The ISO internal audit is the mechanism by which an organisation examines, from within, whether its management system meets the requirements of the standard and actually works as documented. It is not a bureaucratic formality: it is the only tool that warns you of problems before the certification body finds them. Doing it well makes the difference between arriving at the certification or surveillance audit with confidence or with unpleasant surprises. In this article we explain how to plan it, what documentation to prepare, what are the most common mistakes in SMEs and when it makes sense to outsource the internal auditor.
What the ISO standard requires regarding internal audits
All ISO management system standards that follow the High Level Structure (HLS) — ISO 9001, ISO 14001, ISO 45001, ISO 27001, ISO 22301, ISO 50001 and many more — include clause 9.2 explicitly dedicated to the internal audit. The requirements are the same across all of them and can be summarised in five points:
- Audit programme: a planned programme must exist, with a defined frequency, covering all processes of the management system throughout the cycle (normally one year).
- Criteria and scope: each audit must have clear criteria (the standard, internal procedures, applicable legal requirements) and a defined scope.
- Impartiality: auditors cannot audit their own work. This independence principle is one of the most common failure points in internal audits at small organisations.
- Report of results: findings — conformities, nonconformities, observations and opportunities for improvement — must be documented and communicated to management.
- Corrective actions: nonconformities detected require corrective actions to be opened, with follow-up and verified closure.
The standard ISO 19011:2026 («Guidelines for auditing management systems») provides the reference methodological guide for conducting these audits, although its application is recommended rather than mandatory. It establishes the principles, the management of the audit programme and the competence requirements for the auditor.
The phases of a well-executed internal audit
An ISO internal audit is not an informal review of paperwork. It follows a structured process with four phases that ensure its usefulness and validity before the certification body.
Phase 1: Planning the annual programme
The internal audit programme is normally drawn up at the beginning of the year or the certification cycle. It must include which processes will be audited, how frequently, on what approximate dates, who will act as auditor and what the applicable criteria are. Critical processes or those that have recorded recent incidents deserve greater frequency. A common mistake is leaving all processes until the last quarter before the surveillance audit: the time pressure turns the internal audit into a mere formal compliance exercise.
Phase 2: Preparation of each individual audit
Before each audit session, the auditor must review the results of the previous audit of that process, the current procedures and instructions, process indicators, incident and complaint records, and any regulatory or organisational context changes that may affect the process. On that basis, the audit plan (session agenda, auditees, documents to review) and the specific verification checklist are drawn up.
Phase 3: Execution — opening meeting, evidence gathering and closing meeting
The execution always follows the same sequence. The opening meeting presents the objectives, scope and method to the audited team. Evidence gathering combines interviews, direct observation and record review: the auditor compares what the procedures say with what actually happens. The closing meeting presents preliminary findings, gives the auditee the opportunity to clarify misunderstandings and agrees deadlines for responding to nonconformities.
Phase 4: Report, corrective actions and follow-up
The internal audit report documents findings objectively: what evidence was found, which requirement it fails to meet and what the nonconformity is. From the report, the process owner opens the corresponding corrective actions (root cause analysis, action plan, implementation and verification of effectiveness). Without this closed loop, the internal audit adds no value: it is just paperwork.
Checklist: essential documentation before the audit
The following table lists the documents that the internal auditor will need to review in any audit of an ISO management system based on the HLS. Preparing them in advance significantly reduces audit time and improves the quality of findings.
| Category | Key Documents / Records | Why it matters |
|---|---|---|
| Context and leadership | SWOT/PESTEL analysis, stakeholder matrix, system scope, management policy | Validates that the system responds to the real context of the organisation |
| Planning | Risk and opportunity register, objectives with indicators, action plan | Checks that identified risks have a planned response |
| Support | Competence and training list, calibration records, documented information control | Ensures that resources and infrastructure are adequate |
| Operation | Process procedures, production/service delivery records, change management | Verifies that critical processes are executed as planned |
| Performance evaluation | Process indicators, monitoring and measurement results, customer satisfaction reports | Evidences whether the system is delivering expected results |
| Improvement | Nonconformity and corrective action register, management review report | Closes the PDCA cycle and demonstrates continual learning |
Most common mistakes in SME internal audits
We have been accompanying SMEs and mid-sized companies through ISO certification for more than nineteen years and have seen the same mistakes repeated over and over again in internal audits. Knowing them in advance makes it possible to avoid them.
1. Auditor auditing their own work
In small organisations it is tempting for the quality manager to audit all processes, including those in which they personally participate. The standard expressly prohibits this: the impartiality requirement invalidates such an audit. The solution is to cross-assign auditors between departments or, when the size of the company does not allow this, to use an independent external auditor.
2. Generic checklists copied from the internet
A generic verification list covers the requirements of the standard in an abstract way, but does not examine how the process actually works in that specific organisation. The experienced auditor builds the checklist from internal procedures, historical incident records and the specific objectives of each process. A relevant finding for improvement rarely arises from a generic question.
3. Nonconformities without root cause analysis
Opening a corrective action as «review the procedure» without investigating why the problem occurred guarantees recurrence. Root cause analysis (5 Whys, Ishikawa diagram, 8D method) is essential for the corrective action to be effective. Certification bodies review the closure of nonconformities from the previous internal audit: if they detect that the actions did not address the root cause, it is a warning sign.
4. Audits concentrated in the last month before certification
The audit programme must be distributed throughout the year. When all internal audits are carried out in the month before the external audit, the certification body interprets this as a lack of system maturity. Moreover, the time available to close detected nonconformities is minimal.
5. Audit reports without objective evidence
A finding such as «the purchasing process is not working properly» is useless. The report must include objective evidence: which record, which record was missing, which auditor statement, which direct observation supports the finding. Without evidence, the finding cannot be defended before the certification body or before the auditee who wants to contest it.
In-house internal auditor vs. outsourced internal auditor: what suits each company
One of the most important decisions in managing internal audits is whether to train them in-house or hire an external professional to act as an outsourced internal auditor. There is no single answer: it depends on the size of the organisation, the complexity of the management system and the available resources.
| Criterion | In-house internal auditor | Outsourced internal auditor |
|---|---|---|
| Cost | Initial training + time dedicated (opportunity cost) | Direct cost per session; no training or ongoing update costs |
| Impartiality | Risk in small companies (conflict of interest) | Impartiality structurally guaranteed |
| Contextual knowledge | High: knows the processes, people and history of the organisation | Medium-high: requires onboarding each cycle, but brings an external perspective |
| Regulatory updates | Depends on the internal auditor's own initiative | The external provider updates by trade; applies the most recent standard |
| Added value in findings | May be lower due to proximity to the process | Greater: comparative view across sectors and similar organisations |
| Best suited for | Medium-to-large organisations with consolidated quality teams | SMEs, companies with a single quality manager, or highly specialised standards |
At Summum Calidad we provide the service of outsourced internal auditing for organisations that want to guarantee the impartiality of the process, obtain genuinely useful findings and not burden their internal team with a task for which time and specialist expertise are scarce. With offices in Valladolid, Burgos, Palencia, Aranda de Duero and Las Palmas, and more than nineteen years of experience, we have accompanied nearly two hundred organisations through ISO certification.
How to prepare the internal audit step by step: a practical guide
Below we summarise the complete process in concrete, actionable steps for an SME quality manager:
- Draw up or update the annual audit programme: identify all system processes, assign frequency (minimum once a year per process), name auditors and block dates in the calendar. Communicate it to management for formal approval.
- Check that documentation is current: before auditing a process, verify that procedures and instructions are in force and that the records the standard requires are being generated. A process that exists on paper but not in practice is a certain nonconformity.
- Draw up the plan and checklist for each audit: do not copy generic lists. Start from the specific criteria (the standard, the process procedure, the objectives set for that process) and formulate open questions that invite the auditee to demonstrate what they do.
- Execute the audit with methodological rigour: formally open and close each session, collect documentary evidence, do not settle for verbal answers unsupported by records. Be respectful with the auditee but objective in your findings.
- Write the report on the same day: memory fails. Document findings immediately after the session, with exact reference to the evidence collected and the requirement that was not met.
- Open and follow up corrective actions: assign a responsible person, deadline and criterion for verifying effectiveness. Do not close the action until you have confirmed that the problem has not recurred.
- Include the results in the management review: clause 9.3 of the HLS requires management to review the results of internal audits. Prepare an executive summary with the most relevant findings and the status of corrective actions.
When to outsource the internal audit
There are specific situations in which outsourcing the role of internal auditor is not a luxury but the most efficient option and, sometimes, the only valid one:
- The company has fewer than ten employees and the quality manager participates in all processes. Impartiality is impossible without an external agent.
- The standard is highly specialised (ISO 27001, ISO 13485, IATF 16949…) and the internal team does not have the technical competence to audit in depth.
- The system is in its first certification cycle and the internal team is still learning. An external internal audit at that point acts as a rehearsal for the certification audit and allows the most important gaps to be identified in time to close them.
- The results of previous internal audits have always been without relevant findings, which may indicate that the internal auditor is not being sufficiently rigorous due to proximity to the process.
- The certification body has raised nonconformities in previous audits related to the inadequacy of internal audits. This is a clear signal that the process needs external reinforcement.
If you are considering this option, our outsourced internal audit service includes programme planning, session execution, findings report and support in opening corrective actions.
Frequently asked questions
How often do ISO internal audits need to be carried out?
The standard requires that all processes of the management system be audited at least once within the certification cycle (normally three years), but recommended practice is to cover all processes every year. Critical processes or those with more incidents should be audited more frequently. The audit programme must justify the chosen frequencies based on the risk and importance of each process.
Can the quality manager carry out the internal audit?
Yes, provided they do not audit processes in which they personally participate or have direct operational responsibility. The standard prohibits auditors from evaluating their own work. In organisations where the quality manager is involved in all processes, the solution is to cross-assign auditors with other departments or hire an external auditor. Impartiality is not optional: the certification body will verify it.
What is the difference between an internal audit and a certification audit?
The internal audit is carried out by the organisation itself (or an external party acting on its behalf) and aims to improve the system. The certification audit is carried out by an accredited certification body (AENOR, Bureau Veritas, SGS, Lloyd's Register, TÜV, etc.) with the aim of verifying whether the system meets the requirements of the standard and of issuing — or maintaining or suspending — the certificate. Summum Calidad accompanies the implementation process and prepares the internal audit; the certification is granted by the accredited external body, not by us.
What happens if no nonconformities are detected in the internal audit?
An internal audit report with no findings is, in most cases, a warning sign. No management system is perfect and a rigorous audit will always detect some observation, opportunity for improvement or minor nonconformity. When the report is systematically clean, the certification body tends to question the effectiveness of the internal audit process. If you have doubts about whether your internal audits are sufficiently rigorous, we can carry out an independent review.