Exemplar Global certified courses from USD 99. Save while it lasts. Enrol today.

What Is an Internal Audit? A Plain English Guide for Quality and Safety Professionals

AW

Team @ Audit Workshop

12 min read
What Is an Internal Audit? A Plain English Guide for Quality and Safety Professionals

The Short Answer

An internal audit is a systematic, independent examination of your organisation's own management system. It checks whether your processes conform to the requirements of your chosen ISO standard, whether those processes are actually being followed, and whether the system is producing the results it was designed to produce.

That is the textbook version. In practice, a well run internal audit is one of the most useful tools an organisation has for finding problems before a certification body does, identifying where processes have drifted from what was intended, and giving management honest information about how the system is actually performing.

If you are new to ISO standards or have recently been asked to run internal audits for the first time, this article will walk you through what an internal audit actually is, why it matters, how it differs from other types of audits, and what the process looks like from start to finish.

Why Internal Audits Exist in ISO Standards

Every major ISO management system standard requires internal audits. ISO 9001 requires them under Clause 9.2. ISO 14001 and ISO 45001 have the same requirement in the same clause. The logic is straightforward: you cannot manage what you do not measure, and you cannot improve a system you have not honestly evaluated.

Internal audits serve as the organisation's own feedback loop. They give you structured, evidence based information about whether the management system is working. Without them, you are relying on assumptions, anecdotes, and the occasional crisis to tell you where things are going wrong.

For certification purposes, internal audits are also mandatory. A certification body will expect to see evidence that you have conducted internal audits across all relevant clauses and processes before they grant or maintain certification. If your internal audit programme is missing, incomplete, or clearly just a paper exercise, that is a nonconformity in itself.

Become a certified ISO auditor
Globally recognised auditor training — Foundation, Internal Auditor and Lead Auditor — self-paced online with a shareable certificate.
Explore Courses
Exemplar Global Recognised Training ProviderRecognised Training ProviderRTP No. 310970

First Party, Second Party, Third Party: Where Internal Audits Fit

ISO standards and ISO 19011 describe three types of audits based on who conducts them and why.

  • First party audits are internal audits. The organisation audits itself.
  • Second party audits are conducted by a customer or a party with a direct interest, such as a supplier audit.
  • Third party audits are conducted by an independent certification body for the purpose of granting or maintaining certification.

Internal audits are first party audits. You are auditing your own system, using your own people or contracted internal auditors, against your own documented requirements and the relevant ISO standard. The findings stay within the organisation and are used to drive improvement.

This is fundamentally different from a certification audit, where an external auditor from an accredited certification body makes an independent assessment and issues a formal certification decision. For a deeper look at how these two types differ, see our article on internal audit vs certification audit.

What an Internal Audit Actually Checks

An internal audit checks three things, and understanding all three is important.

Conformity to the Standard

The audit checks whether the organisation's management system meets the requirements of the relevant ISO standard. For example, does the organisation have a documented quality policy that meets the requirements of ISO 9001 Clause 5.2? Does it conduct management reviews with the inputs required by Clause 9.3? These are conformity questions.

Conformity to the Organisation's Own Requirements

The audit also checks whether people are following the organisation's own documented procedures, work instructions, and policies. A company might have an excellent procedure for handling customer complaints, but if the audit finds that complaints are not being logged or that corrective actions are not being closed out, that is a nonconformity against the organisation's own requirements, regardless of what the standard says.

Effectiveness

This is where many internal audit programmes fall short. The best internal audits go beyond tick and flick conformity checking and ask whether the system is actually working. Are quality objectives being achieved? Are environmental aspects being controlled? Are hazards being identified and risks reduced? Effectiveness questions require the auditor to look at outcomes, not just documentation.

For a detailed breakdown of what internal audits cover across different clauses and processes, our article on what an internal audit actually covers goes into much more depth.

Who Conducts Internal Audits

Internal audits must be conducted by people who are competent to do so and who are independent of the area being audited. Both conditions matter.

Competence

The auditor needs to understand the relevant ISO standard, know how to plan and conduct an audit, know how to gather and evaluate evidence, and be able to write clear findings. These are not skills most people pick up naturally. They require training and practice.

ISO 9001 Clause 9.2, for example, does not specify what training internal auditors must have, but it does require that they be competent. In practice, most organisations send their internal auditors through a formal internal auditor course to meet this requirement and to give auditors a structured methodology to work from.

Independence

Internal auditors must not audit their own work. This is a fundamental principle. A production manager cannot audit the production process they are responsible for. A quality manager cannot audit the quality management system in a way that amounts to reviewing their own decisions. The auditor must be independent enough to report findings without fear of conflict of interest.

In small organisations, this can be genuinely challenging. Common solutions include cross departmental auditing, where staff from one area audit another, or engaging an external consultant to conduct internal audits on the organisation's behalf.

The Internal Audit Process Step by Step

A well structured internal audit follows a consistent process. Here is what that looks like in practice.

Step 1: Plan the Audit Programme

Before any individual audit happens, the organisation needs an audit programme. This is the plan for all internal audits over a given period, typically a year. The programme identifies which processes, clauses, or areas will be audited, how frequently, and by whom. Risk should inform the programme. Higher risk processes and areas with previous nonconformities should be audited more frequently.

Step 2: Plan the Individual Audit

Each audit needs its own plan. This includes the audit scope, the audit criteria, the processes to be covered, the people to be interviewed, and the schedule. A simple audit plan does not need to be complex, but it does need to be documented and communicated to the people being audited in advance.

Step 3: Prepare an Audit Checklist

A checklist helps the auditor stay focused and ensures nothing important is missed. A good checklist is built around the requirements of the relevant clause or process, not just a list of yes or no questions. It should prompt the auditor to look at specific records, ask particular questions, and observe actual activities.

Step 4: Conduct the Opening Meeting

The opening meeting sets the tone for the audit. The auditor explains the purpose, scope, and method of the audit, confirms the schedule, and gives the auditee an opportunity to raise any issues. It does not need to be long, but it should be professional and clear.

Step 5: Gather Evidence

This is the core of the audit. The auditor gathers evidence through three main methods: reviewing documents and records, interviewing people, and observing activities and the physical environment. Good auditors use all three methods and triangulate across them. A record might say one thing, but an interview or observation might reveal a different reality.

Step 6: Analyse Findings and Classify Them

After gathering evidence, the auditor analyses what was found and classifies findings. A nonconformity is a failure to meet a requirement. Nonconformities can be major or minor depending on severity. An observation or opportunity for improvement is something that is not yet a nonconformity but could become one, or where a better approach is available. The auditor must be careful to base all findings on objective evidence, not opinion or assumption.

Step 7: Conduct the Closing Meeting

The closing meeting is where the auditor presents findings to the auditee and relevant management. Findings should not come as a surprise if the auditor has been communicating throughout the audit. The closing meeting is also an opportunity to confirm the process for addressing nonconformities and the timeline for corrective action.

Step 8: Write the Audit Report

The audit report documents the audit scope, criteria, findings, and conclusions. It is the formal record of the audit and needs to be clear, accurate, and specific enough that someone who was not present can understand what was found and why. Vague findings are almost useless because they cannot be acted on effectively.

Step 9: Follow Up on Corrective Actions

An internal audit that produces findings but never follows up on corrective actions is a waste of everyone's time. The organisation needs a process for assigning corrective actions, verifying that root causes have been identified, reviewing proposed actions, and confirming that actions have been implemented and are effective. This is where many organisations fall down.

Common Mistakes in Internal Audit Programmes

Having run and trained auditors for many years, certain mistakes come up again and again in internal audit programmes. Knowing what they are helps you avoid them.

Treating Internal Audits as a Compliance Exercise

The most common mistake is conducting internal audits purely to satisfy the certification body, with no genuine intent to find and fix problems. Auditors who are told to avoid finding nonconformities, or who are under pressure to produce clean reports, are not conducting real audits. The value of internal audits comes from honest findings, not from tidy paperwork.

Auditing Documents Instead of Processes

Many internal auditors spend too much time reviewing documents and not enough time talking to people and observing actual work. A procedure might be perfectly written and completely ignored on the shop floor. You will not find that by reading the document. Get out of the office and see what is actually happening.

Weak or Vague Findings

A finding that says the corrective action process could be improved is not a finding. It is an opinion. A proper nonconformity states the requirement that was not met, the evidence that demonstrates the failure, and the specific location or instance. Auditors who cannot write clear findings are not providing useful information to the organisation.

No Follow Up on Corrective Actions

Raising a nonconformity and then never checking whether it was actually fixed defeats the purpose of the audit. Corrective action follow up is part of the audit process, not an optional extra.

Auditing the Same Low Risk Areas Every Year

An audit programme that always audits the same comfortable, low risk areas while ignoring complex or high risk processes is not serving the organisation. Risk based scheduling means directing audit attention where it is most needed.

Internal Audits Under Different ISO Standards

While the internal audit requirement appears in the same clause across ISO 9001, ISO 14001, and ISO 45001, the focus of each audit differs based on the standard's intent.

Under ISO 9001, internal audits focus on quality management processes: customer requirements, product and service conformity, customer satisfaction, supplier control, and the effectiveness of the quality management system overall.

Under ISO 14001, the focus shifts to environmental management: aspects and impacts, compliance obligations, operational controls for significant environmental aspects, emergency preparedness, and whether environmental objectives are being achieved.

Under ISO 45001, internal audits examine the occupational health and safety management system: hazard identification, risk assessment, operational controls, worker participation and consultation, incident investigation, and the effectiveness of controls in reducing OH&S risks.

If your organisation operates an integrated management system covering two or more of these standards, internal audits can be combined. This is more efficient and avoids the disruption of running three separate audit programmes, though it requires auditors who are competent across all relevant standards.

How to Build a Credible Internal Audit Programme

A credible internal audit programme has several characteristics that distinguish it from a paper exercise.

  • It is risk based. Higher risk processes and areas with previous nonconformities receive more audit attention.
  • It covers all clauses and processes over the audit cycle. Not every clause needs to be audited every year, but all relevant requirements should be covered across the programme period.
  • It uses competent, independent auditors. Auditors have been trained and are not auditing their own work.
  • It produces specific, evidence based findings. Findings are documented with clear references to requirements and evidence.
  • It drives corrective action. Nonconformities are addressed, root causes are identified, and effectiveness is verified.
  • It feeds into management review. Internal audit results are one of the mandatory inputs to management review under all three major ISO standards.

Getting Trained as an Internal Auditor

If you are responsible for running internal audits and have not been through formal training, it is worth investing in a structured internal auditor course. The difference between an auditor who has been trained and one who is just working from instinct is significant. Trained auditors know how to plan effectively, gather evidence systematically, write defensible findings, and conduct themselves professionally in interviews and meetings.

At Audit Workshop, our internal auditor courses are available for ISO 9001, ISO 14001, and ISO 45001. They are delivered live virtually and self paced, designed for practitioners who need to apply what they learn immediately. Courses are recognised by Exemplar Global and count toward CPD requirements. Whether you are conducting your first internal audit or looking to sharpen your approach, the step by step guide to becoming an ISO internal auditor is a useful companion to this article.

If you are weighing up whether to pursue internal auditor training or go straight to lead auditor level, our comparison of ISO lead auditor vs internal auditor courses will help you make that decision.

Frequently Asked Questions

An internal audit is conducted by the organisation itself, or someone acting on its behalf, to check whether its management system conforms to ISO requirements and is working effectively. A certification audit is conducted by an independent, accredited certification body and results in a formal certification decision. Internal audits are first party audits; certification audits are third party audits. The findings of an internal audit stay within the organisation, while a certification audit produces an external report and a certification outcome.
Start Learning

Ready to Build Real Audit Skills?

Join practitioners training with ISO auditors who've conducted 500+ external certification audits.

ISO 9001:2015 Lead Auditor Training Course
  • Lead Auditor
  • Self-Paced Online
  • Exemplar Global
  • USD 199USD 789
ISO 45001:2018 Lead Auditor Training Course
  • Lead Auditor
  • Self-Paced Online
  • Exemplar Global
  • USD 199USD 789
ISO 14001:2026 Lead Auditor Training Course
  • Lead Auditor
  • Self-Paced Online
  • Exemplar Global
  • USD 199USD 789
Exemplar Global Recognised Training Provider digital badge

Audit Workshop is an Exemplar Global Recognised Training Provider

Globally Recognised, Certified Training

Pass an Exemplar Global Certified course and you earn a Certificate of Attainment and an Exemplar Global digital badge. Audit Workshop graduates can apply for third-party Personnel Certification through Exemplar Global.

  • 12 months of Graduate certification
  • Access to Exemplar Global Community
  • Access to self-coaching assessment
  • Access to webinars, events, and online resources
Learn Anytime

No fixed schedule. Start, pause, and pick up exactly where you left off.

Instant Certificate

Download your digital certificate the moment you complete the course.

Practical Content

Every lesson is built from real-world ISO auditing experience.

Lifetime Access

Course materials are yours to keep and revisit long after you complete.