Running an ISO 9001 internal audit is one of the most practical things a quality manager or internal auditor will do all year. Done well, it gives your organisation a clear picture of how the quality management system is actually performing, not just how it looks on paper. Done poorly, it becomes a box-ticking exercise that satisfies the requirement on paper but adds no real value. This guide walks you through every stage of the process, from deciding what to audit through to closing out findings, with practical advice drawn from real audit experience.
Why ISO 9001 Requires Internal Audits
Before getting into the steps, it helps to understand what the standard actually expects. Clause 9.2 of ISO 9001 requires organisations to conduct internal audits at planned intervals to determine whether the quality management system conforms to the organisation's own requirements and to the requirements of the standard, and whether it is effectively implemented and maintained.
That phrase “effectively implemented and maintained” is the part many internal audits miss. It is not enough to confirm that a procedure exists. You need to verify that people are following it, that it is working as intended, and that it is producing the outcomes the organisation needs. That is the difference between a compliance check and a genuine audit.
Step 1: Plan Your Internal Audit Programme
An internal audit programme is the overarching plan that covers all the audits you intend to conduct across a defined period, usually a calendar year. It is not the same as an individual audit plan, which covers a single audit event.
Your programme needs to consider the status and importance of the processes being audited, the results of previous audits, and any changes that have occurred in the organisation. High-risk processes, areas with prior nonconformities, and recently changed procedures should all attract more frequent or more thorough audit attention.
What Goes Into the Programme
- Which processes and areas will be audited
- The frequency of each audit
- Who will conduct each audit
- The methods to be used
- Reporting requirements
If you are building this from scratch, the article on building an internal audit programme from scratch covers the foundations in detail. The key point here is that your programme should be risk-informed. Not every clause and every process needs the same level of attention every year.
Step 2: Define the Scope, Objectives and Criteria for Each Audit
Once you know which area or process you are auditing, you need to define three things before you start preparing.
Scope defines the boundaries of the audit. Which processes, locations, or functions are included? Which are excluded? Be specific. “Auditing the production department” is too vague. “Auditing the production planning and job setup processes against Clause 8.1 and the relevant work instructions” gives you something to work with.
Objectives define what you are trying to achieve. For most internal audits the objective is to determine whether the process conforms to requirements and is operating effectively. You might add a more specific focus, such as reviewing how nonconforming outputs are being managed following a run of customer complaints.
Criteria are the requirements you will audit against. For an ISO 9001 internal audit this typically includes the relevant clauses of ISO 9001:2015, your documented procedures and work instructions, and any applicable customer or regulatory requirements.
Step 3: Select and Brief Your Auditor
ISO 9001 is clear that auditors must not audit their own work. This is the independence requirement. A person who wrote the procedure should not be the one assessing whether it is being followed effectively. In small organisations this can be challenging, but it is non-negotiable.
Auditors need to be competent. That means having knowledge of the audit process, understanding of the relevant requirements, and the ability to gather and evaluate evidence objectively. Formal training through an ISO 9001 internal auditor course is the most reliable way to establish and demonstrate that competence.
Briefing the Auditor
Before the audit begins, make sure the auditor understands the scope, objectives, and criteria. Provide access to any relevant documented information, including previous audit reports for the area, any open corrective actions, and the process documentation they will be reviewing. The auditor should not be walking in cold on the day.
Step 4: Prepare the Audit Plan and Checklist
An individual audit plan sets out the logistics of the audit: who will be interviewed, what processes will be observed, what documents will be reviewed, and when each activity will take place. It does not need to be elaborate, but it needs to be communicated to the auditee in advance so they can prepare.
A checklist is a working tool, not a script. It should prompt the auditor to cover the key requirements without constraining them to a rigid sequence of questions. The best checklists are built around the process being audited, not just the clauses of the standard. Think about what could go wrong in this process, what evidence would demonstrate it is working, and what questions would help you find out.
A Note on Checklist Dependency
One of the most common weaknesses in internal audits is auditors who work through their checklist mechanically without following up on anything interesting they hear or see. If an auditee mentions something that does not quite add up, that is your cue to probe further, not to tick the box and move on. Your checklist should guide you, not constrain you.
Step 5: Conduct the Opening Meeting
The opening meeting sets the tone for the entire audit. Keep it brief and professional. Introduce yourself, confirm the scope and objectives, explain the process you will follow, and let the auditee know how findings will be communicated. Reassure them that the purpose is to evaluate the system, not to catch people out.
For an internal audit in a small organisation, the opening meeting might be a five-minute conversation. In a larger organisation auditing a significant process, it might involve a team leader and several process owners and take fifteen to twenty minutes. Either way, do not skip it. It establishes the professional framework for what follows.
Step 6: Gather Evidence
This is the core of the audit. You gather evidence through three main methods: interviewing people, reviewing documents and records, and observing processes and activities. Effective auditors use all three, and they triangulate what they find across each method.
Interviewing
Talk to the people who actually do the work. Ask open questions that require more than a yes or no answer. “Walk me through what happens when a customer order comes in” will tell you far more than “Do you follow the order management procedure?” Listen carefully to what is said and what is not said. Notice when someone hesitates or gives a vague answer, and follow up.
Document and Record Review
Look at the documented information that is supposed to support the process. Is the procedure current and approved? Are the records being completed correctly and in full? Are they being retained for the required period? Sample across different time periods and different staff members. Do not just look at the most recent or the most obvious records.
Observation
Where possible, watch the process in action. Does what you observe match what the procedure says should happen? Is the work environment consistent with the requirements? Are people using the right tools, materials, and methods? Observation often reveals gaps that neither interviews nor document review would surface.
Step 7: Evaluate Evidence and Identify Findings
As you gather evidence, you are continuously evaluating it against your audit criteria. When you find a gap between what you observe and what is required, you have a potential finding. Not every gap is a nonconformity. You need to classify your findings correctly.
Types of Findings
A nonconformity is a failure to meet a requirement. It needs to be clearly stated, with the specific requirement that has not been met and the objective evidence that supports the finding. Nonconformities can be major or minor depending on the severity and extent of the failure.
An observation or opportunity for improvement is something that is not technically a nonconformity but where improvement would be beneficial. These are valuable findings that add real value to the audit, but they should not be used as a way of softening a finding that is genuinely a nonconformity.
A positive finding is evidence of something working well. Internal auditors often neglect these, but noting them explicitly adds credibility to the audit and motivates the people being audited.
Step 8: Conduct the Closing Meeting
Before you leave the audit area, hold a closing meeting. Present your findings to the auditee and their manager. Be clear and factual. State each nonconformity with the specific requirement it relates to and the evidence you found. Avoid vague language. “There seem to be some issues with records” is not a finding. “Three of the five calibration records sampled did not include the calibration date, which is required by the calibration procedure version 2.1” is a finding.
Give the auditee the opportunity to ask questions or seek clarification. If they disagree with a finding, hear them out. If they provide new evidence that changes your assessment, adjust accordingly. If they simply do not like the finding, acknowledge their view and maintain your position if the evidence supports it.
Step 9: Write the Audit Report
The audit report is the formal output of the audit. It needs to be written promptly while the evidence is fresh, and it needs to be clear enough that someone who was not present can understand exactly what was found and why.
What the Report Should Include
- Audit scope, objectives, and criteria
- The date and location of the audit
- The names of the auditor and auditees
- A summary of the audit activities conducted
- All findings, including nonconformities, observations, and positive findings
- The audit conclusion: does the system conform to requirements and is it effectively implemented?
Write your nonconformities in a consistent format. State the requirement, state the evidence, and state the finding. Keep the language factual and objective. The report is not the place for opinions or recommendations about how to fix the problem. That is the responsibility of the auditee during corrective action.
Step 10: Follow Up on Corrective Actions
The audit is not complete when the report is issued. ISO 9001 Clause 9.2 requires that corrective actions are taken without undue delay. Your internal audit process needs to include a mechanism for following up on whether those actions have been completed and whether they have been effective.
This does not always mean a formal follow-up audit. For minor nonconformities, reviewing the evidence of correction and corrective action may be sufficient. For major nonconformities or systemic issues, a follow-up visit to verify effectiveness is often the more appropriate approach.
The most common failure in internal audit programmes is not the audit itself. It is the lack of follow-through. Findings that are raised but never properly closed out, or corrective actions that address the symptom without tackling the root cause, represent a significant lost opportunity. If you want your internal audits to drive genuine improvement, the follow-up stage is where that improvement actually happens.
Common Mistakes to Avoid
Across hundreds of external certification audits, the patterns of weakness in internal audit programmes are consistent. Here are the most frequent ones.
- Auditing to the calendar rather than to risk. Ticking off areas because they are due, rather than because they need attention, produces low-value audits.
- Accepting verbal assurances without evidence. “Yes, we do that” is not audit evidence. Ask to see the records.
- Writing vague nonconformities. A nonconformity that does not specify the requirement and the evidence cannot be properly addressed. It will either be closed out superficially or disputed.
- Skipping the root cause analysis. Corrective action that does not address root cause will not prevent recurrence. Push for a genuine analysis, not just a quick fix.
- Treating internal audits as a certification rehearsal. Internal audits exist to improve the system, not to prepare for the external auditor. When they are designed primarily to impress a certification body, they stop being useful.
Building Auditor Competence
The quality of your internal audit programme is directly proportional to the competence of your internal auditors. Sending someone through an ISO 9001 internal auditor course gives them the foundational knowledge and skills to plan, conduct, and report audits effectively. It also gives the organisation documented evidence of auditor competence, which certification bodies will look for.
If you are responsible for quality in your organisation and want to build a capable internal audit function, or if you are an individual looking to formalise your auditing skills, the path to becoming an ISO internal auditor is more accessible than many people realise. Formal training, combined with practical experience conducting audits, is the most direct route.
Audit Workshop delivers ISO 9001 internal auditor training in both live virtual and self-paced formats, designed for practitioners who need real skills, not just a certificate. The courses are built around how audits actually work, with practical exercises grounded in the kinds of situations you will encounter in your own organisation.