Is an audit plan the same as an audit programme under ISO 9001?

No, they are different documents. An audit programme covers the full schedule of audits planned over a period, typically a year, including which processes will be audited, when, and by whom. An audit plan is specific to a single audit event and details the objectives, scope, criteria, schedule, and auditor assignments for that particular audit. Both are required to demonstrate that your internal audit process is planned and managed.

Does ISO 9001 specify what format an audit plan must take?

No. ISO 9001 clause 9.2 requires that internal audits be planned but does not prescribe a specific format for the audit plan. A simple structured document covering objectives, scope, criteria, date, duration, auditor assignment, and the sequence of activities is entirely sufficient. What matters is that the plan is documented, shared with relevant parties in advance, and retained as evidence of the audit programme.

How far in advance should an audit plan be issued to auditees?

In most organisations, issuing the audit plan one to two weeks before the audit date is appropriate. This gives auditees enough time to confirm the availability of relevant personnel, prepare records that will be requested, and raise any scheduling conflicts. For larger or more complex audits, two to three weeks notice is more practical. Issuing the plan on the morning of the audit is not good practice and undermines the purpose of planning.

Can the audit plan change once the audit has started?

Yes. An audit plan is a guide, not a rigid script. If the auditor discovers something during the audit that warrants deeper investigation, it is entirely appropriate to adjust the sequence or allocate more time to that area. What you should not do is abandon the scope entirely without a legitimate reason. Any significant changes to the plan should be noted in the audit records and communicated to the auditee and the audit client.

What should I do if the auditee is unavailable on the planned audit date?

Reschedule the audit rather than proceeding without the relevant personnel. An audit conducted without the process owner present will produce incomplete evidence and may miss important context. To avoid this situation, confirm auditee availability when you issue the plan and ask for confirmation in writing. If repeated unavailability becomes a pattern, this is itself worth noting in your audit programme review as it may indicate a management commitment issue.

How does risk-based thinking affect what goes into an audit plan?

Risk-based thinking should influence both which processes you include in the scope and how much time you allocate to each one. Processes with a history of nonconformities, those that have recently changed, or those that have a significant impact on product quality or customer satisfaction should receive more audit time and more rigorous sampling. Processes that have consistently demonstrated conformity can receive proportionally less attention. This approach is consistent with the requirements of ISO 9001 clause 9.2, which specifically requires that the audit programme take into account the importance of processes and the results of previous audits.

ISO 9001 Internal Audit Plan With a Worked Example

An ISO 9001 internal audit plan is the document that turns your annual audit programme into a concrete schedule of activities for a single audit event. Without it, auditors arrive unprepared, auditees do not know what to expect, and the audit drifts. With a well-constructed plan, the same time on site produces far more useful evidence. This article walks through every element of a practical audit plan, then shows you exactly what one looks like for a real-world manufacturing business.

On this page

What an Audit Plan Actually Is

Before going further, it helps to be clear about terminology. Many people use the terms audit programme and audit plan interchangeably, but they are two different things.

Your audit programme covers the full year. It lists every audit you intend to run, which processes or clauses each one will cover, who will conduct them, and roughly when. If you want guidance on building that bigger picture, the article on how to plan an ISO 9001 internal audit schedule for the year covers that in detail.

Your audit plan is specific to one audit event. It says: on this date, in this area, these processes will be audited, by this person, using these criteria, in this sequence. It is the working document the auditor carries into the audit.

ISO 9001 clause 9.2 requires that internal audits be planned, established, implemented and maintained. The audit plan is how you demonstrate that planning has happened.

Build your ISO auditing skills

Self-paced ISO courses built for practitioners. Foundation, Internal Auditor and Lead Auditor levels.

Browse courses

What ISO 9001 Clause 9.2 Requires

Clause 9.2 does not prescribe a specific format for your audit plan. What it does require is that your audit programme takes into account the importance of the processes concerned, changes affecting the organisation, and the results of previous audits. Your plan needs to reflect those considerations.

In practice, this means your plan should not be a generic template you recycle unchanged each year. If a process had a nonconformity raised against it last cycle, that should influence how much time you allocate to it this time. If the organisation recently changed its subcontracting arrangements, that warrants closer attention in the plan.

The standard also requires that auditors be objective and impartial, meaning the plan should assign auditors who have no responsibility for the area being audited. That is a planning decision, not just a policy statement.

The Key Elements of an ISO 9001 Audit Plan

A practical audit plan for an ISO 9001 internal audit should contain the following elements. You do not need a complex form. A simple structured document covering these points is entirely sufficient.

Audit Objectives

What is this audit trying to determine? Common objectives include verifying conformity with clause requirements, checking that the QMS is effectively implemented, and identifying opportunities for improvement. Be specific. Verify that the customer complaint handling process conforms to clause 8.2.1 and is operating effectively is a useful objective. Check the QMS is not.

Audit Scope

Which processes, locations, departments, and time periods are included? The scope sets the boundary. If you are auditing the production process, say so explicitly, and note whether this includes goods inwards inspection, in-process checks, and final release, or whether those are separate audit events.

Audit Criteria

What will you measure conformity against? For an ISO 9001 internal audit, criteria typically include the relevant clauses of ISO 9001:2015, the organisation's own quality management system documentation, and any applicable legal or contractual requirements. List the specific clauses relevant to the scope.

Audit Date and Duration

When will the audit take place and how long will it take? Include the date, start time, and expected finish time. If the audit spans more than one session, list each session. Realistic time allocation is one of the most common failures in internal audit planning. Rushing through a process audit in 45 minutes produces superficial findings.

Auditor Assignment

Who will conduct the audit? Confirm they are not responsible for the area being audited. If you are using a team, note who is leading and who is supporting.

Auditee Contacts

Who in the area being audited will be available? This is the person who will accompany the auditor, answer questions, and retrieve documents. Confirming this in advance prevents the audit from stalling because no one is available to assist.

Sequence of Activities

What is the order of the audit? An opening meeting, followed by which process areas in which order, followed by a closing meeting. Setting this out in advance helps both the auditor and the auditee manage the day.

Documents to Review in Advance

What documented information should the auditor review before arriving on site? Procedures, work instructions, the previous audit report, corrective action records, and any relevant quality records are typical starting points.

How to Allocate Time Realistically

One of the most practical skills in audit planning is time allocation. Many internal auditors underestimate how long it takes to gather meaningful evidence. A useful rule of thumb is to plan for roughly one hour per major process area, plus time for document review, the opening meeting, travel between locations, and the closing meeting.

For a full-day internal audit of a small to medium organisation, a realistic breakdown might look like this:

Opening meeting: 20 to 30 minutes
Document review: 30 to 45 minutes
Process area 1: 60 to 75 minutes
Process area 2: 60 to 75 minutes
Process area 3: 45 to 60 minutes
Auditor working time to consolidate findings: 30 to 45 minutes
Closing meeting: 20 to 30 minutes

That adds up to roughly six hours of structured activity, which is a realistic full-day internal audit. If you try to squeeze in five or six process areas in the same timeframe, you will end up skimming the surface of each one.

Risk-Based Thinking in Audit Planning

ISO 9001 expects risk-based thinking to inform how you plan and prioritise audits. This applies directly to your audit plan. Processes that carry higher risk to product quality or customer satisfaction, or that have had previous nonconformities, should receive more audit time and more rigorous sampling.

In practice, this means reviewing the results of your previous audit before finalising the plan. If the previous audit found a minor nonconformity in the purchasing process, allocate extra time to purchasing this cycle. If customer satisfaction scores have declined, make sure the customer-related processes are audited thoroughly.

Risk-based planning also means you do not need to give equal time to every process every cycle. A process that has consistently demonstrated conformity and strong performance can receive a lighter audit. One that has been problematic warrants deeper attention.

Worked Example: Internal Audit Plan for a Manufacturing Business

The following worked example is based on a fictional but representative scenario: a small Australian manufacturer of industrial components, certified to ISO 9001:2015, with around 35 employees. The business operates from a single site with production, quality, purchasing, and administration functions.

The audit programme for the year schedules four internal audits, each covering different process areas. This plan covers the second audit of the year, focusing on production and product release.

INTERNAL AUDIT PLAN

Organisation: Precision Components Pty Ltd

Audit Reference: IA-2025-02

Date of Audit: 14 August 2025

Audit Duration: 8:30 AM to 3:30 PM

Audit Objectives:

Verify that the production process conforms to the requirements of ISO 9001:2015 clauses 8.1, 8.5, 8.6, and 8.7.
Verify that documented information required by the QMS is being maintained and retained in accordance with clause 7.5.
Confirm that corrective actions from audit IA-2025-01 relating to nonconforming output handling have been effectively implemented.

Audit Scope: Production process including job setup, in-process inspection, nonconforming output control, and product release. Covers production activities conducted at the main facility during the period January 2025 to August 2025.

Audit Criteria:

ISO 9001:2015, clauses 7.5, 8.1, 8.5, 8.6, and 8.7
Precision Components QMS Procedure QP-08: Production Control
Precision Components QMS Procedure QP-09: Control of Nonconforming Outputs
Customer contract requirements where applicable

Lead Auditor: Sarah Nguyen (Quality Systems Coordinator)

Auditor Independence Confirmed: Sarah has no direct responsibility for production operations.

Auditee Contact: Marcus Webb, Production Manager

Documents to Review Prior to Audit:

QP-08 Production Control (current version)
QP-09 Control of Nonconforming Outputs (current version)
Audit report IA-2025-01 and associated corrective action records
Production job cards and travellers from the past three months (sample)
Nonconforming output register from January to August 2025
Final inspection and release records from the past three months

Audit Schedule:

8:30 AM: Opening meeting. Attendees: Lead Auditor, Production Manager, Quality Manager. Purpose: confirm scope and objectives, explain the audit process, confirm availability of personnel and records.
9:00 AM: Document review. Review QP-08 and QP-09 for currency and completeness. Review previous corrective action evidence.
9:45 AM: Production floor walkthrough with Production Manager. Observe job setup activities, review current job travellers, interview machine operators on awareness of quality requirements and nonconformance reporting.
11:00 AM: In-process inspection and product release review. Sample five completed job packs from the past three months. Verify in-process inspection records are complete, approvals are recorded, and product has been released by an authorised person.
12:00 PM: Lunch break.
12:45 PM: Nonconforming output review. Review the nonconforming output register. Select three nonconformance records and trace through to disposition, containment, and corrective action where applicable. Verify quarantine process is being followed.
1:45 PM: Follow-up on previous corrective actions. Review evidence provided for closure of IA-2025-01 findings. Interview relevant personnel to confirm the corrective action has been embedded in practice, not just documented.
2:30 PM: Auditor working time. Consolidate notes, classify findings, prepare for closing meeting.
3:00 PM: Closing meeting. Present findings, confirm any nonconformities and observations, agree on timeframes for corrective action responses.

Confidentiality: All audit findings are confidential and will be reported only to the Quality Manager and relevant management.

Audit Plan Issued: 31 July 2025

Audit Plan Approved By: James Tran, Quality Manager

This plan is one page. It does not need to be longer. Every element serves a purpose. The objectives tell the auditor what they are trying to find out. The scope sets the boundary. The schedule prevents the audit from running over time or missing critical areas. The document list means the auditor arrives prepared rather than asking for things on the day.

Common Mistakes in Internal Audit Planning

Having reviewed and conducted hundreds of internal audits, the same planning failures come up repeatedly. Here are the ones worth avoiding.

Objectives That Are Too Vague

Writing check conformity with ISO 9001 as your only objective gives the auditor no direction. Specific objectives produce focused audits and more useful findings.

Scope That Is Too Wide for the Time Available

Trying to audit the entire QMS in a single day is a common mistake in smaller organisations. It results in superficial coverage of every area rather than meaningful evidence from any of them. Break the scope into manageable segments across multiple audit events.

Forgetting to Confirm Auditee Availability

Turning up to audit a process and finding that the responsible person is on leave or in a customer meeting wastes everyone's time. Confirm availability when you issue the plan, not on the morning of the audit.

No Link to Previous Audit Results

A plan that ignores what was found last time misses one of the most valuable inputs available. Always review the previous audit report and corrective action status before finalising your plan.

Treating the Plan as a Checklist

The audit plan sets the structure. It is not a substitute for an audit checklist, and it is not a script to be followed rigidly. If something unexpected comes up during the audit, the auditor should follow the evidence, even if that means adjusting the sequence. The plan is a guide, not a constraint. For more on this, the article on how to use an audit checklist without becoming checklist dependent is worth reading alongside this one.

Communicating the Plan to Auditees

The audit plan should be shared with auditees in advance, typically one to two weeks before the audit. This gives them time to confirm availability, prepare relevant records, and ensure the right people will be present. It also reduces the anxiety that many auditees feel when they know an audit is coming but do not know what to expect.

Sharing the plan is not about giving people time to hide problems. It is about making the audit more efficient. When auditees know what processes will be examined and what records will be requested, they can have those records ready. The auditor spends less time waiting and more time auditing.

If you want to understand more about what the audit will actually cover once the plan is in motion, the article on what does an internal audit actually cover provides a clear overview of the typical scope of an ISO 9001 internal audit.

After the Audit: Keeping the Plan as a Record

Once the audit is complete, the audit plan becomes part of the documented information for that audit event. ISO 9001 clause 9.2 requires that you retain documented information as evidence of the audit programme and the audit results. Your plan, checklist, notes, and report together form that evidence.

Store the plan alongside the audit report and any corrective action records. When the next audit cycle comes around, reviewing the previous plan is one of the best ways to ensure continuity and to identify whether the scope needs to be adjusted based on what was found.

Building the Skill Through Training

Writing an effective audit plan is a skill that develops with practice, but it develops much faster when you have been taught the underlying principles properly. Many internal auditors produce plans that technically tick the boxes but do not actually direct the audit toward meaningful findings. The difference usually comes down to understanding how to connect objectives, scope, criteria, and time allocation into a coherent audit strategy.

If you are new to internal auditing or want to sharpen your planning skills, the how to become an ISO internal auditor guide covers the full pathway from training through to conducting your first audit. For those ready to move beyond internal auditing, Audit Workshop's ISO 9001 Lead Auditor course covers audit planning in depth from the perspective of someone leading a full certification audit team, including multi-process and multi-site planning scenarios drawn from real audit practice.