An ISO 9001 internal audit should help an organisation understand whether its Quality Management System is working as intended.
It should not become a search for minor mistakes or a paperwork exercise completed shortly before a certification audit.
A useful internal audit examines how work is actually performed, whether planned controls are being followed and whether the processes are producing the expected results.
This guide explains how to plan and conduct an ISO 9001 internal audit, what evidence to examine, how to report findings and which questions to ask when auditing Clauses 4 to 10.
It also includes a practical 48-question checklist that can be adapted to different organisations and industries.
Revision update: ISO 9001:2015 remains the current published edition. A revised edition is expected in September 2026. Organisations should continue auditing against ISO 9001:2015 until the new edition and applicable transition arrangements are officially published.
What is an ISO 9001 internal audit?
An ISO 9001 internal audit is a systematic and impartial examination of an organisation’s Quality Management System.
Its purpose is to determine whether the QMS:
- Meets the organisation’s own requirements.
- Meets the applicable requirements of ISO 9001.
- Has been effectively implemented.
- Is being maintained.
- Supports the organisation’s intended results.
The audit should provide management with reliable information about the condition of the system.

This includes identifying processes that are working well as well as weaknesses that need attention.
Internal audits are required by Clause 9.2 of ISO 9001. However, the value of an audit depends on how it is planned and conducted—not simply whether an audit report exists.
What is the difference between an internal and external audit?
An internal audit is performed on behalf of the organisation.
It may be conducted by trained employees, another part of the organisation or a competent external consultant acting as the internal auditor.
An external audit is performed by someone outside the organisation. Examples include:
- A certification audit.
- A customer audit.
- A supplier audit.
- A regulatory audit.
An internal audit should help the organisation identify and correct problems before they affect customers or are discovered during an external audit.
It should not attempt to imitate a certification audit exactly. Internal auditors can examine known weaknesses in greater depth and follow issues across departmental boundaries.
Why are ISO 9001 internal audits important?
A well-conducted internal audit can help an organisation:
- Confirm that processes are being followed.
- Verify that responsibilities are understood.
- Identify ineffective or unnecessary controls.
- Detect problems before they reach the customer.
- Check whether previous corrective actions were effective.
- Identify inconsistent practices between teams or locations.
- Evaluate whether records provide reliable evidence.
- Find opportunities to simplify or improve processes.
- Prepare for certification and surveillance audits.
- Give management better information about QMS performance.
The objective is not to produce an audit report with no findings.
An audit that reports no problems despite repeated complaints, missed objectives or operational failures may not have examined the system deeply enough.
What does ISO 9001 require?
ISO 9001 requires the organisation to conduct internal audits at planned intervals.
The audit programme must consider:
- The importance of the processes concerned.
- Changes affecting the organisation.
- The results of previous audits.
The organisation must also:
- Define the audit criteria and scope.
- Select auditors who can remain objective and impartial.
- Report results to relevant management.
- Take correction and corrective action without undue delay.
- Retain evidence of the audit programme and audit results.
ISO 9001 does not require every process to be audited annually.
The frequency should be based on process importance, risk, performance, change and previous results.
A stable, low-risk process with strong performance may need less frequent attention than a critical process with recurring nonconformities.
Important internal audit terms
Audit programme
The audit programme contains the overall arrangements for one or more audits over a defined period.
It may identify:
- Processes to be audited.
- Planned dates.
- Audit frequency.
- Assigned auditors.
- Locations.
- Previous findings.
- Audit status.
Audit plan
The audit plan covers the arrangements for an individual audit.
It normally identifies:
- The audit objective.
- Scope.
- Criteria.
- Date and duration.
- Auditor.
- People or functions involved.
- Processes and activities to be examined.
Audit scope
The scope defines the boundaries of the audit.
It may identify a process, department, location, project, product line or part of the QMS.
Audit criteria
The audit criteria are the requirements against which the evidence will be evaluated.
They may include:
- ISO 9001 requirements.
- Company procedures.
- Customer requirements.
- Contract requirements.
- Legal and regulatory requirements.
- Specifications.
- Process controls.
Audit evidence
Audit evidence is verifiable information relevant to the audit criteria.
It may come from:
- Interviews.
- Observations.
- Documents.
- Records.
- Data.
- Completed products or services.
- Electronic systems.
Audit finding
An audit finding is the result of comparing the evidence with the audit criteria.
A finding could identify:
- Conformity.
- Nonconformity.
- An opportunity for improvement.
- A positive practice.
Who can conduct an ISO 9001 internal audit?
An internal auditor should be competent to conduct the audit and understand the activities being examined.
Competence may be based on:
- Internal-auditor training.
- Knowledge of ISO 9001.
- Understanding of auditing principles.
- Relevant technical or operational experience.
- Supervised audit experience.
- Communication and report-writing ability.
An auditor does not need to memorise ISO 9001.
They should be able to interpret the relevant requirements, ask useful questions, evaluate evidence and distinguish between a genuine requirement and personal preference.
The organisation should retain appropriate evidence of auditor competence.
Can employees audit their own work?
Internal auditors should be objective and impartial.
An employee should not normally audit activities for which they are directly responsible because this could affect the reliability of the audit.
In a small organisation, complete independence may be difficult.
Possible arrangements include:
- Employees auditing processes outside their normal responsibilities.
- Managers auditing one another’s departments.
- Using personnel from another location.
- Arranging reciprocal audits with another business.
- Appointing an external internal auditor.
The important point is that the auditor can examine the work fairly and challenge the evidence without auditing their own decisions.
How often should internal audits be conducted?
ISO 9001 does not prescribe a fixed audit frequency.
The organisation should create a risk-based programme.
Consider auditing a process more frequently when:
- It directly affects product or service conformity.
- It is new or has recently changed.
- Previous audits identified significant findings.
- Performance targets are not being achieved.
- Customer complaints are increasing.
- Employee turnover has affected competence.
- New technology or equipment has been introduced.
- The process is complex or highly regulated.
- Corrective actions require an effectiveness check.
An organisation might audit high-risk operational processes every six months while auditing stable support processes annually or less frequently.
Audits may also be triggered by events. A serious complaint, major process change or repeated defect may justify an additional audit.
Process-based audits versus clause-based audits
A clause-based audit examines the QMS one ISO 9001 clause at a time.
This can help confirm that all requirements have been covered. However, it may produce an audit that follows the structure of the Standard rather than the way the organisation operates.
A process-based audit follows the actual flow of work.
For example, an auditor examining order fulfilment might review:
- Customer requirements.
- Contract review.
- Planning.
- Competence.
- Supplier controls.
- Operational instructions.
- Inspection and release.
- Records.
- Performance measures.
- Nonconformities.
- Improvement actions.
This single audit may examine requirements from several ISO 9001 clauses.
A process-based approach normally provides a more realistic picture because it examines interactions and handovers as well as individual controls.
A clause checklist can still be used to confirm coverage, but it should support the audit rather than control the entire conversation.
How to plan an ISO 9001 internal audit
Step 1: Establish the audit objective
Decide what the audit should achieve.
Possible objectives include:
- Confirming conformity with ISO 9001.
- Evaluating a particular process.
- Investigating poor performance.
- Checking a recently changed procedure.
- Verifying corrective-action effectiveness.
- Preparing for certification.
- Assessing consistency between locations.
A clear objective helps the auditor select relevant evidence.
Step 2: Define the scope
State exactly what is included.
For example:
The receipt, review, processing and fulfilment of customer orders at the organisation’s Birmingham facility.
Avoid a scope such as “audit the sales department” if the actual process crosses sales, planning, purchasing and operations.
Step 3: Define the audit criteria
Identify the requirements that apply.
These may include:
- Relevant ISO 9001 clauses.
- The organisation’s procedures.
- Customer specifications.
- Contract requirements.
- Applicable legislation.
- Quality objectives.
- Previous corrective actions.
The auditor should know which requirement supports any finding raised.
Step 4: Select the auditor
Confirm that the auditor:
- Is competent.
- Understands the process sufficiently.
- Can remain objective.
- Is available for the required time.
- Has access to relevant information.
A technical specialist may support the auditor where additional knowledge is required.
Step 5: Review background information
Before the audit, review relevant information such as:
- Process maps.
- Procedures and work instructions.
- Previous audit reports.
- Open corrective actions.
- Process risks.
- Quality objectives.
- Performance data.
- Complaints.
- Nonconformity reports.
- Management-review actions.
- Applicable customer requirements.
This helps focus the audit on the areas that matter.
Step 6: Prepare the audit plan
The plan should be proportionate to the scope and complexity of the audit.
A simple plan might include:
| Time | Activity | People involved |
|---|---|---|
| 09:00 | Opening discussion | Process owner |
| 09:15 | Review process inputs and controls | Process owner |
| 10:00 | Observe operational activities | Relevant employees |
| 11:00 | Sample records and performance data | Process owner |
| 12:00 | Auditor review | Auditor |
| 12:30 | Closing discussion | Process owner and manager |
Allow enough time to observe work and sample evidence. An audit conducted entirely from a meeting room will rarely provide a complete picture.
Step 7: Prepare questions and sampling priorities
The checklist should act as a prompt rather than a script.
Prepare open questions and identify records or activities to sample. Adjust the questions as new information is discovered.
How to conduct an internal audit
Hold a short opening discussion
Explain:
- The purpose of the audit.
- The scope and criteria.
- The planned activities.
- How findings will be reported.
- When the closing discussion will take place.
Employees should understand that the audit examines the process—not their personal performance.
Follow the process
Begin by asking the process owner to explain:
- What the process should achieve.
- Which inputs it receives.
- What outputs it produces.
- Who is responsible.
- Which risks need to be controlled.
- How performance is measured.
- What happens when something goes wrong.
Then follow a real example through the system.
For an order-fulfilment audit, the auditor might select a recently completed order and trace it from customer enquiry through review, planning, delivery and final records.
Ask open questions
Useful audit questions often begin with:
- How do you…?
- What happens when…?
- Who is responsible for…?
- How do you know…?
- Where is this recorded?
- Can you show me an example?
- What has changed recently?
- How is performance reviewed?
Avoid questions that suggest the expected answer.
Instead of asking:
You always use the latest drawing, don’t you?
Ask:
How do you confirm that the drawing you are using is the current approved revision?
Interview the people performing the work
Managers may describe how a process is supposed to operate. Employees can explain how it works in practice.
Ask employees to show:
- Where instructions are obtained.
- How requirements are confirmed.
- Which records are completed.
- What happens when information is unclear.
- How problems are reported.
- How changes are communicated.
- Which checks must be completed.
- How competence or authorisation is confirmed.
The purpose is to evaluate the process, not test an employee’s memory.
Observe activities
Observation can identify differences between documented arrangements and actual practice.
Look for:
- Availability of current information.
- Identification and traceability.
- Inspection or approval status.
- Protection of products.
- Equipment condition.
- Handling of customer property.
- Segregation of nonconforming outputs.
- Completion of records.
One observation should not automatically lead to a broad conclusion. Establish whether it represents an isolated event or a wider weakness.
Sample records
An audit is normally based on sampling.
Consider sampling:
- Different dates.
- Different customers.
- Different products or services.
- Different employees or shifts.
- Normal and unusual activities.
- Successful and problematic work.
- Recently changed processes.
- Records connected with complaints or defects.
Avoid examining only a perfect record selected by the process owner.
Compare evidence with requirements
A finding must be supported by evidence and connected to a requirement.
Personal preference is not an audit criterion.
An auditor should not raise a nonconformity merely because they would have designed the process differently.
Hold a closing discussion
At the end of the audit:
- Summarise what was examined.
- Explain positive observations.
- Present findings clearly.
- Confirm the supporting evidence.
- Resolve factual misunderstandings.
- Explain the reporting and follow-up process.
The closing discussion should not be the first time the process owner hears about a significant concern.
ISO 9001 internal audit checklist: 48 example questions
The following checklist contains 48 practical questions covering Clauses 4 to 10.
It is intended to help organisations prepare and conduct a basic internal audit. It is not a substitute for understanding the Standard, defining the audit scope or following evidence discovered during the audit.
Clause 4: Context of the organisation
- What internal and external issues could affect the intended results of the QMS?
- Which interested parties are relevant, and what requirements do they have?
- How are changes to organisational context and interested-party requirements monitored?
- Does the QMS scope accurately describe the activities, locations, products and services covered?
- What are the organisation’s main processes, and how do they interact?
Clause 5: Leadership
- How does top management demonstrate active involvement in the QMS?
- How is customer focus promoted throughout the organisation?
- Is the quality policy appropriate to the organisation and its strategic direction?
- Do employees understand the quality policy and how it relates to their work?
- Are QMS responsibilities and authorities clearly assigned and understood?
Clause 6: Planning
- How are risks and opportunities identified and addressed?
- Are actions proportionate to their possible effect on products, services and customer satisfaction?
- How is the effectiveness of actions addressing risks and opportunities evaluated?
- Are quality objectives measurable and relevant to the organisation?
- Who is responsible for each objective, and how is progress monitored?
- How are changes to the QMS planned and controlled?
Clause 7: Support
- Are sufficient people, infrastructure and working conditions available to operate the processes effectively?
- How does the organisation determine the competence required for relevant roles?
- What evidence demonstrates that employees are competent?
- Do employees understand how their work contributes to quality and what can happen when requirements are not followed?
- How is important QMS information communicated internally and externally?
- How are documents reviewed, approved and updated?
- How do employees confirm they are using the current approved version of a document?
- How are records stored, protected, retrieved and retained?
Clause 8: Operation
- How are customer requirements identified and reviewed before work is accepted?
- How are changes to customer or contract requirements controlled and communicated?
- Where design applies, how are design inputs, reviews, verification, validation and changes controlled?
- How are external providers selected, approved and monitored?
- Are purchasing requirements communicated clearly to suppliers?
- Are production or service activities performed under controlled conditions?
- How are inspection, testing and acceptance requirements defined?
- How are products, services and their inspection status identified where necessary?
- Who is authorised to approve the release of products or services?
- How are nonconforming outputs identified, controlled and prevented from unintended use or delivery?
Clause 9: Performance evaluation
- What process and QMS performance information is monitored and measured?
- How does the organisation evaluate customers’ perceptions and satisfaction?
- Are complaints, defects and other performance data analysed for trends?
- Is there an internal audit programme based on process importance, change and previous results?
- Are internal auditors competent, objective and impartial?
- Are audit findings reported and addressed without unnecessary delay?
- Does management review consider the required QMS performance information?
- Do management reviews result in clear decisions about improvement, changes and resources?
Clause 10: Improvement
- How are opportunities to improve products, services, processes and the QMS identified?
- How are nonconformities corrected and contained?
- How does the organisation determine whether root-cause investigation and corrective action are required?
- Are corrective actions proportionate to the effects of the problem?
- How is the effectiveness of corrective action verified?
- What evidence demonstrates that the QMS is improving over time?
How to use these questions
Do not ask all 48 questions during every audit.
Select the questions relevant to the audit objective, scope and process.
Use the answers to develop follow-up questions such as:
- Can you show me an example?
- Where is that requirement recorded?
- Who reviews this information?
- What happened the last time the process failed?
- How do you know the action was effective?
- Does the same arrangement apply at every location?
The questions start the audit trail. The evidence determines where the auditor goes next.
How to record an audit finding
A well-written nonconformity should contain three elements:
- The requirement.
- The objective evidence.
- A clear statement of the failure.
For example:
The document-control procedure requires approved work instructions to display their current revision status. Three of the five work instructions sampled in the assembly area did not show a revision number. The organisation has therefore not implemented its defined document-identification controls consistently.
This is stronger than writing:
Document control needs improvement.
The second statement does not identify the requirement, evidence or exact failure.
Nonconformity, observation or opportunity for improvement?
Organisations may use different finding classifications.
A practical internal system might include the following.
Major nonconformity
A significant failure affecting the organisation’s ability to achieve the intended results of its QMS.
Examples might include:
- A required process has not been implemented.
- Internal audits have not been conducted.
- A widespread control failure affects several departments.
- Products are released without required verification.
- A systemic failure creates a significant risk to customers.
Internal classifications should be clearly defined rather than copied from another organisation.
Minor nonconformity
An isolated or limited failure that does not indicate a complete breakdown of the system.
Examples might include:
- One required record is missing from an otherwise implemented process.
- One sampled document is obsolete.
- A planned supplier re-evaluation is overdue.
Several related minor findings may indicate a wider systemic problem.
Opportunity for improvement
A suggestion that could improve effectiveness or efficiency where no requirement has been breached.
An opportunity for improvement should not be used to disguise a nonconformity.
If a requirement has not been met, record the nonconformity clearly.
What happens after an internal audit?
The audit is not complete when the report is issued.
The responsible manager should:
- Correct the immediate problem.
- Assess its extent and consequences.
- Determine whether corrective action is required.
- Investigate the cause where appropriate.
- Establish and implement action.
- Provide evidence of completion.
- Verify effectiveness.
- Close the finding when the action has worked.
The auditor may confirm that evidence has been provided, but responsibility for resolving the issue normally belongs to the process owner.
The auditor should avoid prescribing the exact solution. Management should determine how to correct the system unless specialist advice is specifically requested.
How quickly should findings be closed?
ISO 9001 requires correction and corrective action to be taken without undue delay, but it does not prescribe one universal deadline.
Timescales should reflect the significance and risk of the finding.
For example:
- A problem that could affect customers may require immediate containment.
- A significant control failure may require a short deadline.
- An improvement involving investment or system development may require more time.
Where permanent corrective action takes time, temporary controls may be necessary.
A finding should not remain open simply because its target date is repeatedly extended.
How to verify corrective-action effectiveness
Completion and effectiveness are not the same.
A revised procedure, completed training session or new checklist demonstrates that an action was implemented. It does not prove that the original problem has been prevented from recurring.
Effectiveness may be verified by:
- Sampling later records.
- Repeating part of the audit.
- Observing the changed process.
- Reviewing performance data.
- Checking for repeat complaints or defects.
- Interviewing relevant employees.
- Confirming that the control works across affected locations.
The verification method should relate to the original failure.
Common internal-audit mistakes
Using the checklist as a script
Reading questions in order can prevent the auditor from following important evidence.
Use the checklist to support the audit—not replace professional judgement.
Auditing documents without auditing the work
A procedure may look correct while actual activities differ.
Combine document review with interviews, observation and record sampling.
Asking only managers
Managers may explain the intended process. Employees performing the work can provide evidence of actual implementation.
Raising findings based on preference
Auditors must compare evidence with requirements.
“This is not how I would do it” is not a valid audit criterion.
Focusing only on minor paperwork errors
Record control matters, but the audit should also examine customer requirements, process performance, risk and effectiveness.
Accepting explanations without evidence
A confident explanation does not demonstrate that a process is consistently implemented.
Ask to see a recent example.
Sampling only perfect records
Samples should represent the process, including difficult, unusual or unsuccessful work where relevant.
Writing vague findings
A finding should identify the requirement that was not met and the evidence supporting the conclusion.
Prescribing the corrective action
The auditor should explain the failure. The process owner should normally determine the solution.
Closing findings when actions are merely completed
Important corrective actions should only be closed after their effectiveness has been verified.
Example ISO 9001 internal audit report structure
A practical audit report may contain:
- Audit title or reference.
- Audit date.
- Auditor.
- Process owner.
- Objective.
- Scope.
- Criteria.
- People interviewed.
- Documents and records sampled.
- Summary of the process.
- Positive practices.
- Nonconformities.
- Opportunities for improvement.
- Required actions and responsibilities.
- Target dates.
- Follow-up and closure information.
The report should be clear enough for someone who did not attend the audit to understand what was examined and what needs to happen next.
Simple internal audit preparation checklist
Before beginning an audit, confirm that you have:
- Defined the audit objective.
- Established the scope.
- Identified the audit criteria.
- Selected a competent and impartial auditor.
- Agreed the date and duration.
- Informed relevant managers.
- Reviewed previous findings.
- Reviewed process performance and complaints.
- Identified significant risks and changes.
- Prepared suitable questions.
- Selected initial samples.
- Allowed time for observing activities.
- Planned an opening and closing discussion.
Questions employees may be asked during an audit
Employees are often concerned about what an auditor might ask.
The questions are normally straightforward:
- What is your role?
- What are you responsible for?
- How do you know what the customer requires?
- Where do you find the current instructions?
- What checks do you perform?
- What records do you complete?
- What do you do if something is wrong?
- How do you report a problem?
- What training have you received?
- How are changes communicated to you?
- How does your work affect quality?
- Can you show me a recently completed example?
Employees should answer honestly and demonstrate the process they actually use.
They should not be coached to memorise prepared answers.
How should an organisation prepare for an internal audit?
The organisation should make the relevant people and evidence available.
It should not create missing records, hide known problems or temporarily change normal practices for the benefit of the auditor.
Useful preparation includes:
- Confirming the scope and timetable.
- Making process owners available.
- Ensuring relevant systems can be accessed.
- Gathering applicable procedures and records.
- Reviewing the status of previous findings.
- Informing employees that the audit is taking place.
The best preparation is an effectively implemented process.
The difference between this checklist and a complete audit toolkit
The questions in this article provide a practical starting point for planning a basic audit.
A complete internal audit toolkit should go further by providing:
- Detailed questions mapped to individual ISO 9001 subclauses.
- Suggested evidence for every question.
- Fields for recording the evidence sampled.
- Clause-based and process-based audit checklists.
- An annual audit programme.
- A risk-based audit schedule.
- An individual audit plan.
- An editable audit report.
- A findings and corrective-action register.
- Effectiveness-review fields.
- Automatic status and overdue tracking.
The value of an editable toolkit is not simply that it contains more questions. It provides the structure needed to plan, conduct, document and follow up an audit consistently.
Final thoughts
An ISO 9001 internal audit should provide an honest view of how the Quality Management System operates.
The strongest audits follow real work, speak with the people performing it and compare objective evidence with defined requirements.
They do not focus exclusively on documents, and they do not treat the absence of findings as the measure of success.
A useful audit identifies weaknesses early, confirms whether controls are effective and gives management reliable information for making improvements.
When internal auditing becomes part of normal business management rather than a yearly compliance exercise, it can prevent problems, improve consistency and strengthen the entire QMS.