISO 9001 quality system, a client checking a supplier, or a regulator confirming a requirement. The two look for the same things, which is exactly why running the internal version well makes the external one uneventful.
The 6-step document control audit
Work these six steps in order. Each opens with the instruction, then explains what you are actually looking for and why it matters.
1Define the audit scope
Decide exactly which documents, periods, and teams the audit covers before you look at a single file. A tight scope β "the last three months of subcontractor billing packs for the West Bay project" β keeps the audit finishable and the findings comparable. Agree the standard you are auditing against too, whether that is an internal procedure, a client requirement, or an ISO 9001 clause.
2Review the documented procedure against practice
Read the written document control procedure, then check whether people actually work that way. The gap between the procedure on paper and the habit at the desk is where most audit findings live: a procedure that says "two approvers" but a folder where one person signs off everything is a finding waiting to be written. If there is no documented procedure at all, that is itself the first finding.
3Verify roles and responsibilities
Confirm that the people named as document owners, reviewers, and approvers are the ones doing that work, and that their access matches their role. An approver who cannot actually see the documents they are meant to sign off, or a viewer who can quietly overwrite a current version, both point to a control that exists in name only. Map each responsibility to a real, scoped account.
4Sample documents for version and approval evidence
Pull a representative sample of documents and check each one for a current version and a recorded approval. You are not reading the contents for accuracy here β you are asking whether this document is the controlled, approved copy or an uncontrolled guess. A sample of ten to twenty documents across the scope is usually enough to expose a systemic problem without auditing every file.
5Walk the trail β who uploaded, who approved, when
For your sampled documents, trace the history end to end: who uploaded the current version, who approved it, and when each event happened. A control is only as good as the evidence it leaves behind. If the answer to "who approved this and when?" is a shrug or a forwarded email, the approval is not really controlled β it is remembered, and memory is not audit evidence.
6Classify and report findings with corrective actions
Write up each issue and grade it β major, minor, or observation β then attach a corrective action and an owner to every one. A major finding is a control that has failed (an unapproved document in active use); a minor finding is a control that slipped once; an observation is a risk worth watching. Findings without owners and dates are just complaints; the corrective action is what closes the loop before the next audit.
The audit checklist
Here is the reusable checklist to run against your sampled documents. Every item is a yes/no question β a "no" (or an "I'm not sure") is a finding to grade in step six. Copy it, keep it, and work it the same way each audit so results stay comparable period to period.
Document control audit checklist
- Is there a written, dated document control procedure that staff can find?
- Are the current versions of controlled documents the ones actually in use?
- Have obsolete or superseded documents been withdrawn or clearly marked?
- Is every controlled document traceable to a recorded approval?
- Can you identify who approved each current version, and when?
- Is version history retained so previous versions can be recovered?
- Is access scoped so people see and edit only what their role allows?
- Are external parties (subcontractors, vendors, clients) given scoped, separate access rather than shared logins?
- Is there an activity record showing who uploaded, changed, or approved each document?
- Are required documents tracked so missing items are visible before a deadline?
- Are rejected or "needs revision" documents handled through a defined path, not overwritten silently?
- Can the whole trail be reproduced later without reconstructing it from email?
What auditors flag most often
Across audits, the same handful of findings come up again and again. Knowing them in advance is half the fix β most are failures of evidence, not effort.
Uncontrolled copies in circulation
The single most common finding: a spreadsheet emailed around and edited locally, so three people hold three different "current" versions and none of them is the approved one.
Missing approval evidence
A document is being used as final, but nothing records that anyone approved it. "Everyone knew it was signed off" is not evidence an auditor can accept.
No version history
When the current version is the only version, there is no way to prove what changed, when, or whether the change was authorised. Overwritten files erase their own audit trail.
Shared credentials
One login used by a whole team means every action is attributable to "the account," not a person β which quietly voids every approval and upload record tied to it.
Undocumented changes
A figure changed between versions with no note of who changed it or why. Silent edits are the finding auditors escalate fastest, because they undermine trust in every other document.
Making the next audit boring
Here is the honest PaperTight part, clearly signposted so you can skip it if you only came for the checklist. Most audit findings are not failures of care β they are failures of evidence. The approval happened; nobody recorded it. The version was current; the filename could not prove it. The fix is a system where the evidence exists by default instead of being reconstructed under pressure.
That is what PaperTight is built to do. Your Excel, Word, and PDF files stay the source of truth; around them, the control layer captures the evidence an audit asks for as a side effect of normal work:
- Β·Version history per document slot, so "which is current" is a fact, not a filename guess β and previous versions are always recoverable.
- Β·The Activity Log, so who uploaded, changed, and approved each document β and when β is on the record, not in someone's memory.
- Β·Approval records from the review workflow, so every current version carries proof it was signed off, or a documented "needs revision" if it wasn't.
- Β·Scoped access, so subcontractors and clients get their own separate logins instead of a shared credential β and every action stays attributable to a person.
When the trail is already there, the audit stops being an excavation. You can see how it fits together on the product overview and read how access and records are handled on the security page.
Questions & answers
How do you audit document control?+
Audit document control in six steps: define the audit scope, review the documented procedure against actual practice, verify that roles and access match responsibilities, sample documents for version and approval evidence, walk the trail of who uploaded and approved each one, then classify and report findings (major, minor, or observation) with corrective actions and owners.
How often should document control be audited?+
Most organisations run a full internal document control audit at least annually, with lighter spot checks each quarter or at the close of each reporting period. Systems tied to a certification such as ISO 9001 are typically audited on the certifierβs cycle, and any major process change or failed control should trigger an audit sooner rather than waiting for the calendar.
What does an auditor check in document control?+
An auditor checks whether the current versions are the ones in use, whether obsolete documents have been withdrawn, whether every controlled document has recorded approval, whether access is scoped to the right people, and whether the history shows who did what and when. In short, they check that the control leaves evidence behind, not just that the documents look tidy.
What is a document control audit checklist?+
A document control audit checklist is a set of yes/no questions an auditor works through to confirm each control is working β current versions in use, obsolete copies withdrawn, approvals recorded, access scoped, and history retained. It turns a vague "are our documents under control?" into a repeatable, comparable review you can run the same way every time.
Make your next audit uneventful.
See version history, the Activity Log, and approval records on a real document slot.