Internal Audit According to ISO 9001: Definition, Goals & How to Do It Right

If your company operates under ISO 9001 or is working toward certification, you’ve almost certainly encountered the term internal audit. But what does it actually mean? What is it supposed to achieve? And how do you run one that genuinely improves your organization rather than just checking a compliance box?

This guide breaks it down clearly and practically.

What Is an Internal Audit Under ISO 9001?

An internal audit is a systematic, documented self-assessment of your organization’s quality management system (QMS). The term “audit” traces back to the Latin audire, meaning to hear or listen, and that’s exactly what a well-run internal audit does: it listens carefully to how your processes actually work, then compares that reality to how they’re supposed to work.

Under ISO 9001 (Section 9.2), every organization with a certified or developing QMS is required to conduct internal audits at planned intervals. The purpose is to verify that your management system:

  • Conforms to the requirements of ISO 9001
  • Conforms to your organization’s own planned processes and policies
  • Is being effectively implemented and maintained

In short, an internal audit checks whether your actual operations match your documented standards — and identifies where they don’t.

Not yet certified? Our ISO 9001 consulting service guides you from gap analysis to certification — including building your internal audit program from scratch.

Why Internal Audits Matter: The Goals

Too many organizations treat the internal audit as a rehearsal for the external certification audit. That’s a missed opportunity. When planned and executed well, internal audits are one of the most powerful levers for organizational improvement.

Here are the core goals they pursue:

1. Verify Conformity to ISO 9001 Requirements

The most fundamental purpose: do your processes meet the standard’s requirements? Any gaps — called nonconformities — need to be identified and corrected. These can be major (critical failures in the system) or minor (smaller deviations that still require attention).

2. Identify Improvement Opportunities

Beyond finding what’s wrong, a skilled auditor looks for what could be better. Improvement potentials — sometimes called “observations” or “opportunities for improvement” — are areas where performance falls short of what’s possible, even if no rule is technically broken. This is where internal audits generate real business value.

3. Support Risk Management

Internal audits help surface risks and uncertainties in your business processes before they become problems. By regularly reviewing how processes are performing, your team can take preventive action rather than reactive firefighting.

4. Drive Continuous Improvement (the Kaizen Principle)

ISO 9001 is built on the principle of continual improvement. Internal audits are a core mechanism for this. They create a regular rhythm of honest self-assessment, which keeps your QMS from stagnating and encourages teams to keep optimizing.

5. Strengthen Management Review Input

The findings from internal audits feed directly into management reviews, helping leadership make data-driven decisions about resources, process changes, and quality objectives.

The Strategic Approach: Aligning Audits with Business Goals

Here’s where most organizations leave value on the table: they run the same internal audits in the same processes year after year, regardless of what the business is actually trying to achieve.

A better approach — sometimes called strategy-oriented auditing — connects your audit program directly to your company’s current goals and challenges.

For example, if customer complaints have spiked due to quality issues that trace back to employee training gaps, your audit program should shift focus toward the training and qualification processes — not spend the same hours auditing a well-functioning maintenance process.

This requires:

  • An audit program (your annual or multi-year audit plan) that prioritizes processes based on their strategic importance and risk
  • Individual audit objectives derived from your quality goals and management review findings
  • Flexible planning that allows the audit focus to shift as business priorities evolve

A process that significantly impacts your ability to meet quality objectives deserves more frequent and thorough auditing. One that’s been consistently performing well and poses little risk may need less attention. This is not about reducing rigor — it’s about directing your resources where they create the most value.

Need an independent audit? Sternberg Consulting conducts professional internal audits across Germany — structured, objective, and aligned with real certification expectations.

Planning an Internal Audit: The Key Steps

A well-planned internal audit follows a clear structure:

1. Define the scope and objectives. Which processes will be audited? What specific outcomes are you trying to assess? Objectives should be derived from your quality targets, not just from a generic checklist of ISO clauses.

2. Assign qualified auditors. The auditors conducting the assessment must have appropriate training and knowledge — both of ISO 9001 requirements and of the processes being reviewed. Critically, auditors must not audit their own work (the independence requirement). In larger audit teams, a Lead Auditor with broad auditing competency often pairs with a Co-Auditor who brings deep process-specific expertise.

3. Prepare the documentation baseline. Before entering the audit, review the relevant documents: quality manual, process descriptions, work instructions, KPIs, previous audit results, and any relevant customer feedback or complaints.

4. Develop audit questions. A good audit checklist has three layers:

  • General process environment questions (consistent across audits)
  • Strategy-specific questions (tailored to this audit’s objectives)
  • Conformity questions tied directly to ISO 9001 clause requirements

5. Communicate with process owners. Share the audit plan with the people who will be audited. Transparency reduces anxiety and improves the quality of evidence gathered.

Conducting the Audit: Best Practices

The audit itself begins with an opening meeting, where the auditor explains the purpose, scope, and process. From there, the auditor observes actual work, reviews records, and interviews staff — using primarily open-ended questions to gather as much honest information as possible.

A common structural approach:

  • Strategic opening: Start with goal-level questions (“What are you trying to achieve with this process? How do you measure success?”)
  • Main body: Work through your three-part question structure, examining conformity and performance
  • Strategic close: End with forward-looking questions (“What will this process look like in a year? What would make it significantly better?”)

Good auditors listen more than they talk. They follow threads, notice inconsistencies, and remain curious rather than accusatory. The goal is accurate understanding, not catching people out.

Documenting Findings: The Four Categories

At the close of each audit, findings are categorized and documented:

Finding Type                     | Meaning
Positive observation (Strength)  | Something working particularly well
Major nonconformity              | Serious failure to meet a requirement; requires corrective action
Minor nonconformity              | A smaller deviation requiring attention
Opportunity for improvement      | A gap between current and optimal performance

All findings go into the audit report, which is shared with the audit commissioner (typically senior management) and relevant process owners.

After the Audit: Follow-Up and Effectiveness Verification

The audit report is not the finish line — it’s the starting gun. Corrective and improvement actions must be:

  • Assigned to responsible persons with clear deadlines
  • Implemented
  • Verified for effectiveness using measurable evidence (data, KPIs, records)

Only once an action has been shown to actually change the root cause of a nonconformity — not just document that someone tried — is it considered closed. This effectiveness check is a requirement of ISO 9001 and a key discipline that separates mature QMS organizations from box-checkers.

Who Conducts Internal Audits?

Any company operating under ISO 9001 is required to have trained internal auditors. These individuals must have:

  • Knowledge of audit principles and methods (as defined in ISO 19011, the auditing guideline)
  • Understanding of the relevant ISO 9001 clauses
  • Familiarity with the organization’s industry and processes

The number of trained internal auditors needed depends on your organization’s size and complexity. Smaller companies may need just one or two; larger ones may have a pool of trained auditors who rotate through different process areas.

Investing in proper internal auditor training pays dividends: it creates internal expertise, builds a quality culture, and significantly improves the return on your audit program.

Want to build internal audit capability in your team? Our Quality Management Training workshops equip your staff with practical auditing tools and methodologies — on-site, tailored to your processes.

Common Mistakes to Avoid

  • Treating internal audits as certification rehearsals. They’re much more than that — use them strategically.
  • Auditing the same processes with the same questions every year. Shift your focus based on risk and business priorities.
  • Failing to follow up on findings. An audit that produces a report but no action changes nothing.
  • Letting auditors audit their own work. Independence is non-negotiable.
  • Focusing only on nonconformities. Equally important is identifying strengths and improvement opportunities.

Heads up — ISO 9001 is being revised. The new ISO 9001:2026 standard will affect how internal audits are planned and documented. Read our full breakdown of what’s changing and how to prepare your audit program now.

Frequently Asked Questions

How often must internal audits be conducted under ISO 9001?

ISO 9001 does not prescribe a fixed frequency — it requires audits to be conducted at “planned intervals.” In practice, most certified organizations audit all relevant processes at least once per year. However, the standard explicitly expects you to adjust frequency based on risk and importance: processes with a higher impact on quality objectives, or those with a history of problems, should be audited more often. A risk-based audit program is both best practice and the spirit of the standard.

What is the difference between an internal audit and an external audit?

An internal audit is conducted by your own trained staff (or a hired consultant acting on your behalf) to assess your QMS from the inside. It is a self-evaluation tool. An external audit is conducted by an independent third party — either a certification body (for ISO 9001 certification) or a customer auditing a supplier. Internal audits are typically less formal and more focused on improvement; external audits result in official findings that affect your certification status.

Can an employee audit their own department or process?

No. ISO 9001 Section 9.2 requires that auditors be objective and impartial, which means they must not audit their own work. This independence requirement exists to prevent bias — conscious or not — from distorting findings. In small organizations where this is difficult, hiring an external consultant to conduct internal audits is a practical and fully compliant solution.

What happens if a nonconformity is found during an internal audit?

A nonconformity triggers a corrective action process. The responsible process owner must analyze the root cause, define and implement corrective measures, and then verify that those measures actually resolved the problem. This effectiveness check — not just the action itself — is what closes a nonconformity. The entire cycle must be documented. Major nonconformities, if unresolved, can jeopardize your certification status in a subsequent external audit.

What is the difference between a major and minor nonconformity?

A major nonconformity is a significant failure: the complete absence of a required process, a systemic breakdown, or a deficiency that directly threatens the integrity of your QMS or customer requirements. A minor nonconformity is an isolated lapse or partial fulfillment of a requirement — something that needs correction but doesn’t indicate a systemic failure. The distinction matters because major nonconformities typically require faster and more rigorous corrective action.

Do internal audits need to cover every clause of ISO 9001 every year?

Not necessarily all at once, but over time your audit program should cover all relevant clauses and processes. ISO 9001 requires that the audit program takes into account the importance of the processes concerned and the results of previous audits. This means you can — and should — prioritize depth and frequency based on risk, rather than mechanically ticking through every clause on a fixed schedule.

Can a small company with few employees still conduct compliant internal audits?

Yes, and it’s actually one of the most valuable investments a small company can make. The scale adapts to your size: a small organization may only need one trained internal auditor and a simple annual audit covering all processes in a single day. If objectivity is a concern (e.g., the only qualified person is involved in all processes), bringing in an external consultant for the audit is a recognized and compliant approach. Sternberg Consulting offers exactly this service — independent internal audits for organizations that need objective, expert oversight without a full-time quality hire.

What is the audit program vs. the audit plan?

The audit program is the big-picture, long-term framework: which processes will be audited, how often, by whom, and with what overall objectives — typically planned annually or multi-annually. The audit plan is the detailed schedule for a specific audit: exact timing, scope, auditors assigned, documents to review, and people to interview. Think of the program as your strategy and the plan as your tactics.

How Sternberg Consulting Can Help

Whether you’re implementing ISO 9001 for the first time, running audits that feel like they’re going through the motions, or preparing for the upcoming ISO 9001:2026 transition, Sternberg Consulting brings practical, certification-body-level expertise to every engagement.

What we offer:

  • Internal Audit Services — Independent audits conducted across Germany, structured to find real problems and real improvement potential, not just tick boxes
  • External QMR Support — An experienced Quality Management Representative on your side, without the overhead of a full-time hire
  • ISO 9001 Consulting — End-to-end support from gap analysis through certification, including audit program design
  • QM Training — On-site workshops to build your team’s internal auditing capability
  • ISO 13485 Consulting — For medical device companies navigating the additional regulatory layer

Get in touch — tell us where you are in the process and we’ll recommend the right starting point.