Internal audit

ISO 9001:2015 Clause 9.2 requires you to run internal audits on a planned schedule to confirm your QMS conforms to requirements and is effectively implemented and maintained 1. To operationalize it fast, define an audit program, audit criteria and scope, auditor independence, reporting and corrective actions, then retain objective evidence that audits occurred and drove improvements.

Key takeaways:

  • You need a planned internal audit program with defined scope, criteria, methods, and frequency 1.
  • Audits must produce objective evidence, findings, and follow-through (corrective actions and verification).
  • “Planned intervals” means risk-based scheduling with complete coverage over time, not ad hoc spot checks.

Internal audit is one of the fastest ways to prove your quality management system (QMS) is real, not just documented. ISO 9001:2015 Clause 9.2 is short on purpose. The standard sets the requirement outcome (audits occur at planned intervals) and leaves the operating model to you 1. That flexibility is useful, but it creates predictable audit failures: no clear audit program, unclear criteria, auditors auditing their own work, weak evidence, and findings that never close.

If you’re a Compliance Officer, CCO, or GRC lead supporting an ISO 9001-certified organization (or preparing for certification), treat internal audit as a control cycle: plan the audit program, execute audits consistently, document objective evidence, escalate systemic issues, and verify corrective actions. Your goal is not “pass the audit.” Your goal is to continuously validate whether processes conform to your own QMS requirements and whether they actually work in practice 1.

This page translates Clause 9.2 into an implementation checklist, evidence package, and exam-ready talking points you can put in place quickly.

Requirement text

Excerpt: “The organization shall conduct internal audits at planned intervals.” 1

Operator meaning: You must establish and maintain an internal audit program with a defined schedule. The schedule must be deliberate (planned), repeatable, and sufficient to provide information on whether the QMS conforms to requirements and is effectively implemented and maintained 1. Note that ISO 9001 is a voluntary standard, not a regulation: the requirement is enforced by your certification body, which is why this page frames it as a certification-audit expectation rather than a legal one. Audits cannot be “when we have time,” and they cannot be limited to a single department unless that is truly your full QMS scope.

Plain-English interpretation (requirement-level)

Internal audit under ISO 9001 is a governance control for your QMS. You are expected to:

  1. Decide what “good” looks like (audit criteria: ISO requirements, your procedures, customer requirements you adopted into the QMS).
  2. Check reality against those criteria (audit execution with objective evidence).
  3. Record gaps and strengths (findings and conclusions).
  4. Fix what’s broken and prove it stayed fixed (corrective action and verification).

Clause 9.2’s “planned intervals” is where most programs get tested: external auditors will ask how you decided frequency and coverage, and they will expect a rational explanation tied to process criticality, change, and performance, not convenience 1.

Who it applies to

Entity types: Organizations operating a QMS, and quality management practitioners responsible for maintaining it 1.

Operational context where it shows up:

  • ISO 9001 certification and surveillance audits.
  • Organizations scaling operations and needing consistent process control.
  • High-change environments (new products, new sites, reorganizations).
  • Functions with recurring quality escapes, customer complaints, or rework.
  • Third-party-supported processes inside QMS scope (for example, outsourced calibration, manufacturing steps, logistics, software development). The internal audit still needs to cover how you control those processes within your QMS scope.

What you actually need to do (step-by-step)

1) Define your internal audit program (the “system”)

Build a short, operational document or procedure that answers:

  • Scope: What sites, departments, and processes are in the QMS scope?
  • Audit criteria: ISO 9001 requirements you audit against plus internal QMS documents (policies, SOPs, work instructions).
  • Frequency approach: How you choose planned intervals (risk and performance-based logic).
  • Methods: Interview, observation, sampling of records, walk-throughs, traceability checks.
  • Roles: Audit program owner, auditors, auditees, approvers.
  • Independence: How you select auditors so that objectivity and impartiality are ensured (Clause 9.2.2 requires this 1), including how you prevent auditing your own work or how you manage conflicts in small teams.
  • Reporting and escalation: How findings are graded, who reviews results, when leadership is informed.
  • Corrective action linkage: How findings feed into corrective actions and how closure is verified.

Practical tip: keep the program lean, but explicit. Most breakdowns happen because “everyone assumes” what an audit is supposed to include.

2) Build an audit schedule that proves “planned intervals”

Create an audit calendar or schedule that maps:

  • Processes/areas to be audited
  • Planned timing
  • Assigned auditor(s)
  • Status (planned / in progress / completed / deferred)
  • Notes on changes (reschedule reason and approval)

A workable approach is to prioritize audits based on:

  • Process criticality to product/service conformity
  • Recent changes (people, process, tooling, suppliers)
  • Poor performance signals (complaints, nonconforming output, rework)
  • Past audit results and open corrective actions

3) Establish audit criteria and checklists per process

For each audit, define:

  • The process being audited and its boundaries
  • Applicable procedures/work instructions
  • Records that must exist (training records, inspection logs, approvals, etc.)
  • Process outputs (what “conforming” looks like)
  • Sampling plan (what records you will review)

Avoid “checkbox audits.” Your checklist should drive evidence gathering: show me the record, show me the control, show me the approval trail.

4) Ensure auditor competence and independence

Maintain evidence that auditors can perform audits (training, experience, or documented qualification). Then address independence:

  • Use cross-functional auditors (quality audits operations; operations audits purchasing).
  • If the organization is small, document mitigations (peer review of audit results, management oversight, or rotating auditors between areas).

5) Execute audits and collect objective evidence

During the audit:

  • Interview process owners and operators.
  • Observe actual work.
  • Trace a transaction end-to-end (for example, a purchase to receipt to use; a complaint to investigation to disposition).
  • Capture objective evidence: record IDs, screenshots, log extracts, document references, calibration certificate numbers, training record IDs.

Write findings so they are actionable:

  • Condition: what you saw
  • Criteria: what requirement it did not meet (internal procedure or ISO clause reference)
  • Impact: why it matters (risk to conformity/effectiveness)
  • Evidence: the record(s) you reviewed

6) Report results and drive corrective actions

Produce an audit report that includes:

  • Audit scope and criteria
  • Participants
  • Evidence summary
  • Findings (nonconformities and observations)
  • Conclusions on conformity and effectiveness
  • Required actions, owners, and due dates (as your internal governance sets)

Then track findings through corrective action, including root cause analysis and verification of effectiveness. Clause 9.2.2 expects results to be reported to relevant management and correction and corrective action to be taken without undue delay 1. The core compliance point: internal audit is not complete until issues are either closed with verified effectiveness or formally accepted with rationale and risk ownership.

7) Management visibility and continuous improvement

Feed audit trends into management review and improvement work. Even if you don’t cite another clause, operationally you want a closed loop: audits generate insights; leadership removes blockers; the QMS improves 1.

8) Use tooling that makes evidence retrieval easy (optional, but practical)

Many teams fail audits because evidence is scattered across email, shared drives, and ticketing tools. If you use Daydream to manage compliance workstreams, set up an “Internal Audit” workspace with:

  • Audit schedule as a controlled plan
  • Templates for audit plans, checklists, and reports
  • A findings register linked to corrective action tasks
  • An evidence library with consistent naming and retention

That structure reduces scramble time during surveillance audits and helps you prove “planned intervals” and follow-through without rebuilding context each cycle.
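Steps 2, 4, 5 and 6 above describe checks that a program owner ends up doing by hand before every surveillance audit: is every process in scope covered over the period, are deferrals documented and approved, does any auditor own the process they audit, and has any finding been closed without evidence references or an effectiveness verification. The script below runs those checks over a schedule and a findings register. It is an added example written for this page, not code from ISO 9001 or from any vendor tool; the data classes, field names, and the sample processes, audits and findings are all constructed for illustration and would be replaced by an export from your own records.

```python
"""
Checks over an internal audit program's working records: schedule coverage
of the QMS scope, auditor independence, and the closure gate for findings.

Added example for this page, not part of ISO 9001 or any vendor tool.
The data structures, field names and sample records below are constructed
for illustration; adapt them to your own schedule and findings register.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScheduledAudit:
    process: str             # QMS process audited (matches the process map)
    period: str              # planned interval, e.g. "2025-Q1"
    auditor: str             # assigned auditor
    status: str              # planned / in progress / completed / deferred
    deferral_note: str = ""  # reason and approval when status == "deferred"


@dataclass(frozen=True)
class Finding:
    finding_id: str
    process: str
    grade: str                   # "nonconformity" or "observation"
    evidence_refs: tuple = ()    # record IDs, log extracts, certificate numbers
    status: str = "open"         # open / closed
    verification_ref: str = ""   # evidence that the corrective action was effective


# Constructed sample data: a QMS scope of six processes with their owners,
# one year of planned audits, and a small findings register.
QMS_PROCESSES = {
    "Purchasing": "Sara", "Production": "Luis", "Calibration": "Mei",
    "Complaints": "Sara", "Design": "Omar", "Training": "Mei",
}
SCHEDULE = [
    ScheduledAudit("Purchasing", "2025-Q1", "Luis", "completed"),
    ScheduledAudit("Production", "2025-Q2", "Sara", "completed"),
    ScheduledAudit("Calibration", "2025-Q2", "Mei", "completed"),  # owner audits own process
    ScheduledAudit("Complaints", "2025-Q3", "Omar", "deferred"),   # deferred, no approval note
    ScheduledAudit("Design", "2025-Q4", "Mei", "planned"),
]
FINDINGS = [
    Finding("F-01", "Purchasing", "nonconformity", ("PO-4471", "REC-0912"),
            "closed", "VER-2025-03"),
    Finding("F-02", "Production", "nonconformity", (), "closed", "VER-2025-05"),
    Finding("F-03", "Production", "observation", ("WI-PRD-07 rev 3",), "open"),
    Finding("F-04", "Calibration", "nonconformity", ("CAL-CERT-8821",), "closed"),
]


def coverage_gaps(processes, schedule, periods):
    """Processes in scope with no non-deferred audit in the given periods."""
    covered = {a.process for a in schedule
               if a.period in periods and a.status != "deferred"}
    return sorted(set(processes) - covered)


def unapproved_deferrals(schedule):
    """Deferred audits that carry no documented reason/approval."""
    return [a.process for a in schedule
            if a.status == "deferred" and not a.deferral_note.strip()]


def independence_conflicts(processes, schedule):
    """Audits where the assigned auditor is the owner of the audited process."""
    return [a.process for a in schedule if processes.get(a.process) == a.auditor]


def closure_violations(findings):
    """Closed findings that fail the closure gate: no objective evidence referenced,
    or a nonconformity closed without an effectiveness verification reference."""
    violations = []
    for f in findings:
        if f.status != "closed":
            continue
        if not f.evidence_refs:
            violations.append((f.finding_id, "no objective evidence referenced"))
        if f.grade == "nonconformity" and not f.verification_ref:
            violations.append((f.finding_id, "closed without effectiveness verification"))
    return violations


def program_report(processes, schedule, findings, periods):
    """Summary a program owner can review before a surveillance audit."""
    return {
        "coverage_gaps": coverage_gaps(processes, schedule, periods),
        "unapproved_deferrals": unapproved_deferrals(schedule),
        "independence_conflicts": independence_conflicts(processes, schedule),
        "closure_violations": closure_violations(findings),
    }


if __name__ == "__main__":
    year = {"2025-Q1", "2025-Q2", "2025-Q3", "2025-Q4"}
    for key, value in program_report(QMS_PROCESSES, SCHEDULE, FINDINGS, year).items():
        print(f"{key}: {value}")
```

On the constructed data the report flags Complaints and Training as coverage gaps (a deferred audit does not count as coverage), the Complaints deferral as undocumented, the Calibration audit as an independence conflict, F-02 as closed without any evidence reference, and F-04 as a nonconformity closed without effectiveness verification. Each of those is one of the hangups listed later on this page, caught before an external auditor asks.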

Required evidence and artifacts to retain (exam-ready)

Maintain a tight evidence pack. Auditors typically ask for proof of planning, execution, competence, and follow-up.

Planning

  • Internal audit procedure/program document
  • Audit schedule/calendar with scope coverage
  • Defined audit criteria (mapping to QMS documents and requirements)

Execution

  • Audit plan per audit (scope, criteria, participants, agenda)
  • Completed checklists/working papers
  • Objective evidence references (record IDs, samples reviewed list)
  • Audit report with findings and conclusions

People

  • Auditor qualification/competence records
  • Conflict-of-interest or independence notes (where relevant)

Follow-through

  • Findings/nonconformity log
  • Corrective action records linked to each finding
  • Verification of effectiveness evidence and closure approvals
  • Escalations and management review inputs (where used)

Common exam/audit questions and hangups

Use these as a pre-brief for process owners and internal auditors.

  1. “Show me your audit program and how you decide planned intervals.”
    Hangup: no rationale, only a calendar.

  2. “Which processes are in scope, and how do you ensure coverage over time?”
    Hangup: important processes missed because the schedule follows org chart instead of process map.

  3. “How do you ensure auditors are independent?”
    Hangup: the same person audits their own work with no mitigation.

  4. “Show objective evidence from the audit, not just a checklist.”
    Hangup: checklists with “OK” but no record references.

  5. “What happened to prior findings?”
    Hangup: corrective actions exist but no effectiveness verification, or findings were re-labeled as “observations” to avoid closure discipline.

Frequent implementation mistakes (and how to avoid them)

  • Mistake: Audits are scheduled “as time allows”
    Why it fails: Not “planned intervals” 1
    Fix: Publish a schedule, control changes, document deferrals and approvals

  • Mistake: Checklists with no evidence
    Why it fails: You can’t prove conformity
    Fix: Require evidence references for every key control tested

  • Mistake: Auditing only documents
    Why it fails: Conformity on paper doesn’t prove effectiveness
    Fix: Include observation, traceability, and record sampling in every audit

  • Mistake: Independence ignored in small orgs
    Why it fails: Credibility problem in certification audits
    Fix: Use cross-audits, rotate auditors, add management review of results

  • Mistake: Findings don’t drive corrective action
    Why it fails: QMS does not improve; repeat findings
    Fix: Use a single findings register tied to a corrective action workflow and closure gates

  • Mistake: Scope creep or scope gaps
    Why it fails: Over-auditing low-risk areas, missing core processes
    Fix: Use a process map and risk/performance signals to set priorities

Enforcement context and risk implications

ISO 9001 is a voluntary standard with no regulator behind it, so there are no public enforcement cases to cite for Clause 9.2. The consequences run through your certification body instead: a weak internal audit program is a common source of nonconformities in certification and surveillance audits, and unresolved major nonconformities can put the certificate itself at risk. Operational risk is also real: weak internal audit programs correlate with repeat nonconformities, uncontrolled process drift, and unpleasant surprises during certification/surveillance audits. Commercially, customers often treat certification as a trust signal, and internal audit failures threaten that signal if they lead to major nonconformities.

Practical 30/60/90-day execution plan

First 30 days (stabilize and prove “planned”)

  • Confirm QMS scope and process list you will audit.
  • Write or refresh the internal audit program document (scope, criteria, roles, independence, reporting, corrective action linkage) 1.
  • Publish an audit schedule and get leadership approval.
  • Select auditors; document competence and independence approach.
  • Create standard templates: audit plan, checklist/working papers, report, findings log.

Days 31–60 (run audits and build the evidence pack)

  • Execute priority audits (high-risk/high-change processes first).
  • Issue audit reports quickly; log findings in a single register.
  • Open corrective actions for nonconformities; assign owners and due dates.
  • Start a simple trend view: repeat issues, systemic causes, late closures.

Days 61–90 (close the loop and harden the program)

  • Verify effectiveness for closed actions; document the verification method and evidence.
  • Calibrate auditors (peer review a sample of audit files for evidence quality and consistency).
  • Adjust the audit schedule based on what you learned (more attention to unstable processes; less to stable ones), and document the rationale.
  • Package a “surveillance-ready” binder (digital is fine): program, schedule, completed audits, auditor competence, findings and corrective actions, effectiveness checks.

Frequently Asked Questions

What does “planned intervals” mean in practice?

It means you set a deliberate schedule and can explain why audits occur when they do, based on QMS scope, process criticality, change, and performance signals 1. You also control and document any schedule changes.

Do we need to audit every department every year?

ISO 9001:2015 Clause 9.2 does not prescribe a fixed frequency 1. Auditors look for complete coverage of the QMS scope over time and a rationale for frequency.

Can the Quality Manager audit their own area if we’re a small company?

Clause 9.2.2 requires you to select auditors and conduct audits so as to ensure the objectivity and impartiality of the audit process 1, so a quality manager auditing their own area is a real exposure, not just a credibility issue. If staffing makes full separation impossible, document mitigations like cross-checks by another function, management review of audit workpapers, and rotation across processes so that nobody is the sole auditor of their own work.

What’s the minimum documentation to pass an ISO 9001 internal audit requirement review?

Keep proof of planning (program and schedule), proof of execution (plans, evidence, reports), proof of competence/independence, and proof of follow-through (findings register and corrective action closure with effectiveness checks) 1.

How detailed should audit evidence be?

Detailed enough that a third party can re-perform your logic: what you sampled, what you saw, and what record IDs support your conclusion. “Reviewed and OK” without references usually fails under scrutiny.

How do we handle third-party-provided processes inside our QMS scope?

Audit how you control the third party within your QMS (requirements, approvals, monitoring, acceptance criteria, records). Your internal audit should test those controls with objective evidence, even if you cannot audit the third party directly.

Footnotes

  1. ISO 9001:2015 Quality management systems — Requirements
