How to Conduct an Internal Audit Step by Step
Conducting an Audit in Brief
- Opening meeting confirms scope and approach with the auditee
- Evidence gathered through interview, observation and document review
- Closing meeting presents findings before the report is written
Conducting an internal audit
The plan, the schedule and the checklist are all preparatory. The audit itself is the time the auditor actually spends gathering evidence about the area being audited. A well-conducted audit looks unremarkable from the outside - a few hours of asking questions, looking at records and watching work being done - but the technique behind those few hours is what separates a useful audit from a tickbox one.
The standards do not prescribe a method for conducting audits. ISO 9001 Clause 9.2 and the equivalent clauses in the other ISO standards require evidence-based findings, impartiality and reporting to relevant management - but the mechanics are left to the organisation. The structure described here is the conventional one used across most certification bodies and consultants and works for most internal audits.
The opening meeting
An opening meeting at the start of the audit takes five to ten minutes and sets up everything that follows. It usually covers four things.
Confirm scope and criteria. The auditor reads back the scope statement and the criteria so the auditee knows what is being audited and against what. Misalignment here is the most common cause of audits going wrong, and it is much cheaper to fix at the start than at the end.
Confirm logistics. Who will be available, where the audit will happen, where the records and documents are kept, who else may need to be involved.
Set expectations. Findings will be raised against evidence, not opinion. Anything significant will be discussed with the auditee at the time, not stored up for the closing meeting. The audit is looking at the process, not at individuals.
Take questions. The auditee may have specific concerns or context the auditor should know about. Listening to these now reduces friction and often surfaces useful audit leads.
For very short audits the opening meeting can be a brief verbal check at the start. For longer audits a short minute is sometimes recorded.
Evidence gathering - documents, observation, interviews
Internal audits use three sources of evidence in combination. Each surfaces different kinds of finding.
Documents and records. The auditor reviews a sample of records relevant to the process - completed forms, signed minutes, calibration certificates, training records, supplier appraisals. Document review is good at finding consistency issues (records not completed in line with the procedure), retention issues (records missing for periods that should have them) and approval issues (records not signed off as required).
Observation. The auditor watches the work being done in real time. Observation is good at finding gaps between what the procedure says and what actually happens, particularly where the procedure has drifted from current practice. Things like the right PPE being used, the right equipment being checked, signage being followed and access controls being applied are usually best confirmed by observation.
Interviews. The auditor asks open questions of the people who do the work - "walk me through how you do this", "what happens if X", "who would you go to if you had a problem with Y". Interviews surface understanding (or lack of it), training gaps and informal workarounds. They also tend to surface honest feedback about the management system itself.
Audits relying on a single source - usually documents only - find the issues that source can find and miss the rest. Combining all three is what makes process audits more useful than desk audits.
How to ask audit questions
The default audit question type is open: "how do you...", "what happens when...", "show me the last time you...", "walk me through...". These produce explanations the auditor can probe.
Closed questions - do you do X, yes or no? - get yes or no answers. They are useful for confirming specific facts but not for understanding how a process actually works. A whole audit conducted in closed questions usually finds nothing because the auditee answers what was asked rather than what was meant.
Three other techniques help.
First, follow the trail. When something interesting comes up - a record that does not look right, a procedure that does not match practice, a name that comes up unexpectedly - the auditor follows it. The original checklist topic can wait. Most useful audit findings come from following trails.
Second, ask about exceptions. What happens when this does not work, when X is not available, when there is a rush, when the system is down. Exception handling is where management systems most often fall short of how they are documented.
Third, ask the same question of more than one person. Where two people in the same area give different answers about how the process works, that is a finding in itself.
Recording evidence
Audit notes need to be specific enough to support any findings raised. Vague notes - "training records reviewed and acceptable" - do not stand up to challenge later. Specific notes - "reviewed training records for J Smith, R Jones and S Patel covering inductions in the past six months; all complete and signed" - do.
The F-Q2 Internal Audit Checklist provides a structure for this. For each item, the auditor records what was checked, what evidence was reviewed and whether the result was acceptable, with space for any finding to be elaborated.
Notes should distinguish between things the auditor saw directly and things the auditor was told. "Observed three sample inspection records, all signed and dated" is direct evidence. "Told that all sample inspections are signed and dated" is testimony, which usually needs to be confirmed by direct evidence before it supports a positive audit conclusion.
The closing meeting
The closing meeting at the end of the audit serves three purposes.
It summarises what was audited, so the auditee knows the auditor covered the agreed scope.
It reviews the findings - both positive (where the area was working well) and negative (where issues were identified). Sharing findings before they are formalised gives the auditee a chance to provide additional evidence or context that might change the finding. Auditors who only share findings in writing after the audit are more likely to get things wrong.
It confirms next steps - when the audit report will be issued, who will receive it, and how any non-conformities will be progressed.
For internal audits the closing meeting can be brief - five to ten minutes is usually enough. The point is the conversation, not the formality.
The audits that find the most useful things in our company are the ones where the auditor walks the floor and watches what is actually happening, then sits down with whoever is doing the work and asks them to talk through it. The audits where the auditor sits in the office and reads procedures find very little that is new.
The other thing that works is asking about exceptions. Everyone can describe how the process works on a normal day. Asking what happens when the system is down, when staff are short, when there is a rush, gets you to the real issues.
I assess audit conduct mainly through the audit notes and reports. Specific evidence cited - record numbers, observation locations, names of people interviewed - tells me the audit was actually done. Generic statements - records found acceptable, training in place - tell me very little.
I will also sometimes shadow part of an internal audit when I am on site, to see how the auditor actually conducts it. The conduct on the day is often more informative about audit quality than the report afterwards.
Open questions, not closed ones. How do you do this, not do you do this. Watch as well as read. Talk to more than one person if you can. That is most of what makes a useful audit. Everything else is detail.
Practical compliance guidance
IMS1 Section 5.3.2 Internal Audits - Audit Completion describes how internal audits are conducted, including the use of pre-prepared checklists, gathering evidence through observation, interview and document review, and recording the audit on the F-Q2 audit checklist.
The toolkit provides the audit checklist, audit report template and supporting policy and guidance documents covering audit conduct.
| alphaZ document | How to use it |
|---|---|
| ISO 9001 Management System Toolkit | Full toolkit including the audit checklist, schedule and supporting documents for conducting internal audits under ISO 9001. |
| F-Q2 Internal Audit Checklist | Audit checklist used during the audit to record what was checked, evidence reviewed and findings raised. |
| F-Q31 Audit Report Template | Audit report template used after the audit to summarise scope, criteria, evidence, findings and conclusions. |
| A-C Operational Processes Audit Checklist | Pre-prepared checklist for process-focused audits covering core operational areas. |
| PP-1-10 Internal Auditing and ISO Compliance Policy | Policy and procedure setting out how individual audits are conducted, including evidence gathering and reporting. |
| GG-1-10 Internal Audits Guidance | Plain-language guidance on conducting individual audits with practical examples of opening meetings, evidence gathering and closing summaries. |
Note - all the above files can be downloaded with an alphaZ subscription.
UK Legislation relevant to conducting audits
UK legislation does not specify how internal audits are conducted, but several laws require organisations to keep accurate records of compliance monitoring activities, which include internal audit records. Organisations outside the UK should identify the equivalent legislation in their jurisdiction.
