8.2.2 Internal audit

An internal audit procedure must define:

  • Criteria
  • Scope
  • Program frequency
  • Method
  • Report results
  • Keep records (see 4.2.4)


Q: What do we audit against?

A: Your procedures and ISO 9001:2008, plus any industry-specific regulations or contractual requirements.

Tip: Read the relevant documentation prior to the audit and make an audit checklist of the key aspects that you wish to audit. The checklist is merely an aide-mémoire; don't be blinkered by it.


Q: How far do we go?

A: Far enough to ensure the sequence and interaction of processes.

Program frequency

Q: How often?

A: Internal audit program frequency is not specified in ISO 9001:2008. Normal practice is to audit the whole QMS (but in bite-sized pieces) at least once per year or more often if considered appropriate.

Tip: Use the company process-map (see 4.1) as a basis for the audit programme – plan to audit related procedures (e.g. Enquiry and Quotation, Order Receipt, etc.) within a process (e.g. Sales) and ensure there is some overlap into the next process.


Q: How do we audit?

A: Interviewing staff, observing activities and viewing relevant records.

Report results

Report the audit results to management. You need to include in your procedure how any problems and improvements are followed up.

Q: What should be included in my report?

A: Your report should be objective and provide a balanced view. Report good things (conformance), bad things (non-conformance) and observations on possible improvements.

Q: What is a non-conformance?

A: ISO 9000 defines non-conformity as the failure to fulfil a requirement. So, if you can demonstrate that a requirement of ISO 9001, your procedures or another relevant document has not been met, then you have a non-conformance.

An "observation" is your opinion, so make sure you report it as such.

Keep records

Auditor training records are also required, see 6.2.

Job Description:

1. Confirm compliance with ISO 9001, any other regulations, company procedures, etc.

2. Seek improvements (or simplifications) in processes.

Tip: Don't forget to audit "top management".

There is considerable emphasis on top management being seen to be on board and playing the game. Top management is defined as the person(s) who direct an organisation at the highest level.

The principal message that management must get across is that the objective of this business is to keep the customer happy.

Specifically, management must communicate these ideas (5.1, 5.2, 5.3, 5.5.1, 5.5.2, 5.5.3) to the employees, who should be aware of their own roles and responsibilities (6.2.2).

Notice that few of these clauses specify a procedure or a record – top management are simply required to do it.

As a result, the Certification Body will want to question the Directors and the staff. This is something that your own auditors must also do.

Also see ISO 19011.

The Human Aspect of Auditing

Good auditors realise very early on that they are dealing with personalities as much as processes and systems. Whilst the intent of the audit is a serious one, light humour, politeness and diplomacy are often the best ways to build rapport. It is vital that every effort is made to reassure those being audited that the audit’s primary function is to drive improvement, not to name and shame.

If you are new to auditing, acknowledge this fact, be open and honest. It is also important to explain to the auditees that they are free to express their views during the audit. Remember that you, the auditor, are also there to learn.

Always discuss the issues you have identified with the auditees and always provide guidance on what is expected in terms of rectifying any non-conformances or closing out observations you raised. Let the auditees know they are welcome to read your notes and findings; the audit is not a secret.

Try not to be drawn into arguments concerning your observations. It is never appropriate to directly name people in the audit report, as this may lead to defensiveness, which is ultimately counterproductive.

Preparing for the Audit

Preparation is the key to a meaningful audit and, as such, you should have an up-to-date audit schedule and a well-defined audit plan for each process. Be sure to communicate the audit schedule to all parties involved, as well as to top management, as this will help reinforce your mandate.

The audit schedule is a living document and should not be cast in stone, but instead, it should be allowed to evolve organically with the needs of the business. Always review historical audit reports and check during the audit that any previous corrective or preventive actions are still operating.

Elementary Audit Questions

These basic audit questions will help guide the audit in the right direction since the answers they provide often unlock the doors to information the auditor requires in order to accurately assess the particulars of a process.

Consider these common audit questions:

  1. What are your responsibilities?
  2. How do you know how to carry them out?
  3. What kind of training is given to new employees?
  4. How is the effectiveness of training evaluated?
  5. Are training records maintained?
  6. What are the objectives of your processes?
  7. What is the quality policy and where is it found?
  8. Which documents do you use and are they correct?
  9. What outputs does your process create?
  10. How are your records maintained?
  11. How do you ensure that products meet the stated requirements?
  12. Is customer satisfaction data analyzed?
  13. What happens when changes are made to product requirements?
  14. What are the responsibilities/authorities for dealing with non-conformances?
  15. Are there trends in non-conforming products and what's being done about it?
  16. Is the non-conformance procedure linked to the corrective action process?
  17. Are employees made aware of the quality policy and objectives?
  18. Are policies and objectives available and relevant?
  19. How are quality objectives determined?
  20. Is there a clear link between the policies and objectives?
  21. How is progress towards objectives measured and communicated?
  22. Has the number of customer complaints changed over time?
  23. What tools are used to identify the causes of complaints?
  24. How are improvement efforts and successes communicated to employees?

How to Audit a Process

If you have been involved in a certification body audit, you will probably have noticed that the professional auditors often use the following method to perform the audit. They will start at either the beginning or the end of the organisation's workflow and follow a sample of inputs and outputs (e.g. orders, contracts, projects, products, etc.) through the organisation. This is known as a process audit. On an internal audit, you may not have time to cover the entire process in one audit, in which case, divide the process into manageable units and use that as the basis for your audit schedule and checklist.

The first task for the auditor is to establish what the process is intended to achieve. If it is a sales department, it could be that its primary function is to provide an effective interface between the organisation and its customers and to input clear and accurate customer data onto the computer system in a timely manner. (These may turn out to be the ‘quality objectives’ for that process as required by Para 5.4.1). If these are the most important objectives of that process, then the audit must concentrate on verifying whether or not they are being achieved.

Performance is often best proven by looking at how well the output of Process A satisfies the input requirements of Process B. For example: how often does Process B have problems with customer data entered on the system? How many customer complaints have arisen due to inaccurate or late information being entered? If there is a documented procedure in place, it should define the process and the steps to be taken to ensure the objectives are achieved.

Consider these points:

  1. Is there continuity between the various processes in the organisation?
  2. Is the task done consistently on a person-to-person or day-to-day basis?
  3. Do the interfaces between the departments operate smoothly?
  4. Does product information flow freely?
  5. Is the procedure right?
  6. Does it meet the Standard?
  7. Is it helping the organisation effectively?

How to Measure a Process

A clue can be found in ISO 9001:2008 Clause 8.4. It tells us to determine, collect, and analyze data to provide insight into the health of the quality management system. It goes on to list a minimum of four areas for which this analysis must be performed: customer satisfaction, product quality, process performance, and supplier performance.

Clause 8.2.3 broadly addresses the monitoring and measurement of the processes referred to in Clauses 4, 5 and 6. Clause 8.2.4 mainly focuses on monitoring and measurement of the outputs from the Product Realisation process.

The processes that require measurement are:

  1. The establishment of the quality policy and objectives
  2. The establishment of the quality manual
  3. The control of documents
  4. The control of records
  5. The process of defining and communicating responsibility and authority
  6. The management representative appointment
  7. The establishment of internal communication
  8. The conducting of the management review
  9. The provision of human resources
  10. The provision of infrastructure and work environment

A common way to measure a process is with quality objectives and key performance indicators. Select an objective or indicator for each core process, ensure it is measurable and track that indicator on a periodic basis (monthly, quarterly, annually, whatever makes sense for that metric). A single indicator may be used for more than one process. Include trend charts showing the performance of the metric from period to period.

How to Audit without Procedures

In cases where an organisation has chosen not to operate a documented procedure, the first step must be to establish what methods exist to control the process. From there, the auditor can evaluate the effectiveness of the process by testing to ensure it is performed consistently and by comparing it to the appropriate clauses of ISO 9001.

Select the ‘predominant’ ISO clause for the process being audited plus the more general ones and you should be able to verify both the effectiveness of the process and also its compliance to the standard.

This can prove particularly useful when performing internal audits, as it helps the organisation to satisfy the requirements of clause 8.2.2, which requires us to ‘determine whether the quality management system conforms to planned arrangements, to the requirements of this International Standard and to the quality management system requirements established by the organisation’.

Getting the Most from the Audit Schedule

The audit schedule is divided up to reflect each section of ISO 9001:2008. You should determine which of these sections are of greatest relevance to your business; in other words, which processes, should there be problems, will affect your customers the most. These are the processes that your company must make certain remain stable and consistent. You might wish to schedule these key processes for additional audits, perhaps two or even three times per year.

The audit schedule provides the following benefits:

  1. Provides a visual plan of the audit programme
  2. Demonstrates coverage of the whole standard
  3. Provides the current status of the audit programme
  4. Promotes awareness