How Often Should Internal Audits Happen? A Practical Guide for ISO-Certified Organisations

Team @ Audit Workshop


One of the most common questions quality and HSE managers ask is how often internal audits should happen. The answer is not a fixed number. ISO standards deliberately avoid prescribing a specific frequency, and for good reason. What works for a 10-person engineering firm will not suit a 500-person manufacturer with a complex supply chain. Internal audit frequency should be driven by risk, the size and complexity of your operations, and what past audits have revealed. This article breaks down what the standards actually require, how to apply risk-based thinking to your audit schedule, and what experienced auditors look for when they review your programme.

What ISO Standards Actually Say About Audit Frequency

ISO 9001, ISO 14001, and ISO 45001 all contain internal audit requirements, and none of them state a minimum number of audits per year. What they do require is that audits are conducted at planned intervals. That phrase is important because it places the responsibility on you to determine what intervals are appropriate for your organisation.

Clause 9.2 of ISO 9001, for example, requires that the organisation conducts internal audits at planned intervals to provide information on whether the quality management system conforms to requirements and is effectively implemented. ISO 14001 and ISO 45001 carry equivalent requirements under their respective Clause 9.2 provisions.

The standard also requires you to take into account the importance of the processes concerned and the results of previous audits when planning your programme. This is the clearest signal that frequency should be risk-based, not arbitrary.

If your certification body asks why you only audited certain processes once in three years, you need a documented rationale. If your answer is simply that nothing went wrong, that may not be sufficient. If your answer is that the process is low-risk, stable, and previous audits have consistently found conformance, that is a defensible position.

The Minimum Expectation in Practice

While the standards do not state a number, certification bodies and experienced auditors have a practical expectation. Every clause of your management system, and every significant process within your scope, should be audited at least once within each three-year certification cycle. Most organisations interpret this as auditing the full scope at least once per year.

Annual coverage of the entire system is the baseline most organisations work to. From there, higher-risk processes, areas with recurring nonconformities, or processes that have undergone significant change should be audited more frequently.

If you are running a simple management system in a low-risk environment, one full cycle of internal audits per year may be entirely appropriate. If you are managing a complex integrated system across multiple sites, with significant environmental aspects or serious safety hazards, quarterly or even monthly audits of specific processes may be warranted.

Risk-Based Audit Scheduling: The Practical Approach

Risk-based thinking is central to all three ISO management system standards. It should also drive your internal audit schedule. The question is not how often do we audit in general, but how often do we need to audit each specific process or area given what we know about it.

Factors That Increase Audit Frequency

  • Previous nonconformities: If a process has generated major or repeat nonconformities, audit it more frequently until you have confidence the issues, including any systemic causes, are resolved.
  • High-risk activities: Processes involving significant safety hazards, significant environmental aspects, or critical quality characteristics should receive more audit attention.
  • Recent changes: New equipment, new personnel, new procedures, or changes to regulatory requirements all increase the likelihood of gaps. Audit sooner after changes occur.
  • Regulatory or legal significance: Processes tied to legal compliance obligations, particularly under ISO 14001 and ISO 45001, warrant more frequent review.
  • Customer complaints or product failures: If a process is linked to customer dissatisfaction or product escapes, increase the frequency until you understand the root cause and verify the fix is holding.
  • High staff turnover: Areas with frequent personnel changes are more likely to drift from documented procedures.

Factors That Support Less Frequent Auditing

  • Consistent conformance over multiple audit cycles: A process that has been audited several times with no findings is a lower-risk candidate for reduced frequency.
  • Stable processes with experienced, long-tenured staff: Stability reduces the likelihood of undiscovered gaps.
  • Low consequence of failure: Processes where a gap would have minimal impact on quality, safety, or environmental performance can be audited less often.
  • Strong monitoring and measurement in place: If a process is subject to robust ongoing monitoring, the internal audit can afford to be less frequent.

Document your rationale. When your certification body auditor reviews your audit programme, they will want to see that frequency decisions were deliberate and defensible, not just a matter of fitting everything into the calendar.

How to Structure Your Annual Audit Programme

Most organisations plan their internal audit programme at the start of each year or certification cycle. The programme should map out which processes or clauses will be audited, when, and by whom. It does not need to be elaborate, but it does need to be documented.

A practical approach is to start with your process list or clause list and assign a risk rating to each. High-risk processes get audited more frequently, perhaps twice a year or quarterly. Medium-risk processes get audited once a year. Low-risk processes might be audited once every 18 months, provided you can justify that decision.

Spread audits throughout the year rather than clustering them all before your surveillance audit. Certification bodies notice when all internal audits happen in the two months before their visit. It looks like compliance theatre rather than genuine system management.

For organisations running integrated systems across ISO 9001, ISO 14001, and ISO 45001, consider combined audits that cover all three standards in a single process review. This reduces the burden on operational staff while still achieving full coverage. For more on planning your schedule, the article on how to plan an ISO 9001 internal audit schedule for the year covers the mechanics in detail.

Specific Guidance by Standard

ISO 9001 Internal Audit Frequency

For quality management systems, the typical expectation is that every clause and every significant process is audited at least once per year. High-volume production processes, customer-facing processes, and any process that has generated nonconformities in the past should be audited more frequently.

Pay particular attention to Clause 8 processes, which cover operational planning, customer requirements, design and development, supplier control, production and service provision, and control of nonconforming outputs. These are where most quality failures originate, and they deserve proportionally more audit time and frequency.

ISO 14001 Internal Audit Frequency

For environmental management systems, audit frequency should reflect the significance of your environmental aspects and your compliance obligations. Processes tied to significant environmental aspects, such as waste handling, chemical storage, or emissions to air and water, should be audited more frequently than administrative processes with negligible environmental impact.

Compliance evaluation under Clause 9.1.2 is a separate requirement from internal auditing, but the two should be coordinated. If your compliance evaluation has identified gaps in meeting legal obligations, your audit programme should respond by increasing frequency in those areas.

ISO 45001 Internal Audit Frequency

For occupational health and safety management systems, audit frequency should be highest in areas with the greatest risk to worker health and safety. High-risk work environments, processes involving critical controls for serious hazards, and areas with recent incidents or near misses all warrant more frequent auditing.

Worker participation requirements under ISO 45001 also mean that auditors should be engaging workers directly during audits, not just reviewing documents. This takes time, and it is a reason to build adequate time into your audit schedule rather than rushing through processes to tick boxes.

What Happens When Audit Frequency Is Inadequate

If your certification body auditor determines that your internal audit programme does not provide adequate coverage of your management system, you are likely to receive a nonconformity. The most common finding is that certain processes or clauses have not been audited within a reasonable period, or that the programme does not reflect risk-based scheduling.

A common scenario is an organisation that audits the same three easy processes every year and avoids the complex or politically sensitive ones. Certification auditors are experienced at spotting this pattern. They will ask to see your audit records for the full scope, and gaps will be evident quickly.

Another frequent issue is organisations that complete audits but do not follow up on findings before the next audit cycle. If nonconformities from the previous year are still open when the certification auditor arrives, that raises questions about both your corrective action process and the effectiveness of your audit programme. The article on how to build an internal audit programme from scratch covers the full structure of a compliant programme.

Practical Tips for Getting Frequency Right

Review and Adjust Your Programme Annually

Your audit programme should not be a static document. At the end of each year, review what the audits found, what changed in your operations, and whether the frequency decisions you made at the start of the year were appropriate. If a process generated three nonconformities in one audit, increase its frequency next year. If a process has been clean for three consecutive years, consider whether you can reduce its frequency and redirect audit resources elsewhere.

Do Not Wait for Problems to Schedule Audits

Internal audits are a preventive tool, not just a reactive one. Waiting until something goes wrong before scheduling an audit defeats the purpose. Build your programme proactively, and treat it as a genuine management tool rather than a compliance obligation to be minimised.

Align Audit Timing with Operational Cycles

Audit processes when they are actually running. Auditing a seasonal process during the off-season will produce limited evidence and limited value. Schedule audits when the work is happening so you can observe the process in action, interview the people doing the work, and sample real records.

Account for Management Review Inputs

Internal audit results are a mandatory input to management review under all three standards. Plan your audit programme so that a meaningful number of audits are completed before each management review meeting. This gives management real data to work with rather than a summary of audits that have not yet happened.

Keep Records of Your Programme Decisions

Document why you chose the frequencies you did. A brief note in your audit programme explaining that a particular process is audited twice per year due to previous nonconformities, or once every 18 months due to consistently clean results and low risk, demonstrates that your programme is managed thoughtfully. This documentation also protects you when questions are raised during certification audits.

Unannounced and Short-Notice Audits

Most internal audits are planned well in advance, but there is value in occasionally conducting short-notice or unannounced audits, particularly in high-risk areas or where previous audits have raised concerns about whether the documented system reflects actual practice.

Unannounced audits tend to reveal the true state of the system. When people know an audit is coming two weeks in advance, they tidy up records, refresh their knowledge of procedures, and put their best foot forward. That is not necessarily a problem, but it does mean that planned audits alone may not give you a complete picture.

Use unannounced audits selectively. They can create anxiety if overused, and they require a culture where auditing is seen as a genuine improvement tool rather than a policing exercise. Building that culture takes time and consistent behaviour from auditors and management alike.

The Link Between Frequency and Auditor Competence

Increasing audit frequency is only valuable if the audits are conducted competently. An internal auditor who is not properly trained will miss findings regardless of how often they audit. If your organisation is relying on untrained staff to conduct internal audits, the first priority should be getting them properly trained, not simply scheduling more audits.

ISO 9001, ISO 14001, and ISO 45001 all require that internal auditors are competent. Competence means having the knowledge, skills, and attributes to conduct audits effectively. This includes understanding the relevant standard, knowing how to gather evidence, how to write findings, and how to conduct audit interviews without leading or intimidating auditees.

If you are building or refreshing your internal audit capability, the step-by-step guide to becoming an ISO internal auditor covers the competence requirements and training pathways in detail.

A Word on Small Organisations

Small organisations sometimes struggle with internal audit frequency because they have limited people to conduct audits, and the requirement for auditor independence means the person managing a process cannot audit their own work. In a five-person business, this can create genuine practical challenges.

The solutions include training multiple staff members to conduct audits so you have coverage across different processes, using a trusted external party to conduct some or all of your internal audits, or structuring the audit programme so that staff audit processes outside their own area of responsibility.

The standard does not require a dedicated internal audit team. It requires that audits are conducted by competent people who are objective and impartial with respect to the activity being audited. Small organisations can meet this requirement with creative scheduling and appropriate training.

Summary: Getting Internal Audit Frequency Right

There is no single correct answer to how often internal audits should happen. The right frequency for your organisation depends on the risk profile of your processes, the results of previous audits, the complexity of your operations, and any changes that have occurred since the last audit cycle.

The baseline expectation is that every significant process and every relevant clause is audited at least once within the certification cycle, which most organisations achieve with an annual programme. From that baseline, risk-based thinking should drive you to audit some areas more frequently and allow you to justify less frequent auditing of stable, low-risk processes.

Document your rationale, review your programme annually, and treat internal auditing as a genuine management tool. When you do that, frequency becomes a strategic decision rather than a compliance headache.

If you want to build the skills to design and conduct effective internal audits, Audit Workshop offers internal auditor training for ISO 9001, ISO 14001, and ISO 45001. The courses are built around practical audit skills, not just theory, and are delivered by an experienced lead auditor who has conducted hundreds of real certification audits. Whether you are new to auditing or looking to sharpen an existing programme, the guide to choosing an internal audit training course is a useful starting point.

Frequently Asked Questions

ISO 9001 does not specify a minimum number of internal audits per year. It requires audits to be conducted at planned intervals, with frequency determined by the importance of the processes involved and the results of previous audits. In practice, most organisations audit their full system at least once per year, with higher-risk processes audited more frequently.