Internal auditing explained

Internal auditing is the part of the management system where an organisation looks at itself honestly. It exists to answer two practical questions: are we doing what we said we would do? and is what we said we would do still working? Done well, it surfaces problems early - when they can be fixed cheaply and without external pressure. Done badly, it becomes a paperwork exercise that reassures nobody and adds no value.

All of the major ISO management system standards require internal audits. ISO 9001 Clause 9.2 is the headline requirement for quality, with equivalent clauses in ISO 14001, ISO 45001, ISO 27001, ISO 22301 and ISO 37001. The wording differs slightly but the core requirement is the same: plan and run a programme of internal audits, use competent and impartial auditors, report the results to management, take action on findings, and keep records of what was done.

What internal audits are not

Three common misunderstandings get in the way of useful internal audits.

The first is that internal audits are a compliance exercise to satisfy the certification body. They are not. The certification body audits the organisation externally - and they will check that internal audits have been done, but the audits themselves exist for the organisation's benefit. A management system that only gets looked at once a year by an external auditor is one that drifts between visits.

The second is that internal audits are about catching people out. They are not. The purpose is to find problems with processes and the system, not with the individuals running them. An internal audit that turns into a personal performance review will not get honest answers, and the next one will be even harder to do.

The third is that internal audits have to mirror the structure of the ISO standard. They do not. Auditing process by process - sales, purchasing, production, despatch - usually surfaces more useful findings than auditing clause by clause, because the work happens in processes, not in clauses.

What ISO requires from internal audits

Stripped of the formal language, the standards expect six things.

An audit programme. Not a single audit, but an ongoing programme that covers the whole management system over time. The programme accounts for the importance of each area, results from previous audits and any significant changes in the organisation.

Defined scope and criteria for each audit. What is being audited and what it is being audited against - the organisation's own procedures, the standard, applicable legislation, customer requirements.

Competent, impartial auditors. People who know what they are looking at and are not auditing their own work. In a small organisation this is a real constraint that has to be planned for.

Evidence-based findings. Audit findings come from documents, observations and conversations - not from opinion. The evidence is recorded so the finding can be defended later.

Reporting to management. Audit results go to the people with authority to act on them, not just into a folder.

Action and follow-up. Findings get addressed without undue delay, and the actions taken are checked for effectiveness. Records are kept of the audits and the actions.

How internal audits feed the rest of the management system

Internal audits are not standalone. The findings link directly to several other parts of the management system, and missing those links is one of the most common audit findings on internal audits themselves.

Significant findings - non-conformities - go onto the issues and actions register, which is where they are tracked through investigation, action and verification under ISO 9001 Clause 10.2. The audit programme is reviewed at management review, where management approves the forward schedule and reviews findings from completed audits. Trends in findings feed risk and opportunities thinking. Patterns of repeated findings in the same area suggest something deeper than the immediate problem - usually a process design issue or a competence gap.

Where these connections are working, internal audits become one of the main engines of improvement in the management system. Where they are not, audits get done, findings get filed, and nothing changes.

Internal audits in an integrated management system

For organisations running more than one ISO standard, the audit programme is usually integrated rather than parallel. A single audit of the purchasing process can cover quality (supplier appraisal under ISO 9001), environment (supplier environmental criteria under ISO 14001), H&S (contractor competence under ISO 45001) and information security (supplier security assurance under ISO 27001) in one visit. Running a separate audit of the same process for each standard would be wasteful and would still miss the integration questions.

The audit checklist needs to be wide enough to cover the relevant ISO requirements across all standards in scope. The toolkit provides combined audit checklists for the common standard combinations.

An internal audit is not the same as the certification audit. The certification body comes once a year and checks a sample. The internal audit is how you stay on top of things between their visits. If you only ever look at your own management system when an external auditor is in the building, you are not really running a management system - you are running a year-long performance for the auditor.

For internal audits I check three things. Has the organisation actually run audits across the whole management system in a sensible cycle? Have findings been recorded with evidence and not just opinion? And have the findings been acted on - not just logged?

The pattern I see most often when internal audit is weak is a flurry of audits in the month before my visit, followed by a quiet year. That is not an audit programme, it is a fire drill. I can usually tell from the dates on the records and the nature of the findings.

We treat internal audits as something we do for ourselves, not for the auditor. The auditor coming once a year checks a sample. We need to know that the system is working all year round.

The audits that surface real findings tend to be the ones where the auditor goes and watches what people actually do, then compares it with what the procedure says. The audits that find nothing tend to be the ones where the auditor just reads the procedure and ticks boxes.

Practical compliance guidance

IMS1 Section 5.3 Management System Audits sets out the internal audit framework across the integrated management system - audit planning and the schedule, conducting audits, reporting findings, and reviewing audits at management review.

The toolkit includes the audit schedule, audit checklist, audit report template, and the policy and guidance documents covering the internal audit process.

alphaZ document - How to use it
ISO 9001 Management System Toolkit - Full toolkit including the IMS1 manual, audit schedule, audit checklist and supporting policies for setting up an internal audit programme.
ER11 Internal Audit Schedule - The audit programme template; records what is to be audited, when, by whom and the audit frequency for each area.
F-Q2 Internal Audit Checklist - Generic audit checklist for recording what was audited, the evidence reviewed and any findings raised during the audit.
PP-1-10 Internal Auditing and ISO Compliance Policy - Policy and procedure setting out how internal audits are planned, conducted, reported and followed up.
GG-1-10 Internal Audits Guidance - Plain-language guidance on running internal audits, with practical examples of audit planning, evidence gathering and reporting.
Internal Audit Training Course Toolkit - Training materials for developing internal audit competence within the organisation, including a presentation and certificate template.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

How often do internal audits need to be done?

The standards require an audit programme that covers the management system at planned intervals - they do not specify a frequency. In practice the whole system should be audited at least once over a typical certification cycle (annually or three-yearly), with more frequent audits in higher-risk or higher-change areas. Most small and medium organisations run audits monthly or quarterly across rotating areas.

Can one person carry out all the internal audits?

Yes, provided they do not audit their own work. The standards require auditors to be impartial and objective, which means they cannot audit a process they are personally responsible for. In small organisations one trained auditor often covers the whole system. The constraint is on what they audit, not on how many auditors there are.

Should audits be organised by process or by clause?

Auditing by process usually surfaces more useful findings, because the work happens in processes rather than in clauses. A process audit covering, for example, the order-to-despatch flow will pick up issues across multiple ISO clauses in one go. Some organisations also run periodic clause-based audits to confirm coverage, but a process-based programme is the more common pattern.

Can a single audit cover more than one ISO standard?

Yes, and this is the recommended approach for organisations certified to multiple standards. A single audit of a process such as purchasing or production can cover the requirements of ISO 9001, ISO 14001, ISO 45001 and ISO 27001 at the same time. Combined audit checklists make this practical without losing coverage of any individual standard.

UK Legislation relevant to internal auditing

Internal auditing under the ISO standards is a contractual rather than legal obligation - certification bodies require it, but no UK statute mandates ISO-style internal audits. Several laws do require organisations to monitor and review their compliance with regulatory duties, which internal audits typically support. Organisations outside the UK should identify the equivalent legislation in their jurisdiction.
