Internal audit programme
ISO 9001:2015 Clause 9.2.2 requires you to plan, establish, implement, and maintain an internal audit programme that covers what gets audited, how often, by what methods, with clear responsibilities, and how results are reported and acted on. To operationalize it fast, build a risk-based audit schedule, assign competent independent auditors, execute audits to a consistent method, and track corrective actions to closure with evidence. 1
Key takeaways:
- Your audit programme must be planned and maintained, not ad hoc, and it must reflect process importance, changes, and prior results. 1
- Audits must be executed consistently (scope, criteria, method, reporting), by auditors who are competent and who do not audit their own work, so that the audit process is objective and impartial.
- The programme must produce usable outputs: findings, corrective actions, and management visibility with retained records.
An “internal audit programme” in ISO 9001 is the operating system for verifying your QMS works as designed and drives improvement, not a set of occasional checklists. Clause 9.2.2 is brief, but it implies a complete mechanism: you decide the audit universe (processes, sites, shifts, outsourced activities under QMS control), prioritize it based on importance and change, set frequency, define audit methods, assign responsibilities, execute audits, report results, and keep the programme current. 1
For a Compliance Officer, CCO, or GRC lead, the fastest path is to treat the audit programme as a control with inputs, outputs, and records. Inputs include your process map, changes, customer complaints, nonconformities, KPIs, and prior audit performance. Outputs include an approved audit plan, completed audit reports, nonconformities, corrective action records, and evidence that leadership reviews outcomes. Your certification auditor will test whether the programme is systematic, risk-based, and maintained over time, and whether it drives corrective action where needed. 1
Requirement text
Requirement (excerpt): “The organization shall plan, establish, implement and maintain an audit programme.” 1
Operator meaning: You need a living audit programme that (1) defines the set of internal audits you will run, (2) schedules them with appropriate frequency and method, (3) assigns responsibility and competent auditors, (4) produces reports and findings, and (5) is kept current based on process importance, changes, and previous audit results. 1
Plain-English interpretation (what an auditor expects)
An ISO 9001 auditor is looking for proof that you:
- Planned the programme (documented scope, priorities, approach, schedule, ownership).
- Established it as a repeatable process (standard method, templates, criteria, reporting rules).
- Implemented it (audits happened as planned; deviations are justified; results are recorded).
- Maintained it (you update the plan when risks, processes, sites, or performance change). 1
Who it applies to
Entity scope: Any organization operating a Quality Management System (QMS) aligned to ISO 9001. 1
Operational context: Applies to everything inside the QMS scope, including:
- Core operational processes (production/service delivery, design, purchasing, etc.)
- Enabling processes (training, document control, calibration, IT where it supports QMS)
- Locations, shifts, and teams performing QMS-scoped work
- Outsourced processes that are controlled under your QMS (you may audit your controls over them, and where appropriate, audit the third party). 1
What you actually need to do (step-by-step)
1) Define the audit universe (what can be audited)
Create a simple inventory of audit subjects aligned to your process map:
- Process name and owner
- Site(s)/function(s) covered
- Key requirements/controls (procedures, work instructions, quality plans)
- Key risks and performance indicators tied to the process
Practical tip: If you already maintain a compliance control library or process register, reuse it rather than starting a new spreadsheet.
2) Set programme rules: frequency, methods, responsibilities, reporting
Write an “Internal Audit Programme Procedure” (or equivalent work instruction) that answers:
- Frequency: How you decide audit cadence based on importance, change, and prior results. 1
- Methods: Process audits, product audits, system audits, remote vs. on-site, sampling approach, interview rules, evidence expectations.
- Responsibilities: Programme owner, audit scheduler, auditors, process owners, corrective action owners.
- Reporting: Report format, grading or categorization of findings, distribution list, escalation triggers, and timing expectations.
Decision matrix you can adopt immediately (example):
- High-impact or heavily changed processes: audit more often, deeper sampling.
- Stable, low-impact processes with strong history: audit less often, lighter sampling.
- Processes with repeat findings: audit sooner and include effectiveness checks.
(Keep the matrix qualitative if you don’t have internal criteria yet; auditors mainly want to see a rational basis.) 1
3) Build and approve an audit plan (schedule + scope)
Produce an audit plan that includes for each audit:
- Audit objective
- Scope (process/site/shift)
- Criteria (internal procedures + applicable ISO 9001 requirements)
- Planned date/window
- Assigned auditor(s)
- Planned method (on-site, remote, document review, shop-floor observation)
Get approval from the accountable QMS leader (often Quality Manager) and make sure process owners know their windows.
4) Ensure auditor competence and independence
Maintain:
- Auditor qualification criteria (training, experience, shadowing)
- Independence rules (auditors do not audit their own work; if unavoidable in small orgs, document mitigations such as cross-audits or management oversight)
Retain evidence of auditor competence (training record, evaluations, witnessed audits).
5) Execute audits consistently
For each audit:
- Issue an audit notice (scope, criteria, logistics)
- Collect objective evidence (records, observations, interviews)
- Record conformities and nonconformities against criteria
- Hold a closing meeting confirming facts and next steps
Common operational hangup: Teams confuse “audit” with “inspection.” Audits test process conformity and effectiveness; they are not limited to end-product checks.
6) Report results and control corrective actions
For each audit, generate an audit report that includes:
- Summary of what was audited and how
- Findings (with evidence)
- Nonconformities (clearly stated requirement + observed condition)
- Opportunities for improvement (optional, but keep them separate from nonconformities)
Then route nonconformities into your corrective action process and track:
- Containment or immediate corrections where needed
- Root cause and corrective action plan
- Due dates and owners
- Verification of implementation
- Effectiveness check (did it prevent recurrence?)
7) Maintain the programme based on change and results
Update the audit programme when:
- Processes change (new equipment, new software, reorg, new supplier/third party dependencies)
- Performance shifts (complaints, scrap/rework, missed KPIs)
- Audit results show recurring issues or control failures (increase priority, broaden scope)
Document why you changed the plan. “Maintained” means the programme reacts to real risk signals. 1
Required evidence and artifacts to retain
Keep records that show the programme exists, runs, and stays current:
- Internal audit programme procedure / methodology document
- Audit universe (process inventory) and risk/priority rationale
- Approved audit plan (schedule) and changes log
- Auditor competency and independence records (training, assignments, evaluations)
- Audit working papers (checklists, notes, sampling logs as appropriate)
- Audit reports and attendance/closing meeting notes
- Nonconformity records and corrective action tracking to closure
- Effectiveness verification evidence
- Management review inputs/outputs that reference audit outcomes (if captured as part of your management review process)
Common exam/audit questions and hangups (what gets tested)
Expect certification auditors to ask:
- “Show me how you decided audit frequency for each process.” 1
- “What changes triggered updates to your audit plan?”
- “How do you ensure auditors are competent and independent?”
- “Pick one nonconformity: show the audit evidence, the corrective action, and proof it worked.”
- “How do you handle missed audits or reschedules? Where is that documented?”
Hangups that drive nonconformities:
- The audit plan exists but isn’t followed, with no documented rationale.
- Audits happen, but findings aren’t written as requirement-based nonconformities with objective evidence.
- Corrective actions close without effectiveness checks.
Frequent implementation mistakes and how to avoid them
- Calendar-driven audits with no risk logic. Fix: Document a simple prioritization approach tied to process importance, changes, and previous results. 1
- Auditors auditing their own work without mitigation. Fix: Use cross-functional auditors, rotate assignments, or add second-party oversight, and document why independence was constrained.
- Checklists that don’t map to criteria. Fix: Tie each checklist section to the process procedure and the relevant ISO 9001 clauses. Keep the checklist as a prompt, not as the audit record.
- Findings that are vague (“training needs improvement”). Fix: Write nonconformities in a disciplined format: requirement, evidence, statement of nonconformity, impacted area, and reference to the records reviewed.
- Corrective actions treated as paperwork. Fix: Require objective evidence of implementation and a defined effectiveness check before closure.
Enforcement context and risk implications
ISO 9001 is a certifiable standard rather than a regulator-issued rule. Your “enforcement” mechanism is certification audit outcomes and contractual consequences. A weak internal audit programme can lead to:
- Major nonconformities at certification/surveillance audits
- Loss of certification or delayed certification decisions (depending on certification body rules)
- Customer trust issues when audit results don’t drive corrective action
- Operational risk: recurring defects, escapes, or uncontrolled process changes that internal audits should have surfaced earlier
Treat the programme as an internal control that protects product/service conformity and reduces repeat failures. 1
Practical 30/60/90-day execution plan
First 30 days (Immediate stabilization)
- Name the audit programme owner and define responsibilities.
- Inventory audit subjects (process list, sites, outsourced processes under QMS control).
- Draft the audit programme method: frequency logic, methods, reporting rules, independence/competence.
- Identify available auditors and gaps in competence/independence; schedule training or shadowing.
- Publish a baseline audit schedule and get leadership approval.
By 60 days (Operational execution)
- Run initial audits for the highest-priority processes (those with recent changes or poor performance).
- Standardize audit reporting and nonconformity writing.
- Stand up corrective action tracking with clear ownership and evidence requirements.
- Perform a quality review of audit files to confirm consistency across auditors.
By 90 days (Sustainment and proof)
- Demonstrate closed-loop corrective action with at least one completed effectiveness check.
- Update the audit plan based on early results (increase scope where you see repeat patterns).
- Prepare an “audit programme packet” for certification auditors: plan, procedure, sample audit reports, corrective action linkage, competence records.
- If you use tooling (e.g., Daydream), configure workflows for scheduling, audit execution templates, evidence retention, and corrective action tracking so you can produce records on demand without chasing files.
Frequently Asked Questions
Do we need a written “audit programme,” or is a schedule enough?
A schedule alone rarely satisfies “plan, establish, implement and maintain.” You need documented rules for frequency, methods, responsibilities, and reporting, plus records showing audits occurred and the programme is updated based on change and results. 1
How do we decide audit frequency without overcomplicating it?
Use a simple prioritization method tied to process importance, change, and prior audit results, then document the rationale. Start qualitative, then refine as you learn where failures cluster. 1
Can a small organization meet independence requirements if people wear multiple hats?
Yes, but you must avoid auditing your own work where possible and document mitigations where separation is constrained. Common mitigations include cross-audits, management witness, or using an external auditor for selected areas.
What’s the minimum evidence we need to show an audit happened?
Keep the audit plan entry, audit notes/working papers (as appropriate), the final audit report, attendance/closing confirmation, and any resulting nonconformity and corrective action records through closure.
Do we have to audit third parties and suppliers under this requirement?
Clause 9.2.2 requires auditing your QMS; that can include how you control outsourced processes within QMS scope. Whether you audit a third party directly depends on your outsourcing model and your supplier controls, but you should at least audit your internal controls over that outsourcing relationship. 1
What typically causes a major nonconformity against the audit programme requirement?
Patterns include missed audits with no justification, auditors lacking competence/independence evidence, findings not tied to requirements and objective evidence, and corrective actions closed without demonstrating effectiveness.
Footnotes
1. ISO 9001:2015 Quality management systems — Requirements (Clause 9.2.2).
Authoritative Sources
- ISO 9001:2015 Quality management systems — Requirements