The ISO 9001 internal audit is one of the most important — and most misunderstood — requirements of the standard. Done well, it is a powerful tool for continuous improvement. Done poorly (or skipped), it is the most common finding at surveillance audits. This guide tells you exactly what an ISO 9001 internal audit is, how to conduct one, and what certification body auditors look for when they review your internal audit records.
What is an ISO 9001 Internal Audit?
An ISO 9001 internal audit is a systematic, documented examination of your organization's quality management system to verify:
- That your processes conform to ISO 9001 requirements
- That your processes conform to your own documented procedures
- That the QMS is effectively implemented and maintained
Internal audits are conducted by your own organization (or a qualified third party), not by the certification body. They are different from — and preparatory for — the certification body's surveillance audits.
Who Should Conduct the Internal Audit?
ISO 9001 requires that internal auditors are objective and impartial — they should not audit their own work. Typical approaches:
- Cross-auditing within the team — The quality manager audits operations; an operations person audits quality processes
- Dedicated internal auditor — A trained employee whose primary role includes internal auditing
- External support (Elite Assured) — Many small and medium companies prefer to have Elite Assured conduct internal audits, ensuring professional, thorough audits by experts who know what certification body auditors look for
Elite Assured Can Conduct Your Internal Audits
Elite Assured conducts internal audits as part of our ongoing post-certification support. We bring the same thoroughness and expertise as a certification body auditor — ensuring you find and fix issues before the official surveillance audit. This is a key reason our clients have near-zero major findings at surveillance audits.
How Often Must Internal Audits Be Done?
ISO 9001 requires internal audits to be conducted at planned intervals. The standard does not specify a frequency, but:
- Most companies conduct internal audits annually, which is the minimum to satisfy certification body expectations
- Larger companies or companies with complex processes may audit quarterly or every 6 months
- Specific processes that are high-risk or have quality issues should be audited more frequently
- All processes must be audited at least once across each 3-year certification cycle
Step-by-Step Internal Audit Process
- Prepare the audit programme — Annual schedule showing which processes/departments are audited, when, and by whom
- Develop audit plan — For each specific audit: scope, objectives, date, auditor, processes to be audited
- Create audit checklist — Questions based on ISO 9001 clauses and your own documented procedures
- Opening meeting — Brief meeting with the auditee to explain the audit purpose and scope
- Conduct the audit — Interview staff, review records, observe processes, verify against checklist
- Document findings — Record all conformances, non-conformances, and observations
- Closing meeting — Present findings to the auditee, agree on corrective action timelines
- Issue audit report — Written report within 1 week of audit completion
- Follow up corrective actions — Verify that non-conformities are corrected within agreed timelines
Key Areas and Questions Auditors Ask
| ISO 9001 Area | Typical Audit Questions |
|---|---|
| Quality objectives | Are objectives being measured? Is data collected? Are targets being met? |
| Customer complaints | How are complaints recorded? Show last 3 complaints and their resolution. |
| Non-conforming output | Show the non-conforming output register. What happened to the last NC product? |
| Supplier management | How do you evaluate suppliers? Show supplier evaluation records. |
| Training and competency | Show training records for staff. How is training effectiveness assessed? |
| Calibration | Show calibration certificates for measuring equipment. Are they current? |
| Document control | Are people using the current versions of procedures? Where are obsolete docs? |
| Corrective actions | Show the CA register. Are overdue CAs present? |
Types of Findings and How to Record Them
- Major Non-Conformity (NC) — A significant failure to meet an ISO 9001 requirement. Example: No internal audit conducted in the past 12 months. Must be corrected before certification can be maintained.
- Minor Non-Conformity (NC) — A limited failure to meet a requirement. Example: One calibration certificate expired by 2 weeks. Must be corrected within an agreed timeframe.
- Observation / Opportunity for Improvement (OFI) — Not a requirement failure, but a practice that could be improved. Example: Customer feedback form could be more detailed. No mandatory action required but worth addressing.
- Conformity / Good Practice — Areas where the QMS is working well. Positive findings should be recorded too — not just problems.
The Internal Audit Report
The internal audit report must be retained as a required record under ISO 9001. A complete report includes: audit date and scope, auditor names, processes audited, findings (NCs, OFIs, conformities), evidence reviewed, corrective actions required with owners and timelines, and audit conclusion.