Servicio continuo

ISO Internal Audit

When your team lacks trained auditors or simply cannot free up the time, Summum Calidad's outsourced internal audit programme covers the standard requirement with rigour — without adding to your staff's workload. Designed for industrial, service and agri-food SMEs with certified management systems, or working towards certification.

TypeOngoing service
ProfileSME with ISO 9001, 14001, 45001 or similar
FrequencyAnnual, bi-annual or one-off

Every standard in the ISO family — from ISO 9001:2015 to ISO 45001:2018, including ISO 14001, ISO 27001 and ISO 22000 — requires organisations to carry out planned internal audits to verify that the management system is being correctly applied and remains effective. The requirement is clear: clause 9.2 of the High Level Structure (HLS) obliges organisations to establish, implement and maintain an internal audit programme. The real problem for many SMEs is that they have no staff trained as internal auditors, or that person gets pulled into day-to-day operations and the planned audits never happen. The result: minor non-conformities during the certification audit, warnings from the certifying body, and in the worst case, temporary suspension of the certificate.

Summum Calidad provides qualified internal auditors — with accredited training in management system auditing in accordance with ISO 19011:2026 — who execute the audit programme as if they were part of your team, without the cost of putting them on the payroll. This is not a consultancy that comes to inspect: it is a continuous support service that plans audits with your quality manager, carries them out independently, documents the findings and accompanies you through to the close of non-conformities. The auditor's independence — an explicit requirement of the standard — is guaranteed because Summum acts as an external party.

The service adapts to single-site and multi-site organisations, to integrated management systems (for example, quality + environment + occupational health and safety) and to any standard you have implemented. If you are also seeking initial certification or preparing for a recertification audit, the internal audit programme takes you to that appointment with findings already corrected. Since 2007 we have supported more than 200 ISO certifications in Castilla y León and the Canary Islands; we know what the certifier looks for and how to present evidence so that the external audit is a formality, not a surprise.

The ISO Internal Audit process.

The process · four stages
01

Diagnosis of the existing programme

We review the current internal audit programme (or the absence of one), the scope of the management system, critical areas and the history of previous non-conformities. In a one-hour meeting with the quality manager we define the depth and frequency appropriate to the size and risk profile of the organisation.

02

Annual planning and checklist preparation

We draw up the annual audit plan with dates, audited areas, applicable criteria and resources. We prepare verification checklists specific to your standard and to your company's critical processes: we do not use generic templates, but checklists tailored to your activity and to your documented procedures.

03

Audit execution

Our auditors carry out audits on site (or remotely when the process allows), interviewing the staff involved, reviewing records and verifying the actual implementation of controls. At the close of each audit, findings are communicated verbally and deadlines for corrective actions are agreed.

04

Report, follow-up and closure

We deliver the audit report with classified findings (non-conformities, observations and improvement opportunities), referenced to the normative requirements. We follow up the corrective action plan until the effectiveness of each action is verified, leaving everything documented and ready to present to the certifier at the next external audit.

What is included

What ISO Internal Audit includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • Annual audit plan

    Document with the calendar, scope by process or area, frequency and audit criteria, in line with requirement 9.2 of ISO standards with High Level Structure.

  • Customised verification checklists

    Checklists tailored to your standard (ISO 9001, 14001, 45001, 22000, 27001 or others) and to the specific processes and procedures of your organisation — not generic templates.

  • Internal audit report

    Detailed report with classified findings, objective evidence and precise references to the normative requirements that were not met or were met deficiently.

  • Non-conformity and corrective action log

    Forms or tracking module to manage the complete cycle: opening, root cause analysis, corrective action, effectiveness verification and closure.

  • Management review support

    Preparation of input data for the management review (HLS clause 9.3), including internal audit results, indicator performance and action status.

  • Pre-certification audit simulation

    When a recertification or initial certification audit is approaching, we run a full simulation to identify and correct weak points before the certifier arrives (AENOR, Bureau Veritas, SGS, TÜV or others).

Frequently asked questions about ISO Internal Audit.

Can an external company carry out my ISO management system's internal audits?

Yes. ISO 19011:2018 and the requirements of clause 9.2 of ISO standards with High Level Structure explicitly allow internal audits to be carried out by personnel outside the organisation, provided the auditor's objectivity and impartiality are guaranteed. Outsourcing the audit function is common practice in SMEs that have no trained internal auditors, or in organisations where workload does not justify maintaining that capability in-house.

How often do internal audits need to take place?

The standard does not set a minimum number of audits per year: it requires the programme to be established taking into account the importance of the processes, changes affecting the organisation and the results of previous audits. In practice, most SMEs conduct one or two audit rounds per year. Certifying bodies (AENOR, Bureau Veritas, SGS, TÜV Rheinland, among others) expect to see evidence that at least one complete internal audit has been completed within the three-year recertification cycle.

What happens if the certifier finds that we have not carried out internal audits?

It is one of the most common non-conformities in recertification audits. Depending on the severity — total absence of the programme or superficial audits with no corrective action follow-up — it can result in a major non-conformity that blocks certificate renewal until the correction is demonstrated. It also undermines the credibility of the management system in the eyes of the certifier.

Does the service cover integrated management systems (quality + environment + safety)?

Yes. Summum Calidad has experience in integrated management systems combining ISO 9001, ISO 14001 and ISO 45001 (and other standards). The audit plan is designed to cover the requirements of each standard in a single round, avoiding duplication of effort and reducing the time that company staff spend attending to auditors.

Does Summum issue the certification after the internal audits?

No. Summum Calidad is a consultancy, not a certification body or an entity accredited by ENAC. Our work is to prepare your system to successfully pass the audit of the certifier you choose (AENOR, Bureau Veritas, SGS, TÜV Rheinland, Lloyd's Register or another). Certification is always issued by an independent accredited third party.