How to Conduct an ISO 9001 Internal Audit Step by Step

The internal audit is one of those ISO 9001 requirements almost nobody enjoys, yet it’s what separates quality management systems that actually work from the ones that only exist on paper. Done well, it warns you about problems before the customer or the certification auditor finds them. Done poorly (or rushed at the last minute), it turns into a pile of forms nobody ever opens again.

If you landed here, the internal audit probably feels like a burden: gathering evidence scattered across shared folders, chasing people for records, filling out checklists by hand, and praying nothing is missing. In this guide I’ll walk you through how to conduct an ISO 9001 internal audit step by step, what the standard actually requires, and how to stop living the process as a recurring emergency.

What an internal audit is and what ISO 9001 requires

An internal audit is a systematic and independent review your own organization runs to verify two things:

1. That your quality management system meets the requirements of ISO 9001:2015 and your own procedures.

2. That the system is genuinely applied and maintained day to day (not just when the external auditor shows up).

The standard requires this in clause 9.2. In short, ISO 9001 asks you to:

  • Plan, establish, implement and maintain one or more audit programs, with defined frequency, methods, responsibilities and criteria.
  • Make sure the frequency considers the importance of the processes, the changes affecting you, and the results of previous audits.
  • Define the criteria and scope of each audit.
  • Select auditors and conduct audits ensuring objectivity and impartiality (an auditor doesn’t audit their own work).
  • Report results to relevant management.
  • Take the appropriate corrections and corrective actions without undue delay.
  • Retain documented information as evidence of the program and the results.

That’s everything the standard mandates. The rest, how you organize it, is up to you. Let’s get to the step by step.

Step 1: Build the annual audit program

The audit program is the master calendar for the year: which processes you’ll audit, when, and who does it. It’s not the same as the plan for a single audit (that comes later).

To build it:

  • List every process in your QMS (purchasing, production, sales, HR, document control, etc.).
  • Assign frequency based on risk: critical processes or those with a history of problems get audited more often; stable ones, once a year is enough.
  • Spread the audits across the year so you don’t overload anyone or leave everything for December.

Consultant tip: avoid the “single annual marathon audit.” Splitting the program into several smaller audits throughout the year creates less stress, better evidence, and more actionable findings.

Step 2: Appoint independent auditors

The key word in clause 9.2 is impartiality. Whoever audits a process can’t be the person responsible for that process. In an SMB this is easy to solve: the quality lead audits production, the production lead audits purchasing, and so on, crosswise.

Your internal auditors should:

  • Know the ISO 9001 standard and the process they’ll audit.
  • Be trained in audit techniques (interviewing, sampling, evidence gathering).
  • Be objective: their job is to verify against criteria, not to give opinions or “help things look good.”

You don’t need an army. With two or three well-trained internal auditors rotating processes, an SMB covers its program with no trouble.

Step 3: Prepare the plan for each audit

Here you go from the annual program down to the specific audit. The audit plan defines:

  • Objective and scope: which process or processes, in which area, over which period.
  • Criteria: the ISO 9001 standard, your internal procedures, applicable legal requirements.
  • Date, duration and agenda by blocks.
  • Auditor(s) and auditees.

Communicate the plan in advance. An internal audit is not an ambush: the area should know what will be reviewed so its evidence is ready.

Step 4: Develop the checklist

The checklist is your roadmap during the audit. It turns the standard’s requirements and your procedures into concrete questions you’ll verify with evidence.

A good checklist question isn’t “do you comply with purchasing?”, but:

  • “Show me the supplier evaluation criteria and the last three re-evaluation records.”
  • “How do you ensure only current documents are used on the floor?”

The checklist keeps you focused, ensures you cover every requirement, and leaves a trail of what you reviewed.

Step 5: Run the audit in the field

The day has come. Execution usually has three moments:

1. Opening meeting: confirm the scope and agenda, and clear up any questions. Five minutes is enough.

2. Evidence gathering: interviews, on-site observation and record review. The golden rule: every conclusion rests on objective evidence, not impressions. If they say they control something, ask to see the record.

3. Closing meeting: summarize what you found with the area before you leave, so there are no surprises in the report.

During execution you classify what you find into three categories:

  • Nonconformity: a requirement that isn’t met. It needs correction and, where applicable, corrective action.
  • Observation / opportunity for improvement: something that complies but could be strengthened.
  • Strength: practices worth recognizing and replicating.

Step 6: Document the findings and issue the report

The audit report is the deliverable. It must be clear, evidence-based and useful to whoever has to act. Include at minimum:

  • Scope, criteria and dates.
  • Findings classified (nonconformities, observations, strengths).
  • The evidence supporting each finding.
  • An overall conclusion on the performance of the audited process.

Avoid vague language. “Deficiencies were observed in purchasing” is useless. “No evidence was found of re-evaluation for three critical suppliers in the last 12 months, breaching procedure PR-PUR-02” works: it’s actionable.

Step 7: Manage corrective actions

Every nonconformity needs a response. And this is the step where most quality management systems fail: they raise brilliant findings that then nobody closes.

For each nonconformity:

  • Apply the immediate correction (fix the specific case).
  • Analyze the root cause (why did it happen?).
  • Define the corrective action so it doesn’t happen again.
  • Assign an owner and a due date.
  • Verify effectiveness: did the action actually work?

Want to go deeper on this step? Check our guide on how to adequately manage corrective actions.

Step 8: Follow-up, closure and input to the management review

The audit doesn’t end with the report: it ends when you verify the actions worked and formally close each finding. That follow-up is what turns the audit into real improvement.

Finally, internal audit results are a mandatory input to the management review (clause 9.3). In other words, top management must learn how the system is doing and make decisions based on that data.

The most common mistakes (and how to avoid them)

After years supporting internal audits, these are the recurring stumbles:

  • Auditing to “pass,” not to improve. If the goal is to find nothing, you’re not auditing.
  • Findings with no root cause. Without root cause, the corrective action is a patch.
  • Zero follow-up. Raising the nonconformity and forgetting it.
  • Scattered evidence. Records in emails, shared folders and USB drives nobody finds in time.
  • An auditor auditing their own process. Goodbye, impartiality.

If you want these points in depth, we have a dedicated article on the common mistakes in internal audits of the QMS.

How to stop living the internal audit as an emergency

Almost all the pain of the internal audit doesn’t come from the standard: it comes from managing it in Excel and shared folders. The annual program in a spreadsheet only one person understands, the findings in an email, the corrective actions in another sheet, the evidence spread across five places.

Quality management software like QualityWeb 360 gives you one organized place for the whole cycle: schedule the year’s audits, raise findings on site, link them automatically to corrective actions with an owner and a due date, and track them through to closure, with the evidence attached and traceable. When the external auditor arrives, you don’t scramble: everything is one click away.

It’s not a consultant and it won’t tell you how to implement your QMS. It’s the tool to manage what you already have, without the chaos.

Want to know what your manual internal audit costs you today? Use our ISO 9001 internal audit cost calculator and see the number in minutes. And if you’d like to see the whole cycle inside the platform, book a demo.

Frequently asked questions

How often should I run internal audits under ISO 9001?

The standard doesn’t set an exact frequency: it asks that the program consider the importance of processes and the results of previous audits. In practice, the recommended minimum is to cover every QMS process at least once a year, auditing critical or recently problematic processes more often.

Who can be an internal auditor?

Anyone trained in ISO 9001 and audit techniques, as long as they are impartial: they can’t audit their own process or area. No mandatory external certification is required, but documented internal training is.

What’s the difference between an internal audit and a certification audit?

The internal audit is run by your own organization to verify and improve the QMS before certification. The certification (or external) audit is performed by an accredited body to grant or maintain the ISO 9001 certificate.

What if I find a lot of nonconformities?

Finding nonconformities is a good sign: it means the audit is working. What matters is managing them with correction, root cause, corrective action and follow-up through to closure. A system with no findings is usually a poorly audited system.

Do I need software to run internal audits?

It’s not mandatory, but managing the program, findings, corrective actions and evidence in Excel and shared folders scales poorly and gets chaotic. Quality management software centralizes the whole cycle and gives you traceability, which reduces stress and the risk of nonconformities in the external audit.