ISO 9001 Internal Audit Process — Step-by-Step Guide
Internal audits are the most underutilised tool in most quality management systems. When treated as a box-ticking exercise, they consume time without generating value. When conducted properly, they function as an early warning system that identifies problems before external auditors or — worse — clients do.
What Is an ISO 9001 Internal Audit?
An internal audit is a planned, systematic review of your own quality management system. It checks whether the QMS is implemented as designed, whether documented procedures match what actually happens, and whether the system is achieving its intended results. ISO 9001 Clause 9.2 requires internal audits at planned intervals covering the full scope of your QMS.
Step 1 — Plan the Annual Audit Programme
Before conducting any individual audit, create an annual audit programme. This programme identifies which areas of the QMS will be audited and when. Higher-risk processes should be audited more frequently. Assign auditors who are independent of the area being reviewed — meaning they do not audit their own work. Record the programme and get it approved by management.
Step 2 — Prepare the Audit Plan for Each Session
For each individual audit, prepare a specific plan that defines the scope (which processes or departments), the objectives (what you are trying to find out), the criteria (which clauses of the standard and which procedures apply), and the schedule. Build a checklist of questions and evidence requests tailored to the area being audited.
This checklist should be built on the same structure as the external auditor will use. Our ISO 9001 audit checklist guide provides a clause-by-clause template that works equally well for internal and external audits.
Step 3 — Conduct the Audit
Open the audit with a brief meeting to explain the purpose, scope, and process. Review documents and records first — are the procedures current, do records match what is described? Move to interviewing staff using open questions: "Can you show me how you handle a customer complaint?" "What do you do if a delivery arrives damaged?" Observe processes where possible. Record findings objectively, noting both areas of compliance and areas of concern.
Step 4 — Report Findings
Produce a written audit report within a few days of the audit. Findings are classified into three categories. A major nonconformance means the system has a significant failure — a required element is missing or not functioning. A minor nonconformance means an isolated or limited failure that does not represent a systemic breakdown. An opportunity for improvement is an observation that is not a failure but could become one, or a suggestion that would make the system stronger.
Step 5 — Corrective Action and Follow-Up
For every nonconformance, assign a root cause analysis and a corrective action. Record the owner and the target completion date. The corrective action must address the root cause, not just the symptom. Follow up at the agreed date to verify the action has been completed and has been effective. Document the verification. Unclosed corrective actions from internal audits are one of the most common findings in external certification audits.
Understanding what the ISO 9001 documentation requirements are for audit records ensures your reports meet the standard's evidence requirements.
Who Should Conduct Internal Audits?
Internal auditors must be competent — meaning they understand the relevant clauses of ISO 9001 and the processes they are auditing — and independent, meaning they do not audit their own work. You can train existing staff in internal auditing through a one to two day course, which is the most cost-effective approach for most organisations. Alternatively, you can engage an external resource to conduct your internal audits, which is particularly useful for very small teams where independence is difficult to achieve.
How Many Internal Audits Do You Need Per Year?
The standard requires that internal audits are conducted at planned intervals covering the full scope of the QMS. There is no minimum number mandated. In practice, most organisations conduct one full audit cycle per year, with some high-risk or high-activity areas audited more frequently. The key requirement is that the full QMS scope is covered within each certification period.
Need expert ISO support? Contact Global ISO Certificates: https://globalisocertificates.com/contact-us/










