Most organisations with ISO management systems experience two fundamentally different types of audits during their certification journey: internal audits conducted by their own personnel, and certification audits performed by external certification bodies. While both serve quality assurance purposes, they operate under different rules, have different objectives, and demand different skill sets from the auditors conducting them. Understanding these distinctions is critical for anyone responsible for audit programmes, whether you're setting one up for the first time or refining an existing process.
On this page
The confusion between internal and certification audits creates real consequences. Teams sometimes over prepare for internal audits as though they were certification audits, burning resources and creating tension where none needs to exist. Conversely, organisations occasionally under prepare for certification audits after becoming comfortable with their internal audit processes, only to be surprised by the rigour and scope of an external assessment. Getting clarity on how these audits differ will help you allocate your audit resources more effectively and understand what each audit is genuinely designed to accomplish.
Purpose and Objectives: Why Each Audit Exists
Internal audits serve fundamentally as a management tool. They exist to help your organisation maintain and improve its management system. According to ISO 9001 Clause 9.2, internal audits must determine whether your management system conforms to the requirements of the standard and whether it is effectively implemented and maintained. This means internal audits are inward facing. They ask: Are we doing what we said we would do? Is our system actually working? Where can we improve?
The second question is crucial. Internal audits are not primarily compliance checks. They're improvement mechanisms. A good internal audit identifies systemic weaknesses before they cause customer complaints, regulatory breaches, or operational failures. Your management team uses internal audit findings to drive corrective actions, allocate improvement resources, and demonstrate to leadership that the management system is genuinely functioning as designed.
Certification audits, by contrast, exist to verify that your organisation meets the requirements of the ISO standard for the purpose of granting or maintaining certification. The certification body's auditor is independently assessing whether your management system meets the standard's requirements. The certification body itself carries accreditation and reputation. If it awards certification to an organisation that subsequently has serious failures, the certification body's credibility is at stake. This creates a different dynamic entirely.
This distinction matters enormously in how each audit is approached. What to expect during an ISO certification audit differs significantly from what happens during an internal assessment because the external auditor is making a formal determination about whether certification should be granted or maintained, whereas internal auditors are gathering information to support management improvement decisions.
Authority and Independence
Internal auditors are almost always employed by the organisation being audited. They understand the business context, the history of the management system, and the constraints under which the organisation operates. Internal auditors often have dual reporting lines: they report to management for day to day accountability but must also report audit findings transparently to ensure the audit maintains credibility. This creates a balance that most organisations navigate reasonably well, though the potential for conflict always exists.
The critical requirement for internal audit independence is that auditors do not audit areas for which they have direct responsibility. An ISO 9001 requirement explicitly states that internal audit shall be conducted by competent persons who are, preferably, independent of the activity being audited. This doesn't mean auditors must be completely detached from the organisation; it means they cannot audit their own work. A production supervisor cannot audit the production process they manage. A document controller cannot audit the document control process they operate. This independence is essential for credibility.
Certification auditors work for external certification bodies and have no ongoing employment relationship with the organisation. They are genuinely independent third parties. They arrive with no prior knowledge of your organisation's specific context, which is simultaneously a weakness and a strength. The weakness is that they may not fully grasp legitimate business reasons for how you've structured certain processes. The strength is that they cannot be influenced by internal politics or management pressure to overlook findings.
External auditors are also bound by their certification body's quality assurance procedures. Their audits are themselves audited. Certification bodies conduct witness audits, review audit reports and findings, and maintain oversight of their auditor population. This external oversight provides assurance to clients that audits are being conducted to consistent standards. If a certification body's audits become known for being either too lenient or excessively harsh, clients will vote with their feet and switch bodies.
Scope and Depth of Assessment
Internal audit programmes must assess whether the entire management system conforms to the standard and is effectively implemented. In practice, this means your internal audit programme should, over time, audit all processes and all locations within your organisation. An organisation with a single site might complete a comprehensive full system audit annually. A multi site organisation typically conducts audits on a rolling schedule, covering all significant processes and locations at least once per year, but often on a more frequent cycle for high risk processes.
The depth of internal audits can vary according to risk and the specific focus you set for each audit. You might conduct a focused internal audit examining only document control and management review, or a process audit that examines a specific manufacturing process end to end. You might conduct a compliance audit focused solely on regulatory requirements that apply to your industry. Internal audits are flexible tools that you can tailor to your organisation's specific needs and priorities.
Certification audits are more standardised in scope. A certification audit must assess your conformance to all relevant clauses of the ISO standard. A certification body cannot skip clauses or declare certain requirements out of scope simply because you haven't prioritised them. The auditor will examine all the standard's requirements and assess whether your system meets them. However, the depth of examination for each clause will vary based on the auditor's assessment of risk and the complexity of that particular area in your organisation.
Certification audits typically occur at defined points: initial audit (when you first seek certification), surveillance audits (usually annually), and recertification audits (every three years for most ISO standards). What is a surveillance audit and how does it differ from certification is worth understanding, as surveillance audits are more targeted than initial certification audits, typically focusing on areas that raised findings in the previous audit and any significant organisational changes.
Audit Criteria and Standards
Internal audits use ISO standards as the primary audit criteria, but they also use your own management system documentation. Your procedures, work instructions, policies, and processes all become audit criteria because you've established them as the way your organisation operates. When an internal auditor finds that actual practice deviates from your documented procedure, that's a finding, even if the deviation doesn't necessarily breach the ISO standard itself. This is because consistency with your own system is part of effective implementation.
Certification audits assess conformance to the ISO standard first and foremost. The standard is the audit criteria. Your organisation's specific procedures and processes are examined to determine whether they demonstrate conformance to the standard's requirements. A certification auditor might note that your actual practice differs from your documented procedure, but if your actual practice still satisfies the standard's requirement, the deviation might not result in a nonconformity. The standard is the benchmark, not your own documentation.
This distinction has real consequences for audit findings. Internal audit might identify that your management review isn't being conducted with the frequency stated in your own procedure. If you've documented that management review occurs quarterly, but it's actually only happening twice yearly, that's an internal audit finding. A certification auditor would examine whether management review is happening at all and whether it covers the topics required by ISO 9001 Clause 9.3. If it does, even if it's less frequent than your own procedure specifies, the certification auditor might not raise a nonconformity, though they might raise an observation suggesting you align your procedure to your actual practice.
Auditor Qualifications and Training Requirements
Internal auditors must be competent. ISO 9001 requires that internal audits be conducted by persons who are competent, and this competence includes knowledge of the standard, understanding of your organisation's processes, and auditing skills. However, there's no specific requirement that internal auditors hold a particular certification credential. Many organisations train internal auditors internally, supplemented by attendance at internal auditor training courses. Others require their internal auditors to hold formal internal auditor certifications recognised by bodies such as Exemplar Global or IRCA.
How to become an ISO internal auditor: a step by step guide outlines the typical pathway, which involves completing an accredited internal auditor course, developing practical auditing experience, and maintaining evidence of competence. For organisations serious about audit quality, requiring internal auditors to hold these credentials ensures a baseline standard of competence across the audit team.
Certification auditors must hold formal qualifications. Most ISO certification bodies require their auditors to hold accredited lead auditor certifications (such as those offered by Exemplar Global or IRCA). These qualifications require formal training, examination, and practical experience. Certification auditors must maintain their qualifications through continuing professional development. The certification body also maintains its own procedures for auditor training, competence assessment, and ongoing monitoring. This creates a much more formalised and regulated population of auditors.
The difference reflects the stakes involved. Internal audit is an internal control mechanism, so the organisation can set its own competence thresholds. Certification audit directly determines whether an organisation can legally claim ISO certification, so the auditors must meet standardised competence requirements that apply across all certification bodies. This protects the integrity of ISO certification across the world.
Finding Classification and Severity
Internal audits use your organisation's own classification system for findings. Most organisations classify internal audit findings as nonconformities (failures to meet the standard or your own procedures), observations (areas for improvement that don't constitute nonconformities), or opportunities (suggestions for positive change). Some organisations add additional classifications such as "findings" versus "observations." The terminology varies, but the concept is that you're categorising findings according to severity and type so that management can prioritise corrective actions appropriately.
Certification audits use a standardised classification system established by the accreditation bodies and adopted by all certification bodies. Findings are classified as major nonconformities (failures that represent a significant breach of the standard or indicate the management system is not effectively implemented), minor nonconformities (isolated breaches or lapses in system implementation), or observations (matters that don't currently constitute nonconformities but that the auditor believes should be addressed).
The severity levels matter enormously for certification outcomes. A single major nonconformity typically prevents certification. Multiple minor nonconformities might delay certification or lead to requirement for a follow up audit before certification is granted. Observations don't prevent certification but the organisation is expected to address them during the next surveillance audit. This formal structure means that certification audit findings carry immediate, defined consequences in a way internal audit findings don't necessarily.
Reporting and Follow Up Processes
Internal audit reports are internal management documents. Your organisation decides what format they take, how detailed they are, and who has access to them. Typically, internal audit reports go to senior management, the process owner being audited, and anyone responsible for implementing corrective actions. The depth of reporting can vary significantly. Some organisations produce detailed audit reports for every audit; others produce summary reports for management and more detailed working papers retained in audit files.
The follow up to internal audit findings is managed internally. You set timelines for corrective actions. You decide whether corrective actions are adequate before closing findings. You determine whether findings warrant system wide corrections or can be addressed in isolation. This flexibility means internal audit follow up can be tailored to your organisation's culture, capacity, and priorities.
Certification audit reports are formal documents that are shared with your organisation and, in some cases, are subject to regulatory oversight. Certification bodies have specific requirements for what must be included in audit reports. These typically include the audit scope, the auditor's assessment of conformance to each relevant clause of the standard, any nonconformities or observations identified, and the organisation's proposed corrective actions. The certification body retains a copy of the report and uses it as the basis for certification decisions and as a reference point for future surveillance audits.
Follow up to certification audit findings is much more formalised. Managing corrective actions after an ISO audit: a practical approach involves submitting corrective action plans to the certification body, often within a defined timeframe. For major nonconformities, most certification bodies require evidence that corrective actions have been implemented before certification is granted. For minor nonconformities, the organisation typically has a longer timeframe to implement corrections, which are then verified during the next surveillance audit.
Cost Implications and Resource Requirements
Internal audits are conducted by your own personnel, so the direct costs are primarily in training and time allocation. If you send staff to a formal internal auditor training course, you're investing in that training. You're allocating the auditor's time away from their regular duties during the audit period. But you're not paying external fees. This makes internal audit a relatively low cost assurance mechanism once the initial infrastructure is in place.
For many organisations, the challenge is commitment. It's easy to defer internal audits when day to day pressures mount, because there's no external deadline and no external consequence if the audit is delayed. This creates a risk that internal audit programmes become inconsistent or lapse entirely, particularly in smaller organisations where resources are stretched thin.
Certification audits involve direct fees paid to the certification body. These fees vary based on the complexity and size of your organisation, but for a small to medium enterprise they typically range from several hundred to several thousand dollars per audit. You're paying for the auditor's time, the certification body's administration, and the body's accreditation and oversight costs. This direct financial outlay often prompts organisations to invest more seriously in preparation, because there's a real cost incurred.
However, certification audits also create indirect resource costs for your organisation. You need to allocate staff time to support the auditor (escorting them around the facility, answering questions, providing documents). You need to ensure relevant personnel are available during the audit period. This is typically less burdensome than conducting an internal audit, because the external auditor works to their own schedule and you're simply supporting their process rather than conducting the audit itself.
Auditor Behaviour and Relationships
Internal auditors have ongoing relationships with the people they audit. If you're a small organisation, your internal auditor might audit the same process owner multiple times. This familiarity can create benefits: the auditor understands the context, knows the people involved, and can build rapport. It can also create challenges: there's a risk of becoming too comfortable, overlooking findings because of personal relationships, or receiving defensive responses from people worried that audit findings might affect their performance reviews.
Certification auditors are typically meeting the people they audit for the first time. This brings both advantages and disadvantages. The advantage is genuine independence and lack of prior assumptions. The disadvantage is that the external auditor doesn't understand your organisation's context, culture, or legitimate constraints. This can sometimes lead to findings that seem unreasonable to you because the auditor doesn't grasp why you've structured something a particular way.
The auditor's behaviour tends to differ accordingly. Internal auditors can be somewhat more flexible and consultative because they're working within the organisation long term. They might suggest improvements or work collaboratively with process owners to address findings. Certification auditors are more formal and structured because they're making an independent assessment that will directly affect your certification status.
Timing and Frequency
Your organisation controls the timing of internal audits, subject to ISO requirements. For most standards, internal audits must occur at least annually, but they can occur more frequently. How often should you run internal audits under ISO 9001 depends on risk assessment and the maturity of your management system. A newly certified organisation might benefit from more frequent internal audits to identify early implementation issues. An organisation with a mature system might use less frequent but more targeted audits focused on high risk processes.
You also control whether internal audits are scheduled well in advance or conducted with minimal notice. Some organisations prefer to schedule audits with advance notice so that auditees can prepare and provide organised access to documentation. Others prefer to conduct surprise audits to assess whether the system is operating as designed in normal conditions. Both approaches are valid, depending on your objectives.
Certification audits follow the certification body's schedule. Initial audits occur when you first apply for certification, typically following a gap analysis to establish that your system is ready for assessment. Surveillance audits typically occur annually, though some certification bodies have moved to a risk based approach where the frequency is adjusted based on your performance and risk profile. Recertification audits occur every three years when your certification needs to be renewed. You cannot move certification audit dates simply because it's inconvenient; you must work with the certification body's schedule or forfeit certification.
Documentation and Evidence Requirements
Internal audits require documented evidence that demonstrates your system is operating as designed. The evidence comes from your organisation's records: procedure documents, training records, meeting minutes, quality records, and so on. Because this is your own documentation, you understand the context and can usually access it readily. An internal auditor knows where to look because they're familiar with your system.
However, internal auditors must still gather credible evidence. Observing a process in operation, interviewing personnel, and reviewing objective records all form part of the audit. The auditor must be able to demonstrate that findings are based on concrete evidence, not assumptions or hearsay. How to gather audit evidence that stands up to scrutiny is equally important for internal and certification audits.
Certification auditors examine your documentation as evidence of system implementation, but they also assess whether your documented system actually reflects how your organisation operates. A mismatch between documented procedures and actual practice is itself a finding. Certification auditors often find that organisations have documented procedures that they don't actually follow, or conversely, that they follow practices that aren't documented. Either gap represents a potential nonconformity because the system isn't consistently implemented.
Audit Planning and Preparation
Internal audit planning is ongoing. You develop an audit programme that identifies which processes will be audited, when, and roughly how extensively. This allows you to schedule audits in advance, allocate auditors, and give auditees reasonable notice. However, you can also adjust the programme based on risk; if a major incident or quality issue occurs, you might add an urgent internal audit focused on that area.
For certification audits, the certification body provides a detailed audit plan in advance. This includes the auditor's name, the dates and times of the audit, the scope of the audit (which clauses will be assessed), and logistical details. You prepare by ensuring relevant personnel are available, that key documentation is organised and accessible, and that facilities are in appropriate condition for audit. How to prepare your organisation for an external audit typically involves some weeks of planning and coordination.
However, preparation for certification audit requires a different mindset than preparation for internal audit. You're not trying to hide problems or present an artificially polished picture. Certification auditors are experienced at recognising when organisations are presenting a false front. Rather, you're ensuring that the auditor can see your normal operations clearly. This means ensuring that normal staff are present (not bringing in consultants just for the audit), that records are easily accessible, and that facilities are clean and orderly in the normal way.
Use of Consultants and External Support
Internal audits can be conducted entirely by internal personnel, or organisations can choose to engage external auditors to supplement internal capacity. Some organisations use external auditors to conduct periodic internal audits for independent perspective. Others use external auditors only during the early stages while building internal auditor capacity. The decision is yours and can vary based on available internal resources and the complexity of your system.
Certification audits are conducted exclusively by the certification body's auditors. You cannot choose an alternative auditor or bring in your own external auditor instead. However, many organisations engage ISO consultants to help prepare for certification audit. These consultants might conduct gap analyses, help remediate identified gaps, provide advice on system design, or conduct practice audits to help your team understand what to expect. This is entirely legitimate and very common.
Role of Management and Governance
Internal audit is a management system function that typically reports to senior management. The management team uses internal audit findings to inform decisions about resource allocation, process improvement priorities, and risk management. A mature organisation treats internal audit as a key performance indicator of system health and uses audit findings as leadership indicators that help predict whether the organisation will meet its objectives.
Certification audit results are a governance matter in that they directly affect the organisation's legal right to claim ISO certification. Directors and senior management often take an interest in certification audit results because certification carries business implications. But unlike internal audit, which is a regular operational process, certification audit is a periodic external assessment.
Continuous Improvement and System Development
Internal audits drive continuous improvement. Findings should lead to corrective actions that strengthen the system. Over time, internal audit data should show decreasing numbers of findings as the system matures and improvements are embedded. An internal audit programme that generates the same findings repeatedly suggests that corrective actions aren't being implemented effectively or that there's a systemic issue that hasn't been properly addressed.
Certification audits contribute to continuous improvement indirectly. They verify that your system meets the standard's requirements and identifies areas where conformance is lacking. However, they're not primarily designed as an improvement mechanism. Their purpose is to provide independent assurance of conformance. That said, organisations often find certification audit observations valuable for improvement because they come from experienced independent assessors who've seen how many other organisations address similar challenges.
Standards and Frameworks Governing Each Audit Type
Internal audits must be conducted in accordance with ISO 19011, Guidelines for Auditing Management Systems. This standard provides guidance on planning internal audits, conducting auditor interviews, documenting findings, and managing the overall audit process. However, organisations have flexibility in how they implement these guidelines. ISO 9001 Clause 9.2 specifies what internal audit must assess, but not exactly how the organisation must conduct audits, as long as the requirements are met.
Certification audits are conducted according to the certification body's procedures, which themselves must conform to the requirements of the relevant accreditation body (such as ISOIEC 17021 1, which specifies requirements for bodies auditing management systems). This creates a more prescriptive framework. Certification auditors follow specific procedures, use standardised documentation, and work within defined guidelines about audit duration, sampling, and evidence requirements.
Audit Workshop offers accredited ISO Internal Auditor training that covers internal audit planning, execution, and reporting in depth. Our courses are recognised by Exemplar Global and designed for working professionals who need practical skills they can apply immediately.








