ISO Internal Audit Explained 

[with Procedures & Checklists]

What is an ISO Internal Audit?

The purpose of an ISO internal audit is to assess the effectiveness of your organization’s quality
management system and your organization's overall performance. Your internal audits demonstrate
compliance with your ‘planned arrangements’, e.g. the Quality Management System (QMS) and how
its' processes are implemented and maintained.

Contents

 What is an ISO Internal Audit?

 Why perform Internal Audits?

 Principles of Internal Auditing

 Types of Internal Audit

 Use an Internal Audit Checklist

 Do We Need An Internal Audit Procedure?

 A Gap Analysis

 Preparing the Audit Report

 Getting the Most from the Audit Schedule

Don't Try To Manage It All Alone!

Our Internal Audit Procedures & Checklists is proven to work.

Why Perform Internal Audits?

Your organization will likely conduct internal audits for one or more of the following reasons:

1. Ensuring compliance to the requirements of internal, international and industry standards &
regulations, and customer requirements

2. To determine the effectiveness of the implemented system in meeting specified objectives

(quality, environmental, financial)

3. To explore opportunities for improvement

4. To meet statutory and regulatory requirements

5. To provide feedback to Top Management

ISO 9001:2015 ISO 9001:2008 Summary of Changes

 9. Internal Audit 8.2.2 ISO Internal This requirement is unchanged from the
2 Audit requirements of ISO 9001:2008 Clause 8.2.2 –
Internal Audit.

Principles of Internal Auditing

Auditing relies on a number of principles whose intent is to make the audit become an effective and
reliable tool that supports your company’s management policies and policies whilst providing suitable
objective information that your company can act upon to continually improve its performance.

Adherence to the following principles are considered to be a prerequisite for ensuring that the
conclusions derived from the audit are accurate, objective and sufficient. It also allows auditors working
independently from one another to reach similar conclusions when auditing in similar circumstances.

The following principles relate to auditors.

1. Ethical conduct: Trust, integrity, confidentiality and discretion are essential to auditing

2. Fair presentation: Audit findings, conclusions and reports reflect truthfully and accurately the
audit activities

3. Professional care: Auditors must exercise care in accordance with the importance of the task
they perform;

4. Independence: Auditors must be independent of the activity being audited and be objective

5. Evidence-based approach: Evidence must be verifiable and be based on samples of the

information available.
Selection of Auditors

Competence level may be measured by training, participation in previous audits and experience in
conducting audits. Auditors may be external or internal personnel; however, they should be in a position
to be impartial and objective.

When internal personnel are selected to perform an audit, a mechanism needs to be established to
ensure objectivity, for instance, a representative from another department may be selected to do the
audit.
Audits are demanding and require various forms of expertise. The size of the audit team will vary
pending the size of the organization, size and type of operations and the scope of the audit.

Start with Expert Templates, then Make Them Yours

Our Internal Audit Procedures & Checklists is proven to work.

Preparing for the Audit

Before the audit, prepare thoroughly! Spending time in preparation will make you much more effective
during the audit - you will become a better auditor. Auditors should not skip this step as it provides
much needed value to the audit. Taking the time to prepare and organize actually saves time during the
audit.

You should have an up-to-date audit schedule and a well defined audit plan for each process. Be sure to
communicate the audit schedule to all parties involved as well as to Top Management as this will help
reinforce your mandate.

Gather together all the relevant documented information that relates to the process you will be
auditing. Look at process metrics, work instructions, turtle diagrams, process maps and flowcharts, etc.
If applicable, collect and review any control plans and failure mode effects analysis work sheets too.
Review these thoroughly and highlight the aspects that you plan to audit. Using the documented
information in this way ensures they become audit records.

Your organization’s documented information may not cover all of the requirements that may be
relevant to the process. If certain information is not available, it may become your first audit finding, not
bad for the pre-audit review!

Certain information and linkages should be audited. Some are required and some are simply good audit
practice. Putting these sections into a worksheet format gives auditors a guide to follow, to ensure the
relevant links are audited.

The Human Aspect of Auditing

Good auditors realize very early on that they are dealing with personalities as much as processes and
systems. Whilst the intent of the audit a serious one, often light humor, politeness and diplomacy are
the best ways to build rapport. It is vital every effort is made to reassure those being audited that the
audit’s primary function is to drive improvement, not to name and shame.
If you are new to auditing, acknowledge this fact, be open and honest. It is also important to explain to
the auditees that they are free to express their views during the audit. Remember that you, the auditor,
are also there to learn.

Always discuss the issues you have identified with the auditees and always provide guidance on what is
expected in terms rectifying any non-conformances or closing out observations you raised. Let the
auditees know they are welcome to read your notes and findings; the audit is not a secret.

Try not to be drawn into arguments concerning your observations. It is never appropriate to directly
name people in the audit report as this may lead to defensiveness which is ultimately counter
productive.

Definition of Internal Auditing

"Internal auditing is an independent, objective assurance and consulting activity designed to add value
and improve an organization’s operations. It helps an organization accomplish its objectives by bringing
a systematic, disciplined approach to evaluate and improve the effectiveness of risk management,
control and governance processes."

Source: International Professional Practices Framework (IPPF), The Institute of Internal Auditors
Research Foundation. Florida, USA, January 2011

Types of ISO Internal Audit

Internal audits are commonly referred to as ‘first-party audits’ and are conducted by an organization to
determine compliance to a set of requirements which might arise from standards like ISO 9001:2015, as
well as customer or regulatory requirements.

There are common methods of internal auditing that may be used to determine compliance:

1. System Audits

2. Process Audits

3. Product Audits

System Audits

The system audits are best undertaken using the internal audit checklist. This type of audit focuses on
the organization’s quality management system as a whole, and compares the planning activities and
broad system requirements to ensure that each clause or requirement has been implemented.

Process Audits

The process audit is an in-depth analysis which verifies that the processes comprising the management
system are performing and producing in accordance with desired outcomes. The process audit also
identifies any opportunities for improvement and possible corrective actions. Process audits are used to
concentrate on any special, vulnerable, new or high-risk processes.

Product Audits
The product audit may be a series of audits, at appropriate stages of design, production and delivery to
verify conformity to any specified product requirements, such as dimensions, functionality, packaging
and labeling, at a defined frequency.

So, how is an audit conducted?

Use an Internal Audit Checklist

An internal audit checklist will help you to determine the extent to which your organization’s quality
management system conforms to the requirements by determining whether those requirements have
been effectively implemented and maintained. The internal audit tool will help you to assess the status
of your existing management system and identify process weakness to allow a targeted approach to
prioritizing corrective action to drive improvement.

Why Reinvent the Wheel?

Our Internal Audit Procedures & Checklists is proven to work.

The internal audit checklist is just one of the many tools which are available from the auditor’s toolbox
that helps to ensure each internal audit addresses the necessary requirements. It stands as a reference
point before, during and after the audit process and if developed for a specific audit and used correctly
will provide the following benefits:

1. Checklists can be used as a reference for planning future audits

2. Checklists can be provided to the auditee prior to the audit

 3. Checklists can provide a means of communication

4. A completed checklist provides evidence the audit was performed

5. Ensures the audit is conducted systematically and consistently

6. Ensures a consistent audit approach

7. Actively supports the organization’s audit process

8. Provides a repository for notes collected during the audit process

9. Ensures uniformity in the performance of different auditors

10. Provides reference to objective evidence

11. Audit checklists provide assistance to the audit process

The internal audit checklist comprises tables of the certifiable (‘shall’) requirements, from Section 4.0 to
Section 10.0 of ISO 9001:2015, each requirement is phrased as a question.

Do We Need An Internal Audit Procedure?

Yes, we recommend you document an Internal Audit Procedure - this addresses two of the ISO 9001
clauses - Performance Evaluation and Improvement. It will greatly help you with the process of auditing
and internal audit management.

Control of Internal Audits Procedure

The purpose of this procedure is to define your organization’s process for undertaking QMS audits,
process audits, and supplier and legislation audits in order to assess the effectiveness of the application
of the quality management system and its compliance to ISO 9001:2015.

This procedure also defines the responsibilities for planning and conducting audits, reporting results and
retaining associated records.

Looking For Help with Your Internal Audit Procedure?

Our Control of Internal Audits Procedure includes:

 Procedure - view sample

 Internal Audit Porcess Flowchart

 Audit Report

 Audit Feedback Form - view sample

 Internal Audit Process Map - view sample

Save Time and Money — Proven to Work

Before you invest all the hours reinventing the wheel, before you spend countless dollars outsourcing
the task — try our Internal Audit Checklist.
A Gap Analysis

The gap analysis will likely be your first ISO 9001:2015 internal audit. The gap analysis checklist
highlights the new requirements contained in ISO 9001:2015 but it not intended to cover all of the
requirements from ISO 9001:2015 comprehensively.

The unique knowledge obtained about the status your existing quality management system will be a key
driver of the subsequent implementation approach. Armed with this knowledge, it allows you to
establish accurate budgets, time-lines and expectations which are proportional to the state of your
current management system when directly compared to the requirements of the standards.

Your organization may already have in place an ISO 9001:2008 compliant quality management system or
you might be running an uncertified system. If this is the case, you will want to determine how closely
your system conforms to the requirements ISO 9001:2015.

The results of a gap analysis exercise will help to determine the differences, or gaps, between your
existing management system and the new requirements. Not only will the analysis template help you to
identify the gaps, it will also allow you to recommend how those gaps should be filled.

The gap analysis output also provides a valuable baseline for the implementation process as a whole and
for measuring progress. Try to understand each business process in the context of each of the
requirements by comparing different activities and processes with what the standard requires. At the
end of this activity you will have a list of activities and processes that comply and ones that do not
comply. The latter list now becomes the target of your implementation plan.

Preparing the Audit Report

A good summary report is the output which is the value of the audit. It deserves an appropriate amount
of attention and effort. As you moved through the audit, you should have noted the issues and
improvements you saw. These should have been marked clearly so you are now able to quickly review
and capture them as you write the report.

These findings and conclusions should be formally documented as part of the summary report. Too
often, the audit report only recites back facts and data the managers already know. The value is in
identifying issues and opportunities they do not know! This summary should be reviewed first with the
lead auditor, then the Process Owner and Management Team. Make final revisions and file the audit
report and all supporting audit materials and notes.

Gather the whole audit package together, in an organized manner. The rest of the work instructions,
flowcharts, notes and relevant papers should be gathered into the audit package as supporting records.
All findings should also be documented on your corrective action forms. The audit summary and the
corrective action forms should be attached to the audit package, which now becomes the audit record.
Only the summary report and corrective actions need be given to the process owner.

Elementary Audit Questions

These basic audit questions will help guide the audit in the right direction since the answers they
provide often unlock the doors to information the auditor requires in order to accurately assess the
particulars of a process.

Consider these common audit questions:

1. What are your responsibilities?

2. How do you know how to carry them out?

3. What kind of training is given to new employees?

4. How is the effectiveness of training evaluated?

5. Are training records maintained?

6. What are the objectives of your processes?

7. What is the quality policy and where is it found?

8. Which documents do you use and are they correct?

9. What outputs does your process create?

10. How are your records maintained?

11. How do you ensure that products meet the stated requirements?

12. Is customer satisfaction data analyzed?

13. How do you ensure that products meet the stated requirements?

14. What happens when changes are made to product requirements?

 15. What are the responsibilities/authorities for dealing with non-conformances

16. Are there trends in non-conforming products and what's being done about it?

17. Is the non-conformance procedure linked to the corrective action process?

18. Are employees made aware of the quality policy and objectives?

19. Are policies and objectives available and relevant?

20. How are quality objectives determined?

21. Is there a clear link between the policies and objectives?

22. How is progress towards objectives measured and communicated?

23. Has the number of customer complaints changed over time?

24. What tools are used to identify the causes of complaints?

25. How are improvement efforts and successes communicated to employees?

Getting the Most from the Audit Schedule

The audit schedule is divided up to reflect each section of ISO 9001 You should determine which of these
sections are of greatest relevance to your business; in other words, which processes, should there be
problems, will affect your customers the most. These are the processes that your company must make
certain remain stable and consistent. You might wish to schedule these key processes for additional
audits, perhaps two or even three times per year.

The audit schedule provides the following benefits:

1. Provides a visual plan of the audit programme

2. Demonstrates coverage of the whole standard

3. Provide current status of the audit programme

4. Promotes awareness