Auditing · Published June 18, 2026 · 12 min read

How to conduct an ISO 9001 internal audit.

A step-by-step method for planning, executing and closing out ISO 9001:2015 internal audits — written for quality leaders in high-consequence industries who need defensible, independent verification of their QMS.

Executive summary

A credible ISO 9001 internal audit programme does three things registrars cannot: it finds real defects before Stage 2, it holds up under regulator scrutiny, and it closes the improvement loop back into management review.

Programmes that fail almost always fail the same way — auditors who audit their own work, checklists divorced from clauses, CAPA closed without effectiveness verification, and audit outputs that never reach Clause 9.3 review inputs. This guide covers the five-step method we run for owner-operators across North America.

The Method

Five steps from planning to effectiveness verification

  1. Step 01 · ISO 9001:2015 · 9.2.2(a)

    Scope the audit against risk, not the calendar

    Start from your process map, not last year's schedule. Weight each process by three factors: consequence of failure (safety, regulatory, contractual), historical NCR density, and recency of change (new equipment, staff turnover, revised procedures). High-weight processes get full-clause coverage annually; low-risk support processes can rotate on a two- or three-year cycle. Document the weighting logic — Clause 9.2.2(a) requires the programme to consider process importance, and registrars increasingly ask to see the risk model, not just the plan.

  2. Step 02 · ISO 9001:2015 · 9.2.2(c) · 7.2

    Assign auditors who are competent and independent

    Competence means demonstrated: lead auditor certification, prior audits observed and led, and evidence they understand the process under audit. Independence means they do not audit their own work, their manager's work, or a process they helped design in the last twelve months. If your quality team owns most of the QMS, this is where in-house programmes fail — either rotate auditors across sites, cross-train non-quality staff, or bring in an independent third-party auditor for the processes your team owns.

  3. Step 03 · ISO 9001:2015 · 9.2.2(d)

    Build the audit plan and clause-referenced checklist

    Every audit needs a written plan issued to the auditee at least a week before opening: objectives, scope, criteria, dates, auditors, interviewees, process owners. Build the checklist directly from the clauses in scope and from the auditee's own procedures — every question tied to either a standard clause or a documented internal requirement. Vague questions like 'is training adequate?' produce vague findings; questions like 'show me the last three welders qualified to AWS D1.1 and the records that prove currency' produce evidence.

  4. Step 04 · ISO 9001:2015 · 9.2.2(e)

    Run the audit: opening, evidence, closing

    Open with a short meeting confirming scope, method, confidentiality and daily debriefs. Then work the checklist: interview the doer (not just the manager), sample records against the population, walk the process, verify hand-offs. Every finding must be evidenced — a document ID, a photo, a serial number, a named interviewee — and traced to a specific clause or requirement. Close each day with the process owner so nothing in the final report is a surprise. Hold a formal closing meeting to present findings, agree the facts (not yet the corrective actions), and confirm timelines.

  5. Step 05 · ISO 9001:2015 · 9.2.2(f) · 10.2 · 9.3.2

    Report, CAPA and effectiveness verification

    Issue a written report within ten working days: scope, criteria, sample size, findings classified as Major NCR / Minor NCR / Observation / Opportunity for Improvement, each with clause reference and evidence. Findings without root-cause analysis and a corrective action plan are not closed — they are logged. Verify effectiveness on the next audit cycle by re-sampling the same process, not by rereading the CAPA form. Feed audit results into management review inputs (Clause 9.3.2), which is where most programmes lose the improvement loop.

Pre-audit checklist

Documents to have on the table before the opening meeting

  01. Current process map with owner, inputs, outputs and interfaces documented
  02. Latest revision of all procedures, work instructions and forms in scope
  03. Prior audit reports, NCRs and CAPA status for the process being audited
  04. Management review minutes covering the last twelve months
  05. Risk register entries relevant to the process (Clause 6.1)
  06. Competence and training records for staff performing the work (Clause 7.2)
  07. Calibration records for measurement equipment in use (Clause 7.1.5)
  08. Customer complaints, warranty claims and supplier NCRs since last audit

What we see most often

Six recurring ISO 9001 internal audit findings

| Clause | Finding | What it looks like on-site |
| --- | --- | --- |
| 7.5.3 | Uncontrolled documented information | Procedures printed months ago still in use at the workstation; superseded revisions not withdrawn from point-of-use. |
| 8.5.1 | Production controls not verified | Work instructions reference a torque value; no evidence anyone confirmed the calibrated tool was used at the specified setting. |
| 9.3.2 | Incomplete management review inputs | Review minutes cover customer complaints but skip risk, opportunity or supplier performance data. |
| 10.2 | CAPA closed without effectiveness check | Corrective actions marked complete on issuance of a revised procedure — no re-sample, no follow-up audit, no proof the recurrence stopped. |
| 7.2 | Competence gap between requirement and record | Job description requires ISO 17020 inspector certification; personnel file contains only an internal induction record. |
| 8.4.1 | Supplier controls not proportional to risk | Critical safety-related suppliers treated the same as stationery vendors; no re-evaluation on schedule. |

Why independent

Verification you can defend to a regulator.

In high-consequence sectors — energy, infrastructure, aerospace, rail, medical devices — the audit programme is not a certification formality. It is the mechanism that catches the defect before it becomes an incident, a regulator notice or a warranty claim.

Independent third-party auditors bring three things a busy in-house team usually cannot: freedom from the conflict of interest inherent in self-audit, sector-calibrated benchmarks from other programmes, and the discipline to hold every finding to evidence — clause reference, sample size, named interviewee — that will stand up to your registrar and, if it comes to it, to a claim adjuster.

Frequently asked

ISO 9001 internal audit questions we answer most often

How often should we run ISO 9001 internal audits?
ISO 9001:2015 Clause 9.2.2 requires audits at planned intervals. In practice most certified organisations audit every clause of the standard and every critical process at least once per certification cycle, with high-risk processes audited annually or more often. A risk-based programme — weighted by process criticality, past NCR frequency and recent change — is what registrars now expect to see.

Who can conduct an ISO 9001 internal audit?
Anyone competent and independent of the activity being audited. Competence typically means formal ISO 9001:2015 lead auditor training plus demonstrated experience. Independence means the auditor does not audit their own work or their direct reports. Small organisations without that capacity commonly bring in an independent third party to run — or shadow — the internal audit programme.

What is the difference between an internal audit and a certification audit?
Internal audits are first-party audits you run against your own QMS to find issues before the registrar does. Certification (third-party) audits are conducted by an accredited body such as those operating under ISO 17021 to grant or maintain your ISO 9001 certificate. A strong internal audit programme is the single best predictor of a clean Stage 2 or surveillance visit.

What are the most common ISO 9001 internal audit findings?
Documented information not controlled to the current revision (Clause 7.5), management review inputs missing risk and opportunity data (Clause 9.3), CAPA closed without effectiveness verification (Clause 10.2), and competence records that do not match the requirements defined in job descriptions (Clause 7.2). Building your audit checklist around these recurring weak points catches most defects early.

Should we use an independent third party for internal audits?
For multi-site operations, regulated sectors and any organisation whose own quality team also owns the processes being audited, yes. Independent verification eliminates the conflict of interest inherent in self-audit, satisfies Clause 9.2.2's independence requirement without straining internal headcount, and typically surfaces 2–3x more findings than in-house audits in the first cycle.

Get in touch

Need an independent ISO 9001 internal audit?

Our lead auditors run risk-based internal audit programmes across North America — with India and the UAE coming soon. Independent, evidenced, defensible.
