An ISO 9001 internal audit is a structured review of your quality management system (QMS) to confirm it works as planned and meets the standard’s requirements. Clause 9.2 of ISO 9001:2015 requires every certified organization to run these audits at planned intervals, and certification bodies will ask for evidence that you’ve done them. The process breaks down into five phases: scheduling, planning individual audits, conducting fieldwork, reporting findings, and following up on issues.
Build Your Audit Program First
Before you audit anything, you need an audit program. This is the overarching plan that defines how often each part of your QMS gets reviewed, who does the auditing, and what criteria each audit uses. ISO 9001 requires you to establish, implement, maintain, and continually improve this program over time.
Your program should cover every process in the QMS over a defined cycle, but not every process needs the same frequency. Base your schedule on two factors: the importance of each process and the risks associated with it. A process that directly affects product quality or has a history of nonconformities should be audited more often than a low-risk administrative process. Results from previous audits should also influence how you schedule future ones. If a process had significant findings last time, schedule it sooner.
Keep the audit program documented. Certification auditors will want to see it, and it serves as the backbone for tracking what’s been covered and what’s coming up.
Choose Qualified, Independent Auditors
ISO 9001 requires that internal auditors be competent in auditing techniques and knowledgeable about the QMS processes they’re reviewing. This doesn’t mean you need to hire outside consultants. Employees can audit internal processes, but they cannot audit their own work. Auditors must be independent of the activity being audited to avoid conflicts of interest that compromise objectivity.
In practice, this means cross-training people from different departments. Your production supervisor can audit the purchasing process, and someone from purchasing can audit production. For smaller organizations with limited staff, consider training two or three people across different functions so you always have someone qualified and independent available. ISO 19011, a companion standard focused on auditing management systems, provides detailed guidance on auditor competence if you want a formal framework for training.
Plan Each Individual Audit
Once the schedule identifies which process is up for review, the assigned auditor prepares for that specific audit. Start by confirming the timing with the process owner. The program schedule is a guideline, but the actual date should work for both parties so the auditor can observe normal operations rather than catching people at their busiest or least available.
During preparation, the auditor should:
- Review previous audit results to check whether past findings were addressed and whether corrective actions were effective.
- Review relevant documentation, including procedures, work instructions, process flowcharts, and any applicable regulatory requirements tied to that process.
- Define the audit scope and criteria so everyone knows exactly what’s being evaluated. The scope might be a single process like document control or a broader area like customer complaint handling.
- Prepare a checklist or question list based on the ISO 9001 clauses that apply to the process, along with the organization’s own documented procedures.
Share the audit plan with the process owner beforehand. Internal audits work best as collaborative exercises, not surprise inspections. When process owners know what to expect, they can have records ready and make the right people available.
Conduct the Audit
Start with a brief opening meeting with the process owner to confirm the plan, clarify the scope, and set expectations for how the audit will proceed. This meeting can be as short as ten minutes for a focused process audit.
The core of the audit is gathering objective evidence that the process conforms to its documented procedures and to ISO 9001 requirements, and that it’s effective at producing the intended results. Auditors collect this evidence through four main methods:
- Reviewing records: Look at completed forms, logs, inspection reports, training records, and any other documented output of the process. Verify that records match what the procedures say should exist.
- Interviewing employees: Talk to the people who actually perform the work. Ask them to describe how they do their tasks and compare their answers to the documented procedures. Gaps between what’s written and what’s practiced are common findings.
- Observing the process: Watch work being performed in real time. This is especially valuable for manufacturing, inspection, or service delivery processes where you can see whether standard practices are followed.
- Analyzing process data: Review key performance indicators, reject rates, customer complaint trends, or delivery metrics. This tells you whether the process is effective, not just compliant.
Take detailed notes as you go. Record what you observed, who you spoke with, which records you reviewed, and any specific document or record numbers. These notes become your audit evidence and need to be specific enough that someone else could verify your findings.
When you find something that doesn’t match the documented procedure or an ISO 9001 requirement, note it as a potential nonconformity. Don’t jump to conclusions during fieldwork. Collect the evidence, confirm it with the process owner, and save the formal classification for the reporting phase.
Report Your Findings
Hold a closing meeting with the process owner before writing the formal report. Walk through what you found, both positive and negative. Process owners should never be surprised by what appears in the written report. The closing meeting also gives them a chance to provide context or additional evidence that might change your assessment of a finding.
The written audit report should include:
- Audit scope and criteria: What was reviewed and against what standard.
- Nonconformities: Specific instances where the process failed to meet a requirement. Each nonconformity should reference the specific clause or procedure requirement that wasn’t met and describe the objective evidence.
- Observations and opportunities for improvement: Areas that aren’t nonconformities but could be strengthened. These are valuable for continuous improvement even though ISO 9001 only requires action on nonconformities.
- Positive findings: Processes working well or improvements made since the last audit. This keeps the audit from feeling purely punitive.
Issue the written report as soon as possible after the audit. Delays make it harder to recall details and slow down corrective action. ISO 9001 requires you to retain records of both the audit program and the results of each audit, so file reports where they’re accessible for management review and external certification audits.
Follow Up on Nonconformities
ISO 9001 requires the organization to determine and implement corrections and corrective actions for any nonconformities found during internal audits. A correction fixes the immediate problem (for example, updating an expired document). A corrective action addresses the root cause so the problem doesn’t recur (for example, implementing a document review reminder system).
Set target dates for corrective actions and assign clear ownership. The process owner is typically responsible for implementing changes, while the auditor or quality manager verifies that the actions were taken and were effective. This verification step is critical. Without it, the same findings tend to reappear audit after audit.
Track open corrective actions between audit cycles. When planning the next audit of that process, review whether previous corrective actions resolved the issue. If the same nonconformity appears again, the root cause analysis likely wasn’t thorough enough and needs to be revisited.
Feed Results Into Management Review
Internal audit results are a required input to management review under ISO 9001 Clause 9.3. Summarize audit findings, trends in nonconformities, and the status of corrective actions for senior leadership on a regular basis. This gives management visibility into how the QMS is performing and where resources might need to be directed.
Over time, your audit data reveals patterns. If the same types of findings keep appearing across different processes, that points to a systemic issue like inadequate training, unclear procedures, or insufficient resources. These systemic insights are often more valuable than any individual audit finding, and they’re what turns internal auditing from a compliance exercise into a genuine improvement tool.

