Internal Quality Audit Checklist for ISO 9001: A Clause by Clause Guide

Why a Good Checklist Makes a Real Difference

An internal quality audit checklist for ISO 9001 is one of the most practical tools an auditor can carry into an audit. Done well, it keeps you focused, ensures you cover the right ground, and gives you a structured way to record what you find. Done poorly, it turns into a tick and flick exercise that misses the real story of how a quality management system is actually operating.

This guide walks through the key areas of ISO 9001:2015 clause by clause, giving you specific questions to ask, evidence to look for, and things that experienced auditors pay close attention to. Whether you are running your first internal audit or refreshing your approach, these prompts will help you conduct an audit that adds genuine value rather than just satisfying a compliance requirement.

Before we get into the checklist itself, one important point: a checklist is a starting point, not a script. The best auditors use their checklist to orient themselves, then follow the evidence wherever it leads. If you want to explore that balance further, the article on how to use an audit checklist without becoming checklist dependent is worth reading alongside this one.

Clause 4: Context of the Organisation

What to Look For

Clause 4 is where many internal auditors rush through because it feels abstract. In practice, it anchors everything else in the system. If an organisation has not genuinely thought about its context, its interested parties, and the scope of its QMS, the rest of the system is built on shaky ground.

• Has the organisation identified internal and external issues that are relevant to its purpose and strategic direction?
• Is there a documented or clearly communicated analysis of context, such as a SWOT, PESTLE, or similar approach?
• Has the organisation identified interested parties and determined their relevant needs and expectations?
• Is the scope of the QMS defined and available? Does it state which products, services, sites, and processes are included?
• Are any exclusions to Clause 8 justified and documented?
• Are the processes of the QMS identified, including their sequence and interaction?

When auditing context, ask the process owners whether they are aware of the relevant issues and interested parties. If they have no idea what you are talking about, the system exists only on paper.

Clause 5: Leadership

What to Look For

Leadership is audited by looking at behaviour and evidence, not just policy documents. Top management needs to demonstrate commitment, not just sign off on it.

• Is there a quality policy that is appropriate to the organisation, includes a commitment to continual improvement, and provides a framework for quality objectives?
• Is the quality policy communicated, understood, and available to relevant parties?
• Has top management assigned roles, responsibilities, and authorities for the QMS?
• Can top management articulate how the QMS is integrated into business processes?
• Is there evidence that top management promotes customer focus and awareness of customer requirements throughout the organisation?

Ask to speak with a senior manager during the audit. The questions you ask do not need to be adversarial. Simply ask them to describe what the quality system means for the business and how they know it is working. Their answers will tell you a great deal about genuine leadership commitment.

Clause 6: Planning

What to Look For

Risk based thinking is central to ISO 9001:2015, and Clause 6 is where it becomes concrete. Many organisations document a risk register but never actually use it. Your job is to find out whether the risks and opportunities identified have genuinely influenced planning and decision making.

• Has the organisation identified risks and opportunities relevant to its context and the needs of interested parties?
• Are actions planned to address those risks and opportunities, and are they integrated into QMS processes?
• Are quality objectives established for relevant functions and processes?
• Are quality objectives measurable, monitored, communicated, and updated as needed?
• Are there plans in place showing what will be done, who is responsible, what resources are needed, and how results will be evaluated?
• When changes to the QMS are planned, are they carried out in a controlled manner?

Look for evidence that quality objectives are reviewed and updated. Static objectives that have not changed in three years are a red flag. Ask how the objectives were set and whether they reflect current business priorities.

Clause 7: Support

What to Look For

Clause 7 covers the resources that make the QMS function: people, infrastructure, environment, monitoring and measurement equipment, organisational knowledge, competence, awareness, communication, and documented information. This is often where the most nonconformities are found in practice.

• Has the organisation determined and provided the resources needed for the QMS?
• Are persons doing work that affects quality competent on the basis of appropriate education, training, or experience?
• Is there evidence of competence, such as training records, qualifications, or skills matrices?
• Are persons aware of the quality policy, relevant quality objectives, their contribution to QMS effectiveness, and the implications of not conforming?
• Has the organisation determined the internal and external communications relevant to the QMS?
• Are documents and records controlled? Is there a process for creating, updating, and controlling documented information?
• Are records retained for defined periods and protected from unintended alteration or loss?

For documented information, ask to see a specific procedure and then verify that the version in use matches the controlled version. Also check whether obsolete documents have been removed from use. This is a common gap.

Clause 8: Operation

What to Look For

Clause 8 covers the core operational processes of the business. This is typically where the most time is spent during an internal audit, and rightly so. It is where the quality system either delivers or fails.

Customer Requirements and Design

• Does the organisation have a process for determining requirements for products and services, including statutory and regulatory requirements?
• Is there a process for reviewing requirements before committing to supply?
• Are customer communications managed, including enquiries, contracts, complaints, and feedback?
• If design and development applies, are inputs, outputs, controls, and reviews documented and retained?

External Providers

• Does the organisation control externally provided processes, products, and services?
• Are criteria for evaluating, selecting, monitoring, and re evaluating external providers defined and applied?
• Is there documented information of the results of supplier evaluations?

Production and Service Provision

• Are production and service provision carried out under controlled conditions, including documented information, suitable monitoring, and use of appropriate equipment?
• Is traceability maintained where required?
• Is customer or external provider property identified, protected, and safeguarded?
• Are post delivery activities addressed, including warranty, maintenance, and recycling obligations?

Nonconforming Outputs

• Does the organisation have a process for identifying and controlling nonconforming outputs?
• Are nonconformities recorded, including the actions taken and any concessions obtained?
• Is there evidence that corrections are verified after they are made?

When auditing operations, walk the process rather than sitting in a meeting room. Follow a job or order from enquiry through to delivery and look for the evidence at each step. This process based approach will surface issues that a document review alone will never find. For more on this technique, see the article on what auditors look for in an ISO 9001 quality management system.

Clause 9: Performance Evaluation

What to Look For

This clause is about whether the organisation is actually measuring what matters and using that information to drive decisions. Many organisations collect data but never analyse it or act on it.

• Has the organisation determined what needs to be monitored and measured, and by what methods?
• Is customer satisfaction being monitored? What methods are used, and what do the results show?
• Is data being analysed and evaluated to assess QMS performance and identify improvement opportunities?
• Are internal audits being conducted at planned intervals, covering all processes and clauses over time?
• Is there an audit programme that reflects risk, and are auditors selected to ensure objectivity and impartiality?
• Are management reviews being held at planned intervals?
• Do management review records include all required inputs and outputs, including decisions and actions?

For the internal audit programme, check whether all areas of the QMS have been audited within the current cycle and whether findings from previous audits have been closed out. For a deeper look at what this clause actually requires, the article on ISO 9001 Clause 9.2 explained covers the requirements in detail.

Clause 10: Improvement

What to Look For

Clause 10 is where the system proves it can learn and improve. If nonconformities are being raised but root causes are never addressed, or if the same issues keep recurring, the improvement process is not working.

• When nonconformities occur, does the organisation react, contain, investigate root causes, and implement corrective actions?
• Are corrective actions reviewed for effectiveness?
• Is there documented information of the nature of nonconformities and subsequent actions taken?
• Does the organisation continually improve the suitability, adequacy, and effectiveness of the QMS?

Ask to see the corrective action register and look for patterns. If the same type of nonconformity appears repeatedly, that is a sign the root cause has not been properly addressed. Also check whether corrective actions have been closed within the agreed timeframes.

How to Use This Checklist in Practice

A clause by clause checklist gives you complete coverage, but it works best when you combine it with a process based approach. Before the audit, identify the key processes you will follow and map the relevant clauses to each one. This way you are not jumping between clauses in a disconnected way but following the natural flow of work.

During the audit, use the checklist questions as prompts rather than reading them verbatim. Your goal is a conversation, not an interrogation. Ask open questions, listen carefully, and follow up on anything that does not quite add up. The checklist keeps you on track; your professional judgement determines what to probe further.

After the audit, use the checklist to confirm you have covered all required areas before writing your report. Any area you could not audit due to time or access should be noted and scheduled for follow up.

It is also worth remembering that the checklist needs to be reviewed and updated over time. If your organisation is preparing for the ISO 9001:2026 revision, some additional considerations around climate change, data integrity, and organisational knowledge will need to be reflected in your internal audit checklists. Building that review into your annual audit programme planning is good practice.

If you are developing your internal audit skills or looking to formalise your credentials, Audit Workshop offers practical ISO 9001 internal auditor training that goes well beyond the theory. The courses are built around real audit scenarios, with a focus on what actually happens when you are on the floor asking questions and following evidence. Whether you are new to auditing or looking to sharpen your technique, the training is designed to be directly applicable from day one.