ISO 9001 is the internationally recognised global standard for Quality Management Systems (QMS). It confirms an organisation’s commitment to improving quality, delivering more efficient operations and boosting customer satisfaction.
A crucial part of maintaining ISO 9001 certification is conducting regular internal audits. These audits, when done correctly, allow organisations to scrutinise their processes, identify areas for improvement, and help sustain the high-quality service clients come to expect.
But what is an internal audit, and how do you conduct one? Read on to learn more about our ISO 9001 internal audit plan.
What is an internal audit?
An internal audit is a core part of the ISO 9001 certification process. It’s an organised process that aims to verify that an organisation’s Quality Management System complies with ISO 9001 requirements and specifications.
The purpose is to identify any gaps or areas of noncompliance with ISO 9001 within an organisation’s QMS so they can be addressed before the certification audit.
Unlike an external audit, which is conducted by a third-party certification body, an internal audit is undertaken by the organisation seeking certification.
The objectives of an internal audit
Conducting an internal audit can help organisations achieve several objectives:
- To determine the effectiveness of the QMS in delivering high-quality output
- To ensure the QMS is meeting ISO 9001 requirements and industry regulations
- To identify areas for improvement in operations
- To ensure the QMS is meeting specified financial and quality business objectives
- To help an organisation identify any areas of weakness they have ahead of their certification audit
Who should perform an internal audit?
An internal audit is conducted by the organisation seeking ISO certification.
To ensure that the process is unbiased and objective, the individual or team conducting it should not be responsible for the activities being audited.
The individual or team conducting the audit – often referred to as the ‘internal auditor’ – needs to have a good understanding of the ISO 9001 standard and its requirements, the organisation’s processes, audit principles and techniques. Internal auditors should also have the skills to objectively evaluate the implementation of the QMS and identify nonconformities and areas for improvement.
The organisation needs to be able to demonstrate to a certification body that any auditors it uses for internal audits are competent. Internal auditors also require strong communication skills to interact successfully with staff throughout the auditing process and precisely report the outcomes.
Step-by-step guide to an ISO 9001 audit
Step 1 – Create an ISO 9001 internal audit plan
Before you conduct an audit for your organisation, create an audit plan. You may want to define the following:
- Objectives – Clarify what the audit aims to achieve, including identifying and assessing risks and opportunities related to the QMS
- Scope – Define the areas of the organisation to be audited
- Criteria – Identify the standards against which the organisation will be assessed
- Timeline – Specify when each phase of the audit will happen
Step 2 – Select the audit team
Select the individual or team who will be responsible for carrying out the audit – this will depend on the size of your organisation.
Consider potential conflicts of interest and ensure that team members have the necessary competencies.
For a smaller organisation, you may only need one auditor. But for larger organisations, a team consisting of an audit leader, several auditors and technical experts could make the undertaking more manageable.
The audit lead would oversee the entire process and liaise with the auditee, while the auditors would conduct the audit and report their findings. The technical experts could provide specific contextual knowledge.
Step 3 – Conduct the opening meeting
An opening meeting is the initial meeting that takes place at the start of an audit between the auditors and the auditee.
In this meeting, you might discuss a number of topics, including:
- The audit’s objectives, scope and criteria
- How the audit will be conducted
- The schedule
- The confidentiality of the audit’s results
Step 4 – Gather and review documentation
Before conducting the audit, ensure you have read the following:
- Quality manual – An overview of the organisation’s QMS
- ISO regulations – The requirements of the ISO 9001 standard
- Procedures – Specific steps to perform key tasks
- Records – Evidence that procedures are being followed
Documenting the audit plan and criteria is crucial to ensuring transparency and accountability.
Step 5 – Conduct the audit
An audit can be conducted using various data-collection methods, including interviews, observations and document reviews (including data records). To ensure consistency and efficiency, use checklists or audit criteria.
Both qualitative and quantitative data are important in a quality management audit. During these activities, auditors should also assess how risks and opportunities are being managed within the QMS. Direct discussions with employees to understand current processes and outcomes, and on-site observation of work activities and conditions, can be helpful in collecting real-time data.
Step 6 – Record all findings, identifying both good practices and nonconformities, plus opportunities for improvement
Using the data collected during the audit, you will then need to document and categorise all findings. This includes good practices and areas that do conform, as well as any identified nonconformities, ensuring each finding is supported by objective evidence. You will then be able to recommend opportunities for improvements based on this.
Step 7 – Hold the closing meeting
Wrap up your internal audit with a closing meeting. This meeting should cover the findings of the internal audit, the identified nonconformities and potential risks. Also include the next steps in systematically correcting them.
ISO 9001 requirements relevant to internal audits
ISO 9001 emphasises the importance of internal audits, particularly under Clause 9.2 Internal Audit and Clause 9.3 Management Review, and your ISO 9001 internal audit plan needs to take this into account.
Clause 9.2 highlights that organisations must conduct internal audits at planned times to ensure that their QMS conforms to the organisation’s own requirements and ISO 9001’s requirements. These audits should not only verify conformity but also assess how the QMS manages risks and opportunities. The QMS processes must be effectively implemented and maintained. This clause also requires organisations to maintain records of the audit programme and the audits completed.
Clause 9.3 requires top management to review the organisation’s QMS. This review includes the results of internal audits, to ensure the QMS’s continuing suitability, adequacy, effectiveness and alignment with the organisation’s strategic choices.
Under ISO 9001 requirements, internal auditors must have the appropriate skills and knowledge and follow a planned and documented audit process.
Tips for a successful ISO 9001 internal audit plan
Our guidance can help your organisation conduct a successful internal audit:
- Maintain independence and objectivity – Auditors should not audit their own work or work done by their own department. This is to help keep any findings and actions unbiased and credible. It could also mitigate any in-team tension that could disrupt workflow.
- Maintain effective communication – Ensure auditors communicate clearly with all parties involved in your audit before, during and after the audit. They should share information promptly so any areas of nonconformance or potential issues can be handled.
- Positive problem-solving is key – When nonconformities are identified, auditors should maintain a proactive and positive attitude toward the problem-solving process, focusing on the root cause rather than just the symptoms.
- Use checklists and tools – Checklists, flowcharts and other audit tools can help ensure all areas are covered and make the audit process more time- and resource-efficient.
- Focus on collaboration – Approach the audit as a tool for improvement, not as a fault-finding mission. Collaborating directly with the auditees to get their input and identify effective solutions can increase productivity and engagement.
- Follow up on actions – After the audit, check that any corrective actions are implemented and monitor their effectiveness.
Remember, the aim of an audit isn’t to lay blame but to uncover opportunities for improvement.
What happens after an internal audit?
Report the findings
Once the internal audit has been conducted, you need to prepare a comprehensive audit report that includes:
- Summary of findings – An overview of what was observed, including good practices and areas needing improvement
- Nonconformities – List and explain any identified noncompliances and their severity
- Recommendations – Suggest actions to address the nonconformities
You may also need to keep this report safe so that it can be referenced during future QMS internal audits.
Implement corrective actions
Implementing corrective actions promptly and effectively is a critical part of any ISO 9001 internal audit plan. This involves identifying the root causes of nonconformity, determining the appropriate corrective actions, implementing them, and monitoring their effectiveness over time.
Focus on continuous improvement
A key tenet of ISO 9001 is continual improvement, and it should form part of your ISO 9001 internal audit report. This requires organisations that are ISO 9001 certified, or looking to be certified, to continually strive for better, more efficient processes that help them maintain or provide high-quality output.
A continual improvement strategy might include regular data analysis and process updates, employee training and keeping detailed records of past nonconformities to inform future strategies.