
Building an Internal Audit Programme: A Practical Guide for Quality and HSE Managers

Team @ Audit Workshop

Why Your Internal Audit Programme Is More Than a Schedule

Most organisations have some form of internal audit activity happening. A few audits get done each year, findings are raised, corrective actions are logged, and the certification body seems satisfied. But there is a difference between running audits and running an effective internal audit programme.

An audit programme is the overarching plan that governs how internal audits are managed across a defined period, typically a year. It sets out what will be audited, when, by whom, and with what scope. It accounts for risk. It ensures coverage. And it feeds into management review in a meaningful way.

ISO 9001 Clause 9.2, ISO 14001 Clause 9.2, and ISO 45001 Clause 9.2 all require a programme, not just individual audits. Yet in practice, many organisations treat the programme as an afterthought and focus all their energy on individual audit events. This article walks through how to build an internal audit programme that actually works, from the ground up.

What an Internal Audit Programme Must Include

Before you start scheduling audits, it helps to understand what the standards actually require from the programme itself. All three major management system standards, ISO 9001, ISO 14001, and ISO 45001, use similar language. They require that the audit programme takes into account the importance of the processes concerned, changes affecting the organisation, and the results of previous audits.

In practical terms, this means your programme needs to address the following elements.

Defined Objectives

What is the programme trying to achieve? This sounds obvious, but many programmes have no stated objectives. The objective might be to verify conformity with the standard, to assess whether the management system is effectively implemented, or to identify improvement opportunities. Stating the objective upfront shapes every decision that follows.

Scope and Coverage

The programme needs to cover all processes and areas within the scope of your management system over the audit cycle, which is typically twelve months. This does not mean every process gets equal attention. Higher risk processes and areas with previous nonconformities should receive more frequent or more detailed audit coverage.

Frequency

How often each area or process gets audited should reflect risk, not convenience. A warehouse with a history of nonconformances around stock control warrants more frequent attention than a stable administrative process that has been running cleanly for three years. Risk based frequency is a requirement under the standards, not optional.

Responsibilities

Who manages the programme? Who conducts each audit? The programme should assign clear ownership. The programme manager, often the quality or HSE manager, is responsible for planning, resourcing, and reviewing the programme. Individual auditors are responsible for executing assigned audits to the required standard.

Auditor Competence and Independence

ISO 19011 is clear that auditors must be competent for the audits they are assigned. Competence includes knowledge of the standard, understanding of the process being audited, and auditing skills. Independence is equally important. Auditors must not audit their own work. For small organisations this can be a genuine constraint, and the programme needs to account for it.

Documented Information

The programme must be documented. This includes the programme plan itself, individual audit plans, audit reports, and records of findings and corrective actions. The exact format is up to you, but the records must be retained and available for review by the certification body.

Step One: Map Your Management System Scope

You cannot build a credible audit programme without first being clear on what your management system covers. Pull out your scope statement and list every process, function, and location included.

For a small single site business this might be straightforward. For a multi site or multi function organisation, the mapping exercise takes more effort but is essential. Common process areas for an ISO 9001 programme include sales and customer requirements, design and development, procurement and supplier management, production or service delivery, inspection and testing, and management review. For ISO 14001 you would add environmental aspects and impacts management, legal compliance, and emergency preparedness. For ISO 45001, hazard identification, risk assessment, and incident investigation come into the picture.

Once you have the full list, you have the raw material for your audit schedule. Every item on that list needs to be audited at least once across the programme cycle.

Step Two: Apply Risk to Determine Frequency and Depth

Not every process deserves the same level of audit attention. Risk based scheduling is one of the most important concepts in modern audit programme design, and it is explicitly required by the standards.

When deciding how much audit attention to direct at each process or area, consider the following factors.

  • Significance of the process: Processes that directly affect product quality, environmental impact, or worker safety carry higher inherent risk and warrant more frequent auditing.
  • History of nonconformities: Areas that have generated nonconformities in previous audit cycles, whether internal or external, should receive increased attention until the root cause has been resolved and the fix has held.
  • Recent changes: New processes, new equipment, organisational restructures, or changes to key personnel all introduce risk. These areas should be prioritised in the programme following the change.
  • Regulatory and legal exposure: For environmental and safety management systems, processes with significant legal obligations or compliance risk deserve closer scrutiny.
  • Customer or stakeholder sensitivity: Processes that directly touch customer requirements or that have generated complaints warrant more frequent review.

A practical way to apply this is to create a simple risk rating for each process area (high, medium, or low) and use that rating to determine audit frequency. High risk areas might be audited twice per year or more. Low risk, stable areas might be audited once per year, or even once across a two year cycle if your programme structure allows it.

For a deeper look at how to approach this, the article on risk based audit scheduling covers the decision making process in detail.

Step Three: Build the Annual Audit Schedule

With your process map and risk ratings in hand, you can now build the schedule. The schedule is the calendar view of the programme. It shows which audits will happen, when, and who will conduct them.

A few practical points to keep in mind when building the schedule.

Spread Audits Across the Year

Avoid clustering all your audits in the months immediately before a certification or surveillance audit. This is a common trap. If you do all your internal auditing in October and your external audit is in November, you have no real audit cycle. You have a pre audit scramble. Spread audits evenly across the year so that findings can be addressed and improvements verified before the next round.

Allow Time for Corrective Action

Build enough lead time between an internal audit and the next external audit to allow corrective actions to be implemented and verified. Raising a nonconformity two weeks before a certification audit is not useful to anyone.

Account for Operational Constraints

Scheduling an audit of the production floor during the annual shutdown or the financial year end close is going to create friction. Work with operational managers to identify periods when audits can be conducted with minimal disruption and when the right people will be available.

Assign Auditors at the Planning Stage

Do not leave auditor assignment to the last minute. Assign auditors when you build the schedule, check for independence conflicts, and confirm that the assigned auditor has the competence required for that particular process or area.

If you are building a schedule for ISO 9001 specifically, the article on how to plan an ISO 9001 internal audit schedule for the year provides a worked example that you can adapt.
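Steps One to Three, carried through as an added worked example that is not part of the article or of Audit Workshop's own material: a small Python scheduler that lists the in-scope processes, raises a process's risk rating one level when it has open nonconformities or a recent change, converts the rating into a number of audits per cycle, spreads those audits evenly over the months that are not blacked out (reserving lead time before the external audit), and assigns an auditor at planning time only if they are independent of the auditee department and competent for the process. The processes, departments, auditors, frequency table, blackout month and external audit month are constructed assumptions, not figures from the article.

```python
"""Risk-based internal audit scheduler.

Added illustration, not Audit Workshop's own tool. It encodes the rules from
Steps One to Three: every in-scope process is audited at least once per cycle,
frequency follows the risk rating (raised one level for open nonconformities or
recent changes), audit events are spread evenly over the months that are not
blacked out, lead time is reserved before the external audit, and each auditor
must be independent of the auditee department and competent for the process.
Frequencies, departments, auditors and processes below are assumed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Audits per 12-month cycle by risk rating (assumed; high risk "twice per year").
FREQUENCY = {"high": 2, "medium": 1, "low": 1}
ESCALATE = {"low": "medium", "medium": "high", "high": "high"}
RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Process:
    name: str
    department: str
    risk: str                       # baseline rating: "high", "medium" or "low"
    open_ncs: int = 0               # nonconformities still open from the last cycle
    recently_changed: bool = False  # new equipment, restructure, key staff change


@dataclass
class Auditor:
    name: str
    department: str
    competencies: set = field(default_factory=set)  # process names they may audit


@dataclass
class AuditEvent:
    month: int
    process: Process
    auditor: Auditor


def effective_risk(p: Process) -> str:
    """Step Two: history of nonconformities or recent change raises the rating."""
    return ESCALATE[p.risk] if (p.open_ncs > 0 or p.recently_changed) else p.risk


def available_months(blackout=(), external_audit_month=None, lead_time=2):
    """Months usable for internal audits: drop operational blackouts, the external
    audit month and the lead-time months before it (corrective action window)."""
    excluded = set(blackout)
    if external_audit_month:
        for k in range(lead_time + 1):
            excluded.add((external_audit_month - 1 - k) % 12 + 1)
    return [m for m in range(1, 13) if m not in excluded]


def pick_auditor(process, auditors, load):
    """Independence (not the auditee's department) plus competence; least loaded wins."""
    eligible = [a for a in auditors
                if a.department != process.department and process.name in a.competencies]
    if not eligible:
        raise ValueError(f"no independent, competent auditor for {process.name}")
    return min(eligible, key=lambda a: load[a.name])


def build_schedule(processes, auditors, months):
    """Step Three: place each process's audits half a cycle apart, starting in the
    least loaded month, and assign an auditor at the planning stage."""
    month_load = {m: 0 for m in months}
    auditor_load = defaultdict(int)
    events = []
    for p in sorted(processes, key=lambda p: RANK[effective_risk(p)]):
        n = FREQUENCY[effective_risk(p)]
        start = months.index(min(months, key=lambda m: month_load[m]))
        for i in range(n):
            month = months[(start + i * len(months) // n) % len(months)]
            auditor = pick_auditor(p, auditors, auditor_load)
            month_load[month] += 1
            auditor_load[auditor.name] += 1
            events.append(AuditEvent(month, p, auditor))
    return sorted(events, key=lambda e: e.month)


def coverage_gaps(schedule, processes):
    """Programme check: every in-scope process must appear at least once."""
    scheduled = {e.process.name for e in schedule}
    return [p.name for p in processes if p.name not in scheduled]


# Constructed sample data: a single-site scope with a mixed ISO 9001 / ISO 45001 flavour.
PROCESSES = [
    Process("Stock Control", "Warehouse", "high", open_ncs=1),
    Process("Production", "Operations", "medium", recently_changed=True),
    Process("Procurement", "Purchasing", "medium"),
    Process("Design and Development", "Engineering", "medium"),
    Process("Emergency Preparedness", "HSE", "medium"),
    Process("Management Review", "Management", "low"),
]
AUDITORS = [
    Auditor("Tom", "Warehouse", {"Production", "Procurement", "Management Review"}),
    Auditor("Lena", "Operations", {"Stock Control", "Design and Development", "Emergency Preparedness"}),
    Auditor("Priya", "Quality", {p.name for p in PROCESSES}),
]
# Assumed constraints: annual shutdown in August, external surveillance audit in November.
MONTHS = available_months(blackout=(8,), external_audit_month=11, lead_time=2)
SCHEDULE = build_schedule(PROCESSES, AUDITORS, MONTHS)

if __name__ == "__main__":
    for e in SCHEDULE:
        print(f"month {e.month:2d}  {e.process.name:24s} ({effective_risk(e.process):6s})  auditor: {e.auditor.name}")
    print("coverage gaps:", coverage_gaps(SCHEDULE, PROCESSES))
```

With the sample data the eight audit events land one per month across January to July and December, the two high risk processes are audited half a cycle apart, September to November stay free for corrective action before the external audit, and Tom (Warehouse) is never assigned to Stock Control. Scheduling a process that only its own department's auditor is competent for raises a ValueError, which is the competence gap the article says must be closed before the audit is scheduled.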

Step Four: Define the Audit Criteria and Scope for Each Audit

The programme tells you what will be audited and when. Before each individual audit takes place, you need to define the audit criteria and scope for that specific audit event.

Audit criteria are the requirements you will audit against. These might be specific clauses of the standard, internal procedures, legal requirements, or customer specifications. Defining the criteria upfront keeps the audit focused and ensures the auditor is comparing what they find against a defined benchmark.

Audit scope defines the boundaries of the specific audit. Which processes, locations, time periods, and activities are included? A clearly defined scope prevents scope creep during the audit and ensures the auditee knows what to expect.

Both the criteria and scope should be documented in the individual audit plan and communicated to the auditee before the audit begins.

Step Five: Select and Manage Your Internal Auditors

The quality of your audit programme is only as good as the people conducting the audits. Auditor selection and competence management is a genuine programme management responsibility, not just a box to tick.

What Competence Looks Like

ISO 19011 identifies several dimensions of auditor competence. These include knowledge of the relevant standard, understanding of management systems and auditing principles, knowledge of the sector and processes being audited, and the personal attributes needed to conduct an effective audit, such as the ability to ask good questions, listen carefully, and remain objective under pressure.

Formal Training

Internal auditors should hold recognised training in auditing. An ISO internal auditor course provides the foundational knowledge and skills needed to plan and conduct audits effectively. Without this training, auditors often default to checking documents rather than assessing process effectiveness, which produces weak findings and misses the real issues.

Maintaining a Competence Record

Keep a record of each auditor's training, qualifications, and audit experience. This record serves as evidence for your certification body and helps you identify gaps when planning future audits. If a new process is added to your scope and none of your current auditors have relevant experience, that is a gap you need to address before scheduling the audit.

Independence

Auditors must not audit their own work or the work of their immediate team. In small organisations this can require some creative scheduling. Options include cross departmental auditing, bringing in an auditor from another site, or using an external resource for specific audits. Whatever approach you take, the independence requirement is non negotiable.

Step Six: Monitor, Review, and Improve the Programme

An audit programme is not a set and forget document. ISO 9001 Clause 9.2.2, ISO 14001 Clause 9.2.2, and ISO 45001 Clause 9.2.2 all require that the programme be reviewed and updated as needed.

Programme review should happen at least annually, typically as part of management review. The review should consider the following questions.

  • Were all planned audits completed on schedule?
  • Were the audit objectives achieved?
  • What did the programme find? Were findings consistent with the risks identified in the planning stage?
  • Were corrective actions implemented effectively and on time?
  • Are there processes or areas that need more attention in the next cycle?
  • Has anything changed in the organisation that should affect the programme design?

The outputs of this review feed directly into the next programme cycle. If audits were consistently finding nonconformities in supplier management, the next cycle should allocate more audit time to that area. If a previously high risk area has been stable for two years, it may be appropriate to reduce the frequency of audits there.

This is also the point at which you review auditor performance. Were audit reports clear and well evidenced? Were findings graded correctly? Did auditors follow up on corrective actions as required? If gaps are identified, address them through additional training or coaching.

Common Mistakes to Avoid

After conducting and reviewing hundreds of internal audit programmes across different industries, certain mistakes appear repeatedly. Here are the ones worth specifically avoiding.

Treating the Programme as a Compliance Exercise

The worst audit programmes are designed to satisfy the certification body rather than to improve the organisation. Audits are scheduled to tick boxes, findings are kept superficial to avoid conflict, and corrective actions are closed without genuine resolution. This approach wastes everyone's time and adds no value. Design your programme to find real issues and drive real improvement.

Ignoring Previous Findings

If the same nonconformity appears in consecutive audit cycles, that is a programme failure. Either the corrective action was not effective, or the root cause was never properly identified. The programme should track repeat findings and flag them for escalation.

Underprepared Auditors

Sending an untrained or underprepared auditor into an audit is worse than not auditing at all. They will miss issues, ask the wrong questions, and produce reports that carry no weight with management. Invest in auditor training before you invest in audit frequency.

No Follow Up on Corrective Actions

Raising findings without following up on corrective actions is one of the most common programme weaknesses. The programme must include a mechanism for tracking corrective actions to completion and verifying their effectiveness. This is not optional under any of the three main management system standards.

Connecting the Programme to Management Review

One of the most important functions of the internal audit programme is to feed useful information into management review. ISO 9001 Clause 9.3, ISO 14001 Clause 9.3, and ISO 45001 Clause 9.3 all require that internal audit results be an input to management review.

This means the programme needs to produce information that is actually useful for management decision making. Summary reports that list findings without analysis do not help management understand where the system is performing well and where it is not. Trend analysis, repeat finding identification, and coverage reporting give management the information they need to make informed decisions about resources, priorities, and system improvements.

Build your programme reporting with management review in mind from the start. Decide what information management needs and design your audit reports and programme summaries to deliver it.

Getting Your Team Audit Ready

A well designed programme is only effective if the people being audited understand what is expected of them. Preparing your team for internal audits reduces friction, improves the quality of evidence gathered, and makes the audit process more productive for everyone involved.

The article on how to prepare your team for an internal audit covers this in detail, including how to communicate the audit purpose, what auditees should have ready, and how to manage common concerns about the process.

Training Your Internal Auditors

If you are building or rebuilding your internal audit programme and your auditors have not completed formal training, that is the first gap to close. An internal auditor course provides the knowledge and practical skills needed to plan audits, gather evidence, write findings, and contribute meaningfully to the programme.

At Audit Workshop, the internal auditor courses for ISO 9001, ISO 14001, and ISO 45001 are designed for practitioners who want to audit confidently, not just understand the theory. Courses are available in live virtual and self paced formats, and are recognised through Exemplar Global. Whether you are training yourself or upskilling your audit team, completing formal training before launching a new audit programme cycle is the most practical investment you can make.

You can explore the available courses at auditworkshop.com.

Frequently Asked Questions

An audit programme is the overarching arrangement that covers all internal audit activity across a defined period, typically one year. It sets out what will be audited, how often, by whom, and with what resources. An audit plan is the specific document prepared for an individual audit event. It details the scope, criteria, timing, and logistics for that particular audit. The programme contains many plans across the cycle.