Key Takeaways
  • Internal audits are a Clause 9.2 requirement and must cover the full QMS over the audit program cycle.
  • Audit programs should be risk-based, giving more attention to higher-risk processes and areas with previous findings.
  • Auditor independence is mandatory -- you cannot audit your own work or your own department.
  • Findings must distinguish between nonconformities (requirement not met) and observations (improvement opportunities).
  • Corrective actions must address root cause and prevent recurrence, not just fix the immediate symptom.

Internal Audit Requirements (Clause 9.2)

ISO 9001:2015 Clause 9.2 requires organizations to conduct internal audits at planned intervals to provide information on whether the QMS conforms to the organization's own requirements, the requirements of ISO 9001:2015, and whether it is effectively implemented and maintained.

The standard specifically requires:

  • Planned audit program: Taking into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits
  • Defined audit criteria and scope: For each audit, what is being audited and against what criteria
  • Auditor objectivity and impartiality: Auditors must not audit their own work
  • Reporting to relevant management: Audit results must be communicated to management
  • Corrective actions: Taken without undue delay for nonconformities found
  • Documented information: Retained as evidence of the audit program and audit results

Internal Audit vs External Audit

Internal audits serve a fundamentally different purpose from certification (external) audits. Internal audits are a management tool for self-assessment and improvement. They should be more thorough, more frequent, and more focused on adding value than simply checking compliance. Organizations that treat internal audits as rehearsals for external audits miss their true purpose.

Audit Program Planning

The audit program is the overarching plan that defines the schedule, scope, and approach for all internal audits over a defined period (typically one year).

Risk-Based Planning

The audit program should allocate more audit time and frequency to:

  • High-risk processes: Processes with significant impact on product/service quality or customer satisfaction
  • Processes with previous nonconformities: Areas where past audits or external audits have found issues
  • Recently changed processes: New processes, updated procedures, or organizational changes
  • Customer complaint areas: Processes associated with recurring customer issues
  • Critical supplier processes: Outsourced processes that directly affect quality

Coverage Requirements

Over the audit program cycle (typically 12 months), the program must cover:

  • All ISO 9001:2015 clauses (4 through 10)
  • All QMS processes (core, support, and management)
  • All sites within the QMS scope
  • The organization's own QMS requirements (policies, procedures, objectives)

Audit Program Structure

  • Process-Based: Each audit covers one or more complete processes end-to-end. Best for organizations with a mature process approach; mirrors how external auditors audit.
  • Clause-Based: Each audit covers specific ISO 9001 clauses across the organization. Best for new QMS implementations verifying clause-by-clause compliance.
  • Department-Based: Each audit covers a specific department or function. Best for large organizations with distinct functional units; easier to schedule.
  • Combined: Mix of process-based and clause-based audits. Best for most organizations; provides both the process perspective and clause coverage.

Preparing Audit Checklists

An audit checklist is a structured list of questions or criteria that the auditor will use to evaluate conformity. Effective checklists:

  • Reference specific ISO 9001 clause requirements
  • Include the organization's own procedure requirements
  • Ask "how" and "show me" questions, not just "do you have" questions
  • Include criteria for process effectiveness (not just existence)
  • Leave space for auditor notes, evidence references, and findings
  • Are tailored to the specific process or area being audited

Checklist Tip

Avoid checklists that simply restate ISO 9001 clauses as yes/no questions. A question like "Is there a quality policy?" is far less useful than "Can you describe the quality policy? How was it communicated to your team? How does it relate to your daily work?" Good checklists probe implementation effectiveness, not just document existence.

Audit Execution

The execution phase is where the audit plan comes to life. A structured approach ensures consistency and thoroughness.

Opening Meeting

Every audit should begin with a brief opening meeting to:

  • Confirm the audit scope, objectives, and criteria
  • Explain the audit methodology and timeline
  • Confirm availability of auditees and access to evidence
  • Explain finding categories (NC, observation, OFI)
  • Answer any questions from the auditee

Evidence Collection Methods

Auditors gather evidence through three primary methods:

  • Interviews: Asking people about their processes, responsibilities, training, and how they handle specific situations. Interview at multiple levels (management, operational staff, support functions).
  • Document and Record Review: Examining procedures, work instructions, forms, records, reports, meeting minutes, and other documented information for conformity and completeness.
  • Observation: Watching processes in action to verify that documented procedures are being followed, work conditions are appropriate, and controls are effective.

Sampling Strategy

Auditors cannot review every record or interview every person. Sampling must be:

  • Representative: Covering different time periods, product types, shifts, and locations
  • Risk-based: Higher sample sizes for higher-risk areas
  • Sufficient: Large enough to draw reasonable conclusions about process conformity
  • Documented: Record what was sampled to support finding conclusions

Closing Meeting

At the end of the audit, hold a closing meeting to:

  • Present preliminary findings (nonconformities and observations)
  • Ensure the auditee understands and agrees with the factual basis of each finding
  • Discuss the corrective action process and timelines
  • Thank the auditee for their cooperation
  • Confirm the audit report timeline

Reporting Findings

Findings are the core output of an internal audit. How they are written determines whether they drive meaningful improvement or are simply filed and forgotten.

Finding Categories

  • Major Nonconformity: Absence of or total failure of a required process; a systemic breakdown. Action required: immediate correction and corrective action; must be resolved before the next external audit. Example: no management review has been conducted in the past 18 months.
  • Minor Nonconformity: Single or isolated failure to meet a requirement; not systemic. Action required: correction and corrective action within the defined timeline. Example: three of twenty sampled training records were missing competence evaluation signatures.
  • Observation / OFI: An area that is conforming but could be improved, or a potential future issue. Action required: optional; recommended for consideration. Example: customer satisfaction surveys achieve a 60% response rate; consider follow-up methods to improve data quality.

Writing Effective Findings

Each nonconformity should contain four elements:

  1. Requirement: What the standard, procedure, or policy requires (cite the specific clause or section)
  2. Evidence: What the auditor observed, reviewed, or was told that demonstrates the nonconformity (specific facts, dates, records, names)
  3. Statement: A clear declaration of how the evidence fails to meet the requirement
  4. Classification: Whether it is a major or minor nonconformity

A well-written finding is factual, specific, and traceable. Avoid vague language like "inadequate" or "not properly." Instead, state exactly what was found, where, when, and what requirement it fails to meet. Good findings are indisputable because the evidence speaks for itself.

Audit Report

The audit report should include:

  • Audit identification (date, scope, criteria, audit team)
  • Summary of findings (number and type of NCs and observations)
  • Detailed finding descriptions (requirement, evidence, statement, classification)
  • Positive observations (areas of good practice)
  • Overall assessment of the process or area audited
  • Corrective action deadlines

Closing Findings

An internal audit is not complete until all findings have been addressed and closed. The corrective action process is where the real value of auditing is realized.

Correction vs Corrective Action

  • Correction: Immediate action to fix the specific issue identified. This addresses the symptom. Example: Complete the three missing training records.
  • Corrective Action: Action to eliminate the root cause and prevent recurrence. This addresses the underlying problem. Example: Implement a quarterly training records review by HR to catch missing records before they accumulate.

Both are required for nonconformities. Correction without corrective action means the problem will recur. Corrective action without correction means the specific instance remains unresolved.

Root Cause Analysis

Effective corrective action depends on identifying the true root cause. Common root cause analysis methods include:

  • 5 Whys: Asking "why" repeatedly until the fundamental cause is reached
  • Fishbone (Ishikawa) Diagram: Categorizing potential causes by people, methods, machines, materials, environment, and measurement
  • Fault Tree Analysis: Mapping the logical pathway from the effect back to potential causes

Root Cause Depth

Common root causes that auditors expect to see addressed include: lack of training or awareness, unclear or missing procedures, inadequate resources, ineffective supervision, communication failures, and process design flaws. "Human error" is almost never an acceptable root cause because it does not explain why the error was possible or not caught by process controls.

Verification of Effectiveness

After corrective actions are implemented, the auditor (or audit program manager) should verify:

  • The correction has been completed (specific issue resolved)
  • The corrective action has been implemented (root cause addressed)
  • The corrective action is effective (the problem has not recurred after a reasonable period)
  • No unintended consequences have been introduced

Closing Timeline

Define clear timelines for corrective action closure:

  • Major NCs: Correction within 1-2 weeks; corrective action within 30 days; effectiveness verification within 90 days
  • Minor NCs: Correction within 2-4 weeks; corrective action within 60 days; effectiveness verification within 6 months
  • Observations: No mandatory timeline, but track and review at next management review

Auditor Competence

The quality of internal audits depends directly on the competence of the auditors. ISO 9001 requires auditor selection to ensure objectivity and impartiality, but the standard also implies a need for appropriate competence.

Knowledge Requirements

  • ISO 9001:2015 requirements: Thorough understanding of the standard's clauses and intent
  • Audit principles and methodology: How to plan, conduct, report, and follow up audits (ISO 19011 provides guidance)
  • Process understanding: Sufficient knowledge of the processes being audited to ask meaningful questions
  • Industry knowledge: Understanding of the organization's sector, products/services, and regulatory environment

Skills Requirements

  • Communication: Active listening, questioning techniques, clear and concise writing
  • Analytical thinking: Ability to evaluate evidence, identify patterns, and draw conclusions
  • Objectivity: Ability to assess facts without bias or preconception
  • Interpersonal skills: Diplomacy, professionalism, and the ability to put auditees at ease
  • Time management: Ability to cover the audit scope within the allocated time

Independence Requirements

Auditors must not audit their own work. This means:

  • A process owner cannot audit their own process
  • A department manager cannot audit their own department
  • Someone who designed or wrote a procedure should not audit against that procedure

For small organizations with limited staff, independence can be achieved through:

  • Cross-functional auditing (each department audits other departments)
  • Using external auditors or consultants for areas where independence cannot be achieved internally
  • Peer auditing across shifts or locations
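As an added example (not code from the original page), the rules stated under Coverage Requirements, the independence rules above, and the corrective action deadlines under Closing Timeline are encoded as checks over a constructed audit program. The process names, people, departments and dates are made up, and each deadline uses the longest value of the range given on the page.

```python
from dataclasses import dataclass
from datetime import date, timedelta

REQUIRED_CLAUSES = set(range(4, 11))  # ISO 9001:2015 clauses 4 through 10
# Corrective action deadline per finding category, in days after the finding
# was raised (upper end of each range in Closing Timeline); observations have none
CORRECTIVE_ACTION_DAYS = {"major": 30, "minor": 60}

@dataclass
class Audit:
    process: str
    owner_dept: str       # department that owns the audited process
    process_owner: str
    auditor: str
    auditor_dept: str
    clauses: set          # ISO 9001 clauses covered by this audit

@dataclass
class Finding:
    process: str
    category: str         # "major", "minor" or "observation"
    raised: date
    ca_closed: "date | None" = None   # date the corrective action was closed

def coverage_gaps(plan, processes):
    """Clauses and QMS processes the program cycle does not audit at all."""
    covered_clauses = set().union(*(a.clauses for a in plan))
    covered_processes = {a.process for a in plan}
    return sorted(REQUIRED_CLAUSES - covered_clauses), sorted(set(processes) - covered_processes)

def independence_violations(plan):
    """Audits where the auditor owns the process or sits in the owning department."""
    return [a.process for a in plan
            if a.auditor == a.process_owner or a.auditor_dept == a.owner_dept]

def overdue_findings(findings, today):
    """Open nonconformities whose corrective action deadline has already passed."""
    return [f.process for f in findings
            if f.category in CORRECTIVE_ACTION_DAYS and f.ca_closed is None
            and today > f.raised + timedelta(days=CORRECTIVE_ACTION_DAYS[f.category])]

# Constructed sample program: names, departments and dates are made up
PROCESSES = ["Design", "Production", "Purchasing"]
PLAN = [
    Audit("Design", "Engineering", "Ana", "Ben", "Quality", {4, 5, 6, 7}),
    Audit("Production", "Operations", "Carl", "Carl", "Operations", {9, 10}),
]
FINDINGS = [
    Finding("Production", "major", date(2024, 1, 10)),
    Finding("Design", "minor", date(2024, 1, 20)),
    Finding("Design", "observation", date(2024, 1, 5)),
    Finding("Design", "minor", date(2023, 12, 1), ca_closed=date(2024, 1, 15)),
]
TODAY = date(2024, 3, 1)   # constructed "as-of" date for the review

if __name__ == "__main__":
    print(coverage_gaps(PLAN, PROCESSES), independence_violations(PLAN),
          overdue_findings(FINDINGS, TODAY))
```

Run against the sample data it reports clause 8 and the Purchasing process as uncovered, the Production audit as an independence violation, and the major finding on Production as overdue.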

Each competence area is typically developed and demonstrated as follows:

  • ISO 9001 Knowledge: Develop through an internal auditor training course (2-3 days). Demonstrate with a training certificate and exam results.
  • Audit Methodology: Develop through ISO 19011 training and mentored audits. Demonstrate with training records and supervised audit participation.
  • Process Knowledge: Develop through cross-training, process documentation review, and job shadowing. Demonstrate with training records and audit quality assessments.
  • Audit Experience: Develop by observing audits, participating as a team member, then leading audits. Demonstrate with audit logs, mentor evaluations, and audit report quality.

Common Audit Program Failures

These failures frequently undermine the effectiveness of internal audit programs and are commonly identified during external certification audits:

1. Superficial Audits

Audits that only scratch the surface -- confirming documents exist without verifying they are followed, or asking leading questions that guarantee compliant answers. Effective audits probe depth: "Show me the last five inspection records" reveals more than "Do you inspect products?"

2. Not Covering All Areas

An audit program that consistently skips certain processes, clauses, or sites. Every part of the QMS scope must be audited within the program cycle. External auditors will check the audit program schedule against actual completion and will raise nonconformities for gaps.

3. No Follow-Up on Findings

Raising findings without tracking them to closure is a systemic failure. If nonconformities from previous audits remain open, it demonstrates that the corrective action process is not working and that the audit program is not driving improvement.

4. Lack of Auditor Independence

Allowing people to audit their own processes, even informally, compromises the integrity of the entire audit program. External auditors check auditor assignments against organizational charts and will raise findings for independence violations.

5. Insufficient Audit Time

Trying to audit too many processes in too little time results in superficial coverage. Allocate realistic time based on process complexity and risk. A one-hour audit of a major production process is unlikely to be thorough enough.

6. Findings That Do Not Drive Improvement

An audit program where every finding is "minor" and every corrective action is a simple re-training exercise suggests the audits are not probing deeply enough or that the organization is not performing genuine root cause analysis. Over time, audit findings should lead to meaningful process improvements, not just paperwork corrections.

7. No Risk-Based Prioritization

Treating all processes as equal in the audit program ignores the risk-based thinking principle. High-risk processes, processes with previous issues, and recently changed processes should receive more audit attention. A purely rotational schedule misses this.

The best internal audit programs are those where management actively requests audits of areas they are concerned about, where auditors are respected for their expertise, and where findings are treated as opportunities rather than blame. When internal audit adds value, it becomes a strategic asset rather than a compliance burden.

Frequently Asked Questions

How often should internal audits be conducted?

Internal audits should be conducted at least annually, with all QMS processes and ISO 9001 clauses covered within the audit program cycle (typically 12 months). High-risk processes or areas with previous findings may need more frequent auditing. Over the 3-year certification cycle, every process and clause must be audited at least once, but best practice is to cover everything annually.

Can employees audit their own department?

No. ISO 9001 requires auditor objectivity and impartiality, meaning auditors must not audit their own work. A process owner cannot audit their own process, and a department manager cannot audit their own department. For small organizations, independence can be achieved through cross-functional auditing, using external auditors for certain areas, or peer auditing across shifts or locations.

What qualifications do internal auditors need?

Internal auditors need a thorough understanding of ISO 9001:2015 requirements, knowledge of audit principles and methodology (ISO 19011 provides guidance), sufficient process knowledge to ask meaningful questions, and communication skills for conducting interviews and writing findings. Formal internal auditor training (typically 2-3 days) is strongly recommended, followed by mentored audit experience before leading audits independently.

What is the difference between a nonconformity and an observation?

A nonconformity is a failure to meet a specific requirement of ISO 9001, the organization's own procedures, or applicable regulations. It requires mandatory correction and corrective action. An observation (or opportunity for improvement) identifies an area that is currently conforming but could be strengthened, or a potential future issue. Observations are advisory and do not require mandatory action, though they represent good practice to address.

How should corrective actions be tracked?

Maintain a formal corrective action register that records each finding, its root cause analysis, planned corrective actions, assigned owners, deadlines, and verification of effectiveness. Track both the correction (fixing the specific instance) and the corrective action (eliminating the root cause). Verify effectiveness after implementation by confirming the issue has not recurred. Review open and closed actions at management review meetings.

Do internal audit records need to be kept?

Yes. ISO 9001 Clause 9.2 requires retained documented information as evidence of the audit program implementation and audit results. This includes the audit program schedule, individual audit plans, audit checklists, audit reports with findings, corrective action records, and evidence of effectiveness verification. These records are reviewed by external auditors during certification and surveillance audits.