News & Commentary on ISO Management System Standards

    ISO 9001 Internal Auditing: DOs and DON'Ts


    Practical advice on ISO 9001:2015 Clause 9.2

    NOTE: The advice here applies to all Management System Standards (MSS) and not just to implementing ISO 9001:2015.

    For whatever MSS you need to conduct internal audits, you have two basic approaches to choose from:

    Option 1: do the minimum necessary to satisfy the Certification Body (CB) [or Accreditation Board (AB)] Auditors

    Option 2: take the best advantage of the opportunity the mandatory requirement offers.

    You may well ask: Is it really worth my while putting time and effort into internal auditing, especially when I am going to meet resistance at every turn?

    Here we’re going to consider both options and then you can decide which is best for your organization.

    Option 1: Do the minimum to satisfy Clause 9.2 requirements

    Action / The benefit to the Organization
    • Focus on the basic performance and effectiveness of the management system (MS) from an impartial viewpoint (through choosing impartial internal auditors)
      Benefit: Satisfies a requirement of Clause 9.2
    • Ensure that planned arrangements have been completed, not forgetting to audit processes that do not have procedures associated with them (Clauses 4 and 5 in particular)
      Benefit: Satisfies a requirement of Clause 9.2
    • Ensure that the MS is effectively implemented and maintained.
      Benefit: Satisfies a requirement of Clause 9.2


    With Option 1, you’ll have done a good job.  But at what cost in terms of lost opportunity?


    Option 2: Take full advantage of the opportunity Clause 9.2 presents

    Action / The benefit to the Organization
    • (As with Option 1)
      Benefit: Satisfies a requirement of Clause 9.2
    • Develop an audit program directed toward ensuring the performance and effectiveness of the management system.
      Benefit: The internal audit becomes part of monitoring the system to check progress towards achieving the Management System Objectives and KPIs chosen and prompting timely action to ensure that they are going to be successfully met.
    • Develop an Audit Schedule (as part of the audit programme) to conduct audits throughout the year (e.g. monthly, quarterly, or annually) and that differs for different areas or processes over the course of a year.
      Benefit: Audit activity provides an ongoing reminder to colleagues of the importance of the Management System and its contribution to its success.  Reinforces any awareness training or similar provided.
    • In developing the audit program apply a risk-based approach to consider:
      • how critical each process of the MS is to success,
      • how often each process is performed,
      • how mature or how complex the processes are,
      • any recent changes in the process, and
      • the objectives of the audit program.
      Benefit: Processes will be audited at suitable frequency with important/critical/failure-prone ones being audited most frequently.  Early detection of failing processes will save time, money and reinforce customer and other stakeholders’ satisfaction.
    • Ensure that, in addition to the importance of the processes, the audit programme considers:
      • managerial priorities (e.g., strategic business objectives),
      • performance of the processes,
      • both internal and external changes affecting the organization,
      • results from previous audits and non-conformance history,
      • trends in customer complaints and
      • statutory and regulatory issues.
      Benefit: Common sources of noncompliance with both CB and regulatory requirements are addressed, and the possibility of a major non-compliance is significantly reduced (self-preservation, perhaps?)
    • Plan and conduct audits according to the requirements of your Management System by project or process rather than by the specific clauses in ISO 9001. Prepare an ISO 9001:2015 Audit Checklist to address requirements not normally directly involved in operational processes (e.g., Parts 4 and 5).
      Benefit: Auditors find it easier and more natural to follow workflows, material flows, and information flows with this approach.  Consequently, a more thorough audit is conducted, and significant, disjointed steps in processes, procedures and methods are less likely to be missed.
    • Have internal auditors professionally trained to include interview, observational, sampling and information review skills.
      Benefit: With a variety of evidence-collection methods in use, the dependability of compliance and noncompliance findings is enhanced, as is management’s confidence in the Management System.
    • Ensure for each internal audit (ISO 9001 or other Standard) that, while interviewing, the auditors actively seek out improvement opportunities no matter how minor these may seem.
      Benefit: Large numbers of incremental improvements and corrections to processes and procedures will result, as well as the occasional major improvement opportunity.  Remember, innovative thinking is to be found at all levels and functions within the organization and often from those working with the issues day-in, day-out.
    • Follow up on findings of good compliance and on the improvement opportunities identified.
      Benefit: Individual audit reports will consequently be balanced in their reporting of the state of compliance and will help ensure that internal audits are not perceived as ‘witch-hunts’.  Instances of good compliance in one area may be an improvement opportunity for another.
    • In addition to evidence of non-compliance, present evidence of good compliance and of improvement opportunities identified to top management.
      Benefit: An ISO 9001 Audit Report presented at Management Review meetings that highlights the positives will confirm to management the usefulness of the Management System, and make it easier for you to secure additional resources for your Management System improvement projects.



    In our opinion, Option 1 is 'what not to do' and Option 2 is 'what to do' and, if you are the Audit Programme Manager for your organization, we strongly recommend it to you as part of your ISO 9001 implementation and maintenance.  Yes, it is a lot more work, but the results will significantly benefit your organization (and mostly on the ‘bottom line’). It won’t do your career prospects any harm, either.


    deGRANDSON Global is an ISO Certified Educational Organization

    In October 2021, we secured certification to three education-related ISO Standards.  We now have a university-grade management system in place conforming to the requirements of …

    • ISO 21001, Educational Organizational Management System,
    • ISO 29993, Learning Services outside formal Education,  and
    • ISO 29994, Learning Services – additional requirements for Distance Learning.

    We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which in our opinion are commercially compromised), it is based on independent third-party assessment.  It is a ‘university grade’ standard in use globally by schools, colleges, and universities to demonstrate their competence.

    We offer Courses for ISO 9001, ISO 13485, ISO 14001, ISO 17025, ISO 27001, ISO 45001, Data Protection and Risk Management.


    Written by Dr John FitzGerald

    Director & Founder of deGRANDSON Global. Spent 15 years in the manufacturing industry and 25 years training, consulting & auditing management systems