Anacruses Associates Ltd

How to Run an ISO 9001 Internal Audit That Actually Adds Value

2026-06-30

Internal audit is one of the most commonly misunderstood requirements in ISO 9001. Businesses either treat it as a documentation review (read the procedures, tick a box that they exist) or as a fault-finding exercise that generates defensiveness rather than improvement. Neither approach satisfies the standard or serves the business.

What ISO 9001 actually requires

Clause 9.2 requires you to conduct internal audits at planned intervals to provide information on whether the QMS conforms to the organisation's own requirements and to the requirements of ISO 9001, and is effectively implemented and maintained. The phrase "effectively implemented and maintained" is where most internal audits fall short. A policy document that exists but is not followed is a nonconformity — and an internal audit that only checks whether documents exist will not find it.

What a useful internal audit looks like

An effective ISO 9001 internal audit follows a process, not a checklist. Starting from a process — say, customer order management — an auditor traces a sample of real orders through the system: how they were received, how requirements were captured, how they were communicated to production or delivery, how the customer was updated, and how any complaints or queries were handled. At each step, the auditor compares what actually happened against what the procedure says should happen.

This approach finds real issues: the stage in the process where the procedure is out of date and nobody follows it; the handoff between teams where information consistently gets lost; the customer satisfaction monitoring that is supposed to happen quarterly but has not happened in eight months.

Auditor competence and independence

ISO 9001 requires internal auditors to be objective and impartial. This means they should not audit their own work. It does not mean they need to be external consultants — a competent employee trained in audit technique can audit processes they are not personally responsible for. Where a business is too small to achieve full independence internally, engaging an external resource for internal audit is a practical and cost-effective solution.

The audit programme

You need a documented audit programme that shows all processes and requirements being covered over a defined period — typically annually. Higher-risk processes or areas where problems have been found should be audited more frequently. The programme should be adjusted based on results: if a process is consistently well-managed, a lighter-touch audit is appropriate; if it keeps generating issues, increase the frequency.

Turning findings into improvement

Internal audit findings — both nonconformities and observations — should feed directly into your corrective action process. An audit that produces a list of findings which then sit in a report and are never addressed has delivered no value. Close the loop: assign actions, set deadlines, verify completion, and review whether the actions actually fixed the problem.

The businesses that get most value from ISO 9001 are the ones that treat internal audit as a genuine management tool rather than a compliance burden.
