What is an ISO Internal Audit?
An ISO internal audit is a disciplined approach to assessing compliance against the requirements of ISO 9001:2015. Internal audits are performed by employees who are selected and trained to evaluate the quality management system and its processes. Known as 'first-party audits', they help identify gaps, nonconformities, and opportunities for improvement and ensure ongoing compliance.
What is the Definition of Internal Auditing?
"Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."
Source: International Professional Practices Framework (IPPF), The Institute of Internal Auditors Research Foundation. Florida, USA, January 2011.
Why Perform Internal Audits?
Your organization will likely conduct internal audits for one or more of the following reasons:
- To ensure compliance with the requirements of internal, international, and industry standards and regulations, and customer requirements
- To identify good practice and promote its use across the organization
- To identify areas for improvement and promote appropriate action plans
- To determine the effectiveness of the implemented system in meeting specified objectives (quality, environmental, and financial)
- To explore opportunities for improvement
- To meet statutory and regulatory requirements
- To provide feedback to Top Management

Principles of Internal Auditing
Auditing relies on several principles intended to make the audit an effective and reliable tool that supports your company’s management policies and provides suitable objective information that your company can act upon to continually improve its performance.
The following principles relate to auditors:
- Ethical conduct: Trust, integrity, confidentiality and discretion are essential to auditing
- Fair presentation: Audit findings, conclusions and reports reflect truthfully and accurately the audit activities
- Professional care: Auditors must exercise care in accordance with the importance of the task they perform
- Independence: Auditors must be independent of the activity being audited and be objective
- Evidence-based approach: Evidence must be verifiable and be based on samples of the information available
Adherence to these principles is considered a prerequisite for ensuring that the conclusions derived from the audit are accurate, objective and sufficient. It also allows auditors to work independently from one another to reach similar conclusions when auditing in similar circumstances.
How Do I Select Internal Auditors?
The selection of internal auditors should not be limited to a few employees from lower-ranking levels or, even worse, only employees from the quality department. The selection of internal auditors must be from across functions, preferably at the highest possible level.
Identify and train appropriate staff to undertake the role of internal auditor. When internal audit personnel are selected to perform an audit, a mechanism needs to be established to ensure objectivity; for instance, a representative from another department may be selected to do the audit.
All internal auditors will have completed a recognised auditor course, providing them with the knowledge and skills to conduct internal audits against ISO 9001 as appropriate. They need experience and knowledge of the relevant audit criteria and activities they are auditing to evaluate performance and determine areas for effective improvement.
Internal auditors should be familiar with the quality requirements, the risks of the areas they are auditing, and any applicable legal requirements. Audits are demanding and require various forms of expertise. The size of the audit team will vary depending on the size of the organization, the size and type of operations, and the scope of the audit.
Due care must be taken when selecting staff to perform the role of internal auditor. Individuals who show potential as auditors should be given formal training by a registered training organization. All internal auditors' required competence should be maintained via refresher training or, more importantly, active participation in the internal audit programme.
Apart from having the appropriate training, selected staff should also possess the necessary personal qualities and attributes that enable them to act in accordance with the principles of auditing. It is strongly recommended that the internal auditors widely publish an audit programme, as it will provide a helpful planning tool for key stakeholders.
The Quality Manager should ensure that internal audits are conducted by staff who do not work in the area being audited. It should be noted that exchanging internal auditors among different organizations can be helpful. The exchange of auditors, where possible, can also be used to enhance the value of the internal audit and the individual auditor’s competencies.
How Do I Get Internal Auditor Training?
Internal auditing is a requirement of modern management system standards. This covers internal auditor resources, including training and qualification, and the selection of auditors to ensure independence from the area or process being audited.
Competence levels may be measured by training, participation in previous audits, and experience in conducting audits. Auditors may be external or internal personnel; however, they should be in a position to be impartial and objective.
Competence has to be evaluated through a process that considers personal behaviours and the ability to apply the knowledge and skills gained through education, work experience, auditor training, and audit experience.
Evaluate the competence of the organization's internal auditors and audit teams. There should be evidence that your organization:
- has identified the competence requirements for its internal auditors;
- engages auditors with the appropriate training;
- has in place a process for monitoring the performance of its internal auditors and audit teams;
- includes personnel on its audit teams who have appropriate sector-specific knowledge.
The Lead Auditors (whether for ISO 9001, ISO 14001, or ISO 45001) should maintain a team of qualified auditors and ensure that the team collectively has the experience and expertise necessary for an effective system audit and represents an adequate cross-section of the company, so that the audit is impartial and objective.
If you do not have enough qualified auditors to ensure impartiality, we suggest that:
- Department Managers identify suitable candidates to receive auditor training;
- Suitable internal auditor training is conducted or arranged to meet qualification criteria;
- Qualifications are verified and records of training, including a certificate of completion, are maintained;
- The respective Lead Auditor updates the list of trained auditors;
- The trained internal auditor is recorded on the list of trained auditors.
Internal auditors should maintain their auditing competence through regular participation in management system audits and continual professional development. Continual professional development involves the maintenance and improvement of competence. This can be achieved through additional work experience, training, private study, coaching, seminars and conferences, or other relevant activities.
What Are The Internal Audit Criteria?
We've all heard the term 'internal audit criteria,' but what exactly are they? As defined in ISO 19011:2018, audit criteria are used as a reference against which conformity is determined. It goes on to say that 'The criteria may include one or more of the following':
- Policies, processes, and procedures
- Performance criteria including objectives, statutory and regulatory requirements, and management system requirements
- Information regarding the context and the risks and opportunities as determined by the auditee (including relevant external/internal interested parties' requirements)
- Business sector codes of conduct or other planned arrangements
All documented information that helps you prove the consistency and compliance of the quality management system should be part of your internal audit criteria for each audit. If you are auditing to verify that the requirements of the standards are implemented, then the standard itself becomes the internal audit criteria.
Suppose you are going to audit your quality management system documentation; in that case, the audit criteria would be the relevant sections of the standards and the relevant management system documentation, such as the manual, procedures, work instructions, SOPs, and forms.
If you conduct a product audit against a production control plan, the internal audit criteria will be the control plan itself or relevant parts of it. The same applies when auditing an operator to see whether they follow the work instructions; the audit criteria are the work instructions for that process and any applicable criteria.
Preparing For The Audit
Prepare thoroughly before the audit! Spending time in preparation will make you much more effective during the audit—you will become a better auditor. Auditors should not skip this step, as it provides much-needed value to the audit. Taking the time to prepare and organize saves time during the audit.
Use an Internal Audit Checklist.
You should have an up-to-date audit schedule and a well-defined audit plan for each process. Communicating the audit schedule to all parties involved and to Top Management will help reinforce your mandate.
Gather all the relevant documented information related to the process you will be auditing. Look at process metrics, work instructions, turtle diagrams, process maps, flowcharts, etc. If applicable, collect and review any control plans and failure mode effects analysis worksheets, too. Review these thoroughly and highlight the aspects that you plan to audit. Using the documented information in this way ensures that these documents become audit records.
Your organization’s documented information may not cover all of the process requirements. If certain information is not available, it may become your first audit finding—not bad for the pre-audit review!
Certain information and linkages should be audited. Some are required, and some are good audit practices. Putting these sections into a worksheet format gives auditors a guide to auditing the relevant links.
Documentation Reviews
The following are examples of information that should be gathered and reviewed. The internal audit scope, objectives, and criteria are required, and this information must be defined and documented. Usually, this is just basic formality; document it and move on.
- The audit scope defines what is included in and excluded from the audit, that is, what will be audited
- The audit objectives define the purpose and what the audit should achieve
- The audit criteria define what systems, standards, and documented information will be audited
Process Criteria and Objectives
Each process is required to define this in the quality management system. Evaluate metrics and objectives to determine strengths and weaknesses. Compare actual performance to targets. This will guide you on how to allocate your audit time. If targets are not met, identify them as an audit trail. Where goals are met, focus more on other areas with bigger issues.
Previous Audit Findings
Verify if actions from previous audits remain effective and closed. Review previous audit trails to see if there is more to review or whether they should be audited again. Past problem areas may reveal more improvement opportunities.
Customer Complaints
Review previously identified problems and the effectiveness of any actions taken. Note what should be re-verified to ensure problems and issues remain closed. There could be incomplete actions or new personnel unaware of previous issues.
Inputs and Outputs
The quality management system must define and document each process's inputs, activities, and outputs. If your management system uses flowcharts, turtle diagrams, process maps, etc., the inputs and outputs should be documented there. Are inputs and outputs clearly defined? Do you see issues?
Relevant ISO Standards
Review the sections of applicable ISO standards that are relevant to the process you will be auditing. Print those pages and highlight any requirements to ensure they are documented correctly within the quality management system and that they get audited.
Flowcharts, Turtles, Procedures, Work Instructions, Records, Process Sequence
Review the documented information that describes and controls the process. Review all the essential steps and activities of the process being audited. This information must be documented within the quality management system.
Evaluate how effectively the process flows through each step. Do you see any roadblocks or issues? Make notes directly on the documents. During the audit, use them as check sheets and audit the trails and notes you marked.
Metrics and Performance
Review metrics and performance with appropriate managers, supervisors, and operators. They will know how well things are running, as well as objectives, customer issues, and problem areas. If they do not, the requirements are not met.
Audit the sequence of the process with the people actually performing the process. Do people know and follow the steps? Is what they do the same as what is documented? Are best practices documented and followed? Do personnel have changes they would recommend?
Review all the relevant steps of the assigned process. Evaluate how the process flows through the steps. Are the process steps effective? Do you see roadblocks or issues? Note and follow the audit trails you find with the relevant personnel. Observe their work. Look for things that are not as they should be.
Competencies of Personnel
Training, skills, and competencies are always potential areas for improvement. Training and competency are vital; you should always review whether training could be improved. Pay particular attention to newer employees or people who do not demonstrate good skills or competencies.
Put people at ease so they are not nervous. If there are people who do not seem to be 'up on their game,' note their names and review this with the training process owner.
Links to skills, competencies, and training needed for each process must be documented. Review skill lists for the assigned process. Are there clear lists of skills for each position? Do they show enough detail?
This is often a finding where lists are generic with inadequate detail. Training is a key process of any system. Are there specific people or new hires you wish to review? Are there particular skills you want to evaluate? Collect names to review later.
Linkages and Interactions
Linkages and interactions with other processes are always critical. As you audit the assigned process, you will see how it connects and interacts with other processes. As you audit, also audit the relevant links to related processes and support processes.
These would include the input handover from the previous process and the output handover to the following process. It should include interactions with relevant supporting processes, such as training, quality, maintenance, calibration, record and document control, etc.
Often, a process will work pretty well, but it does not always sit well with other processes at the handover points. These must be audited to determine how they perform and interact with the primary process. Note: Don't audit each linked process at this time; only audit the pieces that interact with the assigned process. The full processes will get audited as a separate process audit.
The Human Aspect of Auditing
Good auditors realize very early on that they deal with personalities as much as processes and systems. While the intent of the audit is serious, often light humor, politeness, and diplomacy are the best ways to build rapport. Every effort must be made to reassure those being audited that the audit’s primary function is to drive improvement, not to name and shame.
If you are new to auditing, be open and honest and acknowledge this fact. It is also essential to explain to the auditees that they can express their views during the audit. Remember that you, the auditor, are also there to learn.
Always discuss the issues you have identified with the auditees and provide guidance on what is expected regarding rectifying any non-conformances or closing out observations you raised. Let the auditees know they can read your notes and findings; the audit is not a secret.
Try not to be drawn into arguments concerning your observations. It is never appropriate to directly name people in the audit report, as this may lead to defensiveness, which is ultimately counterproductive.
6 Types of ISO Internal Audit
ISO 9001:2015 does not specify the techniques for conducting an audit. Unlike certification audits, internal audits are less formal and should be scheduled according to the QMS demands, priorities, available resources, and operational risks.
Internal audits are commonly referred to as ‘first-party audits’. An organization conducts these tests to determine compliance with requirements that might arise from standards like ISO 9001:2015 and customer or regulatory requirements.
There are standard methods of auditing that may be used to determine compliance:
- Gap Analysis
- System Audits
- Process Audits
- Product Audits
- Certification Audits
- Surveillance Audits
There are several methods for undertaking internal auditing. Each of the different types of audits is explained in the sections below:
Gap Analysis
The unique knowledge obtained about the status of your existing quality management system will be a key driver of the subsequent implementation approach. Armed with this knowledge, you can establish accurate budgets, timelines, and expectations that are proportional to the state of your current management system when directly compared to the requirements of the standards.
The gap analysis exercise results will help determine the differences, or gaps, between your existing management system and the requirements of ISO 9001. Not only will the analysis template help you to identify the gaps, but it will also allow you to recommend how those gaps should be filled.
The gap analysis output also provides a valuable baseline for the implementation process and measuring progress. Try to understand each business process in the context of each requirement by comparing different activities and processes with what the standard requires.
At the end of this activity, you will have a list of activities and processes that comply and those that do not. The latter list now becomes the target of your implementation plan.
System Audits
System audits are commonly referred to as 'first-party audits'. An organization conducts these audits to determine compliance with a set of internal audit criteria in the form of requirements that arise from standards like ISO 9001 and customer or regulatory requirements.
System audits are best undertaken using the internal audit checklist to appraise your management system and processes concisely against the requirements of ISO 9001:2015. This type of audit focuses on the quality management system and compares the planning activities and broad system requirements to ensure that each clause or requirement has been implemented.
Process Audits
Adopting the 'process approach' is mandated by ISO 9001:2015 and is one of the most important concepts relating to quality management systems. Process auditing is about auditing your organization's processes and interactions, which comprise the quality management system.
The process audit is an in-depth analysis that verifies that the processes comprising the management system are performing and producing the desired outcomes. It also identifies any opportunities for improvement and possible corrective actions. Process audits concentrate on unique, vulnerable, new, or high-risk processes.
The process audit checklist replicates the turtle diagram (from the internal audit procedure). It requires the auditor to review each process's inputs, risks, controls, activities, equipment, materials, personnel, and measurement methods. You can cross-reference the clause references in the process audit report to the internal audit checklist questions.
Product Audits
The product audit may be a series of audits at appropriate stages of design, production, and delivery to verify conformity to specified product requirements, such as dimensions, functionality, packaging, and labeling, at a defined frequency.
Certification Audits
A certification audit is also known as an ISO compliance audit. Certified Auditors typically work for external, third-party accreditation bodies such as DNV, UKAS, and LRQA. They will perform the Certification Audit to assess your organization's management system against the requirements of ISO 9001 and provide your certificate of compliance.
Surveillance Audits
A surveillance audit is also an ISO audit. The third-party Certified Auditors will also conduct Surveillance Audits to ensure that your certification is maintained. They would not be involved in day-to-day internal auditing operations.

How do I Conduct an Internal Audit?
The internal audit should be conducted within the timeframes discussed and agreed with the auditee. At the end of the audit, the auditor and auditee should agree on the central issues of the audit and the findings, both positive and negative.
The audit team may consist of one or more auditors. A Lead Auditor must be identified when more than one person is involved. The auditor must ensure comprehensive notes are made and retained throughout the audit. During the internal audit, the lead internal auditor may change the internal audit assignments or plans to achieve the objectives.
During each internal audit, previous audit findings should be verified, covering the past year of audit findings to ensure the effectiveness of any corrective actions implemented. The audit will also include a tour of the work areas, and positive and negative findings will be recorded as part of the audit report.
The internal auditors will collect evidence through interviews, examination of documents and records, and observation of activities and conditions in areas of concern. Information gathered through interviews is verified by acquiring the same information from other independent sources, such as physical observation and records.
A closing meeting may be conducted if the internal audit's scope or the findings' nature necessitate it. This provides opportunities to dispute potential nonconformances and for clarification of findings and requirements.
Once the audit is completed, the Lead Auditor will produce the draft audit report. Internal audit reports are prepared and reviewed with area management at the conclusion of the internal audit. The reports will include findings of conformance and actual and potential nonconformances, as well as employee suggestions for improvement.
Should I Use An Internal Audit Checklist?
Using an internal audit checklist will help you determine the extent to which your organization’s quality management system conforms to the requirements by determining whether those requirements have been effectively implemented and maintained.
The Excel-based internal audit workbook is more than just a static checklist. It offers a practical and versatile solution for evaluating process performance, analyzing data, and generating actionable insights. It enables you to easily input audit findings data to generate interactive trend charts and to develop improvement plans based on the collected data.
The audit checklist is just one of the tools available from the auditor's toolbox to help ensure your audits address the necessary requirements. The checklist stands as a reference point before, during, and after the audit and will provide the following benefits:
- Ensures the audit is conducted systematically
- Promotes audit planning
- Ensures a consistent audit approach
- Actively supports your organization's audit process
- Provides a repository for notes collected during the audit process
- Ensures uniformity in the performance of different internal auditors
- Provides a reference to objective evidence
The internal audit workbook will help you determine the extent to which your organization's management system conforms to the requirements by determining whether those requirements have been effectively implemented and maintained.
The templates will help you assess the status of your existing quality management system and identify process weaknesses to allow a targeted approach to prioritizing corrective action to drive improvement.
The audit checklist comprises tables of the certifiable ('shall') requirements from Section 4.0 to Section 10.0 of ISO 9001; each requirement is phrased as a question. This audit checklist may be used for element-based audits and for process audits when filtered.
The audit results charts quantify and visualize the conformity of your quality management system to the requirements and clauses of the standard. Not only do they facilitate quantitative comparisons between various processes and their audit results, but the audit checklist also generates data-driven recommendations and prioritizes the most frequent problems.
The data labels summarize the count to help you assess the status of your existing management system and identify process weaknesses to allow a targeted approach to prioritizing corrective action to drive improvement.
- Audit checklist metrics dashboard graphically displays status attributes
- Quickly identify and target system weaknesses
- Real-time charts display audit result data - ideal for reports or presentations.
The dashboard provides fast and reliable access to system and process metrics, precluding the need to know where all performance data is stored or how to locate the metrics champion for current data. It also reduces the likelihood that data is lost when metrics owners change or leave the company, and reduces the learning curve for new metrics owners.
Do I Need an Internal Audit Procedure?
Yes, we recommend you document an Internal Audit Procedure. This addresses two of the ISO 9001 clauses: Performance Evaluation and Improvement. It will significantly help you with the auditing process and audit management.
Internal Auditing Procedure
The internal audit procedure defines your organization’s process for undertaking QMS audits, process audits, and supplier and legislation audits to assess the effectiveness of the quality management system's application and compliance with ISO 9001:2015.
This procedure also defines the responsibilities for planning and conducting audits, reporting results, and retaining associated records.

How Do I Prepare The Internal Audit Report?
A good audit report is the output of the audit, and it is where the value of the audit lies. It deserves an appropriate amount of attention and effort. The report should include a summary of what was audited, the findings, and plans for follow-up.
As you moved through the audit, you should have noted the issues and improvements you saw. When you finish auditing, you should have a collection of various findings to review. Organize the notes you made; these audit findings need to be transferred to the internal audit report and communicated to top management.
Audit teams should review their findings with the Lead Auditor or management representative, as it is essential to calibrate the findings, and this serves as a learning process. If there is disagreement over some findings, the Lead Auditor has the final vote.
Objective evidence of the documents and records audited needs to be maintained; it can take the form of attachments or notations on the checklists. When using the checklists, the revision level of the procedure, the date of the record or report, and the individual interviewed need to be recorded.
Gather the whole audit package together in an organized manner. The rest of the work instructions, flowcharts, notes, and relevant papers should be gathered in the audit package as supporting records. All findings should also be documented on your corrective action forms.
Nonconformances should include a description of the requirement, the nonconformance, and the supporting evidence. When an auditor provides an opportunity for improvement, the auditor should review whether the process owner accepts the suggestion and the plan for dealing with the suggestion.
The internal audit report and the corrective action forms should be attached to the audit package, which now becomes the audit record. Only the summary report and corrective actions need to be given to the process owner.
What are some Elementary Internal Audit Questions?
These basic audit questions will help guide the audit in the right direction since the answers they provide often unlock the doors to information the auditor requires to accurately assess the particulars of a process.
Consider these common internal audit questions:
- What are your responsibilities?
- How do you know how to carry them out?
- What kind of training is given to new employees?
- How is the effectiveness of training evaluated?
- Are training records maintained?
- What are the objectives of your processes?
- What is the quality policy, and where is it found?
- Which documents do you use, and are they correct?
- What outputs does your process create?
- How are your records maintained?
- How do you ensure that products meet the stated requirements?
- Is customer satisfaction data analyzed?
- What happens when changes are made to product requirements?
- What are the responsibilities/authorities for dealing with non-conformances?
- Are there trends in non-conforming products, and what's being done about them?
- Is the nonconformance procedure linked to the corrective action process?
- Are employees made aware of the quality policy and objectives?
- Are policies and objectives available and relevant?
- How are quality objectives determined?
- Is there a clear link between the policies and objectives?
- How is progress towards objectives measured and communicated?
- Has the number of customer complaints changed over time?
- What tools are used to identify the causes of complaints?
- How are improvement efforts and successes communicated to employees?
Want to get the Most from your Internal Audit Program?
An internal audit program is a system of audit timelines and activities that the auditors will carry out to help businesses maintain an effective system of internal controls. The internal audit program, also known as an audit schedule, functions as a guide for conducting various types of audits in a company.

The advantages of using an internal audit programme include increased efficiency, standardization, improved accuracy, increased transparency, and cost savings. The audit programme achieves standardization by providing a consistent methodology across all audit activities.
The internal audit programme represents the arrangements for a cycle of one or more audits based on a risk-based approach. The Quality Manager or their designee creates, executes, and monitors the audit programme. The detailed annual audit programme provides:
- Tactical execution planning with specific dates
- Resource allocation and coordination
- Project management with Gantt chart integration
- Performance monitoring and progress tracking.
Based on your organization's unique needs, use an internal audit programme to establish, implement, monitor, review, and improve your audit process. The worksheet can be used to select and manage your internal auditors and ensure the consistency of audit activities.
A critical aspect of an internal audit programme is to have a clear schedule of internal audits agreed upon in advance and provide assurance that appropriate controls are in place. This allows both the internal auditor and the auditee to plan, prepare, and allocate resources, but also helps ensure that audit coverage is sufficient and reflects more significant organizational objectives.
The goals of any audit programme are considered two-fold. One goal is to assess management system compliance, and the other is to identify opportunities for continual improvement. Audits should be well planned, and various auditing techniques appropriate for the procedures and processes being evaluated should be employed.
During the initial stages of implementing any management system standard, the internal audit programme will often focus on ensuring that clause compliance issues or nonconformities are discovered and rectified before the Certification Body assessment.
However, once your organization becomes certified, the audit programme must evolve. The focus of the internal audit programme should be directed away from 'elemental' compliance with the standard clauses to an audit strategy that considers the risks inherent to each process.
When applying risk-based thinking to determine audit frequency, consider the following:
- Which processes are critical to product and service quality?
- Which processes are complex and require close monitoring and control to ensure conformity?
- What processes utilize qualified personnel?
- Are there activities or processes that occur across multiple locations?
- Have new or changed processes been introduced?
- Are there changes affecting the organization?
- Are there statutory and regulatory issues?
Improving the audit programme will help to ensure your audits are fully resourced and effective. Once approved, implement the audit programme by communicating the relevant parts of your internal audit programme, including risks and opportunities, to all stakeholders participating in the programme. As the programme progresses, progress updates and any issues must be communicated regularly.
The Lead Auditor should review the internal audit programme to assess whether it meets the audit objectives. These ‘lessons learned’ can be used to improve the internal audit programme.
This review should also factor in alternative or new auditing methods, any changes relevant to the audited areas, and the effectiveness of the actions to address any risks, opportunities, and issues associated with the internal audit programme.
For organisations certified to multiple standards, an integrated audit approach covers ISO 9001, ISO 14001 and ISO 45001 in a single pass — typically reducing total audit time by 30 to 40 percent. Our IMS integrated audit checklist template includes everything you need to plan and conduct integrated audits.