Internal Audit According to ISO Clause 9.2 - A Practical Guide

Practical guide to internal audits according to ISO clause 9.2. Learn how to plan, conduct and document audits for ISO 9001, 14001, 27001 and 45001.

Internal audit is a requirement in every ISO management system standard built on the common high-level structure. The requirement sits in clause 9.2 and applies to ISO 9001, ISO 14001, ISO 27001 and ISO 45001 alike. But internal audit is more than a certification requirement: it is a tool that helps you find improvements before they become problems.

This guide shows you how to plan, conduct and document internal audits in practice.

What Is an Internal Audit?

An internal audit is a systematic review of your management system. You check that processes work as planned and that you follow your own procedures as well as the ISO requirements.

ISO 9001:2015 requires you to conduct internal audits at planned intervals. The audits shall provide information on whether:

  • The management system conforms to your own requirements
  • The management system conforms to the ISO standard requirements
  • The management system is effectively implemented and maintained

Internal audit is part of performance evaluation (clause 9) together with monitoring, measurement and management review. It is part of the “Check” phase of the PDCA cycle (Plan-Do-Check-Act) that drives improvement in the management system.

ISO 19011:2018 is the standard that provides guidance on how to conduct internal audits. It describes audit principles, how to manage an audit programme and what competence auditors need.

Why Is Internal Audit Valuable?

Many see internal audit as a requirement from the certification body. But when you do it right, you discover:

Problems before customers notice them: The audit shows where processes do not work as intended, so you can fix issues before they affect deliveries.

Improvement opportunities: When you go through processes systematically, you see where you waste time or resources, such as documentation nobody uses or unnecessary control steps.

How well employees understand their roles: The audit shows whether everyone knows what is expected of them and why the procedures exist.

Whether documentation matches reality: Does the procedure say one thing while you do another in practice? Then either the procedure or the way of working needs to change.

How effective your processes are: By asking about results and measurements, you see which processes perform well and which need improvement.

ISO 9001 emphasises that management systems should deliver business value - not just meet requirements. Internal audit is the tool that ensures the system actually helps you reach your goals.

How to Plan an Audit Programme

An audit programme is a plan for all internal audits over a period, typically one year. ISO 9001 requires you to plan, establish, implement and maintain the programme.

Determine Scope and Frequency

Which processes shall be audited? All processes within the scope of the management system shall be audited. Which ones these are varies between organisations, but common examples are sales, product development, production, purchasing and supplier management, warehousing, customer service, and competence management. Start from your own process maps - every process that is part of your management system should be reviewed.

How often shall each process be audited? ISO 9001 says “at planned intervals” but does not specify exact frequency. You decide based on:

  • Risk and opportunity: Critical processes are audited more often
  • Previous results: Processes with many nonconformities are followed up more frequently
  • Changes: New or changed processes need faster review
  • Complexity: Complex processes may need more attention

A common model is to audit all processes at least once per year, with critical processes twice per year and high-risk processes every quarter. Smaller organisations with fewer processes may manage with annual audits of everything, while manufacturing companies with complex production processes often need more frequent follow-up.

Define Audit Criteria

Audit criteria are what you audit against - the requirements the process must meet. Typically you combine several types of requirements: ISO standard requirements (e.g. clause 8.2.3 on review of requirements), your own procedures and process descriptions, work instructions, legal requirements applicable to the business, and customer requirements in contracts.

Write down which criteria apply for each audit so the auditor knows what to check. An audit of the purchasing process could for instance have “ISO 9001 clause 8.4, procedure SP-02 Supplier Evaluation, and contract terms with strategic suppliers” as criteria.

Ensure Auditors Are Objective and Impartial

ISO 9001 requires auditors to be objective and impartial. This means:

Auditors do not audit their own work: A process owner should not audit their own process, since they cannot be objective when reviewing their own area of responsibility.

Rotate auditors: Let different people audit the same process over time. This brings new perspectives and reduces the risk of familiarity affecting the review.

Separate roles: The person conducting the audit should not be the one deciding on corrective actions. The process owner is responsible for fixing issues.

ISO 19011 emphasises seven audit principles:

  1. Integrity: The auditor is honest and reliable
  2. Fair presentation: The report is accurate and truthful
  3. Due professional care: The auditor uses sound judgement
  4. Confidentiality: Audit information is handled discreetly
  5. Independence: The auditor is independent of what is being audited
  6. Evidence-based approach: Conclusions are based on verifiable facts
  7. Risk-based approach: The audit focuses on risks and opportunities

Determine Auditor Competence

Ensure that auditors are competent and can conduct audits objectively; ISO 9001 makes this mandatory. The standard does not specify how competence is to be achieved, which leaves you room to decide the route yourself.

Competence requirements (based on ISO 19011 guidance):

  • Knowledge of the ISO standard: Understand what the requirements mean
  • Understanding of audit techniques: Ability to interview, observe, review documents
  • Knowledge of the process: Basic understanding of what the process does (does not need to be an expert)
  • Communication skills: Ask open questions and listen
  • Objectivity and impartiality: Review without personal conflicts of interest

Recommended path to competence:

Even though the ISO standard does not require specific training, we strongly recommend combining training with practical experience:

  1. Internal audit training: A course based on ISO 19011 provides structured knowledge of audit methodology, interview techniques and documentation
  2. Practical experience: Conduct audits together with an experienced auditor or consultant who supervises you
  3. Progressive competence building: Start with simpler processes and increase complexity over time

Practical competence models:

  • Own staff + training: Send employees on an internal audit course, let them audit together the first few times
  • Consultant model: Hire an external auditor initially, have internal staff participate in every audit to learn, take over after 2-3 years of experience
  • Hybrid model: Combination of an internal auditor with training and an external consultant for quality assurance

The most important success factor is not formal education or certificates - it is that the auditor actually possesses the competence when the audit is conducted. The combination of training and practical experience gives the best results.

Create an Annual Plan

A practical audit plan could look like this:

  • February - Sales process: Review of requirements and contract review. Auditor: Anna Svensson. Criteria: ISO 9001 clause 8.2, procedure RR-01.
  • March - Production: Production control and monitoring. Auditor: Erik Larsson. Criteria: ISO 9001 clause 8.5, work instructions.
  • April - Purchasing: Supplier evaluation. Auditor: Anna Svensson. Criteria: ISO 9001 clause 8.4, procedure SE-02.
  • May - Development: Design control. Auditor: Maria Andersson. Criteria: ISO 9001 clause 8.3, DP procedures.
  • June - Customer service: Complaint handling. Auditor: Erik Larsson. Criteria: ISO 9001 clause 10.2, procedure CH-01.

Schedule dates and notify those concerned well in advance so they can prepare.
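The planning steps above (frequency driven by risk, previous results and changes; auditors independent of the process owner; rotation between years; a dated annual plan) can be mechanised so the programme is reproducible and the independence rule cannot be forgotten. The Python script below is an added example, not code from the article or from AmpliFlow. The process names, owners, risk inputs, the exact frequency thresholds and the staggering over months are constructed assumptions; adapt them to your own risk assessment. It derives the number of audit occasions per process from the factors listed above, spreads them over the year, never assigns a process owner to their own process, and prefers an auditor who did not audit that process last year.

```python
"""Risk-based annual audit programme builder (added example; not from the
article or from AmpliFlow). Processes, owners, auditors and the frequency
thresholds below are constructed assumptions for illustration."""
from dataclasses import dataclass, field
from itertools import cycle


@dataclass
class Process:
    name: str
    owner: str                      # process owner: must not audit own process
    risk: int                       # 1 = low, 2 = critical, 3 = high risk (assumed scale)
    nonconformities_last_year: int  # previous audit results
    changed: bool                   # new or significantly changed process
    criteria: list = field(default_factory=list)  # audit criteria for this process


def audits_per_year(p: Process) -> int:
    """Map the frequency factors to a number of audit occasions: everything at
    least yearly, critical processes twice a year, and high-risk, changed or
    repeatedly nonconforming processes every quarter."""
    n = 1
    if p.risk >= 2:
        n = 2
    if p.risk == 3 or p.changed or p.nonconformities_last_year >= 3:
        n = 4
    return n


def build_programme(processes, auditors, previous=None):
    """Return a list of (month, process, auditor, criteria) sorted by month.

    previous maps process name -> auditor who audited it last year, so that
    auditors rotate. An auditor is never assigned to their own process; if no
    independent auditor exists we fail loudly rather than silently schedule a
    non-objective audit."""
    previous = previous or {}
    rotation = cycle(sorted(auditors))   # shared round-robin balances the load
    plan = []
    for idx, p in enumerate(processes):
        n = audits_per_year(p)
        # spread the occasions evenly over the year, staggered per process
        months = [1 + (idx + round(i * 12 / n)) % 12 for i in range(n)]
        eligible = [a for a in auditors if a != p.owner]
        if not eligible:
            raise ValueError(f"no independent auditor available for {p.name}")
        preferred = [a for a in eligible if a != previous.get(p.name)] or eligible
        for month in months:
            auditor = next(a for a in rotation if a in preferred)
            plan.append((month, p.name, auditor, list(p.criteria)))
    return sorted(plan, key=lambda row: (row[0], row[1]))


def programme_is_independent(plan, processes) -> bool:
    """Check that nobody in the plan audits a process they own."""
    owners = {p.name: p.owner for p in processes}
    return all(auditor != owners[name] for _, name, auditor, _ in plan)


# Constructed inputs, loosely following the annual plan in the article.
PROCESSES = [
    Process("Sales", "Erik Larsson", 2, 1, False,
            ["ISO 9001 clause 8.2", "procedure RR-01"]),
    Process("Production", "Anna Svensson", 3, 0, False,
            ["ISO 9001 clause 8.5", "work instructions"]),
    Process("Purchasing", "Karin Berg", 1, 0, False,
            ["ISO 9001 clause 8.4", "procedure SE-02"]),
]
AUDITORS = ["Anna Svensson", "Erik Larsson", "Maria Andersson"]
LAST_YEAR = {"Sales": "Maria Andersson"}   # rotate Sales away from Maria this year


if __name__ == "__main__":
    for month, name, auditor, criteria in build_programme(PROCESSES, AUDITORS, LAST_YEAR):
        print(f"month {month:>2}: {name:<11} auditor: {auditor:<16} criteria: {', '.join(criteria)}")
```

With the constructed inputs, Sales (owned by Erik, audited by Maria last year) is audited twice by Anna, Production (owned by Anna) four times alternating between Erik and Maria, and Purchasing once. The raised ValueError is deliberate: a programme in which the only possible auditor is the process owner should be rejected at planning time, not discovered by the certification body.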

How to Conduct an Internal Audit

The audit itself consists of several steps: preparation, execution and reporting.

Preparation

1. Review documentation: Read through process descriptions, procedures and previous audit reports before meeting the process owner. Understand what should happen in the process.

2. Create interview questions: Prepare open questions that show how the process works in practice. Avoid questions that can be answered with yes or no.

Example interview questions for the sales process:

  • “Walk me through what happens when a new customer contacts you with an enquiry.”
  • “How do you review the customer’s requirements before submitting a quote?”
  • “Can you show me an example of a requirements review from last month?”
  • “What happens if you discover that the customer’s requirements cannot be met?”
  • “How do you document the agreement with the customer?”
  • “How do you follow up whether the delivery met the customer’s expectations?”

Example interview questions for production:

  • “Describe how you start a new production order.”
  • “How do you know what requirements apply to the product?”
  • “Can you show me where you find the work instructions?”
  • “What checks do you perform during production?”
  • “What do you do if you discover a deviation?”
  • “How do you document that the check has been completed?”

3. Book the meeting: Inform the process owner about:

  • Date and time
  • What will be audited
  • Who you want to talk to
  • Which documents you want to see

Execution

Opening meeting (10-15 minutes): Start with a short meeting where you:

  • Confirm what will be audited
  • Explain how the audit will work
  • Answer questions

Interviews and observations: Talk to people who work in the process. Ask your prepared questions and follow-up questions based on the answers.

Observe the work:

  • Do employees follow the procedures?
  • Are work instructions available?
  • Can you see how quality checks are performed?

Document review: Ask to see examples of:

  • Completed forms and checklists
  • Meeting minutes
  • Measurement results
  • Previous corrective actions
  • Training records

Check that the documents:

  • Are current and approved
  • Are filled in correctly
  • Show that the process is followed

Look for evidence: ISO 19011 emphasises that conclusions shall be based on evidence, that is, verifiable facts. Evidence can be:

  • Documents and records
  • Observation of work
  • Interview responses confirmed by several people

If something does not match, record concrete evidence: “The procedure says X but I observed Y” or “The document shows no evidence of review and approval, as clause 7.5.2 requires”.

Closing meeting (15-30 minutes): Summarise the audit:

  • What works well
  • Which nonconformities you found
  • Which improvement opportunities you see

Give the process owner a chance to ask questions or clarify.

Document Findings

After the audit, you write an audit report. It should include:

Basic information

  • Date of audit
  • Area/process audited
  • Auditor
  • Participants from the organisation
  • Audit criteria (which requirements were reviewed)

Summary

  • Overview of what was reviewed
  • General impression of the process status

Nonconformities: A nonconformity is something that does not meet a requirement.

Example of a documented nonconformity:

Nonconformity 1: Missing requirements review
Requirement: ISO 9001:2015 clause 8.2.3 requires the customer’s requirements to be reviewed before the organisation commits to supply.
Evidence: Review of 5 orders from March 2025 shows that 3 orders lack a documented requirements review (orders 2034, 2041, 2055). The process owner confirms that the review is done verbally but not documented.
Consequence: Risk that unclear requirements lead to production errors.

Observations (opportunities for improvement): An observation is something that works but could be improved.

Example:

Observation 1: Checklists not used consistently
Evidence: A checklist for production start exists but is used by 2 out of 5 operators. The others say they “know what to do”.
Opportunity: Consistent use of the checklist would reduce the risk of missed steps.

Positive findings Also document what works well. This encourages continued good work.

Example:

Positive: All interviewed employees could explain the quality requirements for their tasks. Work instructions are readily available at each workstation.

How to Follow Up Corrective Actions

ISO 9001 clause 9.2 requires you to report audit results to relevant management and to “take appropriate correction and corrective actions without undue delay”.

Difference Between Correction and Corrective Action

Correction = action to fix the concrete error. Example: Complete the requirements review for the three orders that lacked documentation.

Corrective action = action to remove the root cause so the error does not recur. Example: Add a mandatory field in the order system that requires requirements review documentation before the order can be approved.

Follow-Up Process

1. Process owner plans actions: The process owner is responsible for:

  • Analysing the root cause of the nonconformity
  • Planning corrective action
  • Setting a timeline
  • Assigning responsibility

2. Implementation: Actions are carried out according to plan.

3. Verification: The auditor or another independent person verifies that:

  • Actions have been completed
  • The nonconformity no longer exists
  • The action works as intended

4. Documentation: Document what was done and the result. This becomes input for the next audit of the same process.

Example of Follow-Up Documentation

Nonconformity: Missing requirements review for orders 2034, 2041 and 2055.

Root cause: No systematic way to ensure documentation happens.

Corrective action: Added mandatory field in the order system and trained sales staff.

Responsible: Anna Svensson. Due date: 2025-04-15. Verified: Yes, 2025-04-20.
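The follow-up above has three distinct pieces that are easy to blur together: the sampling check that produced the evidence, the correction that repairs the three specific orders, and the corrective action that removes the root cause by making the order system refuse approval without a documented review. The Python below is an added example, not code from the article or from AmpliFlow, showing all three plus the verification step. The order records, order ids, the field names of a documented review and the approval functions are constructed assumptions standing in for a real order system.

```python
"""Audit evidence, correction and corrective action for the 'missing
requirements review' finding (added example; not from the article or from
AmpliFlow). Orders, ids, field names and the approval workflow are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Order:
    order_id: int
    customer: str
    # Documented requirements review (ISO 9001 clause 8.2.3); None if nothing recorded.
    requirements_review: Optional[dict] = None


# What a complete, documented review must contain (constructed assumption).
REVIEW_FIELDS = ("reviewed_by", "date", "outcome")

# Constructed sample mirroring the finding in the text: five orders from March
# 2025, three of them (2034, 2041, 2055) without a documented review.
SAMPLE = [
    Order(2031, "Acme AB", {"reviewed_by": "A. Svensson", "date": "2025-03-03", "outcome": "can be met"}),
    Order(2034, "Beta AB"),
    Order(2041, "Gamma AB"),
    Order(2048, "Delta AB", {"reviewed_by": "A. Svensson", "date": "2025-03-12", "outcome": "can be met"}),
    Order(2055, "Epsilon AB", {"reviewed_by": "A. Svensson"}),   # started, never completed
]


def review_is_documented(order: Order) -> bool:
    """A verbal review leaves no record; only a complete record counts as evidence."""
    review = order.requirements_review
    return review is not None and all(review.get(f) for f in REVIEW_FIELDS)


def audit_sample(orders) -> dict:
    """Evidence for the audit report: sample size and the ids lacking a review."""
    missing = [o.order_id for o in orders if not review_is_documented(o)]
    return {"sampled": len(orders), "missing": missing}


class ApprovalRefused(Exception):
    pass


def approve_order_as_found(order: Order) -> str:
    """Approval as it worked when the nonconformity arose: nothing checks that
    the review was recorded, so the gap goes unnoticed until an audit."""
    return f"order {order.order_id} approved"


def approve_order(order: Order) -> str:
    """Corrective action: the system refuses approval without a complete
    documented review, removing the root cause rather than fixing one case."""
    if not review_is_documented(order):
        raise ApprovalRefused(f"order {order.order_id}: requirements review not documented")
    return f"order {order.order_id} approved"


def apply_correction(orders, order_ids, reviewed_by, date, outcome) -> int:
    """Correction: backfill the documented review for the specific orders found.
    Returns the number of records completed."""
    fixed = 0
    for o in orders:
        if o.order_id in order_ids and not review_is_documented(o):
            o.requirements_review = {"reviewed_by": reviewed_by, "date": date, "outcome": outcome}
            fixed += 1
    return fixed


def verify_closed(orders) -> bool:
    """Verification: the nonconformity no longer exists in the sample, and the
    new control actually blocks an undocumented order."""
    if audit_sample(orders)["missing"]:
        return False
    try:
        approve_order(Order(9999, "Test AB"))
    except ApprovalRefused:
        return True
    return False


if __name__ == "__main__":
    print("evidence:", audit_sample(SAMPLE))
    print("corrected:", apply_correction(SAMPLE, {2034, 2041, 2055}, "A. Svensson", "2025-04-10", "can be met"))
    print("closed:", verify_closed(SAMPLE))
```

Two details are worth noting. Order 2055 has a half-filled review record, and the check treats it the same as no record at all: partial evidence is not evidence. And verify_closed does not only re-run the sampling check, it also tries to push an undocumented order through approval; a correction alone (backfilling three orders) would pass the first check but fail the second, which is exactly the distinction between correction and corrective action the text draws.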

Common Challenges and How to Handle Them

“We don’t have time for internal audit”

Internal audit does not have to take long. An audit of a simple process can take 1-2 hours including preparation and reporting. Spread the audits throughout the year instead of doing everything at once.

Also consider: The time you spend on audit saves time later by catching problems early.

“The auditor never finds anything because everyone prepares”

It is good that employees prepare - they learn what is expected. If everything is perfect during the audit, check whether the process is sustainable over time:

  • “How do you ensure this is done every time, not just before the audit?”
  • “Show me examples from different weeks or months.”

“The same person has to audit because only they understand the process”

If only one person understands the process well enough, you have a knowledge dependency that is a risk. Solve it by:

  • Having an auditor with basic knowledge conduct the audit together with the process owner the first time
  • Documenting the process more clearly
  • Training more people in the process

“Internal audit is just a paperwork exercise”

If the audit only becomes document review without understanding reality, you get no value. Instead:

  • Spend more time on interviews and observations than on documents
  • Ask open questions about how the work is actually done
  • Ask employees to show how they work
  • Focus on results, not just procedures

“We never find any nonconformities”

If you never find nonconformities, it could be because:

  • The auditor is not critical enough
  • The audit is too superficial
  • The same processes genuinely work excellently (verify that you are auditing the right things)

An audit should find both strengths and areas for improvement. If everything is perfect, check whether your requirements and targets are ambitious enough.

How AmpliFlow Supports Internal Audit

A management system like AmpliFlow helps you organise internal audits by:

Storing the audit plan: Create the annual plan as a document or use task management to schedule audit occasions.

[IMAGE: AmpliFlow audit program overview showing scheduled audits for the year with status indicators]

Documenting findings: Register nonconformities and observations directly in the system, linked to the right process.

Managing corrective actions: Create tasks for corrective actions with an owner and deadline. Track status until actions are verified.

[IMAGE: Deviation form in AmpliFlow showing linked corrective action with owner, deadline and status]

Preserving evidence: Save audit reports and verifications as documented information according to the ISO requirement.

Tracking trends: Analyse which processes have the most nonconformities over time and prioritise improvement work.

[IMAGE: Dashboard showing deviation trends by process over 12 months]

Want to see how AmpliFlow can simplify your internal audits? Contact us for a walkthrough of how you can plan, conduct and follow up audits in one integrated system.

Summary

Internal audit according to ISO clause 9.2 is a systematic way to check that your management system works. When you do it right, it becomes a tool for improvement, not just a certification requirement.

Remember:

  • Plan audits based on risk and opportunity
  • Ensure auditors are independent and competent
  • Focus on evidence and reality, not just documents
  • Ask open questions that show how the process really works
  • Document both nonconformities and strengths
  • Follow up corrective actions systematically
  • Use the results to improve the business

A well-conducted internal audit gives you valuable information about how your management system performs and where you can improve. It is time invested that pays back in fewer problems, happier customers and more efficient processes.
