Learn About the ISO 9001 Internal Audit

11 March 2018


The internal audit program is a self-check mechanism which organizations use to periodically verify they meet ISO 9001 requirements. But as important and useful as internal audits are, some business owners dread them and believe they merely duplicate the work of registrars. Other business owners view internal auditors as a kind of business police force, and respond by hiding essential data and sometimes outright lying to maintain the illusion of compliance.

The truth, though, is that internal audits are not only necessary to maintain ISO registration, they're also a powerful tool for examining the company's quality management processes in great detail. These audits can improve the effectiveness of the quality management system (QMS) and the efficiency of operational processes.

What Is the ISO 9001 Internal Audit Process?

Before examining the internal audit process, it's worth comparing internal audits to external audits. While internal and external audit activities are essentially the same, they are performed for different reasons.

External audits are undertaken by an auditor or team of auditors who are appointed by your company's ISO 9001 registrar. Their purpose is to verify that your QMS is effectively implemented, which enables your company's registrar to issue the ISO 9001 certificate. Like internal audits, they are conducted at periodic intervals. The first external audit is often called "ISO 9001 certification audit" or "ISO 9001 registration audit", while follow-ups are typically referred to as "surveillance audits".

Internal audits, on the other hand, are performed in-house as a self-check mechanism. The internal auditor or audit team are company employees who have been appointed and trained as ISO 9001 auditors as an additional responsibility. They are not allowed to audit their own work or area of responsibility, however, so smaller companies sometimes outsource internal audits to a professional auditor or consultant.

The purpose of internal audits is to:

Assess process conformity;

Evaluate performance;

Identify processes that require improvement in order to ensure the QMS remains fully implemented;

Prepare for external audits.

The audit process involves the Document Review, which is where auditors check whether documentation meets ISO 9001 requirements, and the Process Review, which consists of checking actual business activities against documentation and looking for discrepancies. Auditors can't assess every single process, employee and document in the company, so it's important they exercise judgement in picking a representative sample.

You will need to perform at least one internal audit two or three months prior to the certification audit. This will produce audit reports and records of corrective action that show where your organization's weak points (i.e., nonconformities) are and your plans to address them. These records are mandatory and are reviewed during external audits. By the time your external audit is conducted, you should have taken all corrective action necessary to eradicate nonconformities.

ISO 9001 Internal Audits as a Core Component of the PDCA Cycle

When managing internal audits, process owners usually use the PDCA model. This lets audit supervisors define, implement, review and improve the audit program. The PDCA cycle is one of the most popular methodologies used for business improvement, and its principles are incorporated within the requirements of ISO 9001:2015. PDCA stands for Plan-Do-Check-Act. The diagram below shows a typical cycle.

The ISO 9001 PDCA Cycle

An effective internal audit program is an integral component of the Check part of the PDCA model, providing structure around comparing what an area should be doing against what is actually going on, and then making recommendations for change (Act - Plan - Do).

The Role of Process Documentation

The actual auditing process is generally straightforward. An internal auditor checks whether procedure documentation adheres to ISO 9001 requirements and then verifies that employees follow the procedures in their daily routines.

This can get difficult, though, when there is no procedure or work instruction document for the auditor to refer to. While ISO 9001 does not require procedures and work instructions for all processes, it requires such documentation where it adds value to the company. It is important to emphasize that process documentation is for the internal benefit of the company – not for the convenience of the auditor. Companies are neither required nor encouraged to develop procedures and work instructions that assist auditors.

In the absence of process documentation, the auditor will use a combination of employee interview, observation of actual work processes and review of records to establish if the process conforms to ISO 9001 requirements and is effectively implemented. During this process, the auditor also evaluates if procedures and work instructions would be beneficial and therefore required.

When auditors have to rely more on employee interviews than observation of actual work processes, the best approach is to ask each employee the same set of questions and cross-check their answers for consistency. If these answers aren't consistent, the auditor will need to check further to see if this is due to actual inconsistencies in the way work is performed, if there is a need for standardization and work instructions, if there is a need for training, if the entire process requires review and improvement, or if there are other factors involved.

Streamlining Your Internal Audit Process

Depending on the level of preparation that goes into your audit, it can be a smooth operation that highlights opportunities for improvement, or an unproductive and expensive nuisance. Consider the following tips for streamlining your internal audits and ensuring a stress-free path to compliance.

1. Appoint the Right Auditors

One of the first tasks is to choose your internal audit team. Look for authoritative, trustworthy employees with good people skills and analytical or investigative talents. More auditor requirements are defined in ISO 19011. Be sure to keep records of auditor training, education, skills and experience.

Importantly, you need to train enough auditors to prevent individuals from auditing their own department. Small businesses may have one auditor who audits the entire company except the internal audit function, and another auditor who just audits the audit function.

2. Use Forms and Checklists

The following forms and checklists are part of our ISO 9001 Audit Toolkit and are recommended to simplify your internal audit process:

Audit Checklist
The most important tool for internal audits is the audit checklist. It includes every ISO 9001 requirement as well as the overall processes to facilitate process auditing. In preparation for an audit, the lead auditor or audit supervisor customizes the audit checklist by excluding sections that are not part of the audit at a particular department. During the audit, the auditor uses the checklist to ensure that business processes are checked against all pertinent ISO 9001 requirements and process steps.

Audit Report Form
All audit findings are recorded and the audit report is presented to management of the audited departments for corrective action. Using a standardized format for the audit reports helps the auditor ensure that all required information is documented, as well as present the audit findings in an easy-to-understand way.

Attendance Roster
Internal audits typically start and finish with opening and closing meetings. Use an attendance roster to keep records of who participated in these meetings. Good attendance rosters also include the agenda items of the opening and closing meetings.

Like every other business process, the internal audit process works best if it's well designed and standardized. As mentioned above, internal audits involve two stages: the documentation review and the process review. During the process review the auditor asks employees to answer three questions:

Can employees describe what they do?

Do employees do what they describe?

Are employees effective at what they do?

These questions cover employee intent, implementation, and effectiveness in business activities. ISO 9000 describes effectiveness as "the extent to which planned activities are realized and planned results are achieved." Be sure to look beyond compliance and determine whether procedures are truly effective at meeting business objectives.

4. Hold a Closing Meeting with Auditees

Many auditors make the mistake of privately reviewing internal audit results only with top management or merely sending an audit report. Both approaches leave employees wondering about ISO 9001 nonconformance. A better plan is to hold a closing meeting immediately after completing the audit and organizing its findings. Top management and managers of the audited departments should join the meeting, but staff could also participate.

During the meeting, don't focus too much on processes that didn't hold up to close inspection. Instead, reinforce positive feedback by identifying and praising departments that performed well. Never give staff the feeling that internal audits are a kind of punishment. In addition, use the meeting as an opportunity to promote the benefits and importance of ISO 9001.

5. Get Feedback from Auditees

Another way to improve the internal audit experience is by gathering auditee feedback. It may be tempting to treat audits like a one-way process, but your auditees' reactions are as important as your auditors' methods. Whenever possible, try to get this feedback in real-time and use the results to adjust your auditors' approach. Involving people on every level will ensure a fair and balanced internal audit process.


The internal audit program is an immensely powerful tool that not only ensures your company achieves and retains ISO 9001 certification, it also helps employees, process owners and managers improve their areas of responsibility. For more information, check out our article on how ISO 9001 internal audits can improve your business.

Finally, there's a common and persistent myth that internal audits need to show that every process is perfect to begin with. This is obviously not true and does in fact contradict one of the core tenets of ISO 9001 – continuous improvement. Our advice, then, is simple: treat your internal audits with the respect they deserve, and use them as opportunities to discover ways of improving your company's operations and enjoying the rewards of ISO 9001.
