Internal audits are meant to be the early warning system for your management system. Done properly, they find the things your external auditor will find before your external auditor does. Done badly, and most are done badly, they produce a folder of completed checklists that nobody reads and nothing changes. The mistakes are predictable, and they are the same across ISO 9001, 14001, 27001 and 45001.
Internal Audit Mistake One: Auditing Your Own Work
Clause 9.2 is explicit. Auditors must be objective and impartial, and that means not auditing the area they work in. Yet plenty of small organisations have the quality manager auditing the quality processes they themselves designed and run. It looks efficient. It is not an audit. If you only have one trained auditor, swap audit areas with a peer at another site, bring in an external auditor for the parts you cannot cover internally, or train a second person. What you cannot do is mark your own homework and call it compliance.
Internal Audit Mistake Two: Generic Checklists Lifted from an ISO Standard
An internal audit checklist that just lists clause numbers and asks "do we comply with this clause?" produces yes-or-no answers and no insight. The auditor walks away with a tidy spreadsheet and zero useful findings. A good internal audit checklist asks process questions. How does this actually happen here? Show me the last three records. Who decided that? When did training last happen? The ISO clauses are relevant only to the very specific ISO-compliance audit you should complete when you first set management systems up for ISO compliance. They are of no relevance when you are auditing your actual management system and processes going forwards. Move on!
Internal Audit Mistake Three: No Follow-Through on Findings
This is the one external auditors look for hardest. Findings raised, issues logged, then nothing. Six months later the same finding appears again because nobody closed the loop. An internal audit programme without a working corrective action process is just a documentation exercise. Every finding needs an owner, a deadline, and a verification step that confirms the action taken actually fixed the problem rather than just being marked complete. If you cannot show closed-out evidence for last year's findings, your audit programme is not functioning.
Internal Audit Mistake Four: Scheduling Everything Before Re-Certification
Cramming the year's audits into the days before the external visit is common and counterproductive. It strips the audit programme of its real purpose, which is continuous monitoring. It also produces rushed audits, surface-level findings, and no time to fix anything before the assessor arrives. A risk-based audit schedule spreads coverage across the year, audits high-risk areas more often, and gives the organisation time to actually act on what comes out of each audit.
Our F-Q2 Audit Checklist is a blank template designed for process-based auditing rather than clause-ticking, with example checklists included to show the questions worth asking. The ER11 Audit Schedule handles risk-based scheduling across the year so audits are not all stacked before re-certification.
Download the F-Q2 Audit Checklist
Download the ER11 Audit Schedule
Published: 27 April 2026
