Internal Audits for ISO Management Systems: A Practical Guide

What Is an Internal Audit?

An internal audit is a systematic, independent, and documented examination of an organization's management system against the requirements of a relevant ISO standard and the organization's own policies and objectives. It is a mandatory requirement under standards such as ISO 9001, ISO 14001, and ISO 27001.

Unlike external audits conducted by certification bodies, internal audits are carried out by (or on behalf of) the organization itself. Their primary purpose is not to find fault, but to identify opportunities for improvement and verify that the system is working as intended.

Why Internal Audits Matter

• They provide objective evidence of conformance for management and certification bodies.
• They surface non-conformances before external auditors do.
• They drive continual improvement by identifying inefficiencies and gaps.
• They ensure accountability and process discipline across departments.
• They support informed decision-making in management reviews.

Audit Programme vs. Individual Audit

It is important to distinguish between the audit programme and an individual audit. The audit programme is the annual plan covering all audits to be conducted within a given period — including their scope, frequency, and scheduling. Each individual audit is a specific instance carried out within that programme.

ISO 19011 (Guidelines for Auditing Management Systems) provides comprehensive guidance on establishing and managing audit programmes.

Planning an Internal Audit

Define the Scope and Criteria

Clarify what processes, departments, or clauses of the standard the audit will cover. The criteria are the requirements against which conformance will be assessed — typically the ISO standard, internal procedures, and legal requirements.

Prepare an Audit Checklist

Develop a checklist of questions and evidence to look for, mapped to each clause or process being audited. A good checklist guides the auditor without being so rigid that it prevents exploring issues that arise during the audit.

Schedule and Notify Auditees

Inform the relevant departments or process owners in advance. This is not about giving them time to "prepare a show" — it's about ensuring the right people and records are available.

Conducting the Audit

Opening Meeting

Begin with a brief meeting to confirm the audit scope, explain the process, and answer any questions from auditees. Set a professional, collaborative tone.

Gathering Evidence

Collect objective evidence through three main methods:

1. Interviews: Ask open-ended questions to understand how processes are actually performed.
2. Document Review: Examine policies, procedures, records, and logs.
3. Observation: Watch activities being performed in real time where relevant.

Identifying Findings

Audit findings are typically classified as:

• Non-Conformance (Major): A significant failure to meet a requirement that could affect the integrity of the management system.
• Non-Conformance (Minor): A lapse or isolated failure that does not fundamentally undermine the system.
• Observation / Opportunity for Improvement (OFI): A situation that does not yet constitute a non-conformance but could lead to one, or an area where improvement is recommended.

Closing Meeting and Reporting

Conclude the audit with a closing meeting to present preliminary findings to the auditees. Follow up with a formal written audit report that documents the scope, criteria, findings, and any non-conformances raised.

Corrective Action Process

Non-conformances must be followed up with a formal corrective action process. This involves:

1. Root cause analysis — understanding why the non-conformance occurred.
2. Developing and implementing corrective actions to address the root cause.
3. Verifying the effectiveness of the corrective action within an agreed timeframe.

Auditor Competence and Independence

Internal auditors must be competent — possessing knowledge of the standard, auditing techniques, and the processes being audited. Critically, auditors must not audit their own work. Independence is non-negotiable for audit objectivity.

Consider investing in formal internal auditor training, such as courses based on ISO 19011, to build a capable in-house audit team.