Last week one my customers had their first ISO9001:2015 stage 1 documentation audit. The audit went pretty well but we did had some tough discussions with the auditors. I honestly don't mind the discussions but it also made me thinks about the boundaries of when they can write an AOC. The main discussions were about the risk assessment and the stakeholder analysis. They claimed we missed a few stakeholders and some risks. Though we all agreed on the fact they we should add them, the discussion was about wether or not the auditor is allowed to write an AOC because (s)he doesn't agree with the content of it. Especially the risk assessment is a lively and dynamic document which will change due to changes in the surrounding of the company. With the old 2008 standard we never had any discussion on the content of a procedure because that doesn't affect the management system, though it can have an influence on the effectiveness of it. Do you have any idea what the boundaries of an auditor are with respect to the content of certain documents?