Guide to Internal Quality Audits under ISO 9001

Internal quality audits are a cornerstone of the ISO 9001 Quality Management System (QMS). These audits are first-party assessments conducted within your organisation to verify that your processes comply with ISO 9001 requirements and your own QMS procedures. They serve not as a “gotcha” exercise, but as a valuable tool to ensure the QMS is effective and continually improving. Quality managers and internal auditors across all industries use internal audits to check the health of their systems and prepare for successful external audits.

Internal audits often involve on-site inspections, interviews with staff, and reviews of documents and records. In practice, an internal audit is a systematic, disciplined process for gathering objective evidence to see if day-to-day operations align with what’s documented. The insights gained from these audits help organisations catch problems early, drive improvements, and maintain readiness for third-party certification audits.

This guide will explain the purpose and importance of internal audits, outline how to plan and prepare for an audit, describe best practices for audit execution and reporting, and detail the critical follow-up activities after an audit. We’ll also highlight common pitfalls to avoid and discuss how internal audits support continual improvement under ISO 9001. The aim is to provide quality managers and auditors, whether newcomers or experienced professionals, with a clear, practical roadmap for effective internal auditing, without heavy jargon.

Purpose and Importance of Internal Audits

Under ISO 9001:2015, internal audits are not optional; they are a mandatory requirement to be conducted at planned intervals (per Clause 9.2). But beyond mere compliance, internal audits deliver significant value to an organisation’s QMS:

  • Ensure Compliance: Verify that processes meet both ISO 9001 requirements and the organisation’s own procedures, uncovering any gaps or nonconformities. This helps maintain certification and avoid surprises in external audits.

  • Provide Assurance to Stakeholders: Demonstrate through evidence that the QMS is functioning properly and meeting customer and regulatory requirements. Audit results give management and customers confidence that quality controls are in place.

  • Identify Risks and Weaknesses: Act as a “health check” to spot where processes might be breaking down or drifting from standards. By finding process nonconformities or inefficiencies internally, you can address them before they impact product/service quality or customer satisfaction.

  • Support Continual Improvement: Highlight opportunities for improvement and innovation in processes. Internal audits are opportunities to improve, not just to find faults. Each audit provides feedback that can be used to enhance efficiency and effectiveness in the QMS.

  • Prepare for External Audits: Serve as a dress rehearsal for certification or surveillance audits. By resolving internal audit findings, organizations are better positioned to succeed when external auditors examine the QMS.

  • Increase Engagement and Accountability: When done in a collaborative way, internal audits get employees and departments involved in upholding quality standards. They reinforce that quality is everyone’s responsibility and encourage cross-functional dialogue about process performance.

In short, a well-run internal audit program provides confidence that the QMS is not only compliant but also continuously improving. It shifts the mindset from just “ticking the box” for ISO compliance to truly using the QMS as a tool for business excellence. The next sections break down how to set up and conduct internal audits to achieve these benefits.

Planning and Preparation for Internal Audits

Plan your audits strategically. ISO 9001 requires organizations to “conduct internal audits at planned intervals.” This means developing an internal audit program or schedule for the year, spreading audits out so they regularly cover all key processes (rather than scrambling to do them all right before an external audit). Planning audits throughout the year prevents a last-minute rush and ensures audits can be as effective as intended, providing regular check-ups on the system for improvement. Top management should approve the audit schedule and allocate time/resources to support it.

Key steps in audit planning include defining the scope, criteria, frequency, and methods for each audit. For example, you might plan to audit critical or high-risk processes more frequently, and ensure every department or clause of the standard is audited at least annually. The scope and objectives of each internal audit should be clear – for instance, an audit might cover a specific process (like purchasing or production) or a location, and use criteria such as ISO 9001 requirements and your company’s internal procedures.

Select and train competent auditors. A fundamental part of preparation is choosing your internal audit team. Auditors should be independent of the areas they audit (to maintain objectivity) and properly trained in audit techniques and ISO 9001 requirements. Often, auditors are drawn from various departments so they can audit each other’s areas, avoiding self-audit situations. Look for people with good analytical skills, attention to detail, and effective communication skills. Provide training (based on ISO 19011 guidelines for auditing) so that they understand how to plan an audit, interview personnel, review documents, and report findings. Investing in auditor training and qualifications ensures your audits add value.

Gather information and documents in advance. Before the audit, the auditor should review relevant documentation to get familiar with the process or department. This may include the quality policy, process procedures or work instructions, past internal audit reports, corrective action logs, and performance data (KPIs, customer feedback, etc.). Reviewing these ahead of time helps the auditor identify focus areas and potential issues to probe, so the audit is efficient and evidence-based. Preparing an audit checklist or working notes based on ISO 9001 clauses and process controls is also a good practice. A checklist ensures the audit is systematic and nothing critical is overlooked, though it should be used flexibly, not as a rigid script.

Finally, practical arrangements must be made: schedule the audit date and duration, notify the area being audited, and ensure managers are aware. Often an opening meeting at the start of the audit is held to confirm the scope, introduce the auditor, and set a positive tone with the auditee (letting them know this is about improvement, not blame). With solid planning and preparation, the audit team and auditees will be ready and aligned on the audit’s purpose and scope.

Audit Execution: Conducting the Internal Audit

When audit day arrives, the internal auditor (or audit team) proceeds to gather evidence on how the process really works. This is the core of the audit: observing activities, interviewing personnel, and reviewing records to answer the question: “Are we doing what we say we do, and is it effective?”

During the audit, objective evidence is collected in various ways:

  • Interviews: Auditors talk with employees and process owners to understand how tasks are carried out. They may ask open-ended questions about procedures, roles, and quality controls. It’s important the auditor creates a calm, non-confrontational atmosphere so people feel comfortable describing their work. Information from interviews is corroborated by other sources (for example, if a supervisor says they calibrate an instrument monthly, the auditor will later check the calibration records to verify this).

  • On-site observation: The auditor observes activities on the shop floor, in the warehouse, or in offices, depending on the audit scope. They compare actual practices with documented procedures. For instance, if the procedure says all incoming materials are inspected, the auditor might watch a delivery being received to see if inspection actually happens. Seeing processes in action provides real-time evidence of process conformity or deviations.

  • Document and record review: A significant part of auditing is checking records and documents for compliance. Auditors might sample things like training records, control charts, customer orders, corrective action reports, etc., to ensure requirements are met. They look for evidence that outputs meet specifications and that required documentation (forms, signatures, approvals) is in place. Records also tell whether processes are achieving the desired results (e.g. meeting quality objectives or KPIs).

Internal auditors often inspect processes on-site, interviewing employees and examining records to verify that documented procedures are followed in practice. Effective audits rely on gathering objective evidence through observation, interviews, and record sampling.

Throughout execution, an auditor must remain objective and factual. Findings should be based on verifiable evidence, not hearsay or assumptions. It’s important to note both conformities (areas that are working well or meet requirements) and nonconformities (instances where requirements are not met) during the audit. A good auditor also keeps an eye out for opportunities for improvement: these might be observations where a process, while not violating any requirement, could be made more efficient or less risky.

Communication during the audit is key. Auditors should keep the auditee informed of what they’re doing and, if appropriate, share minor observations as they go. If any serious issue is discovered, it’s wise to alert management quickly rather than waiting until the end. Many auditors host brief daily debriefs or a closing meeting at the end of the audit to review the preliminary findings with the auditee. In this meeting, the auditor presents the main results, highlighting what’s working well and what isn’t, and ensures there’s agreement on the facts. This gives the auditee a chance to clarify any misunderstandings and demonstrates that the audit was conducted fairly. By the end of the audit execution phase, the auditor will have a list of evidence-based findings ready to be formalized in the audit report.

Reporting Audit Findings

Documenting the results of an internal audit is just as important as performing the audit. The audit report is the tangible deliverable that management and teams will use to take action. A clear, well-structured report turns audit observations into an actionable plan for improvement.

At minimum, an internal audit report should include:

  • Scope and overview: What was audited, when, and who conducted the audit. For example, “Internal Audit of the Purchasing Process on 15–16 Oct 2025, audited by Jane Doe.” This provides context and traceability.

  • Audit criteria: Reference the standards or documents against which the audit was conducted (e.g., “Criteria: ISO 9001:2015 clauses 8.4 and 8.5, and Company Purchasing Procedure QP-7”).

  • Findings: A detailed description of each finding, categorised by significance. Typically, findings are classified as nonconformities, observations, or opportunities for improvement. For each nonconformity, the report should explain what requirement was not met, the evidence (audit observations, record references) supporting that conclusion, and sometimes whether it’s considered major or minor. Observations (minor issues or isolated incidents) and positive notes (areas of good practice) can also be recorded. The goal is to reflect the audit accurately and truthfully.

  • Conclusions and recommendations: Summarise the overall result (did the process conform to requirements overall, or were there significant gaps?) and list any recommended corrective actions or improvements. This might be a high-level summary pointing out systemic issues or recurring themes found. Auditors often refrain from prescribing how to fix an issue (that’s for process owners to determine), but they can recommend that a root cause analysis be done or point to best practices.

  • Follow-up actions: The report should note that corrective action plans are required for each nonconformity, with target dates. In some formats, the auditor will include the agreed corrective action or responsibility if it was discussed in the closing meeting. At the very least, it should state that findings will be tracked to closure (often through the corrective action system).

The report should be completed and circulated promptly after the audit. Timeliness is important: the sooner management and process owners see the findings, the sooner they can respond. Typically, the internal audit report is provided to the process owner (auditee’s manager) and to top management and the quality manager. Many organisations also review internal audit results in Management Review meetings (which ISO 9001 requires periodically) as part of overall QMS performance evaluation.

A good practice is for the auditor or lead auditor to present the findings in person to management or in a brief meeting. This allows clarification of any issues and reinforces management’s commitment to addressing the results. Remember to balance the report by noting positive findings as well: departments appreciate hearing what they’re doing well, not just what’s wrong.

Finally, all audit records (the report, checklists with notes, evidence of compliance, attendance sheets from meetings, etc.) should be stored in an organized manner. These records will be looked at in external audits to ensure you have an effective internal audit process (registrars often ask to see internal audit reports and how nonconformities were handled). A standardised audit report template and filing system makes this easier and ensures consistency from audit to audit.

Follow-Up and Corrective Actions

An internal audit’s value depends on what happens after the audit: the corrective and preventive actions that close the gaps found. ISO 9001 expects that when audits uncover nonconformities, the organization will “take necessary correction and corrective actions without undue delay.” In practice, this means establishing a clear follow-up process to address each audit finding and verifying that issues are resolved.

Assign and implement corrective actions: For every nonconformity reported, management should create a corrective action plan. This typically involves root cause analysis (using methods like 5 Whys or fishbone diagrams) to understand why the issue occurred, then identifying actions to eliminate the cause so the problem doesn’t recur. The plan should define who is responsible for each action and due dates for completion. Simply fixing the immediate problem (correction) is not enough – ISO 9001 emphasizes addressing the cause (corrective action) for lasting improvement. For example, if an audit finds that training records are missing (nonconformity to a documentation requirement), the correction might be to update the missing records, while the corrective action could be to improve the training tracking system or retrain supervisors on record-keeping procedures.

It’s crucial that these actions are completed promptly. Undue delay in responding to audit findings is a common weakness that certification auditors watch for. Organisations often set internal deadlines (e.g. 30 days to submit a corrective action plan, 60–90 days to implement the actions), but the key is that timing should be appropriate to the risk of the issue. High-risk findings should be addressed immediately. If too much time passes, small issues can fester into bigger problems and it signals a lack of management commitment. In fact, failure to address internal audit nonconformities in a timely manner can even jeopardize your ISO 9001 certification during external audits.

Verify the effectiveness of actions: Once a corrective action is implemented, someone (often the internal auditor or quality manager) needs to verify that it was effective. This might involve reviewing new records, re-auditing the specific issue, or observing the changed process in action. The question to answer is: Did the action actually solve the problem and prevent recurrence? For instance, if new training software was introduced to fix the missing records issue, a verifier would check after a few months that training records are now consistently present and up-to-date. If the underlying problem persists, further action is required. Many organizations conduct a follow-up audit or at least a focused check on major nonconformities to confirm they’re fully resolved. Only when evidence shows the issue is fixed and will not recur should the nonconformity be formally closed out.

All these follow-up activities (the corrective action plans, the evidence of implementation, and the verification results) should be documented. This can be done in a corrective action log or within the audit report itself. During the next internal audit, auditors also verify previous audit findings to ensure past problems stay solved. This creates continuity and confidence that internal audits lead to real improvements, not just paperwork.

Finally, the outputs of internal audits and subsequent actions feed into the broader QMS improvement cycle. Trends in audit findings or recurring issues should be analyzed for systemic improvements (for example, if multiple audits find communication issues between departments, that might prompt a company-wide initiative). Also, these results become an input to Management Review, where top management evaluates if the QMS is effectively improving. In essence, the follow-up is where internal audits truly prove their worth – by driving corrective action and continual improvement, rather than just identifying problems.

Best Practices for Effective Internal Audits

To get the most out of your internal audit program, it’s helpful to go beyond the bare minimum requirements. Experienced quality managers employ several best practices to transform audits from a routine compliance task into a powerful improvement tool. Here are some proven best practices for ISO 9001 internal audits:

  • Schedule audits with a risk-based approach: Integrate your audit schedule into your regular business cycle (quarterly, monthly, etc.) and prioritize areas that are high-risk or have undergone changes. By aligning audits with business priorities (e.g. focusing on critical processes or known problem areas), you ensure audits add maximum value. Don’t treat audits as isolated events; link them with management reviews and planning activities so findings inform decision-making.

  • Ensure auditor competence and independence: Select auditors who are properly trained in ISO 9001 requirements and in audit techniques. They should also be independent of the work they audit to maintain objectivity (e.g. an auditor from manufacturing can audit the sales process, and vice versa). Continually develop your auditors’ skills (including interview techniques, attention to detail, and report writing) through training and practice. Competent, unbiased auditors will gain trust from auditees and are more likely to uncover meaningful insights.

  • Foster an open, blame-free culture: Emphasise that internal audits are about learning and improvement, not finding fault or punishing people. Management should communicate audits as a positive activity and encourage constructive engagement, with auditors and auditees working together to improve the process. When auditees understand that findings will be used to help them (not penalize them), they tend to be more candid and cooperative during audits. A culture of openness leads to more accurate audit findings and a stronger quality culture overall.

  • Focus on process effectiveness, not just compliance: While checking compliance is essential, internal auditors should also evaluate whether the process is achieving its intended results. In practice, this means looking at performance metrics, customer feedback, error rates, etc., during the audit: not only whether procedures were followed, but whether the procedure as designed is effective. For example, an auditor might note that a process technically meets the ISO requirements but still has inefficiencies or frequent rework. By identifying these improvement opportunities, audits become a tool for business performance enhancement, not just ISO checkbox ticking.

  • Document and track audit results over time: Treat each audit as one data point in a continuous monitoring system. Keep a log of audit findings and corrective actions, and periodically analyze them for trends. You may discover recurring nonconformities in a particular department or common weaknesses such as incomplete documentation across multiple audits. Tracking these trends helps in prioritising systemic fixes and also in measuring the effectiveness of past improvements. It also provides valuable input for management reviews (e.g. “audit findings have dropped 50% year-over-year” is a great indicator of QMS improvement). Following up on all corrective actions to ensure they are completed and effective is part of this rigorous approach.

By following these best practices, internal audits become more than a formality – they turn into an engine for continuous improvement and operational excellence. You’ll notice audits starting to yield insights that drive process changes, reduce waste, and improve customer satisfaction, which is exactly what a quality management system is intended to do.

Common Pitfalls to Avoid

Even well-intentioned audit programs can fall into traps that reduce their effectiveness. Here are some common pitfalls in internal auditing (and how to avoid them):

  • Neglecting or rushing internal audits: One major pitfall is not conducting internal audits regularly, then scrambling to do them all just before a certification audit. Skipping planned audits or doing a last-minute “rush job” defeats the purpose of continual monitoring. It can also leave serious issues undiscovered. Avoid this by sticking to your audit schedule – plan audits throughout the year so they’re thorough and not done under panic just to “get them done”.

  • Failing to address audit findings: An internal audit has little value if identified nonconformities and issues are left unresolved. Unfortunately, some organizations document problems but then do not follow through with effective corrective action. This can lead to repeat findings and even jeopardise certification. Always treat internal audit findings seriously: develop corrective action plans promptly and track them to closure. If an issue is not corrected, it’s bound to resurface, perhaps during an external audit or as a real incident affecting quality.

  • Lack of auditor objectivity or skill: Your internal audits will falter if the auditors are untrained or are auditing their own work. Using only quality department staff or inexperienced auditors can result in superficial audits or overlooked problems. Likewise, auditors auditing their own department may be biased or hesitant to report issues. Avoid this by investing in auditor training and ensuring auditors have no conflict of interest in the areas they check. Pair new auditors with experienced ones until they gain confidence. A strong auditor team is the backbone of a strong audit program.

  • “Tick-box” mentality: Internal auditing should not be treated as a bureaucratic exercise of completing checklists and ticking off ISO clauses without insight. A pitfall is focusing only on compliance to each clause and ignoring the effectiveness or improvement aspect. This mentality results in audits that satisfy paperwork but miss real opportunities to add value. To avoid this, reinforce the mindset that internal audits are aimed at improving the business, not just pleasing an auditor. For example, rather than simply checking if a procedure exists, the auditor should ask “Is this procedure helping us meet our goals?”. Steer clear of the tick-box trap by always asking “so what?” If a nonconformity is noted, what does it mean for the business? If everything is conforming, are there still ways to do better? Remember that ISO 9001 internal audits are meant to be a driver of improvement as much as a compliance check.

  • Poor engagement and communication: Sometimes audits fail because employees see them as an ordeal or feel threatened, leading to lack of cooperation. If auditees are defensive or hide information, the audit won’t get to the truth. This pitfall often stems from a company culture that treats audits as police inspections rather than collaborative reviews. The antidote is to build a non-punitive culture (as noted in best practices) and actively involve employees. Explain the benefits of internal audits to staff and encourage their input. Lack of engagement is a “significant challenge” that can impede continuous improvement, so combat it by making audits as transparent and positive as possible. Celebrate improvements that result from audits and recognize people who contribute to solving audit findings – this turns auditing into a team effort for quality excellence.

By being aware of these common pitfalls, you can take proactive steps to avoid them. Essentially, commitment from management and a focus on improvement are the cures for most of these pitfalls. Top management should champion internal audits (not just mandate them) so that everyone understands their value. With strong leadership support, trained auditors, and an open culture, internal audits will avoid these traps and remain effective.

Internal Audits as a Driver for Continual Improvement

Continuous improvement is at the heart of ISO 9001, and internal audits are one of the key mechanisms to achieve it. Think of internal audits as the “Check” in the Plan-Do-Check-Act (PDCA) cycle of your quality management system – they provide feedback on how well the “Plan” and “Do” parts (your processes and controls) are working, so that you can “Act” by making enhancements.

Regular internal audits give the organisation ongoing opportunities to improve. Rather than waiting for a problem to manifest in defective products or customer complaints, audits proactively identify weak points or inefficiencies in processes. Each audit finding, whether a nonconformity or a mere observation, is essentially an improvement opportunity in disguise. When you investigate why a nonconformity happened and fix the underlying cause, you improve that process. When you notice an area for optimization (even if it meets requirements) and implement a best practice, you elevate performance. In this way, internal audits continually push the organization closer to its quality objectives.

Moreover, internal audits encourage a mindset of preventive action. Auditors often ask, “What could go wrong here? Where might this process fail?”, which is aligned with risk-based thinking. Addressing issues before they escalate is far cheaper and more effective than reacting after a failure. As one quality expert noted, conducting audits throughout the year provides “regular opportunities to check in on the system for continual improvement.” Instead of a one-off exercise, audits feed an ongoing cycle of improvement.

Another aspect is that audit results feed into management review and strategic planning. Top management will see from audit reports where resources might be needed or where processes are excelling. For example, if several audits point out training issues in different departments, management might decide to revamp the training program, a strategic improvement that arose from cumulative audit insights. In essence, internal audits provide a structured feedback loop for the organization: they bring objective data from the front lines up to management, who can then allocate resources or change policies to improve the organisation.

It’s worth noting the cultural impact too. When employees see that audit findings lead to positive changes (not blame), they become more engaged in suggesting improvements themselves. Over time, the organisation builds a culture of continuous improvement where people are always looking for ways to enhance quality. Internal audits support this by making improvement a systematic, routine part of business, rather than a reactive effort.

In summary, internal audits under ISO 9001 directly support continual improvement by finding and fixing gaps, preventing issues, and driving organizational learning. A QMS without internal audits would lack a critical self-correcting mechanism. With effective internal audits, a company can steadily increase its process performance and customer satisfaction, staying competitive and adaptable in the long run.

An ISO 9001 internal audit program is far more than a box-checking compliance requirement; when implemented properly, it becomes a powerful driver of quality and business excellence. Effective internal audits give management “powerful insights into [the] quality management system, highlight opportunities for improvement, and ensure [the] organization is always ready for external certification”. They enable your team to catch problems early, share best practices, and continuously fine-tune processes in line with the ISO philosophy of continuous improvement.

For quality managers and auditors in any sector, the keys to success are clear: plan well, audit smart, report clearly, and follow up diligently. Treat internal audits with the importance they deserve – resource them adequately and focus on using the findings to make real improvements. By avoiding common pitfalls and adhering to best practices, internal audits will not be seen as a disruptive chore, but rather as a regular and beneficial part of running the business.

In the end, a strong internal audit process helps build a robust QMS that not only complies with ISO 9001, but truly adds value. It strengthens customer confidence, improves operational efficiency, and fosters a culture of quality and accountability. As ISO 9001 practitioners often observe, “continuous improvement lies at the heart of ISO 9001 and internal audits are one of your best tools to keep that heart beating.” By leveraging internal audits for more than just compliance, you support your organization’s journey toward long-term success and continual quality improvement.
