Internal audit — General
ISO 9001:2015 Clause 9.2.1 requires you to run internal audits that can credibly show two things: your QMS conforms to both ISO 9001 requirements and your own documented requirements, and it is effectively implemented in day-to-day operations. To operationalize it, define an audit program, execute audits with independent auditors, document objective evidence, and track corrective actions through closure. [1]
Key takeaways:
- Internal audits must test conformance (to ISO 9001 and your own QMS rules) and effective implementation, not just document presence. [1]
- You need a repeatable method: planned audits, objective evidence, clear results, and follow-through on nonconformities.
- Auditors must be independent from the work audited; evidence must be retained so an external auditor can re-perform your logic.
Clause 9.2.1 (“Internal audit — General”) is one of the places an ISO 9001 program most often fails in practice: teams schedule audits, collect checklists, and still cannot demonstrate that the QMS actually works. The clause is simple on paper, but operators trip over three execution points: (1) audits that only confirm paperwork exists, (2) audits that are not anchored to the organization’s own requirements, and (3) audits that don’t drive corrective action closure.
This page translates the requirement into an operational playbook you can run as a Compliance Officer, CCO, or GRC lead supporting a Quality Management System (QMS). The goal is to help you produce audit outputs that stand up to scrutiny: a risk-based audit program, audit plans and reports that cite criteria, objective evidence that proves implementation, and a traceable path from findings to corrective actions.
You can run internal audits with a dedicated quality function, a cross-functional audit pool, or a co-sourced model. The success criteria stay the same: show that internal audits determine whether the QMS conforms to requirements and is effectively implemented. [1]
Regulatory text
ISO 9001:2015 Clause 9.2.1 (excerpt): “The organization shall conduct internal audits to determine whether the QMS conforms to requirements and is effectively implemented.” [1]
What the operator must do (in plain terms):
- Conduct internal audits as an established management system activity, not ad hoc spot checks.
- Use audits to determine conformance to:
  - Your own QMS requirements (policies, procedures, process maps, work instructions, defined controls).
  - ISO 9001 requirements applicable to your scope. [1]
- Use audits to determine effective implementation, meaning people follow the process, records exist where required, outputs meet defined requirements, and controls work as intended (not just that documents were published).
Plain-English interpretation (what “conforms” and “effectively implemented” mean)
“Conforms to requirements”
Your audit criteria must include:
- ISO 9001 requirements relevant to the process audited; and
- Internal requirements you created (for example: “Purchasing shall evaluate and select third parties based on defined criteria,” or “Calibration records shall be retained”).
A common hangup: teams audit only against ISO clauses or only against internal procedures. Clause 9.2.1 expects you to test conformance to “requirements” broadly, which includes both ISO and your own system rules. [1]
“Effectively implemented”
You must test the “real work”:
- Are approvals happening as required?
- Are required records created and complete?
- Are controls operating (for example: segregation of duties, review steps, quality checks)?
- Are outcomes consistent with requirements (for example: nonconforming outputs are identified and handled)?
If you cannot show objective evidence, you did not “determine” anything.
Who it applies to
Entity scope: Any organization with an ISO 9001 QMS within the certification scope. [1]
Operational contexts where this becomes concrete:
- Organizations with multiple sites, distributed operations, or outsourced processes (you need an audit program that covers how work is actually done).
- Regulated or high-risk production/service environments where nonconformities translate into safety, compliance, customer, or contractual exposure.
- Organizations relying heavily on third parties for production, testing, logistics, IT systems, or customer delivery. Your audits should address controls for externally provided processes, products, and services when they are in scope of the QMS.
What you actually need to do (step-by-step)
Step 1: Define audit criteria and “what good looks like”
Create a clear mapping of:
- Process → internal requirements (procedure steps, required records, control points).
- Process → ISO requirements relevant to that process. [1]
Practical tip: for each process, list the 5–10 most audit-worthy requirements: the ones tied to customer impact, rework, complaints, nonconforming outputs, or recurring issues.
Step 2: Establish an internal audit program (coverage and cadence)
Build an audit program that states:
- Processes/areas to be audited (including support functions that affect quality).
- Audit method(s): interviews, record sampling, observation, walkthroughs, trace tests.
- Responsibilities: audit owner, auditors, auditees, report approver.
- Independence rules: auditors don’t audit their own work.
Keep the program risk-informed: schedule more attention where change, incidents, or complexity increase the likelihood of nonconformity.
Step 3: Plan each audit (scope, criteria, sampling logic)
For each audit, produce an audit plan that includes:
- Scope (process, site, product line, time period).
- Criteria (specific internal procedure sections and relevant ISO clauses). [1]
- Key interfaces (handoffs to other teams, systems, and third parties).
- Sample plan (which records, how you will select them, and why).
Sampling does not need statistics to be credible. It does need rationale: focus on recent transactions, high-risk activities, exceptions, and areas with prior findings.
Step 4: Execute the audit and collect objective evidence
During fieldwork:
- Perform walkthroughs end-to-end (“show me how a request becomes an approved purchase,” “show me how you control a document change”).
- Tie every conclusion to evidence: records, screenshots, logs, labeled photos, training records, inspection results, meeting minutes.
- Record positive controls as well as gaps. Auditors and certifiers look for balance and specificity.
For effective implementation, observation matters. If the procedure says “operator verifies setup before run,” watch a setup and capture the evidence trail.
Step 5: Write an audit report that allows re-performance
A useful audit report includes:
- Audit scope and criteria (explicitly stated).
- Summary conclusion on conformance and implementation.
- Findings with:
  - Requirement reference (internal requirement and/or ISO requirement). [1]
  - Condition (what you observed).
  - Objective evidence (record IDs, dates, screenshots, sample identifiers).
  - Impact/risk (why it matters operationally).
Avoid vague findings like “training records incomplete.” Write “Two of five sampled operators lacked documented training for Work Instruction WI-12 revision C; records reviewed: TR-001, TR-003…”
Step 6: Drive corrective actions to closure (and verify effectiveness)
Clause 9.2.1 is about determining QMS conformance and effective implementation. If you identify breakdowns and do not fix them, you will struggle to claim effective implementation over time. In practice:
- Assign an owner and due date for each nonconformity or corrective action.
- Require root cause and corrective action plan proportional to risk.
- Verify completion with evidence (revised procedure, completed training, corrected records).
- Perform an effectiveness check: confirm the issue no longer recurs in subsequent activity.
A clean operational pattern: findings flow into your corrective action system, and the next audit cycle checks closure and effectiveness.
Step 7: Management visibility and governance
Internal audit results should feed leadership decision-making. Provide:
- Trending themes (repeat findings, systemic issues).
- Process performance risks.
- Resource constraints (for example: training capacity, document control backlog).
If you use Daydream to manage third-party risk and due diligence workflows, treat it as an auditable system in your QMS scope when it supports quality-affecting processes (for example, supplier qualification records, approvals, and evidence storage). The audit then tests whether teams follow the workflow and whether the records prove decisions.
Required evidence and artifacts to retain
Use this checklist to build an “audit-ready” evidence pack:
| Artifact | What it proves | What auditors look for |
|---|---|---|
| Internal audit procedure / methodology | You have a defined approach | Clear responsibilities, independence, reporting, follow-up |
| Audit program / schedule | Audits are planned and systematic | Coverage across scope; rationale for focus areas |
| Audit plans | Criteria and scope were defined | ISO + internal criteria explicitly stated [1] |
| Auditor competence records | Auditors can perform audits | Training, experience, qualification criteria |
| Working papers / checklists | Fieldwork performed | Notes tied to evidence, not generic yes/no boxes |
| Objective evidence set | Conclusions are supported | Record IDs, screenshots, traceability |
| Audit reports | Results are communicated | Clear findings, requirement references, conclusions |
| Corrective action records | Findings are addressed | Ownership, actions, closure evidence, effectiveness checks |
Common exam/audit questions and hangups
- “Show me how internal audits determine QMS conformance to ISO and to your own procedures.” Expect to walk through criteria mapping. [1]
- “How do you ensure auditor independence?” Be ready to show assignment rules and actual examples.
- “How do you decide what to audit and when?” You need a defensible program logic (risk, changes, prior issues).
- “Show objective evidence for this conclusion.” If evidence lives in email threads, shared drives, or tools like Daydream, show stable recordkeeping and traceability.
- “What happened to findings from the last audit?” They will test closure discipline and effectiveness checks.
Frequent implementation mistakes (and how to avoid them)
- Checklist-only audits. Fix: require each “conforms” conclusion to cite objective evidence.
- Auditing the procedure, not the process. Fix: include observation, trace tests, and record sampling tied to recent work.
- No linkage to ISO criteria. Fix: embed ISO clause references in audit plans and reports for each audit. [1]
- Independence in name only. Fix: maintain an auditor assignment log showing auditors do not audit their own areas.
- Findings don’t lead to system change. Fix: integrate audits with corrective actions; require effectiveness verification.
- Poor evidence hygiene. Fix: standardize evidence naming, record IDs, and retention locations so someone else can follow the trail.
Enforcement context and risk implications
No public enforcement cases were provided for this requirement. Operationally, the risk is still real: weak internal audits let nonconformities persist until they surface as customer complaints, product/service failures, or certification findings. Internal audit is also where you detect breakdowns in third-party controls that affect quality outcomes.
Practical 30/60/90-day execution plan
Use this as a startup or reset plan; adjust sequencing to your organizational constraints.
Days 1–30: Establish the minimum viable internal audit engine
- Define audit scope boundaries for your QMS and list in-scope processes.
- Create/update your internal audit procedure and templates (plan, report, evidence log, findings).
- Build criteria mapping for the highest-impact processes (internal requirements + ISO references). [1]
- Stand up an auditor pool and independence rules; document competence expectations.
- Pilot one audit end-to-end and produce a report plus corrective actions.
Days 31–60: Expand coverage and tighten evidence quality
- Publish an audit program covering all in-scope processes across a defined cycle.
- Run audits for the next set of key processes; focus on implementation testing (trace tests, observation).
- Standardize evidence capture and storage, including tool-based records (for example, third-party onboarding and approvals tracked in Daydream).
- Start trending: categorize findings by theme (document control, training, purchasing controls, etc.).
Days 61–90: Prove effectiveness and governance
- Verify corrective action closure for early audits; document effectiveness checks.
- Run a follow-up audit or targeted re-audit on prior findings to confirm the control now works.
- Deliver a management-facing internal audit summary: major themes, systemic risks, and resource asks.
- Confirm readiness: you can produce, on request, the audit program, plans, reports, and closure evidence that demonstrate conformance and effective implementation. [1]
Frequently Asked Questions
Do internal audits have to cover every ISO 9001 clause?
Clause 9.2.1 requires audits to determine whether the QMS conforms to requirements and is effectively implemented. [1] In practice, you cover applicable requirements by auditing processes and mapping each process to relevant ISO and internal criteria.
Can someone audit their own department if they weren’t involved in the specific work?
Independence is the safe default: avoid auditors auditing their own area because it is hard to defend objectivity. If you must do it due to size, document safeguards and consider peer cross-audits across teams.
What counts as “objective evidence” for effective implementation?
Records produced by the process (forms, system logs, approvals), observations of work performed, and trace tests from input to output. The evidence should allow a reviewer to see what happened, when, and under which requirement.
How do we audit third-party controls under ISO 9001?
If third-party performance affects your QMS outputs, audit the internal controls you use to select, monitor, and manage the third party, plus any quality requirements you impose. Keep objective evidence of decisions and ongoing monitoring in a system that preserves traceability.
What’s the minimum documentation to retain to satisfy Clause 9.2.1?
Retain enough to show audits occurred and that they determined conformance and effective implementation. [1] Practically, that means an audit program, audit plans, audit reports, and evidence of follow-up on findings.
We have audits, but findings repeat. What will an external auditor conclude?
Repeated findings often signal that corrective actions are not effective or that root causes are not addressed. Expect scrutiny on your corrective action process and on whether internal audits are actually testing implementation rather than paperwork.
Footnotes
[1] ISO 9001:2015, Quality management systems — Requirements (Clause 9.2.1, Internal audit — General).