
ISO 9001 Clause 9.2: What Internal Audit Actually Requires

Dilawar Laghari

Lead Auditor and Trainer · 16 min read

Clause 9.2 of ISO 9001:2015 sets out what internal auditing actually requires. This is where many organisations stumble. They schedule audits, tick boxes, and call it compliance. The standard demands something far more rigorous. Internal auditing under 9.2 is not a compliance exercise; it is a mechanism for verifying whether your quality management system (QMS) actually works and whether you are truly conforming to the standard. This distinction matters profoundly because it separates organisations that improve from those that merely maintain the appearance of a system.

Understanding the Core Requirement

ISO 9001:2015 Clause 9.2 requires the organisation to conduct internal audits at planned intervals to provide information about whether the QMS conforms to the requirements of the standard and to the organisation's own requirements, and whether it is effectively implemented and maintained. That language is precise. The standard does not say internal audits are optional, nor does it allow you to audit only the processes you worry about. It demands systematic coverage of your entire system at planned intervals.

The word "planned" is critical. This means you cannot wake up one morning and decide to audit something because a problem has emerged. Planning precedes action. You establish an audit programme, define the scope, frequency, and methodologies, and then execute according to that plan. The plan itself must consider the status and importance of the processes and areas to be audited, the results of previous audits, and any changes to the organisation.

Many organisations confuse internal audit frequency with rigour. Some believe that conducting one internal audit per year is sufficient simply because the standard does not prescribe a minimum number. This is a fundamental misunderstanding. Frequency must be justified by your risk assessment and the criticality of your processes. A manufacturing plant producing safety-critical components requires far more frequent auditing than a service business with stable, well-controlled processes.

Scope and Coverage Requirements

Clause 9.2.1 establishes the scope. The internal audit programme must cover all processes of the QMS. This does not mean auditing everything in excruciating detail at every audit cycle. It means ensuring that across your annual (or multiyear) audit programme, every relevant process receives attention. Some organisations structure their programmes on a rolling three year cycle: certain processes are audited annually because they are high risk or frequently change, others are audited every two or three years because they are stable and lower risk.

The critical word here is "coverage". If you operate a call centre, you cannot legitimately run an audit programme that never touches training processes because staff turnover is high and training directly affects service quality. If you manufacture products, you cannot skip supplier evaluation because compliance costs are lower that way. The standard requires systematic coverage, not selective auditing.

Coverage also extends to outsourced processes. If you have contracted out your design engineering, your internal audit scope must still encompass the effectiveness of supplier management and the controls you maintain over that outsourced function. You are not auditing the supplier's processes in detail; you are auditing whether you have adequately specified requirements and monitored performance. This distinction is vital.

Many organisations struggle with outsourced processes because they confuse second party auditing (which you may perform directly at a supplier's premises) with the internal audit of your own supplier management controls. Both may occur, but they serve different purposes. Your internal audit of Clause 8.4 (outsourced processes) is about whether your organisation has defined requirements, gathered information to monitor performance, and ensured continued conformity. That is something you audit internally, regardless of whether you also conduct supplier audits.

The Audit Criteria and Methodology

Clause 9.2.2 addresses audit criteria and methodology. The organisation must define audit criteria, which are the benchmarks against which you measure conformity. For ISO 9001, your primary criterion is always the standard itself. But you may also establish internal criteria based on your policies, procedures, work instructions, and legal requirements applicable to your business.

Methodology refers to the approach you take. The standard does not prescribe one. You might use questionnaires for low risk areas and detailed process walkthroughs for high risk zones. You might conduct interviews, observe work in progress, review records, or request samples. The methodology must be appropriate to the audit's objectives and the process being examined. An audit of your document control process will look very different from an audit of your sales order handling or your complaint management system.

One common weakness in internal audit programmes is the failure to adapt methodology to reality. An auditor armed only with a checklist can miss the real issues. Someone auditing a production line needs to watch the line operate, speak with operators, and observe how they handle non-standard situations. Someone auditing procurement needs to review purchasing decisions, supplier performance data, and evidence that requirements were communicated. The methodology must fit the process; the process must not be forced into an inflexible methodology.

Audit criteria must also be documented and made available. This is not bureaucracy; it is transparency. When an auditor sits down with an auditee, both parties should understand what is being audited against. If you are auditing against the standard, say so. If you are also checking internal procedures, those should be clear. This prevents arguments later about whether something really was a nonconformity.

Auditor Independence and Competence

Clause 9.2.2 requires that internal audits are conducted by personnel who are impartial and objective. You cannot audit your own work. If you designed the process, wrote the procedure, or manage the area, you are not an appropriate auditor for that function. This independence requirement is not always easy to satisfy in smaller organisations, but it is non-negotiable. Independence preserves the integrity of the audit process and ensures that findings are based on evidence rather than politics or personal relationships.

Competence is equally important. Auditors must have the knowledge and skills to conduct audits effectively. This means understanding ISO 9001, understanding the processes they are auditing, and possessing audit skills. Many organisations appoint someone as "internal auditor" without any formal training. The results are predictably poor: audits that miss real issues, audits that waste time on trivia, audits that generate defensive responses rather than genuine improvement.

Formal training is the standard way to build auditor competence, and it is the most reliable pathway to becoming an ISO internal auditor. A proper internal auditor course teaches audit methodology, evidence gathering, interview techniques, and nonconformity identification. That training should be aligned with ISO 19011, the standard that establishes guidelines for auditing management systems. Your auditors do not need to be certified external auditors, but they do need genuine competence in auditing methodology and the standard itself.

Competence also means maintaining and updating knowledge. If an auditor trained five years ago has not updated their knowledge, they may not understand recent changes to the standard or emerging best practices. Some organisations require auditors to attend refresher training every two years or to maintain their knowledge through relevant professional development.

Planning and Reporting

Clause 9.2.1(a) requires that audit procedures specify the planning, scope, frequency, methodologies, and responsibilities associated with conducting internal audits. This means you have an audit programme, typically documented. The programme defines which processes will be audited, how often, and who will audit them. It considers the status and importance of processes; a newly implemented process might be audited more frequently than one that has operated stably for years.

The programme must be documented. Many auditors note that this need not be a formal document. A spreadsheet showing which processes are scheduled for audit in the next 12 months, who will audit them, and when, satisfies the requirement. However, the programme should be reviewed annually and updated to reflect changes in the organisation, previous audit results, and risk assessments.

Clause 9.2.1(b) requires that audit results and conclusions are reported to relevant management. This means auditors cannot conduct an audit, write a report, and file it away. Results must be communicated to the people responsible for the audited processes and, typically, to senior management. The purpose is to drive action and improvement, not to assign blame. An audit finding of nonconformity regarding uncontrolled handling of customer data is useless if management never learns about it.

Reports should be clear and specific. Vague findings like "documentation is incomplete" tell the auditee nothing actionable. A clear finding identifies the specific requirement, shows what was actually found (or not found), and explains the gap. For example: "ISO 9001 Clause 8.5.4 requires that changes to product be controlled. During the audit, we reviewed the change control process for the new product line launched in September. We found that of 23 engineering changes submitted for approval, 6 were implemented without documented approval signatures from the design engineer, manufacturing engineer, and quality manager. This represents a failure to follow the documented change control procedure."

The audit report should include any nonconformities identified, observations (matters that do not yet constitute nonconformities but warrant attention), and potentially recommendations. However, remember that the auditor identifies findings; management decides on corrective actions. An auditor can recommend that management investigate the root cause of inadequate change control and implement preventive measures, but the decision on what action to take rests with management.

Nonconformity Identification and Evidence

Internal audit has teeth only if auditors are prepared to identify nonconformities when evidence supports them. A nonconformity exists when a requirement of the standard or an organisation's own documented procedures is not being met. The key word is "evidence". An auditor cannot claim nonconformity based on suspicion, hearsay, or what they think should be happening. They need objective evidence: records that are missing, a procedure that is not being followed, an interview that reveals gaps, or observations of work being performed in a way that contradicts requirements.

Many internal audit programmes are weak because auditors are too tentative. They feel uncomfortable identifying nonconformities in their own organisation, particularly if the nonconformity implicates someone senior or someone who is generally well regarded. Professional audit practice requires setting that discomfort aside. If the evidence supports a finding, the auditor must report it. The organisation benefits from knowing where actual conformity gaps exist.

Conversely, auditors must not invent nonconformities to justify their audit programme or to appear thorough. Every finding must rest on documented evidence. If you cannot point to a specific requirement and show that it is not being met, you do not have a nonconformity. You might have an observation: "The monthly management review agenda rarely includes review of customer feedback. While this is not a direct violation of Clause 9.3.1, it represents a missed opportunity to ensure that the QMS remains aligned with customer needs." That is a legitimate observation that invites management reflection, without overstating the case.

Frequency and Risk Based Auditing

The standard specifies no minimum audit frequency. Instead, it requires planned intervals. Determining appropriate frequency is a risk based decision. Processes that are complex, frequently changing, or critical to product or service quality warrant more frequent audit. Processes that are stable, straightforward, and lower risk can be audited less frequently.

Consider a manufacturing organisation with both a standard product line and a bespoke custom manufacturing division. The standard product line, running for five years without significant change, might justify a biennial audit. The custom manufacturing division, where every project is different and specifications are negotiated with customers, might justify an annual audit. The purchasing process, which is fundamental to the entire QMS and involves regular supplier changes, might also be audited annually. The calibration process for measurement equipment, assuming it is well controlled and stable, might be audited every two years.

Risk based frequency is defensible and efficient. It focuses audit resources on areas where they matter most. However, the risk assessment underlying frequency decisions must be documented. If an auditor or certifying body asks why design is audited annually but maintenance of facilities is audited every three years, you should have a clear answer based on process criticality, complexity, and historical conformity.

Some organisations use a rolling frequency approach. They divide their organisation into audit units or process groups and schedule them across a multiyear cycle such that coverage is systematic but not everything is audited every year. This approach works well provided the programme ensures comprehensive coverage over the cycle and adjusts frequency based on risk. A process with a history of nonconformities should move to more frequent auditing; a process with consistent conformity might drop to a longer cycle.
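The rolling, risk-based programme described in this section and the coverage requirement of Clause 9.2.1 discussed earlier can be made concrete with a small planner. The following Python script is an added example, not code from the article or from Audit Workshop. The scoring weights (criticality plus rate of change), the rule that any repeat finding moves a process to annual auditing, the three-year cycle and the sample process register are all my assumptions, constructed for illustration; the same Clause 9.2 structure appears in ISO 27001, so the approach carries over unchanged to an ISMS audit programme.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Process:
    """One QMS process in the audit register (constructed sample data)."""
    name: str
    criticality: int            # 1 (low) .. 3 (high): importance to product/service quality
    change_rate: int            # 1 (stable) .. 3 (changes frequently)
    repeat_findings: int        # nonconformities repeated from previous audits
    last_audited: Optional[int]  # calendar year, or None if never audited


def base_interval_years(p: Process) -> int:
    """Risk-based interval: annual for high-risk, up to three years for stable, low-risk processes.
    The thresholds are an assumption; document your own in the programme."""
    score = p.criticality + p.change_rate
    if score >= 5:
        return 1
    if score >= 3:
        return 2
    return 3


def audit_interval_years(p: Process) -> int:
    """A history of repeat nonconformities overrides the base interval and forces annual auditing."""
    if p.repeat_findings > 0:
        return 1
    return base_interval_years(p)


def build_programme(processes: List[Process], start_year: int,
                    cycle_years: int = 3) -> Dict[int, List[str]]:
    """Schedule each process across a rolling cycle according to its interval and last audit date."""
    schedule: Dict[int, List[str]] = {y: [] for y in range(start_year, start_year + cycle_years)}
    for p in processes:
        interval = audit_interval_years(p)
        # A never-audited process is due immediately; otherwise it is due interval years after its last audit.
        due = start_year if p.last_audited is None else max(start_year, p.last_audited + interval)
        year = due
        while year < start_year + cycle_years:
            schedule[year].append(p.name)
            year += interval
    return schedule


def coverage_gaps(processes: List[Process], schedule: Dict[int, List[str]]) -> List[str]:
    """Clause 9.2.1 check: every process must appear at least once in the cycle."""
    scheduled = {name for names in schedule.values() for name in names}
    return sorted(p.name for p in processes if p.name not in scheduled)


# Constructed sample register, loosely following the manufacturing example in the article.
SAMPLE_PROCESSES = [
    Process("Custom manufacturing", criticality=3, change_rate=3, repeat_findings=0, last_audited=2024),
    Process("Standard product line", criticality=2, change_rate=1, repeat_findings=0, last_audited=2024),
    Process("Purchasing", criticality=3, change_rate=2, repeat_findings=0, last_audited=2024),
    Process("Calibration", criticality=2, change_rate=1, repeat_findings=0, last_audited=2023),
    Process("Change control", criticality=2, change_rate=2, repeat_findings=1, last_audited=2024),
    Process("Facilities maintenance", criticality=1, change_rate=1, repeat_findings=0, last_audited=None),
]


if __name__ == "__main__":
    programme = build_programme(SAMPLE_PROCESSES, start_year=2025)
    for year, names in programme.items():
        print(year, ", ".join(names))
    gaps = coverage_gaps(SAMPLE_PROCESSES, programme)
    print("coverage gaps:", gaps or "none")
```

Running the planner with the constructed register schedules the custom manufacturing, purchasing and change control processes every year (the last because of its repeat finding, even though its risk score alone would justify a two-year interval), the standard product line once in 2026, calibration in 2025 and 2027, and facilities maintenance immediately because it has never been audited. The coverage check is the part worth keeping in a real programme: shorten the cycle to two years and a stable process audited late last year silently drops out of the plan, which is exactly the kind of gap a certification auditor will look for.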

Follow up on Audit Findings

The standard requires that management takes appropriate action on audit findings. This is where many organisations disconnect from the intent of internal auditing. An audit identifies a gap. Management must decide whether to accept the finding, dispute it, or implement corrective action. If a nonconformity is legitimate, waiting months to address it while continuing to operate out of conformity sends a message that compliance is not genuinely important.

The organisation should establish a process for managing audit findings. This might include a timeline for management response (for example, initial action plan within two weeks of receiving the audit report), a tracking system to monitor progress of corrective actions, and a verification mechanism to confirm that actions have actually been implemented and are effective. Managing corrective actions after an ISO audit is a discipline that requires commitment from management.

Auditors should not drive corrective actions themselves. Their role is to identify findings and gather evidence. Management decides on responses. However, auditors can follow up on previously identified nonconformities to verify whether corrective actions have been implemented. If a previous audit found that change control procedures were not being followed and management committed to retraining, the next audit should verify that retraining occurred and that changes are now being properly controlled. If they are not, this becomes a repeat finding, which is a serious issue that should escalate.

Integration With Management Review

Clause 9.2.2(b) requires that audit results are reported to relevant management. Clause 9.3 (management review) requires management to determine the need for actions in response to audit results. This is the connection between audit and governance. Internal audit is not a separate, parallel activity. It feeds directly into the management review process where senior leadership considers the overall effectiveness of the QMS.

A robust organisation brings internal audit results into the management review meeting. The QMS owner or audit coordinator presents findings, and management discusses implications. Are nonconformities isolated or systemic? Do they suggest deeper problems with training, procedure design, or resource allocation? Are there patterns? Has the frequency of particular types of nonconformities increased or decreased? This discussion shapes management decisions about whether the system is effective and what improvements are needed.

Organisations that treat audit results as a compliance formality miss this strategic value. Those that genuinely use internal audit findings to inform management decisions strengthen their QMS continuously.

Documentation and Records

The audit programme itself must be documented. This does not require volumes of paper. A simple, maintained schedule showing planned audits, auditors assigned, and areas covered is sufficient. Audit reports and records of findings must be maintained. These records demonstrate that audits were actually conducted and provide evidence of the organisation's actual conformity to Clause 9.2.

During a certification audit, the auditor will ask to see the audit programme and review completed audit reports. They will verify that audits actually occurred, that they covered what the programme said they would cover, and that findings were reported. If audit records are sparse or sketchy, it suggests that auditing is not taken seriously or that it is being done superficially. Good audit records demonstrate competence and commitment.

Records should include the audit plan (what was to be audited and why), evidence of the audit (notes from interviews, records reviewed, observations documented), and the final audit report with findings. Some organisations also maintain an action register tracking corrective actions arising from audits.

Links to ISO 19011

While not directly cited in ISO 9001 Clause 9.2, ISO 19011 provides guidelines for auditing management systems. It addresses auditor competence, audit planning, conducting audits, reporting, and follow up. Many organisations use ISO 19011 as a framework for developing their internal audit programme and training auditors. The guidelines reinforce the importance of auditor independence, the need for impartial examination of evidence, and the value of audit as a tool for continuous improvement rather than a compliance checkbox.

If your organisation is serious about internal auditing, alignment with ISO 19011 principles strengthens your programme. Planning an internal audit programme with a structured approach informed by ISO 19011 yields audits that are more focused and more effective at identifying real issues.

Common Gaps in Internal Audit Programmes

Many organisations fail to fully meet Clause 9.2 not because they do not understand the requirement but because they cut corners. Common gaps include:

  • Auditing only areas where problems have occurred, rather than systematically covering all processes
  • Appointing auditors without training in audit methodology or ISO 9001
  • Conducting audits without a documented programme, making them irregular and incomplete
  • Identifying few or no nonconformities, suggesting that audits are superficial or conducted by people with vested interests in not finding problems
  • Failing to report findings to relevant management or senior leadership
  • Not following up on corrective actions to verify that issues have actually been resolved
  • Allowing audits to become merely verification that procedures exist, rather than auditing whether they are actually being followed

Strong internal audit programmes demonstrate that all these elements are in place: a documented, risk based schedule; trained, independent auditors; systematic coverage of processes; rigorous evidence gathering; clear reporting; and active management follow up.

The Relationship to Certification Audits

External auditors conducting surveillance or certification audits always examine the internal audit programme. Internal audits and certification audits serve different purposes, but they are connected. If your internal audit programme is strong, it provides evidence of effective control and gives external auditors confidence that the QMS is actively managed. If your internal audit programme is weak, external auditors may question how management can be confident that the system is actually conforming and effective.

Some organisations wait until a few months before certification to conduct their first internal audit. This is backward. Internal audits should be running continuously as part of normal QMS operation. By the time a certification auditor arrives, your organisation should have multiple completed audit cycles demonstrating consistent monitoring and control of the system.

Audit Workshop offers accredited ISO Internal Auditor training that covers internal audit planning, execution, and reporting in depth. Our courses are recognised by Exemplar Global and designed for working professionals who need practical skills they can apply immediately.

Frequently Asked Questions

The standard specifies no fixed minimum frequency. Audits must be conducted at "planned intervals," and frequency must be justified based on the importance and risk associated with each process. A high risk, rapidly changing process might be audited annually or even more frequently. A stable, low risk process might be audited every two or three years. The key is that you have a documented audit programme that explains your frequency decisions and demonstrates systematic coverage of all QMS processes.
