Internal Audit Checklist & Procedure — ISO 9001 Clause 9.2

By the Training Tiger Team · February 2026 · Updated March 2026 · 14 min read

Internal audits are the quality management system's version of a mirror. Done right, they show you exactly where your processes are strong, where they're drifting, and where you're heading for a finding before your external auditor arrives. Done wrong, they're a compliance checkbox that burns time, frustrates employees, and produces audit reports nobody reads.

The difference isn't the checklist. It's the approach. Organizations that treat internal audits as a genuine improvement tool — not a rehearsal for the external audit — catch problems early, close them properly, and show up to certification audits with confidence. Organizations that treat internal audits as paperwork churn out reports full of "No findings" and then wonder why the registrar keeps writing them up.

This guide walks through what ISO 9001 Clause 9.2 actually requires, the most common internal audit failures (and how to avoid them), a complete step-by-step audit procedure, and a downloadable checklist you can put to work immediately. Whether you're building your first internal audit program or fixing one that isn't delivering, this is the practical starting point.

What ISO 9001 Clause 9.2 Requires

Clause 9.2 is titled "Internal Audit." It sits in Section 9 — Performance Evaluation — alongside monitoring and measurement and management review. The standard's logic is straightforward: you can't improve what you don't measure, and you can't manage what you don't audit.

Specifically, Clause 9.2 requires the organization to conduct internal audits at planned intervals to provide information on whether the QMS:

  • Conforms to the organization's own requirements for its QMS
  • Conforms to the requirements of ISO 9001:2015
  • Is effectively implemented and maintained

Beyond the "what," the clause prescribes the "how." The organization must plan, establish, implement, and maintain an audit program. That program must consider the importance of the processes concerned, changes affecting the organization, and results of previous audits. For each audit, you must define audit criteria and scope, select auditors who are objective and impartial (they cannot audit their own work), report results to relevant management, and take timely corrective action on any findings without undue delay. All of this must be retained as documented information.

The key word that trips people up is "planned." Your audit schedule must exist as a documented plan — not a rough intention. The plan should specify which processes get audited, how frequently, and who will conduct the audits. When the registrar asks for your internal audit program, they expect to see a living schedule, not a blank template you dusted off the week before the audit.

How Often Must ISO 9001 Internal Audits Be Conducted?

ISO 9001 does not mandate a specific frequency. The standard says internal audits must be conducted "at planned intervals" — which means the schedule is yours to define, but it must be documented, followed, and adjusted based on risk.

In practice, most organizations default to auditing every process and area at least once per calendar year. This satisfies most registrars and provides a reasonable baseline. But the standard explicitly requires that your audit program consider:

  • The importance of the processes concerned — high-risk or customer-facing processes warrant more frequent audits
  • Changes affecting the organization — new processes, new equipment, acquisitions, or significant procedural changes should trigger an unscheduled audit
  • Results of previous audits — areas with recent nonconformities or open corrective actions should be revisited sooner

A common mistake: auditing every area exactly once per year regardless of performance history. If Production Area 3 had five nonconformities last cycle and the corrective actions were only recently closed, auditing it once per year on a fixed schedule is inadequate. Revisit it at six months. Document why. The registrar will appreciate the risk-based thinking.

Before you can build your first audit schedule, it helps to know where your QMS currently stands. A structured gap assessment identifies which clauses are fully implemented, partially implemented, or not yet addressed — so your audit schedule can be weighted toward areas of highest risk from day one.

Who Can Conduct an ISO 9001 Internal Audit?

ISO 9001 Clause 9.2 sets two non-negotiable criteria for internal auditors: they must be objective and impartial. In plain terms, auditors cannot audit their own work. A production supervisor cannot audit their own production area. A quality manager cannot audit their own documentation processes.

Beyond impartiality, the standard implies — and registrars expect — that auditors are competent. Competence for an internal auditor includes:

  • Understanding of ISO 9001:2015 requirements and how they apply to the organization
  • Ability to gather and evaluate objective evidence (interviewing, record review, process observation)
  • Ability to write clear, factual, defensible findings
  • Understanding of the audit process itself (opening meetings, evidence trails, closing meetings, reports)

You do not need external auditors or certified lead auditors for internal audits. Many organizations cross-train employees from different departments to serve as internal auditors. Someone from Finance can audit Purchasing. Someone from Engineering can audit Production documentation. The key requirement is that the auditor has no direct responsibility for the area being audited.

Formal auditor training — whether an internal workshop or a recognized lead auditor course — directly improves audit quality and gives your registrar confidence that the program is being executed competently. If budget is limited, at minimum conduct a documented internal training session covering the audit procedure, evidence documentation, and finding classification, and retain records of who attended.

Why Internal Audits Fail

Most internal audit programs fail for the same handful of reasons. Understanding them upfront saves you a lot of pain.

1. Auditing for Compliance, Not Effectiveness

There's a big difference between asking "Do you have a procedure for this?" and asking "Is this procedure actually working?" Compliance audits find documents. Effectiveness audits find problems. An internal auditor who only checks whether documents exist and employees can recite the policy is leaving real issues undiscovered. The question isn't whether a control exists — it's whether the control is doing what it's supposed to do.

2. No Findings Is a Red Flag, Not a Win

If your internal audit program consistently produces reports with zero nonconformities and zero observations, something is wrong. Either the auditors are not digging deep enough, the auditees know how to prepare a clean-looking operation for audit day, or the audit scope is too narrow to catch real issues. Real internal audits find things. That's the point. A registrar who sees years of clean internal audit reports followed by a cluster of findings during the external audit will ask a pointed question: why didn't your internal audits catch these?

3. Auditors Without Adequate Training

ISO 9001 requires that auditors be selected to ensure objectivity and impartiality. It also implies — and most registrars expect — that auditors are competent. That means understanding the standard, knowing how to gather and evaluate objective evidence, and being able to write a clear, defensible finding. Throwing someone into an audit with a checklist and no training produces inconsistent, superficial results. Investing in auditor training (whether formal lead auditor certification or internal coaching) directly improves audit quality.

4. Corrective Actions That Never Get Closed

An audit finding that doesn't result in verified corrective action is worse than no finding at all. It proves you knew about the problem and did nothing. The internal audit cycle only works if findings feed directly into the corrective action process, root causes get addressed, and effectiveness gets verified. Tracking open corrective actions through management review is the mechanism that closes the loop.

5. Auditing the Same Comfortable Areas

Audit programs that develop a rhythm of auditing well-performing areas while avoiding difficult ones miss the point entirely. The standard requires that audit frequency reflect the importance of the processes, changes affecting the organization, and results of previous audits. Areas with recent nonconformities, significant changes, or customer complaints should be audited more frequently — not avoided because they're uncomfortable.

Step-by-Step Internal Audit Procedure

Here is a complete internal audit procedure you can adapt to your organization. Each step maps directly to the checklist and Word template below.

Step 1: Build and Maintain the Annual Audit Schedule

At the start of the year (or whenever your QMS cycle begins), document an audit schedule covering every process and area within the QMS scope — at minimum once per year. For higher-risk processes, processes that have recently changed, or areas with a history of nonconformities, schedule audits more frequently. Assign lead auditors to each audit, confirming they are not auditing their own area. Get Quality Manager sign-off on the schedule and treat it as a controlled document. For a ready-to-use format, see our free internal audit plan template.

The schedule is living. If a significant customer complaint comes in, or a major process change occurs mid-year, add an unscheduled audit. Document the reason. Clause 9.2 explicitly says the audit program must consider "changes affecting the organization."

Step 2: Prepare for the Audit

At least five business days before the audit, issue a formal audit notification to the auditee (the process owner or department head). The notification should state the scope, the date, the lead auditor, and what records will be reviewed. This is not a courtesy — it is a process step. Surprise audits create defensiveness; planned audits allow the auditee to have the right people and records available.

The auditor should prepare by reviewing the previous audit report for the area, any open corrective actions, relevant procedures, customer feedback, and quality objectives for the process. Come in informed, not blank.

Step 3: Conduct the Opening Meeting

The opening meeting sets the tone. Keep it brief — 15 to 20 minutes. Confirm the scope and objectives. Introduce the audit team. Explain how findings will be recorded and communicated. Confirm the schedule and logistics. The goal is alignment, not intimidation. A good opening meeting puts the auditee at ease and sets up a productive day.

Step 4: Gather Objective Evidence

This is the core of the audit. Use the checklist as your guide, but don't be a slave to it. The checklist ensures coverage; your judgment determines depth. Evidence gathering happens three ways: interviewing personnel, observing processes, and reviewing records. The best audits use all three.

Ask open-ended questions. "Walk me through what happens when a customer complaint comes in" produces far more useful information than "Do you have a complaint procedure?" Follow threads. When a record doesn't match the procedure, ask why. When an employee's description doesn't match the record, note it. Document your evidence as you go — specific document numbers, dates, names, and what was observed. Vague audit notes produce indefensible findings.

Step 5: Classify and Document Findings

Each issue you identify falls into one of three categories. A nonconformity is a direct failure to meet a stated requirement — either from ISO 9001 or from your own documented procedures. An observation (sometimes called an opportunity for improvement, or OFI) is a potential weakness that doesn't yet rise to the level of a nonconformity but warrants attention. A positive finding is something done particularly well — worth noting because it reinforces good practice and can be shared across the organization.

Write findings clearly and factually. State the requirement, state what was observed, state why it's a nonconformity. "Training records for operators in Area 4 could not be located for calendar year 2025, contrary to Clause 7.2 and Section 5.3 of the Training Procedure (QMS-TRN-001)" is a defensible finding. "Training records not available" is not.

Step 6: Conduct the Closing Meeting

Present your findings verbally to the auditee and their management before you leave. This is their chance to correct factual errors before the written report is issued. It is not a negotiation — the findings stand if the evidence is solid — but giving the auditee an opportunity to clarify misunderstandings before the formal report is professional practice and prevents unnecessary disputes later.

Summarize what was done well, what nonconformities were found, what observations were noted, and what happens next (written report within X days, corrective actions required within Y days).

Step 7: Issue the Audit Report

Issue the formal written audit report within five business days of the closing meeting. The report should include the audit scope, date, auditor(s), areas covered, a summary of evidence reviewed, all findings (classified as NC or OFI), and an overall conformance assessment. Distribute to the auditee, their manager, and the Quality Manager. File in the QMS as documented information — this is required by Clause 9.2.

Step 8: Track Corrective Actions to Closure

Every nonconformity requires a corrective action. The auditee initiates the corrective action, conducts root cause analysis, implements a fix, and verifies effectiveness — following the corrective action procedure. The Quality Manager tracks all open corrective actions and reports status at management review. The internal audit cycle is only complete when every finding has a verified, closed corrective action.

Common ISO 9001 Internal Audit Findings

Knowing what auditors routinely find gives you a head start before audit day. These are the most frequently cited nonconformities during ISO 9001 internal audits — and they show up in organizations of every size and industry.

Training Records That Cannot Be Located

The most common Clause 7.2 finding: an operator is performing a quality-critical task, but no training record exists — or the record on file is for an outdated procedure revision. The auditor asks "show me training evidence for the operators running this process" and the response is "I'll have to look for it." That's a nonconformity. Training records must be retained as documented information and must be current to the revision in use.

Quality Objectives Without Measurement

Clause 6.2 requires quality objectives to be measurable, monitored, and communicated. Auditors regularly find objectives that are stated in a document but have no measurement method, no data collection, and no evidence of review. "Improve customer satisfaction" is not a quality objective. "Achieve ≥ 90% on the monthly customer satisfaction survey, measured monthly and reviewed at management review" is. The difference is whether you can actually audit conformance to it.

Documents Controlled — But Not Used

This finding covers work instructions and SOPs that exist in the document control system but are not accessible at the point of use, or that describe a process nobody actually follows. Clause 8.5.1 requires controlled documents to be available where they are needed. At ABC Precision Manufacturing, auditors found the welding work instruction was a 2022 revision posted on the wall while the current revision in the QMS had been updated twice. Both problems — inaccessible documents and outdated posted copies — are Clause 7.5 and 8.5.1 issues.

Corrective Actions Without Root Cause Analysis

Clause 10.2 requires that corrective actions address root causes to prevent recurrence. Auditors frequently find CAPAs where the "corrective action" is simply retraining the employee or re-issuing the procedure — with no analysis of why the nonconformity occurred. If a shipment error resulted in the wrong part reaching the customer, and the corrective action is "remind the shipping team to double-check," the root cause has not been addressed. Expect a repeat finding at the next audit.

Supplier Evaluations Not Performed

Clause 8.4 requires that external providers be evaluated and re-evaluated based on their ability to meet requirements. Many organizations have an approved supplier list but cannot demonstrate they have actually evaluated new suppliers before issuing purchase orders, or that they are monitoring existing supplier performance. Purchase orders going to unapproved suppliers — even for low-risk items — are a straightforward Clause 8.4 finding.

Management Review Missing Required Inputs

Clause 9.3 specifies a required list of inputs for management review, including internal audit results, customer satisfaction data, quality objective performance, nonconformity and corrective action status, and process performance data. Auditors often find management review records that are too thin — meeting minutes confirming the review occurred but not demonstrating that required inputs were actually discussed and decided upon. The management review record must be substantive, not a signature page.

What Happens After the ISO 9001 Internal Audit

The audit report is issued. Now what? The post-audit phase is where most organizations' internal audit programs break down — and where the real value gets captured or lost.

Initiating Corrective Actions (CARs)

Every nonconformity requires a corrective action request (CAR) — also called a CAPA (Corrective and Preventive Action). The auditee initiates the CAR, typically within five business days of receiving the audit report. The CAR must include: a description of the nonconformity, a root cause analysis (not just a symptom fix), the planned corrective action, the responsible person, a target completion date, and ultimately, evidence of effectiveness verification.

For a complete guide on structuring and tracking corrective actions, see our corrective action procedure template. The internal audit and the CAPA process are the two interlocked mechanisms that drive real QMS improvement.

Tracking and Verifying Closure

The Quality Manager is responsible for tracking all open CARs and reporting status at management review. An open CAR that sits unresolved for months is itself a nonconformity — the standard requires "timely corrective action." Most organizations set a 30–60 day target for CAR closure, with extensions documented and justified.

Closure is not just implementation — it is verification of effectiveness. The corrective action is only closed when there is objective evidence that the root cause was addressed and the problem has not recurred. For significant nonconformities, this may require a follow-up audit of the affected area.

Feeding Results into Management Review

Internal audit results are a required input to management review under Clause 9.3. The management review agenda should include a summary of: audits completed in the period, findings by clause and area, open CARs and their status, and any trends (are the same clauses showing up repeatedly?). This closes the loop between internal audits, corrective action, and top management oversight — which is the entire intent of Section 9 of the standard.

Internal Audit Checklist

Below is a complete internal audit checklist covering all major requirements of ISO 9001:2015. It is organized by clause for easy navigation. Use it as your starting point — then add process-specific questions based on what you're auditing.

How Training Tiger Helps

The two clauses that come up most often in internal audit findings are Clause 7.2 (Competence) and Clause 7.5 (Documented Information). Both are directly addressed by Training Tiger.

On the competence side: when your internal auditor asks "Show me the training records for the operators who run this process," you pull up Training Tiger, filter by document or training group, and show completion records with timestamps — who completed the training, on which revision, and when. That's your objective evidence. No spreadsheet hunting, no "I think we filed that somewhere."

On the document control side: when the auditor asks "How do you ensure employees are working from the current revision?" you show them the automatic retraining trigger. When a procedure is updated in Training Tiger, employees are automatically flagged for retraining on the new version. No one is working from a procedure they downloaded two years ago and never updated. That's Clause 7.5 compliance built into the workflow.

And when an audit finding generates a corrective action that results in a procedure update? The cycle is clean: update the procedure in Training Tiger, the system triggers retraining, employees complete it, records are captured. The next auditor who reviews that corrective action can see the entire chain — updated procedure, training evidence, and completion timestamps — in one place.

Always Audit-Ready

Training Tiger keeps your training records and document control audit-ready at all times. No spreadsheet hunting. No "I think we filed that somewhere." Just the evidence your auditor needs, right when they need it.

Frequently Asked Questions

What does ISO 9001 Clause 9.2 require for internal audits?

Clause 9.2 requires organizations to conduct internal audits at planned intervals to confirm the QMS conforms to requirements and is effectively implemented. You must plan, establish, implement, and maintain an audit program; define audit criteria and scope; select competent, objective, impartial auditors; report results to management; and take timely corrective action on findings. All documented information must be retained as evidence of the audit program and its results.

How often should internal audits be conducted for ISO 9001?

ISO 9001 does not specify a minimum frequency — it says "at planned intervals." Most organizations audit each area or process at least once per year. Higher-risk areas, areas with recent nonconformities, or processes that have changed should be audited more frequently. Your audit schedule should be documented and followed consistently, with deviations justified and recorded.

Can employees audit their own department?

No. ISO 9001 Clause 9.2 explicitly requires that auditors be objective and impartial — they cannot audit their own work. This does not mean you need external auditors. An employee from one department can audit another department. Many organizations rotate audit assignments across departments to build internal capability while maintaining objectivity. The key is that the auditor has no direct responsibility for the area being audited.

What is the difference between an observation and a nonconformity?

A nonconformity is a direct failure to meet a stated requirement — either from ISO 9001 or from your own documented procedures. An observation (sometimes called an opportunity for improvement or OFI) is a potential weakness that does not yet constitute a full nonconformity but warrants attention before it becomes one. Only nonconformities require formal corrective action. Observations are good practice to document but are not mandated by the standard.
