Exemplar Global certified courses from USD 99. Save while it lasts. Enrol today.
ISO Standards

ISO 9001 Clause 9.2 Explained: Internal Audit Requirements

AW

Team @ Audit Workshop

ISO Standards16 min read
ISO 9001 Clause 9.2 Explained: Internal Audit Requirements

ISO 9001 Clause 9.2 sets out one of the most frequently misunderstood requirements in quality management systems: internal audit. Many organisations treat internal audits as a compliance checkbox to satisfy their certification body, rather than a genuine tool for identifying system improvement opportunities. This approach misses the entire point. Clause 9.2 requires internal audits to be conducted at planned intervals to provide information on whether the quality management system conforms to ISO 9001 requirements and whether it is effectively implemented and maintained. When executed properly, internal audits become one of the most valuable drivers of continuous improvement within an organisation.

What Clause 9.2 Actually Requires

Clause 9.2 contains two sub clauses that spell out the mandatory elements of any internal audit programme. The standard requires the organisation to conduct internal audits at planned intervals to provide information on conformity and effective implementation. It also requires planning, establishment, implementation, and maintenance of an internal audit programme. This is not optional or advisory. The word "shall" in the standard makes these requirements absolute.

The substance of the clause sits in several key areas. First, the organisation must determine the audit criteria and scope. This means you cannot simply audit randomly or based on who causes the most complaints. The audit criteria should reference the ISO 9001 requirements themselves, but also your own quality management system documentation, customer requirements, and relevant legal or regulatory obligations. The scope defines which processes, locations, or functions will be audited in a given period.

Second, the organisation must select auditors in a way that ensures objectivity and impartiality. This does not necessarily mean hiring external auditors. Internal staff can and do conduct internal audits. However, the auditor must not audit their own work or department. A person cannot audit the effectiveness of a process for which they are directly responsible. This is a fundamental principle of audit independence.

Third, audit procedures must be defined. These procedures should address how audits are conducted, how audit planning occurs, how evidence is gathered, how findings are documented, and how audit reports are prepared and communicated. Many organisations establish these in an internal audit procedure document or quality manual section.

Fourth, the organisation must ensure that audit results are reported to relevant management and that corrective actions are taken for any nonconformities or deficiencies identified. This closes the loop between audit findings and organisational response. If audits identify issues that are then ignored, the internal audit programme becomes performative rather than functional.

Become a certified ISO auditor
Globally recognised auditor training — Foundation, Internal Auditor and Lead Auditor — self-paced online with a shareable certificate.
Explore Courses
Exemplar Global Recognised Training ProviderRecognised Training ProviderRTP No. 310970

Audit Planning and Frequency

The standard does not prescribe a specific audit frequency. There is no requirement to audit quarterly, annually, or on any fixed schedule. Instead, Clause 9.2 requires audits at "planned intervals." This means your organisation must make a deliberate decision about frequency based on risk, criticality, and the maturity of your system. An organisation with a new quality management system might conduct more frequent audits initially. An established system with strong performance might audit less frequently, provided that all significant processes receive audit coverage across a defined period.

Many Australian organisations interpret "planned intervals" as meaning a rolling annual audit programme where all critical processes are audited at least once per year. This is a sensible approach and aligns with certification body expectations. However, you might audit high risk or critical processes more frequently (such as quarterly or six monthly) while less critical administrative functions might be audited every 18 months.

The audit plan must be documented. This is not just for ISO 9001 compliance; it is essential for actually running an effective audit programme. The plan should identify which processes or departments will be audited, in what sequence, when the audits will occur, and who will conduct them. Many organisations prepare an annual internal audit schedule that is approved by management at the start of the year. This schedule becomes a commitment and ensures that nothing falls through the cracks due to changing priorities or competing demands on auditor time.

When developing your audit plan, consider process risk and criticality. Processes that directly affect product or service quality, customer satisfaction, or safety should be audited regularly. Processes that support quality management (such as document control or records management) should also be included. Administrative or low risk processes can be audited less frequently but must still be included in the programme across time.

One practical approach is to map your organisation's key processes using a process model (sometimes called a process flow diagram or process architecture). Then assign each process a risk rating based on its impact on product or service quality, customer satisfaction, and business continuity. High risk processes should be audited annually or more frequently. Medium risk processes might be audited every 18 months. Low risk processes could be audited once every two years, provided you have a systematic approach to ensuring all processes receive coverage.

Selecting and Training Internal Auditors

The requirement for auditor objectivity and impartiality is non negotiable. You cannot have someone audit their own work. However, you also cannot expect someone with no training to conduct an effective audit. Clause 9.2 does not explicitly require internal auditors to hold formal qualifications, but the certification body and ISO 19011 (the guidance standard on auditing) both indicate that auditors should be competent.

Competence includes knowledge of ISO 9001 requirements, audit principles and techniques, and the specific processes being audited. It also includes interpersonal skills such as the ability to ask probing questions, listen actively, and remain objective when faced with defensive responses from auditees.

Many organisations send staff to ISO Internal Auditor training to build capability. A formal training course typically covers the standard itself, audit planning, audit techniques, evidence gathering, findings reporting, and professional conduct. This investment pays dividends because trained auditors are more thorough, more consistent, and more credible when they identify issues.

If you do not have internal staff available or qualified to conduct audits, Clause 9.2 does allow you to use external auditors. Some organisations use a combination of both: internal auditors for routine audits supplemented by external auditors for specialist areas or high risk processes. If you choose to contract external auditors, ensure they have relevant experience and appropriate qualifications, and brief them thoroughly on your organisation's specific context and operations.

Once auditors are trained, maintain their competence. This does not mean sending them for retraining every year, but it does mean keeping them updated on any changes to the standard, your quality system, or your organisation's operations. Assign experienced auditors to mentor newer auditors. Review audit reports for quality and consistency. If you notice that one auditor consistently misses significant issues while another identifies valuable improvements, provide coaching and feedback.

Defining Audit Scope and Criteria

The audit scope answers the question: what will this audit cover? The scope might be defined by location (the Melbourne facility), by process (the design and development process), by department (the manufacturing team), or by system element (management responsibility and customer focus). A well defined scope keeps the audit focused and manageable.

Audit criteria answer the question: against what standard or requirement will we judge performance? For ISO 9001 audits, the primary criteria are the ISO 9001 requirements themselves. However, your audit criteria should also include your own documented procedures and work instructions, customer specifications and contractual requirements, applicable legislation and regulations, and any industry standards or best practices that apply to your organisation.

When defining audit criteria, be specific. Rather than simply stating "ISO 9001 Clause 8.5" (control of production and service provision), break it down further. For example: "The organisation has identified and documented the controls required for production, including work instructions, inspection requirements, and acceptance criteria. Work is performed in accordance with documented requirements. Nonconforming product is identified and controlled."

This level of specificity gives the auditor clear guidance on what to look for. It also makes it easier to gather evidence because the auditor knows exactly what conformity looks like. Vague criteria lead to inconsistent audits where different auditors assess the same process and reach different conclusions.

Conducting the Audit

The actual audit execution should follow a structured approach. This typically includes an opening meeting with the auditee to explain the audit purpose, scope, and process; interviews with key staff; observation of processes and operations; review of documents and records; and a closing meeting to discuss preliminary findings.

During interviews, the auditor should ask open ended questions that invite the auditee to explain how processes work and demonstrate compliance. Rather than asking "Do you have a procedure for this?" ask "Walk me through how you handle this situation from start to finish." The second approach is more likely to surface gaps or deviations.

Evidence is the foundation of any audit finding. Before concluding that something is nonconforming, the auditor must have objective evidence that supports this conclusion. Evidence might include documents (procedures, work instructions, quality manuals), records (audit trails, inspection reports, corrective action logs), observations of actual work being performed, or interviews with staff. Never rely on assumption or inference alone.

Gathering audit evidence that stands up to scrutiny requires asking probing questions to understand the current state, requesting specific documents to review, observing processes in action, and testing compliance by reviewing actual records and outputs. A common audit mistake is accepting an auditee's verbal assurance that something is being done correctly without requesting evidence to verify this claim.

During the audit, distinguish between observations and findings. An observation might be something you notice that does not indicate nonconformity but warrants attention or could indicate a potential future issue. A finding is a statement of fact based on objective evidence indicating either nonconformity with requirements or absence of evidence that a requirement is being met. This distinction matters because findings drive corrective action while observations might lead to preventive improvements.

Documenting Findings and Managing Follow Up

Once the audit concludes, findings must be documented in a report that is clear, factual, and actionable. Each nonconformity should be described with reference to the specific requirement that is not being met, the evidence that supports the finding, and the specific impact or risk that the nonconformity creates.

Rather than simply stating "procedure not being followed," explain what the procedure requires, what you observed or found in the records, how this differs from the requirement, and why this matters. For example: "The documented procedure for incoming material inspection requires 100 percent visual inspection of all materials. Review of inspection records for July and August shows that visual inspection was performed for only 67 percent of received materials. This increases the risk of nonconforming material entering production."

Writing nonconformance reports that actually drive change requires focusing on the root cause and the system impact, not just the immediate symptom. An auditor who simply documents "procedure not followed" leaves the organisation guessing about how to fix it. An auditor who explores why the procedure was not followed and what system weakness enabled this non compliance provides the information needed for genuine correction.

The audit report should be distributed to relevant management (typically the area manager and the quality manager or management representative) with a clear expectation that nonconformities will be addressed through corrective action. This is where many internal audit programmes break down. The audit is completed, the report is filed, but nothing happens next. For the audit to drive real improvement, there must be a documented corrective action process with timelines, responsible parties, and follow up to verify that corrections have been implemented and are effective.

Some organisations establish a log of all audit findings and corrective actions, reviewed monthly in management meetings, to ensure that nothing slips through the cracks. Others assign the quality manager responsibility for tracking and reporting on corrective action status. Whatever your approach, make it systematic and visible to management.

Audit Independence and Impartiality

The principle of auditor independence cannot be overstated. An auditor must be independent from the area being audited. This means someone cannot audit their own department, their own manager, or work that is directly under their responsibility. Independence allows the auditor to report findings objectively without concern for personal relationships or implications for their own performance.

Impartiality means approaching the audit with no preconceived conclusions. An auditor should not walk into an audit department with the assumption that they will find problems because previous audits found problems. Nor should they assume everything is fine because the department has always performed well. Each audit should be approached with a genuine inquiry into whether the organisation is conforming to requirements and effectively implementing its system.

In practice, this means selecting auditors from different departments or areas. If your organisation is small and you have limited staff, you might need to bring in an external auditor for sensitive areas, use personnel from head office to audit satellite locations, or rotate auditor assignments so that no one consistently audits the same area.

Confidentiality is also part of professional audit conduct. Information gathered during an audit should not be used for performance management of individuals or become office gossip. The audit is about system performance and conformity, not about whether a particular person made a mistake. This distinction helps maintain trust in the internal audit process and encourages staff to be candid during interviews.

Audit Programme Documentation

Clause 9.2 requires that the organisation maintain documented information about the internal audit programme. At minimum, this should include the audit procedure, the annual audit schedule or plan, audit checklists or criteria, audit reports, and records of corrective actions taken in response to findings. This documentation serves multiple purposes: it ensures consistency across audits, it provides evidence to the certification body that audits are being conducted, and it creates an audit trail that management can review to monitor system performance over time.

Some organisations develop an internal audit manual that covers the entire programme: who can conduct audits, what training they require, how audits are planned and scheduled, what the audit procedure is, how findings are classified and reported, and how corrective actions are tracked. This manual becomes the reference document for anyone involved in the audit programme.

Audit reports should be retained. Many organisations keep audit reports for at least three years (the period of certification validity) to demonstrate to the certification body that they are conducting audits regularly and identifying and addressing issues. Some organisations maintain a log or summary of audit reports showing trends over time: how many nonconformities are typically found in each department, what categories of nonconformity are most common, whether nonconformities are decreasing over time as the system matures.

Planning an ISO 9001 internal audit schedule for the year ensures that your audit programme is comprehensive, balanced, and realistic. The schedule should be approved by management and communicated to department heads so that they can plan time with their teams for auditors to conduct interviews and observations.

Common Pitfalls and How to Avoid Them

One frequent mistake is treating internal audits as a substitute for management oversight. The purpose of internal audit is not to police compliance but to provide management with information about system performance and improvement opportunities. If management is already monitoring process performance through metrics, reports, and regular team meetings, the internal audit adds a structured, independent perspective that might identify issues not apparent through day to day monitoring.

Another common pitfall is conducting audits too superficially. Some organisations tick boxes on a checklist and declare the audit complete without genuinely investigating how the process works or whether it is effective. This approach satisfies the certification body but misses the entire value of internal audit. A superficial audit might miss a significant nonconformity that later causes a customer problem or a finding during the certification audit.

Timing is also important. Some organisations postpone audits when workloads are heavy, then try to conduct multiple audits in a compressed period when workload eases. This approach typically results in rushed, lower quality audits. Better to spread audits evenly across the year so that audit teams have adequate time to prepare, conduct interviews thoroughly, and document findings carefully.

Finally, many organisations conduct the audit, identify nonconformities, then fail to follow up. The corrective action is taken but no one verifies that the action actually addressed the root cause and was effective. This creates a cycle where the same nonconformity recurs in subsequent audits. Require auditors or the quality manager to conduct follow up reviews (sometimes called verification audits) within a set period (typically 60 to 90 days) to confirm that corrective actions are effective.

Integration with Other Quality Management System Requirements

Internal audit sits within a broader context of the quality management system. Audit findings feed into the management review process (Clause 9.3), where management considers the results of audits along with other performance data and decides on strategic improvements. Audit findings also inform the organisation's risk assessment and mitigation planning, because audits often identify areas where controls are weak or missing.

The corrective action process (Clause 10.3) is how the organisation responds to audit findings. When an audit identifies a nonconformity, this should trigger investigation into root cause and implementation of corrective action to prevent recurrence. This is not optional: Clause 10.3 specifically requires corrective action for nonconformities.

Competence requirements (Clause 7.2) apply to internal auditors as well as other personnel. The organisation must ensure that individuals performing audits are competent, which may require training, mentoring, or supervised auditing before someone conducts an audit independently.

Preparing for Certification Body Audits

During the certification audit, the external auditor will review your internal audit programme. They will ask to see the audit schedule and plan, review several completed audit reports, ask auditors about their approach and competence, and ask management how audit findings are used. If your internal audits are superficial or nonexistent, this will be immediately apparent and may result in a nonconformity finding from the certification body.

To prepare, ensure that your internal audit plan is current and realistic, that audits are actually being conducted on schedule, that reports are complete and evidence based, and that corrective actions are being tracked and followed up. If you have not conducted internal audits for some time or your programme is weak, conduct several strong internal audits before the certification audit to demonstrate that your system is functioning.

Audit Workshop offers accredited ISO training across ISO 9001, ISO 14001, and ISO 45001 at Foundation, Internal Auditor, and Lead Auditor levels. Our courses are Exemplar Global recognised and designed for professionals who want both standard knowledge and practical audit skills.

Frequently Asked Questions

No, Clause 9.2 does not explicitly mandate formal qualifications. The standard requires that auditors be competent and that they maintain objectivity and impartiality. However, ISO 19011 (the guidance standard on auditing) and certification bodies typically expect that auditors have been trained in audit principles and techniques. Many organisations send staff to formal Internal Auditor training to build this competence. In practice, having trained internal auditors demonstrates to the certification body that you take the audit programme seriously and that auditors understand what they are doing.
Start Learning

Ready to Build Real Audit Skills?

Join practitioners training with ISO auditors who've conducted 500+ external certification audits.

ISO 9001:2015 Lead Auditor Training Course
  • Lead Auditor
  • Self-Paced Online
  • Exemplar Global
  • USD 199USD 789
ISO 45001:2018 Lead Auditor Training Course
  • Lead Auditor
  • Self-Paced Online
  • Exemplar Global
  • USD 199USD 789
ISO 14001:2026 Lead Auditor Training Course
  • Lead Auditor
  • Self-Paced Online
  • Exemplar Global
  • USD 199USD 789
Exemplar Global Recognised Training Provider digital badge

Audit Workshop is an Exemplar Global Recognised Training Provider

Globally Recognised, Certified Training

Pass an Exemplar Global Certified course and you earn a Certificate of Attainment and an Exemplar Global digital badge. Audit Workshop graduates can apply for third-party Personnel Certification through Exemplar Global.

  • 12 months of Graduate certification
  • Access to Exemplar Global Community
  • Access to self-coaching assessment
  • Access to webinars, events, and online resources
Learn Anytime

No fixed schedule. Start, pause, and pick up exactly where you left off.

Instant Certificate

Download your digital certificate the moment you complete the course.

Practical Content

Every lesson is built from real-world ISO auditing experience.

Lifetime Access

Course materials are yours to keep and revisit long after you complete.