
What Does an Internal Audit Actually Cover?


Dilawar Laghari

Lead Auditor and Trainer. 14 min read.

Internal audits under ISO standards are often misunderstood. Many organisations treat them as compliance exercises, where an auditor ticks boxes and generates a report that sits in a filing cabinet. In reality, internal audits are a systematic examination of your management system's effectiveness, designed to identify gaps, drive improvement, and generate evidence that you are operating as documented. The scope of what an internal audit covers depends on your standard, your audit objectives, and how thoroughly you examine your processes. This article unpacks what internal audits actually address in practice and what auditors are genuinely looking for when they conduct one.

The Core Purpose of Internal Audits

Before examining what internal audits cover, it is important to understand their fundamental purpose. An internal audit is a first-party audit conducted by your own organisation to evaluate whether your management system conforms to the requirements of the standard you have implemented and whether it is being effectively implemented. This dual focus—conformance and effectiveness—is critical. A system can technically conform to the standard on paper whilst failing to work in practice. An effective internal audit identifies both types of issue.

The audit is also a control mechanism within your broader monitoring and evaluation framework. ISO 9001, ISO 14001, and ISO 45001 all require organisations to monitor and measure the performance of their systems. Internal audits are one of the key methods for doing this. They provide independent verification that processes are being followed, objectives are being achieved, and risks are being managed appropriately.

The requirement for internal audits is not merely bureaucratic. External certification auditors use internal audit reports and schedules to assess your organisation's commitment to the standard. They expect to see evidence of systematic auditing, corrective action follow up, and continuous improvement driven by audit findings. An organisation without a credible internal audit programme raises red flags during external audits.


Auditing the Management System Framework

Every ISO standard requires an organisation to establish a documented management system. An internal audit starts with evaluating whether the documented system—your policies, procedures, work instructions, and processes—actually aligns with the standard's requirements. This is the conformance element of the audit.

For example, under ISO 9001, an internal auditor will verify that your quality management system documentation addresses all mandatory clauses: context of the organisation, leadership, planning, support, operation, performance evaluation, and improvement. The auditor will check whether your documented policies actually reflect the requirements. If the standard requires you to establish procedures for managing changes to your product or service, your documentation must address this. An internal audit confirms it does.

This sounds straightforward, but many organisations stumble here. Their documentation is generic or incomplete. They have copied templates from online sources without tailoring them to their actual operations. An effective internal audit identifies these gaps early, before an external auditor finds them during a certification audit.

ISO 14001 audits follow the same logic but address environmental requirements. An internal auditor checks whether your documented environmental management system covers aspects and impacts identification, legal and other requirements, objectives and targets, operational planning, and emergency preparedness. ISO 45001 audits verify coverage of hazard identification and risk assessment, legal compliance, workers' participation, operational control, incident investigation, and contractor management.

Evaluating Actual Implementation Against Documentation

The second layer of an internal audit is far more revealing. It examines whether what is documented is actually being done. This is the effectiveness element and where internal audits uncover the real issues.

Consider a documented procedure for handling customer complaints. The procedure states that all complaints will be logged within one business day, assessed for root cause within five business days, and a response provided within ten days. An internal audit will request the complaint logs and examine actual complaints received over the past six months. The auditor will then verify whether the timeframes were met, whether root cause assessments were genuinely conducted, and whether responses addressed the actual causes. If the procedure states one thing but practice shows something different, that is a finding.
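The complaint-handling check described above can be run mechanically once the log is exported. The following is an added example, not code from the article or from Audit Workshop; the complaint records, the review date and the one, five and ten business-day limits it encodes are constructed to match the procedure in the paragraph, and business days are assumed to be Monday to Friday with no public holidays.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Limits taken from the documented procedure in the text: log within 1
# business day, assess root cause within 5, respond within 10.
LOG_LIMIT, ASSESS_LIMIT, RESPOND_LIMIT = 1, 5, 10


@dataclass
class Complaint:
    ref: str
    received: date
    logged: Optional[date]
    assessed: Optional[date]      # date the root-cause assessment was completed
    responded: Optional[date]
    root_cause: str               # recorded root cause, '' if nothing was written


def business_days_between(start: date, end: date) -> int:
    """Count Monday-to-Friday days after `start` up to and including `end`.
    Assumption: no public-holiday calendar is applied."""
    if end < start:
        raise ValueError("end precedes start")
    days, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days += 1
    return days


def audit_complaint(c: Complaint, as_of: date) -> list:
    """Return the findings for one complaint: each documented timeframe
    that was missed, plus an assessment recorded without a root cause."""
    findings = []

    def check(step: str, done: Optional[date], limit: int) -> None:
        if done is None:
            # Step still open: measure elapsed time up to the audit date.
            elapsed = business_days_between(c.received, as_of)
            if elapsed > limit:
                findings.append(f"{c.ref}: {step} still open after "
                                f"{elapsed} business days (limit {limit})")
        else:
            elapsed = business_days_between(c.received, done)
            if elapsed > limit:
                findings.append(f"{c.ref}: {step} took {elapsed} business "
                                f"days (limit {limit})")

    check("logging", c.logged, LOG_LIMIT)
    check("root-cause assessment", c.assessed, ASSESS_LIMIT)
    check("response", c.responded, RESPOND_LIMIT)
    # A dated assessment with an empty root cause is evidence the step was
    # ticked rather than genuinely performed.
    if c.assessed is not None and not c.root_cause.strip():
        findings.append(f"{c.ref}: assessment dated but no root cause recorded")
    return findings


def audit_log(complaints: list, as_of: date) -> dict:
    """Findings keyed by complaint reference; an empty dict means conformance."""
    result = {}
    for c in complaints:
        f = audit_complaint(c, as_of)
        if f:
            result[c.ref] = f
    return result


# Constructed sample log (not real data). 2024-03-04 is a Monday.
AS_OF = date(2024, 3, 29)
SAMPLE_LOG = [
    Complaint("C-101", date(2024, 3, 4), date(2024, 3, 4), date(2024, 3, 8),
              date(2024, 3, 15), "Wrong part number on pick list"),
    Complaint("C-102", date(2024, 3, 4), date(2024, 3, 6), date(2024, 3, 12),
              date(2024, 3, 18), ""),
    Complaint("C-103", date(2024, 3, 8), date(2024, 3, 11), None, None, ""),
]

if __name__ == "__main__":
    for ref, findings in audit_log(SAMPLE_LOG, AS_OF).items():
        for line in findings:
            print(line)
```

In the constructed log, C-101 conforms on every step, C-102 missed the logging and assessment deadlines and has an empty root cause, and C-103 has been open for fifteen business days with neither an assessment nor a response. The proportion of records with findings is what lets the auditor separate an isolated lapse from a procedure that is not being followed.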

This gap between documentation and practice is where most nonconformities originate. Organisations often have reasonable procedures that are not being followed consistently. Staff may be unaware of the procedure, lack the resources to follow it, or follow informal workarounds instead. An internal audit exposes these gaps and creates the impetus to fix them.

For environmental management systems, this might involve checking whether your environmental aspects register accurately reflects your actual operations and has been updated when operations changed. For occupational health and safety, it involves verifying that hazard identification and risk assessments have been conducted for all relevant work activities, not just a few high profile ones.

Specific Content Areas Covered by Internal Audits

The specific content areas audited depend on the standard and your audit scope. However, there are common areas that appear across most ISO management system audits.

Leadership, Commitment, and Culture

ISO standards increasingly emphasise the role of leadership in driving system effectiveness. An internal audit examines whether senior management is genuinely committed to the system or merely going through the motions. This involves reviewing evidence of management's actions: Have they communicated the importance of the management system? Do they allocate adequate resources? Do they review system performance regularly? In practice, auditors look for minutes from management review meetings, evidence of resource allocation for system improvements, and whether corrective actions from previous audits have been addressed.

Planning and Risk Assessment

All ISO standards require organisations to determine risks and opportunities relevant to their context and management system. An internal audit examines how thoroughly this has been done. For ISO 9001, this includes evaluating whether you have identified risks to achieving quality objectives and established controls. For ISO 14001, it means reviewing whether environmental aspects and their impacts have been identified and evaluated. For ISO 45001, it involves examining hazard identification, risk assessment, and whether controls have been implemented and are effective.

Many organisations undertake risk assessments superficially. An internal audit probes deeper. Has the risk assessment process engaged relevant personnel? Has it considered external and internal context? Have the assessments been kept current as circumstances change? Do the identified risks actually reflect your operational reality, or are they generic boilerplate?

Competence and Training

ISO standards require that personnel performing work that affects system performance are competent. An internal audit examines whether your organisation has identified competence requirements, evaluated whether personnel meet those requirements, and provided training where gaps exist. In practice, this means reviewing training records, job descriptions, and evidence of competence assessment. An auditor will check whether training content is relevant to actual role requirements and whether training effectiveness is verified.

Documented Information and Records

Organisations must maintain documented information to support their management system and demonstrate conformance. An internal audit reviews whether the documented information management process is working. Are records being created and retained as required? Are they readily accessible? Are obsolete documents being removed? Are critical documents being controlled appropriately so that changes are authorised and communicated?

This element is straightforward but frequently overlooked. Auditors find outdated versions of procedures still in circulation, incomplete records, and records stored in locations where they cannot be quickly retrieved. An effective internal audit ensures your information management is disciplined.

Operational Processes

The heart of any internal audit is examining whether your key operational processes are being executed as designed and whether they are achieving intended outcomes. For a manufacturing organisation under ISO 9001, this means auditing production planning, material control, product realisation, and inspection processes. For a service provider, it might involve auditing client intake, service delivery, and client follow up. For an environmental focus, it includes auditing compliance with operational controls relevant to your environmental aspects.

Auditing a process you have never seen before requires systematic evidence gathering. The auditor interviews personnel performing the process, observes the process in action when possible, and reviews documentation and records generated by the process. The goal is to understand how the process actually works and whether it is delivering results.

Measurement, Monitoring, and Performance Evaluation

ISO standards require organisations to measure and monitor their system performance. An internal audit examines whether the organisation has established appropriate metrics, whether data is being collected, and whether the data is being analysed to drive improvement. This might involve reviewing customer satisfaction survey results, quality metrics, environmental monitoring data, or safety statistics. The auditor evaluates whether the organisation is actually using this data or simply collecting it.

Corrective Action and Continuous Improvement

When problems are identified, ISO standards require investigation of root causes and corrective action to prevent recurrence. An internal audit reviews whether incidents, nonconformities, and audit findings have resulted in meaningful corrective actions. Many organisations struggle here. They undertake corrective actions that address symptoms rather than root causes, or they implement actions without verifying effectiveness. An internal audit verifies that your corrective action process is rigorous.

Supplier and Outsourced Process Management

Most organisations rely on external suppliers and service providers. ISO 9001 specifically requires control of externally provided processes and products. An internal audit examines whether suppliers have been evaluated before being selected, whether there are agreements specifying requirements, and whether supplier performance is monitored. Under ISO 14001, this might involve assessing whether suppliers understand and comply with your environmental requirements. Under ISO 45001, it includes verifying that contractors have been evaluated for occupational health and safety competence.

How Scope Affects What Is Audited

The scope of an internal audit defines which processes, departments, or locations are being audited. A single audit typically cannot cover every aspect of your management system in detail. Instead, you develop an annual audit schedule that covers all significant processes over the course of a year. Planning an internal audit programme requires identifying all significant processes and scheduling them appropriately.

Scope decisions are typically risk based. Processes that are critical to product or service quality, that present significant environmental impacts, or that pose occupational health and safety risks are audited more frequently and in greater depth. Less critical support processes might be audited less frequently or in less detail. An effective audit programme ensures comprehensive coverage whilst using audit resources efficiently.

Audit scope also includes a determination of which locations will be audited. A multi-site organisation cannot audit all locations in every audit cycle. The audit schedule typically specifies which locations are audited when, ensuring that all significant locations receive audit attention within a defined period.
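The programme-level checks described in this section (every significant process covered within the cycle, critical processes audited more often, every significant site visited within the defined period) can be verified against a planned schedule before the year starts. The block below is an added example and not the article's or Audit Workshop's own material; the process list, the required frequencies, the site names and the planned dates are all constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed programme: each significant process and the minimum number
# of audits required in one cycle. Higher numbers reflect the risk-based
# weighting described in the text (critical processes audited more often).
REQUIRED_FREQUENCY = {
    "production planning": 2,
    "customer complaints": 2,
    "document control": 1,
    "training": 1,
}
SIGNIFICANT_SITES = ["Plant A", "Plant B"]
CYCLE_START, CYCLE_END = date(2024, 1, 1), date(2024, 12, 31)

# Constructed schedule: (process, site, planned date).
PLANNED_AUDITS = [
    ("production planning", "Plant A", date(2024, 2, 12)),
    ("production planning", "Plant A", date(2024, 8, 19)),
    ("customer complaints", "Plant A", date(2024, 3, 4)),
    ("document control", "Plant B", date(2024, 5, 6)),
    ("training", "Plant A", date(2025, 1, 13)),   # planned outside the cycle
]


def coverage_gaps(planned, required, sites, start, end) -> list:
    """Return one line per gap: a process audited fewer times than required
    within the cycle, or a significant site with no audit in the cycle."""
    in_cycle = [a for a in planned if start <= a[2] <= end]
    counts = defaultdict(int)
    sites_hit = set()
    for process, site, _ in in_cycle:
        counts[process] += 1
        sites_hit.add(site)

    gaps = []
    for process, needed in required.items():
        if counts[process] < needed:
            gaps.append(f"{process}: {counts[process]} audit(s) planned in "
                        f"cycle, {needed} required")
    for site in sites:
        if site not in sites_hit:
            gaps.append(f"{site}: no audit planned in cycle")
    return gaps


if __name__ == "__main__":
    for gap in coverage_gaps(PLANNED_AUDITS, REQUIRED_FREQUENCY,
                             SIGNIFICANT_SITES, CYCLE_START, CYCLE_END):
        print(gap)
```

With the constructed schedule the check reports two gaps: customer complaints is planned once against a requirement of two, and the training audit falls after the cycle ends and therefore does not count. Both sites are covered. Running this kind of check at planning time is cheaper than discovering an uncovered process when the certification body asks for the year's audit records.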

Depth and Sampling in Internal Audits

Internal auditors must decide on the depth of audit testing. Will you examine all records or a sample? Will you observe all instances of a process or a sample? The auditor typically uses sampling, focusing on high risk areas, recent transactions or activities, and areas where previous audits identified issues.

For example, if a production process involves quality inspections, the auditor will not review every inspection record from the past year. Instead, they will select a sample of recent inspection records and verify that inspections were conducted, documented, and acted upon appropriately. The sample size should be large enough to provide reasonable confidence that what is being checked represents the broader population.

Similarly, if your procedure requires supervisors to conduct safety briefings, an internal auditor will not observe every briefing. They might attend a sample of briefings, interview personnel about briefing content, and review any records of briefings conducted. This risk based sampling approach allows auditors to be efficient whilst still gathering sufficient evidence.

Audit Evidence Gathering Methods

Internal audits gather evidence through multiple methods. The auditor interviews personnel involved in the process being audited. These interviews establish understanding of how the process is supposed to work and how it actually works. The auditor observes processes in operation when possible. They review records and documentation. They examine physical evidence, such as materials, products, or equipment. Gathering audit evidence that stands up to scrutiny requires systematic and documented methods.

Effective internal auditors remain objective and curious rather than accusatory. They ask open ended questions to understand situations rather than leading questions designed to confirm a predetermined finding. They verify information from multiple sources before concluding that an issue exists. They distinguish between isolated lapses and systemic problems. This professionalism builds trust and encourages candid responses from personnel being audited.

Differences Across ISO Standards

Whilst the general principles of internal auditing apply across ISO standards, the specific content varies significantly. An ISO 9001 internal audit focuses on quality management, customer focus, product and service realisation, and management of risks and opportunities affecting quality. An ISO 14001 internal audit focuses on environmental management, compliance with environmental laws, management of environmental aspects and impacts, and environmental performance. An ISO 45001 internal audit focuses on occupational health and safety, worker participation, hazard management, and prevention of work related injury and illness.

If your organisation holds multiple ISO certifications, your internal audit programme may either conduct separate audits for each standard or integrated audits that address all standards simultaneously. Integrated audits are generally more efficient, particularly for support processes that serve all standards. Process audits that address specific operational areas can be conducted to the relevant standard.

What Internal Audits Do Not Cover

Understanding what internal audits do not cover is equally important. An internal audit does not provide external verification of conformance. Only an external certification body can issue a certificate confirming that your organisation conforms to a standard. An internal audit also does not replace external surveillance audits conducted by your certification body.

An internal audit is not a compliance inspection designed to catch people breaking rules. Whilst violations of procedures will be documented, the purpose is to understand why violations occur and correct system weaknesses, not to discipline personnel. An internal audit is also not a substitute for normal operational management. Process owners and operational managers remain responsible for day to day oversight of their processes.

Additionally, an internal audit of one standard does not certify your organisation against other standards. An organisation certified to ISO 9001 must still conduct internal audits against ISO 9001 requirements and cannot claim compliance with ISO 14001 or ISO 45001 without conducting separate audits against those standards.

Preparing for an Internal Audit

The scope of an internal audit is only useful if the organisation actually prepares adequately. Before an internal audit commences, documentation that will be reviewed should be readily available. Personnel being audited should understand what is being audited and why. Records should be current and well organised. This does not mean creating false documentation—that would be counterproductive and would be detected by an experienced auditor—but rather ensuring that your genuine records and operations are accessible and observable.

Organisations sometimes attempt to hide or minimise issues in advance of an internal audit. This defeats the entire purpose. An effective internal audit is designed to find problems so they can be fixed. An organisation that discovers issues through internal audit and addresses them proactively is far stronger than one where issues first surface during an external audit.

The Audit Report and Follow Up

After the internal audit is completed, the auditor produces a report documenting their findings. The report typically includes a summary of the audit scope, the areas audited, any nonconformities or observations identified, and recommendations for improvement. Writing a nonconformity report that actually gets fixed requires clear identification of the issue, evidence supporting the finding, and practical recommendations.

The organisation then addresses the findings through corrective action. This is not a separate activity but an integral part of the internal audit process. The audit is only valuable if findings result in genuine improvement. Many organisations fail here, treating corrective action as a compliance obligation rather than a genuine opportunity to strengthen their system.

Audit Workshop offers accredited ISO Internal Auditor training that covers internal audit planning, execution, and reporting in depth. Our courses are recognised by Exemplar Global and designed for working professionals who need practical skills they can apply immediately.

Frequently Asked Questions

No. An internal audit programme typically operates on a schedule that covers all significant processes over a defined period, usually one year. Critical processes are audited more frequently, whilst less critical processes may be audited less frequently. The audit schedule should be documented and risk based, ensuring that audit resources are directed to areas where they provide greatest value.