One of the most frequent questions when an SME decides to raise the maturity of its management system is this: how much does it cost to outsource an internal ISO audit? The answer has no single figure, because the Spanish market in 2025-2026 shows a wide range depending on scope, the standard being audited, frequency and the profile of the provider. What we can offer in this article are real indicative ranges, the factors that push the price up or down, and the questions you should ask before signing a contract.
Why outsource the internal audit instead of doing it with in-house staff?
ISO management system standards — ISO 9001, ISO 14001, ISO 45001, ISO 27001, among others — require organisations to carry out periodic internal audits to verify that their system works in accordance with the requirements. The question is who executes those audits.
Many SMEs do not have staff trained as internal auditors or, if they do, they face the independence problem: the auditor cannot audit their own work. Outsourcing solves both problems at once: it provides the technical competence and impartiality needed without the company having to invest in auditor training or manage conflicts of interest.
There is also a direct economic argument: the cost of maintaining a trained and up-to-date internal auditor (courses, renewal of accreditations, time spent) can easily exceed the cost of contracting the service externally, especially when only one or two audits per year are needed.
Indicative price ranges in the Spanish market (2025-2026)
The following ranges are based on observation of the quality consulting market in Spain and are indicative, not Summum's own rates. They vary by provider, organisational complexity and the standard being audited.
| Service model | Typical scope | Indicative range (€, excl. VAT) | Source / reference |
|---|---|---|---|
| One-off internal audit (1 standard) | SME <50 employees, single site | €800 – €2,000 per annual cycle | SME consulting market ES, 2025 |
| Annual internal audit (integrated ISO 9001 + ISO 14001) | SME 50-150 employees, 1-2 sites | €1,800 – €4,500 / year | Consulting market ES, 2025 |
| Annual audit programme (3-4 audits) | Mid-size company, mature system | €3,500 – €8,000 / year | Consulting market ES, 2025 |
| ISO 27001 internal audit (information security) | IT SME or companies with cybersecurity requirements | €2,000 – €5,000 per cycle | IT-GRC sector, 2025 |
| Annual outsourced internal audit service (retainer) | Multi-site, multi-standard company | €6,000 – €18,000 / year | Mid-market ES, 2025 |
Important: these ranges do not include the certification body's fee (AENOR, BV, SGS, Applus, TÜV…), which is a separate cost that the company pays directly to the accredited third party. The consultant who outsources the internal audit does not issue the certificate: that is done exclusively by the certification body.
Factors that determine the final price
1. Number of standards and scope of the system
Auditing an ISO 9001 system in a 20-person company with a single production process does not cost the same as an integrated system covering quality, environment and occupational health and safety (ISO 9001 + ISO 14001 + ISO 45001) at a construction company with four work sites. Each additional standard adds audit days and therefore cost.
2. Organisation size and number of sites
ISO management system standards account for complexity factors when calculating audit time. More employees, processes and sites mean more days in the field. A serious provider will calculate audit time following the IAF MD 5 guidelines (for ISO 9001) or the tables in the standard itself. Two or three work sites can double field time.
3. Frequency of service
An annual internal audit is the minimum required by most standards, but more mature systems or higher-risk environments (food, healthcare, information security) may require two or three annual cycles. Contracting an annual programme with several audits usually has a lower unit cost than repeating one-off audits.
4. On-site versus remote format
Remote audits (via video conference and cloud document access) have gained acceptance since 2020 and reduce travel costs, which is particularly relevant for companies outside major urban centres. However, some standards or situations require physical presence, such as reviewing facilities or directly observing production processes.
5. Maturity level of the system
A recently certified system with incomplete documentation or poorly established processes requires more audit time than one with several years of track record and a well-managed non-conformance log. Immature systems generate more findings, which extends the work and may lead to additional follow-up visits.
6. Provider profile and experience
The market ranges from freelance auditors to specialised consultancies with sector teams. An individual auditor may have lower rates, but a consultancy offers methodological backing, continuity when staff leave and the capacity to cover multiple standards with different specialist profiles. For SMEs operating in regulated sectors (food, automotive, healthcare, defence), the auditor's sector experience is a pricing factor and, above all, a real value factor.
What should an outsourced internal audit service include?
Before comparing quotes, it is worth knowing what you are buying. A complete outsourced internal audit service should include, at minimum:
- Audit planning: scope, criteria, detailed programme and prior communication with the auditee.
- Document review: manual, procedures, records and system evidence.
- Field audit: interviews, process observation and evidence verification on-site.
- Audit report: formal document with classified findings (non-conformances, observations and strengths) and precise normative references.
- Closing meeting: presentation of findings to the management team and agreement on correction timelines.
- Corrective action follow-up (optional): verification that detected non-conformances are closed before the certification or surveillance audit.
If the quote does not specify concrete deliverables or does not include a formal report, ask explicitly. A vague audit report without normative references will not help you demonstrate conformity to the certification body.
When does outsourcing make more sense than training internal auditors?
Training an internal ISO 9001 auditor according to ISO 19011 (which sets the guidelines for management system auditing) costs between €300 and €800 per person in accredited courses, not counting the employee's time or periodic knowledge renewal. Moreover, the trained person must still be independent of the process they audit, which in a small SME can be difficult to manage.
Outsourcing clearly makes sense when:
- The company has fewer than 50 employees and cannot assign a person part-time to the audit function.
- The system is in its early years after certification and needs an experienced auditor to detect deviations that the internal team would not spot.
- Several standards requiring different profiles are being audited (quality, environment, information security…).
- The company wants to clearly separate the internal audit function from system management, to avoid conflicts of interest before the certification body.
Conversely, in mid-size companies with more than 150-200 employees and a mature system with several already-trained internal auditors, the total outsourcing cost may exceed that of maintaining the internal function. In that case, the usual approach is to combine: internal auditors for day-to-day work and an independent external audit once a year for critical processes or as a second opinion.
Most common mistakes when contracting this service
Choosing on price alone. A cheap internal audit that fails to detect real non-conformances is more expensive than a well-executed one: the certification body will find them, and then the cost of urgent corrective actions will be higher.
Not verifying the auditor's independence. If the same consultant who implemented your system also audits it, there is a conflict of interest that may invalidate the conformity evidence. ISO standards require impartiality. Some certification bodies view this negatively during the document review.
Confusing internal audit with certification audit. The internal audit is conducted by the company (or a third party on its behalf) for its own assessment. The certification audit is conducted by an accredited certification body (accredited by ENAC in Spain). These are different processes with different objectives, methodology and costs.
Not requesting the audit programme in writing. Without a formal programme specifying processes to audit, criteria and dates, it is difficult to demonstrate to the certification body that the standard's requirement has been met.
If you want to explore how an outsourced internal audit service works, tailored to the standard you already have certified or are implementing, we can advise you with no commitment.
Frequently asked questions
How often does ISO 9001 require internal audits to be carried out?
ISO 9001:2015 (clause 9.2) requires organisations to conduct internal audits at planned intervals, but does not set a minimum annual frequency. In practice, most certification bodies expect at least one complete internal audit per certification cycle (three years), although the norm for SMEs with an active certification is to carry one out once a year, before the surveillance audit. Systems with higher risk or recurring non-conformances may require more frequent cycles.
Does the certification body accept an internal audit carried out by an external consultancy?
Yes. ISO standards do not prohibit outsourcing the internal audit function. What they require is that the auditor be competent (training, experience and knowledge of the standard) and impartial (they cannot audit their own work). If the external consultancy meets those requirements and delivers a formal report with findings, the certification body accepts it as valid evidence. It is advisable to keep the CV of the auditor or auditors involved, in case the certification body requests it during the document review.
How long does an internal ISO 9001 audit take in a 30-person SME?
For an SME of between 20 and 35 employees with a single site and a basic ISO 9001 system, the internal audit typically takes between one and two auditor working days: half a day for document review, one day in the field (interviews and process verification) and half a day to produce the report. Above 50 employees or with more complex processes, the time increases. IAF MD 5 provides a reference table for estimating audit time based on number of employees and system complexity.
What is the difference between an internal audit and a second-party audit?
An internal audit (first party) is conducted by the organisation itself — or a third party on its behalf — to assess its own system. A second-party audit is conducted by a customer or an entity on behalf of the customer to assess a supplier: for example, a large manufacturer auditing its critical suppliers before approving them. A certification audit (third party) is conducted by an accredited certification body to issue or maintain the ISO certificate. These are three types of audit with different purposes; outsourcing them is not the same thing and their costs also differ.