Why Internal Audits Are Critical

Internal audits are a mandatory requirement of ISO 9001:2015 (Clause 9.2) and one of the most powerful tools for keeping your Quality Management System (QMS) effective. Rather than viewing them as bureaucratic obligations, treat internal audits as a health check that surfaces problems before they become customer complaints or external non-conformances.

How to Structure an Internal Audit Program

Your internal audit program should cover the entire scope of your QMS over a defined period (typically one year). Consider:

  • Auditing higher-risk processes more frequently
  • Rotating auditors to avoid familiarity bias
  • Using trained, objective auditors who do not audit their own work
  • Planning audits around the process approach, not just the department approach

Pre-Audit Preparation Checklist

Before the audit begins, confirm the following:

  • ☑ Audit schedule and scope have been communicated to auditees
  • ☑ Relevant procedures, work instructions, and records are available
  • ☑ Previous audit findings and corrective actions have been reviewed
  • ☑ Audit criteria (the ISO 9001 clauses and internal procedures being audited) are defined
  • ☑ Audit checklists/question sets have been prepared

Core Areas to Audit Against ISO 9001:2015

Context of the Organization (Clause 4)

  • Are the organizational context and the list of interested parties documented and kept up to date?
  • Is the scope of the QMS defined and available?

Leadership (Clause 5)

  • Is there evidence of top management commitment to the QMS?
  • Is the Quality Policy communicated and understood by staff?
  • Are roles and responsibilities clearly assigned and documented?

Planning (Clause 6)

  • Has a risk assessment been conducted and documented?
  • Are quality objectives SMART (specific, measurable, achievable, relevant, time-bound)?
  • Are changes to the QMS planned and managed?

Support (Clause 7)

  • Are competency requirements defined and met for all relevant roles?
  • Is training documented and effectiveness evaluated?
  • Is documented information controlled, versioned, and accessible?

Operation (Clause 8)

  • Are operational processes defined and followed?
  • Are customer requirements reviewed before acceptance?
  • Is non-conforming product/service controlled and segregated?
  • Are supplier evaluations conducted and records maintained?

Performance Evaluation (Clause 9)

  • Is customer satisfaction being measured?
  • Are key process metrics tracked and reviewed?
  • Has a management review been conducted with documented outputs?

Improvement (Clause 10)

  • Are non-conformances logged and corrective actions assigned?
  • Is root cause analysis conducted for significant non-conformances?
  • Is there evidence of continual improvement activities?

Classifying Findings

Audit findings are typically classified as:

Finding Type | Definition | Response Required
Major Non-Conformance | Systematic failure or absence of a required element | Corrective action before certification
Minor Non-Conformance | Isolated lapse in an otherwise effective process | Corrective action within agreed timeframe
Observation/OFI | Opportunity for improvement, not yet a failure | Recommended action, not mandatory

After the Audit

Issue a formal audit report summarizing findings, assign corrective actions with owners and due dates, and track completion. Feed audit results into your management review to close the PDCA loop and demonstrate continual improvement.