Internal Audit Report Format With Example: A Practical Guide for ISO Auditors

Why the Audit Report Matters More Than Most Auditors Realise

You can conduct a thorough, well planned internal audit and still have it count for nothing if the report is poorly written. The audit report is the permanent record of what was found, what was assessed, and what action is required. It goes to management, feeds into the management review, and provides the evidence base for corrective action. A vague or disorganised report undermines all of that.

Yet many internal auditors treat the report as an afterthought. They spend days planning and conducting the audit, then rush through the write up in an hour. The result is a document that raises more questions than it answers, that management files away without acting on, and that provides little value when the certification auditor arrives.

This guide covers the standard internal audit report format used across ISO 9001, ISO 14001, and ISO 45001 audits, explains what each section should contain, and walks through a worked example so you can see how the format applies in practice.

What an Internal Audit Report Must Achieve

Before looking at format, it helps to be clear about purpose. An internal audit report must do four things well.

• It must document that the audit was conducted in accordance with the planned audit programme, satisfying the requirements of ISO 9001 Clause 9.2, ISO 14001 Clause 9.2, or ISO 45001 Clause 9.2, depending on your standard.
• It must communicate findings clearly enough that people who were not present during the audit can understand what was found and why it matters.
• It must provide the factual basis for corrective action. If the nonconformity description is vague, the corrective action will be equally vague.
• It must be retained as documented information, demonstrating that the organisation is running an effective audit programme.

Keep these four purposes in mind as you build your report. Every section should serve at least one of them.

The Standard Internal Audit Report Format

There is no single mandatory template prescribed by ISO standards. The standards require that audit results be retained as documented information, but they leave the format to the organisation. In practice, most well structured internal audit reports follow a consistent pattern. Here are the sections you should include.

Section 1: Audit Identification Information

This is the header block at the top of the report. It establishes the basic facts of the audit and makes the document traceable. Include the following fields.

• Report reference number: A unique identifier for filing and retrieval.
• Date of audit: The date or date range when auditing was conducted.
• Date of report: When the report was finalised and issued.
• Standard or audit criteria: For example, ISO 9001:2015, ISO 14001:2015, or ISO 45001:2018.
• Audit scope: Which processes, departments, sites, or clauses were covered.
• Audit objectives: What the audit was intended to determine.
• Lead auditor: Name and, if relevant, qualification or registration number.
• Audit team members: Names of any other auditors involved.
• Auditee or process owner: The person or area being audited.

Getting this header right matters. When the certification auditor reviews your audit records, they will look here first to confirm that audits are being planned and conducted with defined scope and objectives.

Section 2: Audit Objectives and Scope

This section expands on the header fields with a brief narrative. Describe what the audit set out to determine and what was included and excluded from scope. Keep it concise, one to three short paragraphs is enough.

For example, if you audited the purchasing process against ISO 9001 Clause 8.4, you would state that the audit objective was to verify that externally provided products and services are controlled in accordance with the requirements of the standard and the organisation's own documented procedures. You would note that the scope covered the purchasing function at the Brisbane facility, including supplier selection, purchase order controls, and receiving inspection records for the period January to June 2025.

Section 3: Audit Method

Briefly describe how the audit was conducted. This confirms to readers and to future auditors that appropriate methods were used. Typical content includes the following.

• Document review: which procedures, records, or registers were examined.
• Interviews: which roles or staff members were interviewed.
• Observation: any processes, activities, or physical areas observed.
• Sampling approach: how records were selected for review.

You do not need to write an essay here. A short paragraph or a simple list is sufficient. The point is to show that the audit was based on evidence gathered through multiple methods, not just a conversation with the process owner.

Section 4: Summary of Findings

This is the most important section of the report, and the one that most auditors get wrong. The summary of findings should give the reader a clear picture of the overall audit outcome before they get into the detail. It should cover the following.

• Overall conformity status: did the area audited broadly conform to requirements?
• Number and classification of findings: how many nonconformities were raised, and at what grade? How many observations or opportunities for improvement were noted?
• Any significant positive findings: evidence of good practice worth acknowledging.
• The overall audit conclusion: a professional judgement about the effectiveness of the system in the audited area.

The audit conclusion is a critical element that many internal auditors omit. ISO 19011 is clear that an audit should produce a conclusion, not just a list of findings. The conclusion reflects the auditor's professional judgement about whether the management system is effectively implemented and maintained in the audited area. It does not have to be lengthy, but it must be present.

Section 5: Detailed Findings

This section contains the individual audit findings, each written up in a consistent format. For each finding, you should record the following.

• Finding reference: A unique number for tracking purposes.
• Classification: Major nonconformity, minor nonconformity, or observation or opportunity for improvement.
• Clause or requirement: The specific clause of the standard and or the organisation's own requirement that has not been met.
• Finding statement: A clear, factual description of what was found.
• Objective evidence: The specific evidence that supports the finding. This should be precise enough that someone not present at the audit could verify it.

If you want to understand how to write individual nonconformity statements well, the article on how to write a nonconformity report that actually gets fixed covers the structure in detail. The principle is the same here: a finding without specific evidence is an opinion, not an audit finding.

Observations and opportunities for improvement should also be recorded with enough detail to be actionable. Noting that record keeping could be improved is not useful. Noting that five of the ten purchase orders sampled lacked the required supplier approval date, which is not a nonconformity against the current procedure but represents a risk if the procedure is tightened, gives the process owner something to work with.

Section 6: Positive Findings

This section is optional but recommended. Auditors who only report what went wrong miss an opportunity to reinforce good practice. If you observed something that was working particularly well, note it. This might be a well maintained calibration register, a thorough and up to date risk register, or a team that demonstrated clear understanding of their quality objectives.

Positive findings also make the report more balanced and easier for auditees to receive. People are more receptive to corrective action when they can see that the audit recognised what was done well, not just what was not.

Section 7: Corrective Action Requirements

For each nonconformity raised, the report should include a section that records the required corrective action response. At the time of issuing the report, this section will typically include the following.

• The nonconformity reference number.
• The required response date: when the auditee must submit their proposed corrective action.
• Space for the auditee to record the immediate correction taken, the root cause identified, and the corrective action planned.

Some organisations use a separate corrective action request form for this, referenced from the audit report. Others include it within the report itself. Either approach works, as long as there is a clear link between the finding and the corrective action record.

The audit report should not specify what the corrective action should be. That is the auditee's responsibility. The auditor's job is to define the nonconformity clearly and set a reasonable response timeframe.

Section 8: Distribution and Sign Off

The final section records who the report has been sent to and, where required, includes sign off by the lead auditor and the auditee or process owner. Distribution should include at minimum the auditee, the quality or management system manager, and top management or their representative. For significant findings, broader distribution may be appropriate.

Sign off by the auditor confirms that the report is accurate. Sign off by the auditee acknowledges receipt, not necessarily agreement. If an auditee disputes a finding, that dispute should be handled through your documented appeals or dispute process, not by withholding sign off.

A Worked Example: Internal Audit Report for a Purchasing Process

The following example shows how the format applies in practice. This is a simplified version for illustration purposes.

Audit Identification

Report reference: IA-2025-07
Date of audit: 14 July 2025
Standard: ISO 9001:2015
Scope: Purchasing process, Clause 8.4, Brisbane facility
Objective: To verify that externally provided products and services are controlled in accordance with ISO 9001:2015 Clause 8.4 and the organisation's Purchasing Procedure PR-08
Lead auditor: Sarah Nguyen
Auditee: Purchasing Manager, James Okafor

Audit Method

The audit was conducted through document review, interview with the Purchasing Manager and two purchasing officers, and examination of purchase order records for the period April to June 2025. A sample of 12 purchase orders was reviewed. The approved supplier register and supplier evaluation records were also examined.

Summary of Findings

The purchasing process is broadly implemented in accordance with the requirements of ISO 9001:2015 Clause 8.4 and Procedure PR-08. The approved supplier register is maintained and current. Supplier evaluations are being conducted and recorded. One minor nonconformity was raised relating to the completeness of purchase order specifications. One observation was noted regarding the frequency of re-evaluation for low risk suppliers.

Audit conclusion: The purchasing process demonstrates general conformity with the applicable requirements. The minor nonconformity identified does not represent a systemic failure but should be addressed to prevent recurrence. The process owner demonstrated good understanding of purchasing controls and supplier management obligations.

Detailed Findings

Finding NC-01 | Minor Nonconformity
Clause: ISO 9001:2015 Clause 8.4.3, PR-08 Section 4.2
Finding: Purchase orders do not consistently include the required product or service specifications as required by Clause 8.4.3 and the organisation's own Purchasing Procedure PR-08 Section 4.2.
Objective evidence: Of the 12 purchase orders sampled (PO-2025-0412, PO-2025-0438, PO-2025-0491), three did not include the required specification reference or drawing number. PO-2025-0412 for fasteners from Apex Supplies referenced only a verbal description. PR-08 Section 4.2 requires that all purchase orders include a specification reference, part number, or drawing number to ensure the supplier understands the requirement.

Finding OBS-01 | Observation
Clause: ISO 9001:2015 Clause 8.4.1
Finding: The re-evaluation schedule for Category C (low risk) suppliers has not been reviewed since 2022. While current practice is not a nonconformity, the absence of a defined re-evaluation frequency for this supplier category creates a risk that changes in supplier performance may go undetected.
Objective evidence: The approved supplier register lists 14 Category C suppliers. No re-evaluation records were found for any Category C supplier since the category was introduced. The Purchasing Manager confirmed that re-evaluation for this category is conducted informally at the discretion of the purchasing officer.

Corrective Action Requirements

NC-01: The Purchasing Manager is required to submit a proposed corrective action, including root cause analysis and planned actions, by 11 August 2025. Immediate correction should address the three purchase orders identified where specifications were incomplete.

Distribution

James Okafor, Purchasing Manager; Lisa Tran, Quality Manager; General Manager.

Auditor signature: Sarah Nguyen, 15 July 2025
Auditee acknowledgement: James Okafor, 15 July 2025

Common Mistakes in Internal Audit Reports

Having reviewed hundreds of audit reports across multiple industries, here are the mistakes that come up most often.

Findings Without Evidence

A finding that says records were not maintained is not useful. Which records? For which period? What specifically was missing? Every finding must be anchored to specific, verifiable evidence. If you cannot name the document, the record reference, or the person who confirmed it, the finding will not hold up.

Vague Audit Conclusions

Writing that the audit identified some areas for improvement is not an audit conclusion. A conclusion is a professional judgement: the system is effectively implemented in this area, or there are systemic weaknesses that require management attention. Be specific and be willing to make a call.

Missing Clause References

Every nonconformity must be referenced to a specific requirement. That means a clause of the standard, a clause of the organisation's own procedure, or both. Without a clause reference, the auditee cannot verify whether the finding is valid and the corrective action cannot be properly scoped.

Corrective Actions Specified by the Auditor

The report should define the problem, not the solution. Auditors who prescribe corrective actions overstep their role and remove accountability from the process owner. Describe what was found and leave the corrective action to the people responsible for the process.

Reports Issued Too Late

An audit report issued three weeks after the audit has limited value. By then, the auditee has moved on and the evidence is less fresh. Aim to issue the report within five working days of the audit closing meeting. For complex audits, ten days is a reasonable outer limit.

For a broader look at how findings should be classified and communicated, the article on what is an audit finding vs observation vs nonconformity provides useful background.

Adapting the Format for Different Standards

The format described above works across ISO 9001, ISO 14001, and ISO 45001 with minor adjustments. For ISO 14001 audits, you might include a section specifically addressing legal compliance obligations or aspects and impacts registers. For ISO 45001 audits, you might add a section on hazard identification and risk controls observed during the audit.

The core structure remains the same. What changes is the audit criteria and the specific evidence you are looking for. The report format follows the audit, not the other way around.

If you are running audits across multiple standards simultaneously, the report may reference multiple clause sets. In that case, be clear in each finding which standard and clause the requirement comes from. Mixing ISO 9001 and ISO 45001 references in a single finding without clarity creates confusion and makes corrective action harder to scope.

Keeping Audit Reports as Documented Information

Under all three major ISO management system standards, audit results must be retained as documented information. This means your reports need to be stored in a way that keeps them accessible, protected from unintended alteration, and retrievable when needed. That might be a shared drive, a quality management system platform, or even a well organised filing system, as long as it is controlled.

When the certification auditor visits, they will ask to see your internal audit records. They will look for evidence that audits have been conducted across the scope of the management system at planned intervals, that findings have been raised and recorded, and that corrective actions have been initiated and followed through. A well written, consistently formatted audit report makes that review straightforward. A disorganised collection of incomplete reports creates doubt about whether the audit programme is functioning at all.

The article on audit report writing: how to communicate findings clearly goes further into the writing craft side of this, which is worth reading alongside this format guide.

Templates Are a Starting Point, Not a Finish Line

Using a template for your internal audit reports is sensible. It ensures consistency across auditors and audit cycles, makes it easier to train new auditors, and speeds up the writing process. But a template only works if the person using it understands why each section exists.

Auditors who fill in templates mechanically, ticking boxes without engaging with the purpose of each section, produce reports that look complete but lack substance. The audit conclusion is left blank or filled with a generic phrase. The findings are described in vague terms. The evidence section lists a document name without specifying what was found in it.

Use the template as a scaffold, but bring your professional judgement to every section. The report should reflect what you actually found and what it actually means for the organisation.

If you are building your internal auditing skills from the ground up, the step by step guide to becoming an ISO internal auditor covers the broader competence and training path, including how audit report writing fits into the overall skill set.

How Audit Workshop Can Help

At Audit Workshop, our internal auditor training courses cover audit report writing as a core practical skill, not an optional add on. You will work through real audit scenarios, practice writing findings and conclusions, and get feedback on your reports from experienced auditors who have conducted hundreds of real certification audits.

Whether you are auditing against ISO 9001, ISO 14001, or ISO 45001, our courses are built for practitioners who want to produce audit reports that actually drive improvement, not just satisfy a compliance checkbox. Training is available in live virtual and self paced formats, so you can build these skills around your existing workload.