An ISO 9001 internal audit is a planned, independent check that your quality management system matches both the ISO 9001 standard and your own documented processes, and that it is working in practice. It is required by Clause 9.2, and it runs on a program: schedule, checklists, trained auditors, findings, and closure.

Done well, an internal audit is the cheapest way to find problems before a customer or a certification body does. Done badly, it is a box-ticking ritual that produces a folder of "no findings" reports and zero improvement. The difference is almost entirely in the program and the mindset, not the paperwork.

What is an ISO 9001 internal audit?

An internal audit is a first-party audit: your own organization auditing itself against a standard. ISO 9001 Clause 9.2 requires it, and it has two jobs. First, conformity: does the QMS meet the requirements of ISO 9001 and the requirements you set for yourself? Second, effectiveness: is the system actually implemented and maintained, or does it only exist on paper?

That second job is what separates a real audit from a document review. Anyone can confirm a procedure exists. An auditor confirms the procedure is followed, produces the records it claims to, and delivers the result it was meant to. Internal audit is one of the three pillars of Clause 9 performance evaluation alongside monitoring and management review, and its findings are a required input to the management review.

The value is protective, not decorative. An internal audit is a rehearsal for the certification audit and a warning system for the plant. Every nonconformity you find and fix yourself is one the external auditor will not write up, and one that will not reach a customer as a defect. Companies that treat internal audit as a genuine hunt for weak points walk into their certification audits calm; companies that treat it as a formality tend to discover their real problems in front of the registrar, which is the most expensive place to find them.

How do you build an internal audit program?

Clause 9.2 requires an audit program, not just audits. The program defines what gets audited, how often, by whom, and how results feed back. The core rule: frequency and depth should reflect the importance of each process and its past performance. A process that failed last audit or drives most of your complaints gets audited more often than a stable one.

The program is usually owned by an audit program manager, often the quality manager, who plans the year, assigns auditors, and makes sure results get reviewed. That single point of ownership is what keeps audits from quietly slipping when the plant gets busy, which is exactly when the audit matters most. A workable program has these elements:

Risk-weighted audit program scheduleAudit frequency follows risk, not the calendarPROCESSQ1Q2Q3Q4Welding (high risk)Purchasing (medium)Design (medium)Document control (low)Training (low)highmediumlow
A risk-weighted schedule: the welding cell that drives most nonconformities gets four looks a year; document control gets one.

How do you write an audit checklist by clause and process?

The strongest checklists follow the process, not just the clause list. You still map to ISO 9001 requirements, but you walk the process the way the work actually flows: inputs, activities, outputs, and the measures that prove it worked. That turtle-diagram habit keeps the audit grounded in reality instead of reading procedures back at people.

For each line of the checklist, capture three things: the requirement (from ISO 9001 or your own procedure), what evidence would show it is met, and where to find that evidence. Keep the checklist flexible; if the evidence leads somewhere unexpected, follow it. A good auditor uses the checklist as a map, not a script. Our quality audit checklist guide gives you a reusable structure, and the broader auditing discipline is well documented by ASQ.

How do you conduct the audit?

The on-site audit follows a predictable arc, and ISO 19011 formalizes it. Open with a short meeting to confirm scope and logistics. Gather evidence by sampling records, observing the work, and interviewing the people who do it, always asking to see the proof rather than accepting "yes, we do that." Note conformities and nonconformities against your checklist as you go. Close with a meeting where you present findings so there are no surprises in the report.

Two habits separate strong auditors from weak ones. The first is following the trail: when an operator says a check gets done, ask to see the last ten records, then trace one back to the calibrated gauge that produced it. The second is auditing the process, not the person. The tone is set in the opening meeting; if people believe the audit exists to find fixable gaps rather than to assign blame, they show you the real problems instead of hiding them, and the audit becomes worth far more than its cost.

Sampling is the auditor's main tool and its main limit. You cannot check every record, so you check enough to form a defensible opinion and you weight your sample toward where risk lives. If three of five sampled records show the same gap, that is a systemic finding, not a one-off. If you find nothing, say so plainly, but be honest about whether you looked hard enough to earn that conclusion.

Internal audit conduct flowConducting the audit, opening to closureOPENING MTGGATHEREVIDENCERECORDFINDINGSCLOSING MTGREPORTCORRECTIVE ACTION + VERIFY CLOSURE → into management review
The audit does not end at the report. A finding that never closes is worse than no finding, because now the failure is documented and ignored.

How do you write and close findings?

A good finding is three parts and no adjectives: the requirement, the objective evidence, and the gap between them. "Procedure QP-07 requires calibration every 12 months; gauge #114 was last calibrated 16 months ago per the calibration log" is a finding. "Calibration seems disorganized" is an opinion, and it will not survive pushback.

Classify findings honestly, usually as major nonconformity, minor nonconformity, or opportunity for improvement. Then drive each nonconformity through correction and, where warranted, root cause and corrective action so it does not come back. Record every finding on a nonconformance report and track it to verified closure. Findings that sit open for months are the single clearest sign of a program that audits but does not improve.

Not every finding needs a full root-cause investigation. A minor slip with an obvious fix gets a correction and a due date. A recurring or systemic nonconformity earns the full treatment, because the goal is to stop it returning, not just to patch this instance. Match the rigor of the response to the risk of the finding, and record the reasoning either way.

A 7-step internal audit playbook

Here is the sequence a competent internal auditor runs, from assignment to closure:

  1. Confirm scope and criteria. Which processes, which clauses, which shift, which records. Pull the relevant procedures and the last audit's findings so you know where the bodies are buried.
  2. Build the checklist. Walk the process, list the requirements, and note the evidence you expect for each. Leave room to follow surprises.
  3. Hold the opening meeting. Confirm scope, timing, and logistics with the area owner. Set the tone: this finds problems to fix, not people to blame.
  4. Gather objective evidence. Sample records, watch the work, interview operators, and always ask to see the proof. Follow the evidence where it leads.
  5. Document findings. Requirement, evidence, gap. Classify each. No opinions, no ambush; the area owner should hear every finding before the closing meeting.
  6. Close with a debrief and report. Summarize conformities and nonconformities, agree on the facts, and issue a written report with due dates for responses.
  7. Drive corrections to verified closure. Track each nonconformity through correction, root cause, and corrective action, verify it held, and roll the results into management review.

Internal audit facts worth anchoring on

A few reference points from the standards bodies:

The recurring pain of running audits is not judgment; it is evidence-wrangling. Records live on clipboards, in spreadsheets, and in three different systems, so the auditor spends more time hunting for proof than evaluating it, and findings get lost in email between audit and closure. Harmony's part is narrow: it captures checks and records digitally where the work happens and keeps them searchable, so pulling evidence and tracking findings to closure takes minutes, working alongside your QMS rather than replacing it. No rip-and-replace. You can see that pattern in a real plant on our customer story. The standard's bar never moves: independent eyes, objective evidence, and findings that actually close.