Why Auditor Independence Is a Non-Negotiable
Auditor independence is one of those concepts that sounds obvious until you try to apply it in a small organisation with three staff members and a quality manager who also runs operations. The question of whether you can audit your own work sits at the heart of how internal audit programmes succeed or fail. Get it wrong and your audit programme becomes a box-ticking exercise that satisfies nobody, least of all your certification body.
On this page
ISO 9001, ISO 14001, and ISO 45001 all require that internal auditors are objective and impartial. ISO 19011, the guidelines that shape how auditing should be conducted, lists impartiality as one of the seven core principles of auditing. This is not a suggestion. It is a foundational requirement that shapes how you assign auditors, plan your programme, and defend your findings when a certification auditor asks who audited what.
This article breaks down what auditor independence actually means in practice, where the line sits between acceptable and unacceptable, and how organisations of all sizes can meet the requirement without tying themselves in knots.
What the Standards Actually Say
The Clause 9.2 Requirement
ISO 9001 Clause 9.2.2 requires that organisations select auditors and conduct audits in a way that ensures objectivity and impartiality. The exact wording states that auditors shall not audit their own work. ISO 14001 and ISO 45001 carry the same requirement in their equivalent clauses. This is not unique to one standard. It runs across the entire family of management system standards built on the High Level Structure.
The clause does not say auditors must come from outside the organisation. It says they must not audit their own work. That distinction matters enormously, especially for smaller organisations where the temptation is to assume the requirement means you need an external party every time.
What ISO 19011 Adds
ISO 19011 goes further by describing impartiality as freedom from bias and conflicts of interest. It acknowledges that threats to impartiality can come from self-interest, familiarity, intimidation, and advocacy. For internal auditors, the most common threat is self-review. You cannot objectively evaluate something you designed, implemented, or are responsible for maintaining.
Understanding how the ISO 19011 guidelines shape modern audit practice gives auditors a much clearer picture of why these principles exist and how to apply them with judgement rather than rigidity.
Auditing Your Own Work: Where the Line Sits
The Clear Cases
Some situations are straightforward. A quality manager who wrote the document control procedure should not audit document control. A safety officer who conducted the hazard identification process should not audit hazard identification. A production supervisor who owns the nonconforming product process should not audit that process.
In each of these cases, the person has a direct stake in the outcome. They designed the system, made decisions about how it works, and are likely to defend those decisions under scrutiny. That is a conflict of interest, full stop.
The Grey Areas
The grey areas are where most of the real-world difficulty lives. Consider these scenarios.
- A quality manager who is responsible for the entire QMS is asked to audit the management review process. They did not run the management review themselves but they did prepare the agenda and collate the inputs. Is that their own work?
- An HSE advisor who contributed to the risk assessment methodology is asked to audit whether hazard identification records are complete. They did not fill in the records but they trained the supervisors who did. Is that their own work?
- A team leader who follows a procedure every day is asked to audit whether the procedure is being followed in their own area. They did not write the procedure but they are responsible for its implementation.
In each of these cases, the answer requires judgement. The test is not just whether you wrote something. It is whether your involvement creates a reasonable risk of bias. If auditing a process would require you to evaluate your own decisions, your own training, or your own oversight, independence is compromised.
The Practical Test
A useful test is to ask: if this audit finds a nonconformity, would I be in a position of having to raise a finding against myself? If the answer is yes, you should not be auditing that area. A finding raised against your own work is not just uncomfortable. It is structurally compromised because you are simultaneously the auditor and the auditee, which means there is no independent check on the process at all.
How Organisations Handle Independence in Practice
Cross-Functional Auditing
The most common and practical solution in medium to large organisations is cross-functional auditing. Auditors from one department audit another department. The accounts team audits production. The operations team audits procurement. This approach works well when you have enough people with sufficient training to rotate across functions.
The key requirement is that auditors have the competence to audit the area they are assigned to. Cross-functional auditing does not mean sending someone completely unfamiliar with management system requirements into a complex technical process and hoping for the best. Auditors need enough understanding of the process to ask the right questions and recognise a nonconformity when they see one.
Peer Auditing Within Departments
In larger departments, peer auditing can work if it is structured carefully. One team member audits the work of another team member in the same function, provided neither of them has direct responsibility for the specific process being audited. This requires clear assignment of audit scope and honest acknowledgement of who owns what.
The risk with peer auditing is familiarity. When you work alongside someone every day, you may unconsciously avoid challenging their work or raising uncomfortable findings. This is one of the threats to impartiality that ISO 19011 identifies explicitly. Familiarity does not automatically disqualify an auditor but it does require awareness and active management.
Outsourcing Internal Audits
Some organisations, particularly small ones, outsource their internal audits entirely to an external consultant or auditing firm. This is a legitimate approach and it solves the independence problem cleanly. An external auditor has no stake in the outcome and no prior involvement in the processes being audited.
The trade-off is cost and continuity. External auditors need time to understand your processes and context. They may miss nuances that an internal auditor would catch immediately. And they are not available for the kind of ongoing audit activity that a mature programme requires. Outsourcing works best as a supplement to internal capability, not a replacement for it.
The Small Organisation Challenge
This is where many organisations genuinely struggle. If you have five staff members and two of them have any kind of management system responsibility, your options are limited. A common and defensible approach is to have the person with the least involvement in a particular area conduct the audit of that area, even if their independence is not perfect.
In these cases, transparency is critical. Document the rationale for your auditor assignments. Acknowledge the limitation in your audit programme. Show that you have made a genuine effort to achieve the best available level of independence given your constraints. Certification bodies understand the reality of small organisations. What they do not accept is no consideration of independence at all.
For more on how to structure an audit programme that works within your organisation's constraints, the article on how to build an internal audit programme from scratch covers the planning decisions in detail.
Common Audit Programme Failures Related to Independence
The Quality Manager Who Audits Everything
This is the most frequently observed failure in small to medium organisations. The quality manager, who is responsible for the entire management system, conducts all internal audits. They audit document control, management review, corrective actions, operational processes, and everything else. Every finding goes back to the quality manager to close. The loop is entirely self-referential.
This is not an internal audit programme. It is a quality manager reviewing their own work and calling it an audit. Certification bodies find this regularly and raise it as a nonconformity. The fix is not complicated but it does require the organisation to invest in training additional auditors or engaging external support.
Nominal Independence That Does Not Hold Up
A variation on the above is where organisations assign auditors who appear independent on paper but are not in practice. For example, a quality manager nominates a colleague as the auditor but then sits in on every audit, directs the questioning, and writes the report. The colleague is listed as the auditor but the quality manager is doing the work.
Certification auditors are experienced at spotting this. They will ask the nominated auditor to describe how they conducted the audit, what evidence they gathered, and how they reached their conclusions. If the auditor cannot answer these questions independently, the programme's integrity is in question.
Auditing the Programme but Not the Practice
Another common issue is auditors who check whether procedures exist and records are present but do not actually evaluate whether the process is working effectively. This often happens when auditors are too close to the process and unconsciously avoid the questions that might surface uncomfortable findings.
Genuine independence requires the willingness to raise findings even when they are inconvenient. An auditor who is too familiar with or too invested in a process will tend to interpret ambiguous evidence favourably. That is a bias problem, even if it is not deliberate.
Documenting Auditor Independence
What Your Audit Programme Should Record
Your documented audit programme should show, at minimum, who audited what and the basis for their assignment. When a certification auditor reviews your internal audit records, they will look for evidence that the independence requirement was considered and applied. This means your audit schedule or assignment records should show that auditors were not assigned to areas they are responsible for.
You do not need a complex independence matrix, though one can be helpful. A simple record that shows auditor name, area audited, and their normal role or responsibility is enough to demonstrate that you have thought about this. If there is a limitation, note it and explain the compensating measures you applied.
Auditor Competence Records
Independence is only part of the picture. The other part is competence. An independent auditor who lacks the knowledge to audit a process effectively is not actually providing assurance. Your records should show that assigned auditors have the training and experience to audit the areas they are responsible for.
This is where formal auditor training becomes important. An auditor who has completed a recognised internal auditor course has demonstrated a baseline of competence that supports the credibility of your programme. For guidance on what that training involves and what level is appropriate, the article on internal auditor competence: what ISO expects covers this in practical terms.
Independence in the Context of ISO 19011:2026
The 2026 revision of ISO 19011 has brought renewed attention to audit programme risks, including threats to impartiality. The updated guidelines give more explicit guidance on identifying and managing conflicts of interest, and they extend the discussion to include digital tools and remote auditing contexts where independence risks can be less visible.
For organisations updating their audit programmes in response to these changes, the key question is whether your current auditor assignment process adequately addresses the independence requirement. If your programme was designed years ago and has not been reviewed since, it is worth checking whether your current arrangements still hold up against the updated guidance.
Practical Steps to Strengthen Independence
If you are reviewing your audit programme with independence in mind, here are the practical steps worth taking.
- Map your auditors against your processes. List every process in scope for internal audit and identify who has responsibility for each one. Then check whether any of your assigned auditors have responsibility for the processes they are auditing.
- Train additional auditors. If your programme relies on one or two people, you do not have enough capacity to maintain genuine independence. Training additional staff as internal auditors gives you the flexibility to rotate assignments properly.
- Document your rationale. For every audit assignment, record why that auditor was chosen and confirm they have no direct responsibility for the area being audited. If there is a limitation, document it and the steps taken to mitigate it.
- Review auditor assignments annually. People change roles. A person who was genuinely independent when first assigned may have taken on new responsibilities that create a conflict. Your annual programme review should include a check of auditor independence.
- Consider external support for high-risk areas. If you have a process that is critical to your certification and you cannot find an independent internal auditor for it, engaging an external auditor for that specific area is a reasonable and defensible decision.
What Happens When Independence Is Challenged
If a certification auditor challenges the independence of your internal audit programme, the most important thing is to respond with evidence, not defensiveness. Show your auditor assignment records. Explain the rationale for each assignment. If there is a gap, acknowledge it and describe what you are doing to address it.
A nonconformity against Clause 9.2 for failure to ensure auditor independence is not the end of the world. It is a finding that requires a root cause analysis and a corrective action. The corrective action is usually straightforward: train additional auditors, revise your assignment process, or engage external support. What matters is that you take it seriously and address the underlying issue rather than just updating a document.
If you want to build a stronger foundation for your internal audit programme, including how to handle independence requirements from the start, Audit Workshop offers internal auditor training for ISO 9001, ISO 14001, and ISO 45001. The courses are built around practical audit scenarios rather than theory alone, which means you come away with the judgement to handle real situations like the ones described in this article. You can explore the available courses at auditworkshop.com.
