How to Conduct an ISO 9001 Internal Audit Step by Step

An ISO 9001 internal audit is not about filling out a checklist before the certification auditor arrives. Its real purpose is to verify whether the system is working as planned, whether it meets both the organization’s own requirements and those of the standard, and, above all, whether it actually helps control operations.

When the audit is understood this way, it stops being an uncomfortable formality and becomes one of the most useful tools for detecting weaknesses before they turn into major nonconformities.

What Does ISO 9001 Actually Require?

Clause 9.2 requires the organization to perform internal audits at planned intervals to verify two things:

  • That the quality management system conforms to the organization’s own requirements and to ISO 9001.
  • That the system is effectively implemented and maintained.

The key word here is effectively.

It is not enough to confirm that a procedure exists. You need to verify that the process works in practice, produces results, and leaves objective evidence behind.

Step 1: Define Objective, Scope, and Criteria

Before auditing, it must be clear what will be reviewed and what the audit will be measured against.

Every internal audit should define at least:

  • The process or area to be audited.
  • The audit objective.
  • The scope.
  • The audit criteria.
  • The assigned auditor, selected so that they do not audit their own work (clause 9.2.2 requires auditors to be chosen with objectivity and impartiality in mind).
  • The planned date.

The criteria are not limited to ISO 9001 itself. They may also include:

  • Internal procedures.
  • Work instructions.
  • Customer requirements.
  • Applicable legal or regulatory requirements.
  • Process objectives.

When this is not clearly defined, the audit becomes vague and often produces findings of little practical value.

Step 2: Build an Audit Program, Not Isolated Events

One of the most common mistakes is auditing only when certification is approaching.

A solid audit program should consider:

  • The importance of each process.
  • Recent operational changes.
  • Results of previous audits.
  • Risks associated with the process.
  • The history of nonconformities.

Not all processes require the same intensity or frequency.

For example, critical purchasing, production, document control, or complaint handling usually deserve more attention than a stable process with low risk and consistently good performance.

If recurring failures keep appearing in the same areas, it is usually worth linking the audit program to risk-based thinking as ISO 9001 describes it (clause 6.1) and to the follow-up logic of corrective action management (clause 10.2), so that audit frequency tracks where the system has actually failed.

A well-designed program prioritizes where the system can fail, not where it is easiest to audit.

Step 3: Prepare the Audit Around Evidence

Auditing is not about improvising questions during a walkthrough. Before entering the process, it is useful to review:

  • Applicable procedures and forms.
  • Process KPIs.
  • Previous findings.
  • Recently opened or closed corrective actions.
  • Identified risks related to the area.
  • Relevant changes in personnel, equipment, or methods.

Based on that, the auditor prepares a verification guide.

It does not need to become a rigid questionnaire, but it should direct the audit toward verifiable evidence.

For example, instead of asking, “Do you have document control?” it is more useful to ask:

  • How do you ensure personnel use the current version?
  • What happens when a document changes?
  • Who authorizes publication?
  • Where can the revision history be seen?

That difference changes the quality of the audit completely.

Step 4: Audit the Real Process

During the audit, the priority is not listening to explanations. It is comparing what is supposed to happen with what is actually happening.

The most common sources of evidence are:

  • Interviews.
  • Direct observation.
  • Records.
  • Indicators.
  • Current documents.
  • Follow-up results.

A good internal auditor does not stay at the desk. They follow the process flow.

If they audit purchasing, they review everything from the request to supplier evaluation. If they audit training, they verify everything from needs detection to competence evidence. If they audit corrective actions, they check everything from the original nonconformity to effectiveness verification.

The central question is always the same:

Is there coherence between what the system says it does and what is actually happening?

Step 5: Raise Findings with Precision

Not every finding is a nonconformity. That is why proper classification matters.

In practice, three types of findings usually appear:

  • Conformity: the requirement is met and the evidence demonstrates it.
  • Nonconformity: there is a failure to meet a requirement.
  • Opportunity for improvement: there is no formal failure, but there is still a clear weakness or room for strengthening.

When a nonconformity is documented, it should be clear:

  • Which requirement was not met.
  • What objective evidence demonstrates it.
  • Where it was identified.
  • What factual observation was made, without unnecessary interpretation.

A poorly written finding creates debate. A precise finding creates useful action.

For example, it is not the same to write:

  • “Document control is weak.”

as it is to write:

  • “The production area was observed using work instruction IT-07 revision 2, while the current version in the system is revision 4, which does not comply with the organization’s documented information control requirements.”

The second statement is verifiable, objective, and actionable.

Step 6: Ensure Follow-Up on Actions

An audit without follow-up becomes archive material.

After the report is issued, the organization should:

  • Analyze each finding.
  • Determine the cause of each nonconformity, so that the action addresses the cause rather than the symptom.
  • Define corrective actions.
  • Assign owners and deadlines.
  • Verify the effectiveness of what was implemented.

This is where many systems weaken.

The issue is not usually detecting the finding. The issue is preventing it from getting lost among emails, meeting notes, and informal reminders, so that the same weakness resurfaces at the next audit.

When follow-up is digitally structured, closure no longer depends on the memory of the quality manager and becomes part of the normal system flow.

What Does the External Auditor Review About Internal Audits?

When a certification or surveillance audit takes place, the external auditor usually reviews:

  • The audit program.
  • The competence and independence of the internal auditor.
  • The defined criteria and scopes.
  • The quality of findings.
  • The follow-up given to nonconformities.
  • The connection between internal audits, corrective actions, and continuous improvement.

If internal audits always conclude with “no findings” in complex and changing processes, that rarely signals maturity. More often, it signals superficiality.

An effective internal audit does not try to look perfect. It tries to see the system with technical honesty.

Frequent Mistakes That Weaken Internal Audits

The most common ones are:

  • Auditing only to satisfy the calendar.
  • Reviewing documents but not real operations.
  • Using generic checklists without adapting them to the process.
  • Raising vague findings without objective evidence.
  • Closing actions without verifying effectiveness.
  • Assigning an auditor to audit their own work.

Each of these mistakes reduces the value of the audit and weakens the preventive capacity of the system.

When Does It Make Sense to Use Software?

In small organizations, an audit can still be managed with simple forms.

But when processes, locations, findings, and responsibilities increase, manual management starts to fragment. It becomes harder to maintain traceability between:

  • The audit program.
  • Checklists or criteria.
  • Findings raised.
  • Evidence collected.
  • Corrective actions.
  • Follow-up and closure.

In a specialized system such as AdminISO, those elements can be connected in one flow. That does not replace the auditor’s judgment, but it does prevent the audit from depending on scattered folders, duplicated files, or incomplete follow-up.

Internal Auditing as a Real Control Mechanism

A well-conducted ISO 9001 internal audit is not a rehearsal before the certification body’s visit.

It is a mechanism for checking whether the system governs operations or merely documents them.

When the process is well designed, findings become decisions, corrective actions become traceable, and management gains real visibility over the condition of the system.

That is where internal auditing stops being a ritual and becomes management.