What You Should Know About ISO 9001 Internal Audits (2023)

31 May 2021

The internal audit program is a self-check mechanism which organizations use to periodically verify they meet ISO 9001 requirements. ISO internal auditing is required by the standard. But audits are not only necessary to maintain ISO registration, they're also a powerful tool for improving the effectiveness of the quality management system (QMS) and the efficiency of operational processes.

In this article, we'll explain what ISO 9001 internal audits are, how to benefit from them, and what you need to do to ensure compliance.

Before examining the internal audit process, it's worth comparing internal audits to external audits. While internal and external audit activities are usually the same, they are performed for different reasons and often have a different scope.

External audits are undertaken by a third party – usually an auditor or team of auditors appointed by your company's registrar. They could also be conducted by a customer or other interested party. These types of external audits are often more limited in scope and focus on particular aspects of your quality system.

Internal audits, on the other hand, are performed in-house as a self-check mechanism at periodic intervals. The internal auditor or audit team are company employees who've been appointed and trained as ISO 9001 auditors, usually as an additional responsibility.

The purpose of internal audits is to:

Assess process conformity

Evaluate performance

Identify processes that require improvement in order to ensure the QMS remains fully implemented

Prepare for external audits

What Is the ISO 9001 Internal Audit Process?

The audit process involves the Document Review, which is where auditors check whether documentation meets ISO 9001 requirements, and the Process Review, which consists of checking actual business activities against documentation and looking for discrepancies.

ISO 9001 internal audits apply the Process Approach, which means that the auditor reviews a sequence of work activities rather than picking an ISO requirement and checking if the requirement is correctly implemented. Essentially, the ISO auditor would observe an activity, ask the operator questions, and request to view related documents and records. It's common practice for the internal auditor to cross-check what was said and verify records in other departments, for example, training records in the HR department. Auditors can't assess every single process, employee and document in the company, so it's important they exercise judgement in picking a representative sample.

The actual auditing process is generally straightforward. An internal auditor checks whether procedures and other documentation adhere to ISO 9001 requirements and then verifies that employees follow the procedures in their daily routines.

This can get difficult, though, when there is no procedure or work instruction document for the auditor to refer to. While ISO 9001 does not require procedures and work instructions for all processes, it does require such documentation where it adds value to the company. It is important to emphasize that process documentation is for the internal benefit of the company – not for the convenience of the auditor. Companies are neither required nor encouraged to develop procedures and work instructions that assist auditors.

In the absence of process documentation, the auditor will use a combination of employee interviews, observation of actual work processes and review of records to determine if the process conforms to ISO 9001 requirements and is effectively implemented. During this process, the auditor also evaluates if procedures and work instructions would be beneficial and, therefore, required.

When auditors have to rely more on employee interviews than observation of actual work processes, the best approach is to ask each employee the same set of questions and cross-check their answers for consistency. If these answers aren't consistent, the auditor will need to check further to see if this is due to actual inconsistencies in the way work is performed, if there is a need for standardization and work instructions, if there is a need for training, if the entire process requires review and improvement, or if there are other factors involved.


As important and useful as internal audits are, some business owners dread them. There are company owners who believe that ISO 9001 internal audits merely duplicate the work of registrars. For them, internal audits represent a waste of resources and an unnecessary disruption of regular work activities.

Other business owners view internal auditors as a kind of business police force and respond by hiding essential data and sometimes outright lying to maintain the illusion of compliance.

The truth is that these criticisms are only justified if the ISO 9001 internal audit program is incorrectly implemented. In fact, a well-set-up ISO audit program could be leveraged to become one of the most powerful tools to improve your business.

You will need to perform at least one internal audit two or three months prior to the certification audit. This will produce audit reports and records of corrective action that show where your organization's weak points are (i.e., nonconformities) and your plans to address them. These records are mandatory and are reviewed during external audits. By the time your certification audit is conducted, you should have taken all corrective action necessary to eradicate nonconformities.

Streamlining Your Internal Audit Process

Depending on the level of preparation that goes into your audit, it can be a smooth operation that highlights opportunities for improvement, or an unproductive and expensive nuisance. Consider the following tips for streamlining your internal audits and ensuring a stress-free path to compliance.

1. Appoint the Right Auditors

One of the first tasks is to choose your internal audit team and provide training in both the ISO 9001 standard and auditing techniques. Look for authoritative, trustworthy employees with good people skills and analytical or investigative talents. More required auditor qualifications are defined in ISO 19011. You should be able to demonstrate how internal auditor qualifications are met so be sure to keep records of auditor training, education, skills, and experience.

Importantly, you need to train enough auditors to prevent individuals from auditing their own department. Small businesses may have one auditor who audits the entire company except the internal audit function, and another auditor who just audits the audit function.

2. Use Forms and Checklists

Audit forms and checklists are used to simplify your internal audit process. The following two documents are particularly useful:

Audit Checklist
The most important tool for internal audits is the audit checklist. It includes every ISO 9001 requirement as well as the overall processes to facilitate process auditing. In preparation for an audit, the lead auditor or audit supervisor customizes the audit checklist by excluding sections that are not part of the audit at a particular department; specific audit questions can also be added based on a review of process documentation or experience in prior audits. During the audit, the auditor uses the checklist to ensure that business processes are checked against all pertinent ISO 9001 requirements and process steps.

Audit Report Form
All audit findings are recorded and the audit report is presented to management of the audited departments for corrective action. Using a standardized format for the audit reports helps the auditor ensure that all required information is documented, as well as present the audit findings in an easy-to-understand way.

Note that the mentioned internal audit forms and checklists are included in our ISO 9001 Audit Toolkit.

3. Standardize the Audit

Like every other business process, the internal audit process works best if it's well designed and standardized. As mentioned above, internal audits involve two stages: the documentation review and the process review. During the process review the auditor seeks answers to three questions:

Can employees describe what they do?

Do employees do what they describe?

Are employees effective at what they do?

These questions cover employee intent, implementation, and effectiveness in business activities. ISO 9000 describes effectiveness as "the extent to which planned activities are realized and planned results are achieved." Be sure to look beyond compliance and determine whether procedures are truly effective at meeting business objectives.

4. Hold a Closing Meeting with Auditees

Many auditors make the mistake of privately reviewing internal audit results only with top management or merely sending an audit report. Both approaches leave employees wondering about ISO 9001 nonconformance. A better plan is to hold a closing meeting immediately after completing the audit and organizing its findings. Top management and managers of the audited departments should join the meeting, but staff could also participate.

During the meeting, don't focus too much on processes that didn't hold up to close inspection. Instead, reinforce positive feedback by identifying and praising departments that performed well. Never give staff the feeling that internal audits are a kind of punishment. In addition, use the meeting as an opportunity to promote the benefits and importance of ISO 9001.

5. Get Feedback from Auditees

Another way to improve the internal audit experience is by gathering auditee feedback. It may be tempting to treat audits like a one-way process, but your auditees' reactions are as important as your auditors' methods. Whenever possible, try to get this feedback in real-time and use the results to adjust your auditors' approach. Involving people on every level will ensure a fair and balanced internal audit process.


The internal audit program can be an immensely powerful tool that not only ensures your company achieves and retains ISO 9001 certification, but also helps employees, process owners and managers improve their areas of responsibility.

There's a common and persistent myth that internal audits need to show that every process is perfect to begin with. This is obviously not true and does in fact contradict one of the core tenets of ISO 9001 – continuous improvement. Our advice is simple: treat your internal audits with the respect they deserve, and use them as opportunities to discover ways of improving your company's operations and enjoying the rewards of ISO 9001.

Start by giving your internal auditors good training.

Last but not least, there are companies that are either too busy and just not interested in setting up their own internal audit program, or too small to fully benefit from it. If that's your company, consider outsourcing your internal audit program to an experienced lead auditor.


What are the internal audit requirements for ISO 9001? ›

Basic audit requirements
  • Plan, establish, implement and maintain the organisation's audit program. ...
  • Define the criteria and scope of the audit. ...
  • Select impartial auditors. ...
  • Report results to management. ...
  • Implement recommendations and corrective actions as soon as possible. ...
  • Retain the documentation as evidence of implementation.
10 Sept 2019

What is the purpose of an ISO 9001 internal audit? ›

The purpose of the ISO 9001 internal audit is to assess the effectiveness of the quality management system and the organization's overall performance.

How do I prepare for an ISO internal audit? ›

6 tips to ace your ISO audit
  1. Be well-prepared. The ISO certification should be a living management process that is constantly updated and optimized. ...
  2. Take internal audits seriously. ...
  3. Implement corrective actions. ...
  4. Don't forget your management review. ...
  5. Correctly monitor objectives. ...
  6. Ensure that everything is clean.

What things should we consider when doing an internal audit? ›

To conduct an Internal Audit properly, you will need to decide the following: Who will perform the audit and when.
During the Audit
  • Studying the expected procedures.
  • Observing procedures being carried out.
  • Looking at records and similar documents.
  • Talking to other members of staff.
28 Nov 2018

What are 5 phases of internal audit process? ›

Internal audit conducts assurance audits through a five-phase process which includes selection, planning, conducting fieldwork, reporting results, and following up on corrective action plans.

What questions do ISO auditors ask? ›

ISO Auditor Questions
  • What is your quality (environmental, safety, information security) policy? ...
  • What are your objectives? ...
  • Where do you get your procedures from? ...
  • What do you do if you find a nonconformance or a potential improvement? ...
  • What are your responsibilities?
4 Mar 2013

What is ISO audit checklist? ›

An ISO 9001 audit checklist helps the auditor to gather documentation and information about quality objectives, corrective action, internal issues, and customer satisfaction.

What are the three types of internal audit report? ›

Types of internal audits include compliance audits, operational audits, financial audits, and information technology audits.

What are the 3 key components of ISO? ›

The first three clauses of ISO 9001:2015 are scope, normative references and terms. These are information clauses rather than clauses that outline particular actions or major requirements. Additionally, these clauses highlight the basic tenets of a high-value quality management system.

How do I prepare an ISO 9001 audit checklist? ›

ISO 9001 Audit Checklist Preparation
  1. information on results of audits,
  2. customer feedback,
  3. process performance and product conformity,
  4. status of corrective and preventive actions,
  5. follow-up actions from previous management reviews,
  6. changes that could affect the quality management system, and.

What are the 7 steps in the audit process? ›

Audit Process
  1. Step 1: Planning. The auditor will review prior audits in your area and professional literature. ...
  2. Step 2: Notification. ...
  3. Step 3: Opening Meeting. ...
  4. Step 4: Fieldwork. ...
  5. Step 5: Report Drafting. ...
  6. Step 6: Management Response. ...
  7. Step 7: Closing Meeting. ...
  8. Step 8: Final Audit Report Distribution.

What standards do internal auditors follow? ›

The Core Principles of Internal Auditing

Demonstrates integrity. Demonstrates competence and due professional care. Is objective and free from undue influence (independent). Aligns with the strategies, objectives, and risks of the organization.

What does an internal auditor do on a daily basis? ›

They review the organization's processes, operations, and goals. They provide objective, professional advice to all levels of management and pave the path toward continuous improvement. Competent internal auditors follow the profession's internationally accepted code of ethics and standards for professional practice.

What are the 5 C's of internal audit? ›

What Are the 5 C's of Internal Audit? Internal audit reports often outline the criteria, condition, cause, consequence, and corrective action.

What is QMS internal audit? ›

Internal QMS Audits

Internal quality audits are conducted to ensure ongoing compliance with requirements of the QMS standards, and the Division's policies and procedures. This is accomplished by auditing against all important processes and areas, and by applying all applicable sections of the standard.

What are the 4 stages of an internal audit? ›

Although every audit process is unique, the audit process is similar for most engagements and normally consists of four stages: Planning (sometimes called Survey or Preliminary Review), Fieldwork, Audit Report and Follow-up Review.

What are 6 mandatory quality procedures? ›

The six procedures are: Control of Documents, Control of Records, Internal Audit, Corrective Action, Preventive Action, Control of Non Conforming Products.
  • Control of Documents.
  • Control of Records.
  • Internal Audit.
  • Corrective Action.
  • Preventive Action.
  • Control of Non Conforming Products.

What are the 5 quality procedures? ›

Quality procedures include: quality manual, procedure for the control of documents, procedure for the control of records, procedure for the performance of internal audits, procedure for the control of nonconformity, and procedure for integrating and controlling corrective action and preventive action.

Is internal audit mandatory for ISO 9001? ›

Internal audit is a mandatory requirement of ISO 9001. Internal Audits are conducted internally by the organization. That means the organization initiates and plans this audit.

In what clause of the ISO 9001:2015 standard is the requirement for conducting internal audit specified? ›

Clause 9.2 basically states that internal audits shall be conducted per planned intervals to verify the quality management system conforms to: a company's own requirements, ISO 9001 requirements, and is effectively implemented and maintained.

What is ISO audit criteria? ›

Audit criteria: set of requirements used as a reference against which objective evidence is compared. Note 1 to entry: If the audit criteria are legal (including statutory or regulatory) requirements, the words “compliance” or “non-compliance” are often used in an audit finding.

What is ISO standard for internal audit? ›

ISO 19011 is defined as the standard that sets forth guidelines for auditing management systems. The standard contains guidance on managing an audit program, the principles of auditing, and the evaluation of individuals responsible for managing the audit programs.

How often should internal audits be performed ISO 9001? ›

The frequency of internal audits should depend on the criticality of each process and the perceived need to audit it, but all processes should be formally audited at least once during a 2-year audit cycle.

What are the 7 key principles of quality? ›

The seven principles of quality management are:
  • Engagement of people.
  • Customer focus.
  • Leadership.
  • Process approach.
  • Improvement.
  • Evidence-based decision making.
  • Relationship management.

What are the six mandatory quality procedures? ›

Here are six mandatory ISO 9001 procedures to implement:
  • Control of Documents. It's essential to maintain efficient communication for a seamless business operation. ...
  • Control of Records. ...
  • Internal Audit. ...
  • Control of Non-conforming Products. ...
  • Corrective Action. ...
  • Preventive Action.
22 Nov 2021

What an auditor should not do? ›

However, in my 15 years of experience, I observe there are at least 3 things you should not do as a good auditor.
  • Do not be a “know it all”. ...
  • Do not be arrogant. ...
  • Do not focus on minor things.
18 Mar 2015

What happens if you fail an ISO audit? ›

If you fail an ISO audit, you may face the risk of certified status removal. External audits reveal major non-conformances that the organisation needs to address. Sometimes it may detect issues with the quality management system you were unaware of.

Who conducts ISO audits? ›

1. Internal Audits. An internal ISO audit can be conducted by a designated auditor within your company — if ISO compliance is your goal, an internal audit may be satisfactory for ensuring your company is adopting ISO standards as a model for best practices.



Author: Ouida Strosin DO

Last Updated: 01/28/2023
