Why Internal Audits Matter
Internal audits are required by most ISO management system standards, including ISO 9001, ISO 14001, and ISO 27001. But beyond ticking a compliance box, a well-run internal audit program is one of the most powerful tools available for identifying weaknesses in your management system and driving genuine improvement.
Think of internal audits not as inspections to be feared, but as structured opportunities to ask: "Is our system working as intended, and is it achieving its objectives?"
What Does an Internal Audit Assess?
An ISO internal audit evaluates whether your management system:
- Conforms to the requirements of the relevant ISO standard
- Conforms to your own organization's documented requirements and procedures
- Is effectively implemented and maintained
Note: an internal audit is not about finding fault with individuals. It is a process-level assessment.
Step 1: Build an Audit Programme
Your audit programme covers all planned internal audits over a defined period (typically 12 months). When designing the programme, consider:
- The status and importance of each process
- Results of previous audits (higher-risk areas may need more frequent auditing)
- Any significant changes to the organization or its context
- Customer complaints or non-conformance trends
Document the programme and ensure it covers all processes and departments within the scope of your management system at least once per cycle.
Step 2: Plan Individual Audits
For each audit, prepare an audit plan that defines:
- Audit objectives and scope
- The ISO standard clauses and internal procedures to be assessed
- Audit criteria (what you'll measure conformance against)
- Schedule and location
- Names of the auditor(s) and auditees
Prepare an audit checklist of questions and evidence to look for. A good checklist ensures consistency and keeps the audit focused, but auditors should remain flexible and follow up on interesting findings.
Step 3: Select and Train Internal Auditors
ISO standards require that internal auditors are competent and that they audit only areas for which they have no direct responsibility (to ensure objectivity). Auditor competence typically includes:
- Knowledge of the relevant ISO standard
- Understanding of audit principles and techniques
- Familiarity with the organization's processes and context
Consider sending internal auditors on an accredited ISO internal auditor training course — it's a worthwhile investment.
Step 4: Conduct the Audit
A typical on-site audit follows this structure:
- Opening meeting — Introduce the audit team, confirm the scope and objectives, and set the tone.
- Evidence gathering — Interview staff, observe processes, and review documented information. Look for objective evidence of conformance or non-conformance.
- Auditor team meeting — Review findings and agree on conclusions before the closing meeting.
- Closing meeting — Present findings to management, confirm any non-conformances, and outline next steps.
During interviews, use open-ended questions ("Can you show me how you...?" or "What happens when...?") to encourage detailed responses.
Step 5: Report Findings
Audit findings fall into three main categories:
| Finding Type | Description |
|---|---|
| Conformance | Requirements are being met effectively |
| Observation / Opportunity for Improvement | Not a non-conformance, but a potential risk or improvement area |
| Non-conformance | A requirement of the standard or procedure is not being met |
Produce a clear, factual audit report. Non-conformances must reference the specific requirement not met and be supported by objective evidence.
Step 6: Corrective Actions and Follow-Up
For each non-conformance, the responsible process owner must:
- Identify the root cause (not just the symptom)
- Define and implement a corrective action
- Verify the effectiveness of the action
Track corrective actions through to completion and review their effectiveness at the next management review. This closes the loop and demonstrates that your management system is genuinely improving — exactly what ISO auditors want to see.