FAQ · ISO 9001 AUDITING

ISO 9001 Internal Audit: Steps and Checklist

Minimum annual obligation, risk-based planning, auditor independence and the full protocol from opening to closing.

How many internal audits are needed per year?

ISO 9001 requires auditing all processes of the system "at planned intervals," without setting an exact number. In practice, the typical minimum obligation is one complete internal audit per year, covering all processes within the certification cycle.

Many organizations opt for a recommended semi-annual cycle, splitting processes into two rounds according to their criticality, which allows deviations to be caught earlier and spreads the audit team’s workload across the year.

Mandatory minimum

One complete internal audit per year, covering all processes of the quality management system.

Recommended

Semi-annual cycle, prioritizing critical processes or those with a history of non-conformances according to the risk-based program.

Audit protocol: from opening to closing

  1. 1

    Opening

    Initial meeting with the person responsible for the audited area to confirm scope, objectives, criteria and audit schedule.

  2. 2

    Interviews

    Conversations with the area’s staff to understand how processes are actually carried out, not just how they are documented.

  3. 3

    Verification

    Review of objective evidence: records, documents, direct observation of the process on the shop floor, data sampling.

  4. 4

    Closing

    Final meeting to present preliminary findings, detected non-conformances and improvement opportunities before the written report.

Checklist: minimum content of the audit report

  • Scope and criteria of the audit

  • Date, duration, audit team and people interviewed

  • Positive findings and good practices identified

  • Non-conformances classified (major / minor / observation) with objective evidence

  • Conclusion on the effectiveness of the audited process

  • Follow-up plan: who, when and how closure is verified

Frequently asked questions — ISO 9001 internal audit

How many internal audits are required per year under ISO 9001?

ISO 9001 does not set an exact number, but it requires the organization to audit "at planned intervals" all processes of the management system at least once within the certification cycle (typically the three-year cycle between external certification audits). In practice, most certified organizations perform at least one complete internal audit per year, and many opt for a semi-annual cycle for critical or high-risk processes, covering the full system in two rounds.

What does risk-based audit planning mean?

Instead of auditing all processes with the same frequency and intensity, risk-based planning prioritizes processes according to their criticality: impact on customer satisfaction, history of non-conformances, recent changes (new staff, new equipment, new supplier) and complexity. A process with recurring NCs or recent changes is audited more frequently than a stable process with no incidents. This is documented in the annual audit program, justifying why each process has its assigned frequency.

What does internal auditor independence mean?

The auditor cannot audit their own work or the area for which they are directly responsible. A production manager cannot audit the production process they themselves manage; they can audit quality, purchasing or maintenance, and vice versa. In small organizations where this is hard to comply with strictly, it should be documented how the conflict of interest is minimized (for example, cross-auditing between shifts or plants, or occasional support from an external auditor).

Is IRCA training mandatory to be an internal auditor?

It is not a mandatory requirement of the ISO 9001 standard, but it is a widely recommended best practice. Accredited Internal Auditor training (for example, courses aligned with IRCA — the International Register of Certificated Auditors) ensures the auditor understands ISO 19011 (guidelines for auditing management systems), interviewing techniques, sampling and finding write-up. Many certification bodies view evidence of competent training for the internal audit team favorably.

What must the internal audit report contain?

A complete report includes: audit scope and criteria, date and duration, audit team and people interviewed, a summary of positive findings (good practices), non-conformances detected classified by type (major/minor/observation) with the objective evidence supporting them, and an overall conclusion on the effectiveness of the audited process. The report must be distributed to the area owner and to management within a reasonable time frame (typically 5-10 days after closing).

What is the follow-up plan after an internal audit?

The follow-up plan defines how and when it will be verified that the detected non-conformances have been properly closed: who does the follow-up, how often progress on corrective actions is reviewed, and how effectiveness is verified (not just implementation). This plan is typically presented at the management review, where the overall status of the period’s internal audits is reported.

What happens if an internal audit fails to detect a non-conformance that the external auditor later finds?

This is not automatically a system failure, but the certification body may question the effectiveness of the internal audit program if it happens repeatedly. It is advisable to review the competence of the audit team, the depth of sampling, and whether the affected process was correctly prioritized in the risk-based plan.

Can IgeraIndustria help prepare and document internal audits?

IgeraIndustria indexes your audit program, procedures and NC history, allowing the audit team to quickly check which processes carry higher risk, what previous findings exist, and which standard requirements apply to each area, always citing the exact source document.

Prepare your internal audits with indexed documentation

IgeraIndustria indexes your audit program, procedures and NC history so your audit team finds answers instantly, with the source cited.

Request a demo