Most organisations approach their ISO 9001 internal audit schedule as an afterthought. They slot audits into the calendar around busy periods, assign whoever is available, and hope the coverage ticks the box. By mid year, audits slip, documentation falls behind, and when the certification body arrives, half the planned schedule has never materialised. The result is a rushed, reactive approach that fails to deliver the continuous improvement that internal auditing is meant to provide.
On this page
Planning an internal audit schedule properly is fundamentally different. It requires intentional design, honest assessment of your organisation's complexity and resources, and a commitment to follow through consistently across twelve months. This is where audit programmes succeed and compliance becomes embedded rather than bolted on.
Understanding What ISO 9001 Actually Requires
Clause 9.2 of ISO 9001:2015 sets out the mandatory requirements for internal audits. The standard requires your organisation to conduct internal audits at planned intervals to provide information on whether your quality management system (QMS) conforms to your own requirements and to the requirements of ISO 9001. It must also determine whether the QMS is effectively implemented and maintained.
The key word here is "planned intervals". This does not mean audits happen randomly when someone remembers them. It means your organisation must determine what interval makes sense for each process or functional area, document that intention, and then execute against it consistently throughout the year. ISO 9001 Clause 9.2 Explained provides detailed guidance on what the standard actually expects, and it goes well beyond just having audits happen.
Your audit schedule must also cover all processes and functions within the QMS scope. This does not necessarily mean auditing everything with equal frequency. A low risk, stable process might be audited annually, while a critical customer facing process might be audited quarterly. The schedule must be deliberate and justified.
Additionally, the standard requires that internal audits be conducted by competent individuals who are impartial and independent. If your organisation relies entirely on external auditors or consultants to deliver internal audits, you are not meeting the spirit of the requirement, which is to build internal capability and ownership. How to Become an ISO Internal Auditor explains the practical pathway to developing this capability within your team.
Conducting a Process Risk Assessment to Set Audit Frequency
The starting point for scheduling is understanding which processes matter most to your QMS. Not all processes carry equal risk or importance. A manufacturing organisation's production scheduling process is critical to delivery and cost management. The same organisation's document control process, while necessary, is lower risk because failures are more easily detected and corrected.
Audit frequency should reflect this risk gradient. Begin by listing every significant process within your QMS scope. Include customer focused processes like sales and delivery, production and service delivery processes, support processes like HR and procurement, and management processes like leadership review and risk management. For a typical mid sized organisation, this list runs to 10 to 15 core processes.
For each process, assess its risk using criteria like business criticality, complexity, regulatory sensitivity, frequency of change, and historical nonconformity patterns. A process that is critical to customer satisfaction, frequently changing, and has generated nonconformities in certification audits deserves higher audit frequency. A stable, well embedded, low risk process can be audited less frequently.
Many organisations use a simple three tier approach. Tier one processes (high risk or high complexity) are audited quarterly or at minimum twice per year. Tier two processes (moderate risk or complexity) are audited annually. Tier three processes (low risk, stable) are audited every two years, or sometimes as part of a rolling sampling approach.
Document this assessment formally. Your audit schedule should reference it. When the certification body asks why production scheduling is audited quarterly but document control is audited annually, you have a clear answer rooted in risk rather than convenience.
Calculating the Auditor Capacity You Actually Have
This is where planning becomes concrete. Determine how many audit days your organisation can realistically deliver across the year.
Start by identifying who will conduct internal audits. This might be a dedicated quality team member, a rotating group of trained staff, external consultants, or a combination. For each person, estimate how many working days per year they can allocate to audits. Someone in a dedicated quality role might manage 15 to 20 audit days per year. Someone in another role conducting audits as part of broader responsibilities might realistically contribute 2 to 5 days per year.
Next, estimate the time required for each audit. An audit of a simple, well defined process with stable documentation might take one day. A comprehensive audit of production, with multiple shifts, complex equipment, and extensive documentation, might take two or three days. Include time for planning the audit, conducting the audit itself, compiling findings, and writing the report. Most organisations underestimate this significantly. A one day on site audit typically requires 0.5 days of planning and 0.5 to 1 day of reporting and follow up.
Once you have total available audit days and the time required per audit, you can determine your realistic audit volume. If you have 25 audit days available per year and each comprehensive audit requires 2 days (including planning and reporting), you can conduct approximately 12 to 13 audits annually. This is a real constraint. It means your schedule cannot include 20 audits if you only have capacity for 12.
Most organisations making this calculation realise they have less capacity than they assumed. They then face a choice: allocate more resources to auditing, reduce scope, extend audit intervals, or prioritise certain audits over others. There is no correct answer, but the choice must be made consciously and documented.
Building the Twelve Month Schedule
With process risk assessment and capacity calculations complete, you can now build the actual schedule. This should be a document that lists each scheduled audit by month, including the process or area to be audited, planned dates, assigned auditors, and expected duration.
Several practical considerations apply. Avoid concentrating audits in particular months. If you schedule six audits in November and one in July, you create feast and famine patterns that disrupt routine operations and make scheduling difficult. Spread audits relatively evenly across the year. This also means that findings and corrective actions are distributed across the year rather than bunching into particular periods.
Consider business seasonality. In retail, concentrate major audits during quieter periods. In agriculture, work around harvest. If your organisation has an annual shutdown, that is not a good time to schedule production audits. If you run management review meetings in March and September, schedule audits in the month or two before so that findings can be discussed.
Build in scheduling buffer. Do not schedule audits so tightly that a single cancellation cascades across the year. If your plan calls for audits in weeks 2, 4, 6, and 8 of January, and week 2 audit gets deferred due to illness, the subsequent audits will shift and you quickly lose control. Build in space between audits.
Factor in any planned external audits. Certification audits typically occur annually. Surveillance audits occur between certification audits. Schedule internal audits to be completed at least a month before certification audits, not in the week immediately prior. Internal audits are meant to identify and address issues before external auditors arrive.
Document any changes to the schedule formally. If an audit is deferred, record why and when it will be rescheduled. If the schedule is adjusted due to resource constraints or business priorities, update the document and maintain a version history.
Allocating Auditors and Building Competence
Assigning the right auditor to each audit is critical. Avoid assigning auditors to audit their own areas, as this violates the independence requirement. Someone from production should not audit production, and the manager of a function should not audit that function.
Consider using audits as development opportunities. A newer staff member can conduct audits with an experienced auditor accompanying them. Over time, they build audit competence and can lead audits independently. This approach distributes audit workload, builds internal capability, and creates succession planning.
Ensure that assigned auditors have completed appropriate training. This does not necessarily mean sending everyone to a formal course, though for organisations taking their QMS seriously, internal auditor training is valuable. At minimum, auditors need to understand audit planning and interview techniques, how to gather evidence, and how to document findings appropriately.
Document auditor competence. Maintain a simple register noting which staff members are trained as internal auditors, what training they have completed, and when they last conducted an audit. This becomes important evidence that audits are conducted by competent people, and it helps identify training needs when people step away from auditing for extended periods.
Integrating Audit Objectives with Process Performance
Each audit in your schedule should have defined audit objectives. These specify what the audit is intended to examine and achieve. For a routine annual audit, the objective might be to verify that the process operates in conformity with documented procedures and ISO 9001 requirements. For an audit triggered by a customer complaint, the objective might be specifically to examine root cause and identify whether systemic issues exist.
Audit objectives should also consider process performance data. If a process has shown deteriorating on time delivery performance, an audit objective might specifically examine what controls exist, whether they are being followed, and whether documented procedures reflect current reality. If customer complaints spike in a particular area, audit objectives can target that specific concern.
How to Write Audit Objectives demonstrates how to move beyond generic tick box audits and focus on areas that matter to your organisation. This elevates auditing from compliance activity to genuine improvement tool.
Planning for Different Audit Types
Not every scheduled audit is identical. Your schedule should distinguish between routine compliance audits, risk based audits triggered by specific concerns, and audits focused on new or changed processes.
Routine compliance audits verify that established processes continue to operate as documented and in accordance with QMS requirements. These are typically scheduled at regular intervals and require standard preparation and execution.
Risk based audits respond to identified risks or recent events. If a process change has been implemented, an audit shortly after implementation confirms that the change is working as intended and that staff understand revised procedures. If a particular process area has shown weaker performance or generated complaints, an audit targets that specific concern more intensively.
Transition audits occur when new processes are introduced or significant changes are made to established processes. These audits verify that new procedures are documented clearly, staff are trained, and initial implementation is working.
Your schedule should reflect this mix. A typical year might include 8 to 10 routine compliance audits, 2 to 3 risk based audits triggered by specific concerns, and 1 to 2 transition audits. This provides ongoing verification of conformity while also focusing effort on areas needing deeper examination.
Documenting the Schedule and Maintaining Control
Your internal audit schedule must be documented. This can be a simple spreadsheet or a more structured document within your QMS, but it must exist and be accessible. The schedule should include at minimum the process or area being audited, planned dates, assigned auditors, duration, and audit objectives.
Establish a document management process for the schedule. Assign responsibility for maintaining and updating it. Clearly indicate whether it is a rolling annual schedule or a fixed calendar year schedule. Specify how changes will be approved and documented. If audits are deferred, record the reason and rescheduled date.
Make the schedule visible to relevant people. The quality manager needs to track it. Process managers need to know when their areas will be audited so they can prepare. Auditors need sufficient notice to plan their audit approach. Consider publishing a quarterly view of planned audits so that affected areas understand what to expect.
Review the schedule periodically. At each management review meeting, include a brief report on audit schedule execution. How many audits were planned versus completed? Were there deferrals? What patterns are emerging? Do adjustments need to be made? This keeps the schedule active and relevant rather than a document created once and ignored.
Linking Schedule to Findings and Corrective Actions
Your audit schedule should connect explicitly to how you manage findings and corrective actions. If an audit identifies a significant nonconformity, the schedule planning process should ensure that a follow up audit or review occurs within a reasonable timeframe to verify that corrective actions have been implemented effectively.
Many organisations schedule audits without reference to prior audit findings. A process was audited in March and a major nonconformity was identified. The follow up audit is not scheduled until the normal annual cycle ten months later. By then, the corrective action may have drifted, or it may never have been properly implemented at all. Better practice is to schedule a follow up audit within 2 to 3 months of identifying major nonconformities.
Use your audit schedule as a tool to drive closure of nonconformities rather than allowing findings to languish. If corrective action verification is scheduled as a discrete audit activity, responsibility becomes clear and timelines become firm.
Preparing for Certification Audit Enquiries
Certification auditors will examine your internal audit schedule and execution record. They will ask to see the documented schedule, evidence of actual audits completed, and records of findings and corrective actions. If your schedule exists but audits were not actually conducted, or if the schedule is vague and lacks structure, auditors will raise nonconformities.
Prepare your audit schedule and execution record as a coherent system. The documented schedule should be clear. Actual audit records should match the schedule. Findings should be documented and tracked to closure. This is not onerous if built into normal practice, but it becomes problematic if you try to retrofit documentation shortly before certification audit.
Continuous Improvement of the Schedule Itself
After your first year of executing a planned internal audit schedule, review how well the plan worked. Were audits actually completed as scheduled? Were there patterns of deferral? Did auditors have sufficient time to complete audits properly? Were the time estimates realistic? Did the audit frequency reveal the right issues, or were some audits finding little while others were identifying numerous findings?
Use this experience to refine your schedule for the following year. If auditors consistently need more time than planned, adjust your capacity calculations. If certain process areas generate few findings while others reveal numerous issues, consider adjusting frequency. If particular months prove difficult for scheduling, shift audits to quieter periods. The schedule should evolve based on experience.
Audit Workshop offers accredited ISO Internal Auditor training that covers internal audit planning, execution, and reporting in depth. Our courses are recognised by Exemplar Global and designed for working professionals who need practical skills they can apply immediately.








