Knowing how to do an internal audit properly is one of the most practical skills you can develop as a quality, safety, or environmental professional. An internal audit is not just a compliance tick. Done well, it gives your organisation a clear picture of how the management system is actually performing, not just how it looks on paper. This guide walks you through every stage of the internal audit process, from initial planning through to closing the loop on corrective actions.
What an Internal Audit Is Actually For
Before getting into the mechanics, it helps to be clear on purpose. ISO standards like ISO 9001, ISO 14001, and ISO 45001 all require internal audits under Clause 9.2. The intent is to give the organisation objective evidence about whether the management system conforms to requirements and is being effectively implemented.
That means two things are in scope. First, conformity: does the system meet the requirements of the standard and any internal requirements the organisation has set? Second, effectiveness: is it actually working? A process that is documented beautifully but never followed is still a problem, and internal audits are the mechanism for finding that out before a certification auditor does.
If you want a deeper look at what the clause actually requires, ISO 9001 Clause 9.2 Explained: Internal Audit Requirements covers the specifics in detail.
Step 1: Plan the Audit Programme
An individual audit sits within a broader audit programme. The programme covers the full cycle of audits across the year, ensuring that all processes and relevant clauses are audited at a frequency that reflects their risk and importance.
Risk-based scheduling matters here. A high-risk process like chemical handling, customer complaint management, or a recently changed procedure should be audited more frequently than a stable, low-risk administrative process. The standard does not specify a number of audits per year. It asks you to consider status and importance when setting frequency.
At the programme level, you are deciding what will be audited, when, by whom, and using what criteria. If you are building this from scratch or refining an existing programme, How to Plan an ISO 9001 Internal Audit Schedule for the Year gives you a structured approach.
Step 2: Define the Audit Scope, Objectives, and Criteria
Once you know which audit is coming up, you need to define three things before anything else.
Audit Objectives
What is this particular audit trying to achieve? Common objectives include verifying conformity with specific clauses, checking implementation of a new procedure, or following up on a previous corrective action. Be specific. A vague objective produces a vague audit.
Audit Scope
What is included and what is not? Scope defines the physical boundaries (which sites, departments, or functions), the time period under review, and which processes or clauses are being examined. Be honest about what can be covered in the time available. Trying to audit everything in one session usually means auditing nothing properly.
Audit Criteria
What will you be measuring conformity against? Criteria typically include the relevant ISO standard clauses, the organisation's own documented procedures, legal requirements, and any contractual obligations. Your findings must always be grounded in criteria. Without them, you are expressing opinions, not making audit findings.
Step 3: Select and Assign the Auditor
The auditor conducting the audit must be independent of the activity being audited. This is a fundamental requirement. An auditor cannot audit their own work. In smaller organisations this can be challenging, but it is not impossible. Cross-functional auditing, where a quality team member audits operations and an operations manager audits the quality function, is a common and acceptable approach.
Beyond independence, the auditor needs to be competent. ISO 9001 Clause 7.2 requires the organisation to determine the competence needed for internal auditors and ensure they have it. That means relevant knowledge of the standard, understanding of the process being audited, and the skills to gather evidence and communicate findings clearly.
If you are working out whether your auditors have the right level of training, ISO Lead Auditor vs Internal Auditor: Which Course Do You Need? breaks down the differences between training levels.
Step 4: Prepare the Audit Plan and Checklist
A written audit plan tells everyone what is happening, when, and with whom. It does not need to be long. A one-page document covering the date, scope, objectives, criteria, the auditor's name, the processes being reviewed, and the approximate time allocation for each area is enough.
Send the plan to the auditee in advance. This is not about giving them time to hide problems. It is about basic courtesy and allowing them to have the right people and records available. Surprise audits are rarely more effective and often create unnecessary defensiveness.
Building Your Checklist
A checklist is a guide, not a script. Build it around the audit criteria. For each clause or process being audited, write questions that will generate evidence rather than yes or no answers. Instead of asking “Do you have a procedure for this?” ask “Can you show me how this procedure is applied in practice and give me a recent example?”
Good checklists include space for recording evidence against each question. They prompt you to look at documents, records, physical conditions, and interview responses. They keep you on track when an audit conversation wanders. But they should never stop you following an interesting thread that the auditee raises.
Step 5: Conduct the Opening Meeting
Every internal audit should start with an opening meeting, even if it is brief. The opening meeting serves a specific purpose: it confirms the scope and objectives, introduces the auditor, explains the process, sets expectations about how findings will be communicated, and gives the auditee a chance to raise any concerns or flag anything that has changed since the plan was issued.
Keep it professional but not stiff. You want the auditee to be engaged, not anxious. Explain that the purpose is to improve the system, not to catch people out. Confirm the logistics: where you will be going, who you will be speaking to, when you expect to finish, and how findings will be shared.
For a detailed walkthrough of what to cover, How to Conduct an Opening Meeting for an ISO Audit covers the agenda and common mistakes to avoid.
Step 6: Gather Evidence
This is the core of the audit. Evidence gathering involves three methods used in combination: document and record review, interviews, and observation.
Document and Record Review
Start by reviewing relevant documents before or during the audit. These typically include procedures, work instructions, training records, inspection records, maintenance logs, customer complaint registers, and corrective action records. You are looking for two things: does the documented system meet the requirements, and is there evidence that it is being followed?
Records are particularly important. A procedure tells you what should happen. A record tells you what actually happened. Gaps between the two are where nonconformities live.
Interviews
Talk to the people doing the work, not just the manager. Ask open questions. “Can you walk me through what happens when a customer complaint comes in?” is far more useful than “Do you follow the complaints procedure?” Listen carefully. Follow up on anything vague or inconsistent. If someone says “we usually do it this way,” ask what happens when they do not.
Avoid leading questions. Avoid answering your own questions. Give people time to think. Silence is a legitimate interview tool.
Observation
Walk the floor. Watch how work is actually performed. Look at physical conditions, signage, equipment status, storage practices, and anything else relevant to the process. Observation often reveals things that documents and interviews do not. If a procedure says personal protective equipment must be worn in a particular area and no one is wearing it, that is observable evidence of a nonconformity.
Step 7: Analyse Evidence and Classify Findings
As you gather evidence, you are continuously comparing what you find against the audit criteria. When there is a gap, you need to classify it correctly.
Nonconformity
A nonconformity is a failure to meet a requirement. This could be a requirement of the standard, the organisation's own procedure, or a legal obligation. Nonconformities are graded as major or minor. A major nonconformity is a systematic failure or the complete absence of a required element. A minor nonconformity is an isolated lapse or partial implementation.
Observation or Opportunity for Improvement
Not everything you notice needs to be a nonconformity. If something is technically conforming but could be done better, record it as an observation or opportunity for improvement. These are valuable. They demonstrate that the audit is adding value beyond just finding faults.
Be precise when writing findings. A finding needs to state what requirement was not met, what evidence was observed, and where it was found. Vague findings like “training records need improvement” are not useful. Specific findings like “three of five operators in the welding bay had no record of competency assessment against the welding procedure, contrary to the organisation's training matrix” are actionable.
Step 8: Conduct the Closing Meeting
The closing meeting is where you present your findings to the auditee and relevant management. This is a formal step, not an afterthought. Summarise what was audited, what evidence was reviewed, and what findings were made. Present nonconformities clearly and factually. Give the auditee an opportunity to ask questions or seek clarification.
Do not soften findings to the point where they lose meaning, and do not be unnecessarily harsh. Your job is to report what the evidence shows. If the auditee disagrees with a finding, hear them out. If they provide additional evidence that changes your assessment, update the finding. If they simply do not like the finding, acknowledge their view and record it, but do not withdraw a finding just to avoid conflict.
Confirm the next steps: when the audit report will be issued, the timeframe for corrective action responses, and who is responsible for following up.
Step 9: Write the Audit Report
The audit report is the formal record of the audit. It should be issued promptly, ideally within a week of the audit. A delayed report loses relevance and momentum.
A good internal audit report includes the audit date and scope, the auditor's name, the processes and clauses audited, a summary of what was reviewed, all findings with supporting evidence, any positive observations worth noting, and a clear list of nonconformities requiring corrective action.
Write for the reader. The report will be reviewed by management and may be examined by a certification auditor. It needs to be clear, factual, and free of ambiguity. Avoid jargon where plain language works just as well.
Step 10: Follow Up on Corrective Actions
An audit that finds nonconformities but never follows up on them is worse than no audit at all. It creates a record of known problems without resolution, which is exactly what a certification auditor will ask about.
The auditee is responsible for investigating the root cause of each nonconformity, proposing a corrective action, implementing it, and providing evidence of implementation. The auditor or audit programme manager is responsible for verifying that the corrective action was effective, not just that something was done.
Set realistic timeframes. Minor nonconformities might be resolved in 30 days. More complex issues might need 60 to 90 days. Track them. Chase them if they go overdue. Close them out formally once you have verified effectiveness. This is what makes an internal audit programme genuinely useful rather than a paper exercise.
Common Mistakes to Avoid
Even experienced auditors fall into predictable traps. Here are the ones that come up most often in internal audits.
- Auditing documents instead of the system. Checking that procedures exist is not the same as verifying that they are followed. Always trace from document to practice.
- Asking closed questions. Yes and no answers give you almost nothing. Ask open, process-focused questions.
- Ignoring the floor. Walk the physical space. What you see often contradicts what you are told.
- Writing vague findings. Every finding needs a clear requirement reference, specific evidence, and a location or context. Without these, corrective actions cannot be properly targeted.
- Skipping follow-up. Corrective actions that are never verified are corrective actions that may never actually fix anything.
- Auditing only the easy areas. If the same processes are audited every cycle because they are familiar and comfortable, high-risk areas go unexamined. Rotate coverage and follow the risk.
Building Your Skills as an Internal Auditor
Running internal audits well is a skill that develops with practice. The more audits you conduct, the sharper your evidence-gathering instincts become, the better your interview technique gets, and the more confident you become in writing and presenting findings.
Formal training accelerates that development significantly. An internal auditor course gives you the structured knowledge of the standard, the audit process, and the practical techniques that would otherwise take years of trial and error to accumulate. It also gives you a recognised qualification that demonstrates your competence to management and to certification bodies.
At Audit Workshop, the internal auditor courses for ISO 9001, ISO 14001, and ISO 45001 are built around real audit practice, not just theory. You learn how to plan, conduct, and report audits in a way that actually drives improvement. Courses are available live and self-paced, so you can fit training around your existing role. If you are ready to build your internal auditing capability properly, How to Become an ISO Internal Auditor: A Step by Step Guide is a good place to start.