How to conduct an ISO 9001 internal audit.
A step-by-step method for planning, executing and closing out ISO 9001:2015 internal audits — written for quality leaders in high-consequence industries who need defensible, independent verification of their QMS.
A credible ISO 9001 internal audit programme does three things registrars cannot: it finds real defects before Stage 2, it holds up under regulator scrutiny, and it closes the improvement loop back into management review.
Programmes that fail almost always fail the same way — auditors who audit their own work, checklists divorced from clauses, CAPA closed without effectiveness verification, and audit outputs that never reach Clause 9.3 review inputs. This guide covers the five-step method we run for owner-operators across North America.
Five steps from planning to effectiveness verification
- Step 01 · ISO 9001:2015 · 9.2.2(a): Scope the audit against risk, not the calendar
Start from your process map, not last year's schedule. Weight each process by three factors: consequence of failure (safety, regulatory, contractual), historical NCR density, and recency of change (new equipment, staff turnover, revised procedures). High-weight processes get full-clause coverage annually; low-risk support processes can rotate on a two- or three-year cycle. Document the weighting logic — Clause 9.2.2(a) requires the programme to consider process importance, and registrars increasingly ask to see the risk model, not just the plan.
- Step 02 · ISO 9001:2015 · 9.2.2(c) · 7.2: Assign auditors who are competent and independent
Competence must be demonstrated: lead auditor certification, prior audits observed and led, and evidence that the auditor understands the process under audit. Independence means they do not audit their own work, their manager's work, or a process they helped design in the last twelve months. If your quality team owns most of the QMS, this is where in-house programmes fail: either rotate auditors across sites, cross-train non-quality staff, or bring in an independent third-party auditor for the processes your team owns.
- Step 03 · ISO 9001:2015 · 9.2.2(d): Build the audit plan and clause-referenced checklist
Every audit needs a written plan issued to the auditee at least a week before opening: objectives, scope, criteria, dates, auditors, interviewees, process owners. Build the checklist directly from the clauses in scope and from the auditee's own procedures — every question tied to either a standard clause or a documented internal requirement. Vague questions like 'is training adequate?' produce vague findings; questions like 'show me the last three welders qualified to AWS D1.1 and the records that prove currency' produce evidence.
- Step 04 · ISO 9001:2015 · 9.2.2(e): Run the audit: opening, evidence, closing
Open with a short meeting confirming scope, method, confidentiality and daily debriefs. Then work the checklist: interview the doer (not just the manager), sample records against the population, walk the process, verify hand-offs. Every finding must be evidenced — a document ID, a photo, a serial number, a named interviewee — and traced to a specific clause or requirement. Close each day with the process owner so nothing in the final report is a surprise. Hold a formal closing meeting to present findings, agree the facts (not yet the corrective actions), and confirm timelines.
- Step 05 · ISO 9001:2015 · 9.2.2(f) · 10.2 · 9.3.2: Report, CAPA and effectiveness verification
Issue a written report within ten working days: scope, criteria, sample size, findings classified as Major NCR / Minor NCR / Observation / Opportunity for Improvement, each with clause reference and evidence. Findings without root-cause analysis and a corrective action plan are not closed — they are logged. Verify effectiveness on the next audit cycle by re-sampling the same process, not by rereading the CAPA form. Feed audit results into management review inputs (Clause 9.3.2), which is where most programmes lose the improvement loop.
Documents to have on the table before the opening meeting
Six recurring ISO 9001 internal audit findings
| Clause | Finding | What it looks like on-site |
|---|---|---|
| 7.5.3 | Uncontrolled documented information | Procedures printed months ago still in use at the workstation; superseded revisions not withdrawn from point-of-use. |
| 8.5.1 | Production controls not verified | Work instructions reference a torque value; no evidence anyone confirmed the calibrated tool was used at the specified setting. |
| 9.3.2 | Incomplete management review inputs | Review minutes cover customer complaints but skip risk, opportunity or supplier performance data. |
| 10.2 | CAPA closed without effectiveness check | Corrective actions marked complete on issuance of a revised procedure — no re-sample, no follow-up audit, no proof the recurrence stopped. |
| 7.2 | Competence gap between requirement and record | Job description requires ISO 17020 inspector certification; personnel file contains only an internal induction record. |
| 8.4.1 | Supplier controls not proportional to risk | Critical safety-related suppliers treated the same as stationery vendors; no re-evaluation on schedule. |
Verification you can defend to a regulator.
In high-consequence sectors — energy, infrastructure, aerospace, rail, medical devices — the audit programme is not a certification formality. It is the mechanism that catches the defect before it becomes an incident, a regulator notice or a warranty claim.
Independent third-party auditors bring three things a busy in-house team usually cannot: freedom from the conflict of interest inherent in self-audit, sector-calibrated benchmarks from other programmes, and the discipline to hold every finding to evidence — clause reference, sample size, named interviewee — that will stand up to your registrar and, if it comes to it, to a claim adjuster.
ISO 9001 internal audit questions we answer most often
- How often should we run ISO 9001 internal audits?
- ISO 9001:2015 Clause 9.2.2 requires audits at planned intervals. In practice most certified organisations audit every clause of the standard and every critical process at least once per certification cycle, with high-risk processes audited annually or more often. A risk-based programme — weighted by process criticality, past NCR frequency and recent change — is what registrars now expect to see.
- Who can conduct an ISO 9001 internal audit?
- Anyone competent and independent of the activity being audited. Competence typically means formal ISO 9001:2015 lead auditor training plus demonstrated experience. Independence means the auditor does not audit their own work or their direct reports. Small organisations without that capacity commonly bring in an independent third party to run — or shadow — the internal audit programme.
- What is the difference between an internal audit and a certification audit?
- Internal audits are first-party audits you run against your own QMS to find issues before the registrar does. Certification (third-party) audits are conducted by an accredited body such as those operating under ISO 17021 to grant or maintain your ISO 9001 certificate. A strong internal audit programme is the single best predictor of a clean Stage 2 or surveillance visit.
- What are the most common ISO 9001 internal audit findings?
- Documented information not controlled to the current revision (Clause 7.5), management review inputs missing risk and opportunity data (Clause 9.3), CAPA closed without effectiveness verification (Clause 10.2), and competence records that do not match the requirements defined in job descriptions (Clause 7.2). Building your audit checklist around these recurring weak points catches most defects early.
- Should we use an independent third party for internal audits?
- For multi-site operations, regulated sectors and any organisation whose own quality team also owns the processes being audited, yes. Independent verification eliminates the conflict of interest inherent in self-audit, satisfies Clause 9.2.2's independence requirement without straining internal headcount, and typically surfaces 2–3x more findings than in-house audits in the first cycle.
Need an independent ISO 9001 internal audit?
Our lead auditors run risk-based internal audit programmes across North America — with India and the UAE coming soon. Independent, evidenced, defensible.
