Internal Quality System Audit: a complete methodology

·

The internal audit is the mechanism an organisation uses to check, on its own and before anyone else does, whether its quality management system works as documented and delivers the intended results. The ISO 9001:2015 standard requires it explicitly in clause 9.2 ("Internal audit"), and the reference methodological guideline is ISO 19011:2018, which sets out how to audit management systems. This article develops the complete methodology: how the audit programme is planned, how each audit is carried out in the field, and how findings are documented so that they deliver real improvement value.

It is worth clarifying a distinction from the outset that is often confused. The internal audit (first party) is performed by the organisation on itself; a second-party audit is performed by a customer on its supplier; and a third-party audit is performed by an independent certification body. All three share the same method, but only the first is the self-monitoring tool we deal with here.

Regulatory framework: what ISO 9001 requires and what ISO 19011 contributes

Clause 9.2.1 of ISO 9001:2015 requires internal audits to be conducted at planned intervals in order to verify two things: that the system is conforming with the organisation's own requirements and with those of the standard, and that it is effectively implemented and maintained. Clause 9.2.2 adds specific operational requirements: plan an audit programme considering the importance of the processes and the results of previous audits; define the criteria and scope of each audit; select auditors who guarantee objectivity and impartiality (a key principle: no one audits their own work); report to the relevant management; correct nonconformities without undue delay; and retain documented information as evidence.

ISO 19011:2018 is not certifiable, but it is the methodological guide that gives substance to that "how". It introduces seven audit principles—integrity, fair presentation, due professional care, confidentiality, independence, an evidence-based approach and a risk-based approach—and describes the complete cycle of programme management, the conduct of each audit and the evaluation of auditor competence. Applying 19011 prevents the internal audit from degenerating into a box-ticking formality.

Phase 1: planning the audit programme

The audit programme is the annual (or multi-year) view: which processes are audited, how often and with what priority. Not every process deserves the same attention. A process with a history of nonconformities, with a direct impact on product safety or subject to legal requirements should be audited more often than a stable, low-risk one. This risk-based approach is what distinguishes a mature programme from a rigid calendar that audits everything alike every twelve months.

For each specific audit, an audit plan is prepared that sets out: the objective, the scope (processes, areas, locations and period covered), the criteria (the documentation against which it is checked: standard, procedures, legal requirements, customer specifications), the audit team and the schedule of meetings and interviews. The plan is shared with the auditee far enough in advance to let them prepare evidence and make the right people available.

Before setting foot in the audited area, the auditor reviews the process documentation and prepares a checklist that translates the requirements of the standard and the internal procedures into concrete, verifiable questions. The checklist is a guide, not a straitjacket: a good auditor knows when to abandon it to pull on a promising thread when an answer opens an unexpected line of investigation. The prior documentary preparation also makes it possible to detect inconsistencies on paper—contradictory procedures, obsolete versions—even before checking actual practice in the field, which focuses the visit on the points of greatest risk.

Phase 2: conducting the audit in the field

Execution begins with a brief opening meeting in which the scope, method and schedule are confirmed. From there, the auditor gathers evidence using three complementary techniques: interviews with those who carry out the process, direct observation of the activity and review of records. The guiding principle is sampling: not one hundred per cent of the records is examined, but a representative sample sufficient to support a reasonable conclusion.

One particularly effective technique is tracing or thread-following: taking a real case—an order, a batch, a complaint—and following it end to end through all the processes that touch it. This is how the real integration of the system is checked, not just the isolated compliance of each procedure. Any observation that is going to support a finding must be recorded with objective data: document number, date, person, equipment. The statement "it seems they don't control calibrations well" is not a finding; "gauge 14-B shows a calibration that expired on 12/11/2025 according to record CAL-2025-088" is.

Classifying findings and the closing meeting

Findings are classified into three usual categories. A major nonconformity means the total failure to meet a requirement or a systemic failure that compromises the capability of the system (for example, the complete absence of a required process). A minor nonconformity is an isolated, one-off failure that does not invalidate the system. An opportunity for improvement is not a failure but a recommendation to raise effectiveness. At the closing meeting the audit team presents the findings to the auditee, misunderstandings are clarified and deadlines for corrective actions are agreed.

Comparison of finding types in an internal audit
TypeDefinitionAction requiredIndicative deadline
Major nonconformityTotal failure or systemic breakdown of a requirementCorrection + root cause analysis + verified corrective actionImmediate / 30 days
Minor nonconformityIsolated failure that does not invalidate the systemCorrection + corrective action60-90 days
Opportunity for improvementRecommendation with no associated failureAssessment by the process ownerAt discretion

Phase 3: documentation, corrective actions and closure

The audit report is the formal deliverable and must allow any reader to understand what was audited, against which criteria, what evidence was gathered and what conclusions were reached. Each nonconformity leads to a corrective action, and this is where the real value of the whole exercise is decided: correcting the one-off symptom is not enough. Clause 10.2 of ISO 9001 requires determining the root cause using tools such as the "5 Whys" or the Ishikawa diagram, implementing the action that eliminates that cause and then verifying its effectiveness at a later date. A nonconformity is only closed once it has been demonstrated that the action worked.

Common mistakes that invalidate an internal audit

Frequently asked questions

How often must internal audits be carried out?

ISO 9001 does not set a specific numerical frequency: it requires "planned intervals" according to the importance and risk of each process. Common practice is to cover the entire scope of the system at least once a year, increasing the frequency for critical processes or those with recent incidents.

Can an employee audit their own department?

Not for their own work or the process for which they are directly responsible. The impartiality requirement of clause 9.2.2 obliges objectivity to be guaranteed; the usual approach is cross-auditing between areas or relying on contracted external auditors.

What is the difference between an internal audit and a management review?

The internal audit gathers evidence on the conformity and effectiveness of the system; the management review (clause 9.3) is the meeting in which top management evaluates that evidence—together with indicators, complaints and objectives—to make strategic decisions about the system.

Is it mandatory to certify internal auditors?

There is no obligation for an official certification to audit internally, but ISO 19011 requires competence to be demonstrated: training in the standard, knowledge of the audited processes and auditing skills. Many organisations train their staff with specific courses and record that competence.

Conclusion

The internal audit is not a dress rehearsal for certification: it is the organisation's immune system, the mechanism that detects deviations while they are still cheap to correct. An audit that is well planned according to risk, conducted with rigorous sampling and objective evidence, and closed only when the corrective action has proven its effectiveness, turns ISO 9001 compliance into real organisational learning. The indicator of a mature programme is not how many nonconformities are raised, but how quickly the causes that originate them stop recurring. At Summum Quality we design tailored audit programmes and train internal audit teams so that this capability stays within the company itself.