ISO Internal Audits Explained

By Scott Dawson
June 20, 2024

The ISO Internal Audit Process Explained

The journey to achieving ISO 9001 certification is a meticulous process that ensures an organization’s quality management system (QMS) meets international standards. This process not only demonstrates the organization’s commitment to quality but also enhances operational efficiency, customer satisfaction, and competitive advantage.

Central to this journey are various steps including preparation, conducting gap analysis, internal audits, and finally, external audits. Each step plays a critical role in aligning the organization’s processes with ISO requirements, identifying areas for improvement, and ensuring sustained compliance and continuous improvement.

What are the Steps to ISO Certification?

Achieving ISO certification involves a structured process to ensure an organization’s quality management system (QMS) meets the standards set by the International Organization for Standardization (ISO). Here are the key steps involved:

Preparation and Planning

Initial Assessment:

Understand the ISO standard relevant to your organization and determine the scope of certification. This involves defining the processes and departments that will be included in the QMS.

ISO Gap Analysis

Conduct a Gap Analysis:

Perform a detailed assessment to compare the current state of your organization’s processes and systems against the requirements of the ISO standard. This helps identify areas that do not meet the standard and require improvement.

Develop an Action Plan:

Based on the findings from the gap analysis, create a plan to address the identified gaps. This plan should outline specific actions, responsible parties, and timelines for achieving compliance.

Implement Changes:

Execute the action plan to align your processes and systems with the ISO standard. This may involve revising procedures, training employees, and implementing new controls or documentation practices.

Document Processes and Records:

Ensure all processes, procedures, and records are documented according to ISO requirements. Proper documentation is crucial for demonstrating compliance during the audits.

ISO Internal Audit

Conduct Internal Audits:

Perform internal audits to verify that the implemented changes meet ISO requirements. Internal audits are conducted by trained personnel within the organization and serve to identify any remaining non-conformities or areas for improvement.

Address Non-Conformities:

Resolve any issues identified during the internal audits. This may involve further adjustments to processes or additional training for employees.

Management Review

Review by Management:

Conduct a comprehensive management review to evaluate the effectiveness of the Quality Management System (QMS) and confirm that it aligns with both the organization's goals and the ISO requirements. This review requires the active participation of top management, so that leadership is engaged and accountable for the QMS.

During this review, a detailed assessment is conducted, involving several key components:

Audit Results:

Analyzing the findings from internal audits to identify any non-conformities, areas for improvement, and best practices that can be leveraged across the organization.

Customer Feedback:

Scrutinizing customer feedback, including complaints and satisfaction surveys, to gauge how well the QMS is meeting customer needs and expectations.

Overall System Performance:

Reviewing the overall performance of the QMS, including process efficiency, resource utilization, and adherence to defined quality objectives and key performance indicators (KPIs).

What is an ISO External Audit? (Certification Audit)

Stage 1 Audit (Pre-Audit):

An external auditor from a certification body conducts an initial review of your documentation and readiness for the certification audit. This stage identifies any major issues that need to be resolved before proceeding to the next stage.

Stage 2 Audit (Certification Audit):

The external auditor performs an on-site audit to verify that your QMS is effectively implemented and complies with the ISO standard. This includes reviewing records, observing processes, and interviewing employees.

Certification Decision

Receive Certification:

If the external audit is successful, the certification body issues an ISO certificate, confirming that your organization meets the requirements of the standard. The certificate is typically valid for three years, with surveillance audits conducted annually to ensure ongoing compliance.

Continual Improvement and Surveillance Audits

Maintain Compliance:

Continuously monitor and improve your QMS to maintain compliance with ISO standards. This involves regular internal audits, management reviews, employee training and awareness, document control, risk management, addressing any issues that arise, and continuous improvement.

Surveillance Audits:

The certification body conducts periodic surveillance audits (usually annually) to ensure that your organization continues to meet ISO requirements. These audits focus on critical areas and any changes made to the QMS.

By following these steps, organizations can achieve and maintain ISO certification, demonstrating their commitment to quality and continuous improvement.

Helpful Resources:

Episode 6 – ISO 9001 – The Internal Audit Process Podcast

The ISO 9001 Internal Audit Consultant podcast

In this episode, Suzanne Strausser, VP of Consulting and Development at Core Business Solutions, discusses the ins and outs of internal auditing. Suzanne covers the key aspects of internal auditing, including its purpose, the parties involved, findings, and the appropriate responses to them.

What is the Difference Between a Gap Analysis and an ISO Internal Audit?

A Gap Analysis and an ISO Internal Audit serve different purposes when it comes to quality management.

Gap Analysis VS. ISO Internal Audit

A gap analysis seeks to pinpoint missing components, whereas internal audits focus on maintaining the effectiveness of an established process like a quality management system.
A Gap Analysis identifies discrepancies between an organization’s current processes and the requirements of an ISO standard (e.g., ISO 9001), highlighting areas needing improvement to achieve certification. It focuses on uncovering gaps so the organization can align with the standard.

What is an ISO Internal Audit Checklist?

An ISO Internal Audit Checklist is a structured tool used during internal audits to ensure ongoing compliance with ISO standards requirements. It systematically verifies that the implemented processes adhere to the standard, ensuring continuous improvement and maintenance of quality management systems.

Both the gap analysis and the internal audit are necessary and valuable, especially when used appropriately.

What is an ISO Internal Audit?

An ISO Internal Audit is a systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.

Typically conducted by internal employees or by ISO consultants, the goal is to assess the effectiveness and compliance of the quality management system (QMS) with ISO standards. Internal audits help identify areas for improvement, ensure processes are being followed correctly, and verify that the organization consistently meets regulatory requirements and customer expectations.

By regularly conducting ISO internal audits, organizations can maintain continuous improvement, enhance operational efficiency, and prepare for external audits and certification.

What is a Gap Analysis of a Quality Management System?

Usually conducted before an internal audit, a gap analysis of a quality management system (QMS) is a comprehensive assessment that compares the current state of an organization’s QMS against the requirements of a specific standard, such as ISO 9001.

This process identifies discrepancies, or “gaps,” between existing practices and the standard’s requirements. The goal of a gap analysis is to pinpoint areas needing improvement, highlight non-compliant elements, and provide a roadmap for achieving full compliance. By understanding these gaps, organizations can develop targeted action plans to enhance their QMS, ensuring it meets regulatory standards, improves overall quality, and aligns with industry best practices.

What is the Difference Between an ISO Internal Audit and an ISO External Audit?

An ISO internal audit and an ISO external audit differ primarily in their execution and purpose within an organization’s quality management system (QMS). An ISO internal audit is conducted by the organization’s employees or an internal audit team, focusing on evaluating the effectiveness and compliance of internal processes with ISO standards. It aims to identify areas for improvement, ensure ongoing adherence to the standards, and prepare for external evaluations.

On the other hand, an ISO external audit is carried out by an independent certification body or external auditors. Its primary purpose is to provide an objective assessment of the organization’s compliance with ISO standards, ultimately determining whether the organization qualifies for ISO certification or recertification.

While internal audits are continuous and contribute to internal improvement and readiness, external audits are periodic evaluations that offer third-party validation (ISO certification) of the organization’s compliance and quality management practices.

What are the Different Types of ISO Internal Audits?

ISO internal audits, also known as ‘first-party audits,’ are conducted by an organization to assess its compliance with various requirements. These requirements can stem from international standards such as ISO 9001:2015, as well as specific customer or regulatory mandates. Internal audits play a crucial role in maintaining and improving the effectiveness of an organization’s quality management system (QMS).

Several common methods of internal auditing can be employed to determine compliance:

System Audits

System audits evaluate the overall effectiveness and alignment of the entire quality management system with ISO standards. This type of audit examines whether the organization’s QMS as a whole is functioning correctly and meeting the required standards.

Process Audits

Process audits focus on individual processes within the organization. They assess whether specific processes are operating as intended, efficiently, and in compliance with the standards. This type of audit helps in identifying inefficiencies and areas for improvement within operational processes.

Product Audits

Product audits involve the examination of specific products to ensure they meet defined quality requirements and standards. This type of audit verifies that the final products conform to customer specifications, regulatory requirements, and the organization’s quality criteria.

By utilizing these internal auditing methods, organizations can systematically ensure that their processes and products are compliant, identify opportunities for continuous improvement, and maintain high standards of quality and customer satisfaction.

What is an ISO Certification Audit?

An ISO certification audit is a comprehensive evaluation conducted by an accredited third-party certification body to determine whether an organization’s quality management system (QMS) meets the specific requirements of an ISO standard, such as ISO 9001.

This audit involves a thorough review of the organization’s documentation, processes, and practices to ensure compliance with the standard. The certification audit typically consists of two stages: the first stage involves a preliminary assessment of the organization’s preparedness, while the second stage is a detailed, on-site audit that verifies the implementation and effectiveness of the QMS.

Successful completion of an ISO certification audit results in the organization being awarded an ISO certificate, which serves as a testament to its commitment to quality, continuous improvement, and adherence to international standards. This certification enhances the organization’s credibility, customer trust, and competitive advantage in the marketplace.

What is the ISO Internal Audit Procedure?

The ISO internal audit procedure is a systematic process designed to evaluate the effectiveness and compliance of an organization’s quality management system (QMS) with ISO 9001 standards.

It typically involves five main steps:

Audit Planning

Audit planning involves defining the scope, criteria, and objectives of the audit, and selecting the audit team.

Audit Preparation

Audit preparation includes reviewing relevant documentation and developing an audit plan and checklists.

Audit Execution

Audit execution is the on-site phase where auditors collect evidence through interviews, observations, and review of documents and records.

Audit Reporting

Audit reporting involves compiling the findings into a report, highlighting non-conformities and opportunities for improvement.

Follow-up Action

Follow-up actions are taken to address any non-conformities identified, ensuring corrective actions are implemented and verified. This structured approach ensures a thorough evaluation of the QMS, fostering continuous improvement and alignment with ISO 9001 requirements.

Who Implements ISO Internal Audits?

ISO internal audits can be implemented by trained personnel within the organization who possess the necessary competence and impartiality to conduct thorough and unbiased evaluations. These auditors are typically employees who have received appropriate training in auditing principles and practices, ensuring they understand the ISO standards and the organization’s processes.

Internal audits can be carried out by members of the internal audit department or cross-functional teams that include employees from different departments to bring diverse perspectives to the audit process.

While internal auditors do not need to be certified, they must have a clear understanding of the ISO requirements, the ability to evaluate evidence objectively, and the capability to report findings accurately. This ensures that the internal audits are effective in identifying areas for improvement and ensuring compliance with the ISO standards.

How to Choose ISO Internal Auditors

Choosing ISO internal auditors requires careful consideration to ensure that the selected individuals are both competent and impartial. Auditors should possess a thorough understanding of the ISO standards relevant to the organization, as well as a solid grasp of the company’s processes and quality management system.

Ideal candidates are those who have undergone formal training in auditing principles and practices, and who have demonstrated analytical and observational skills. To maintain objectivity, auditors should not audit their own work or areas where they have direct responsibility. Instead, cross-functional teams from different departments can provide diverse perspectives and minimize bias.

It’s also beneficial to select individuals with strong communication skills, as they need to effectively interact with various stakeholders and clearly report their findings. By carefully selecting qualified and impartial auditors, organizations can ensure effective internal audits that drive continuous improvement and compliance with ISO standards.

What are the Key Principles of ISO Internal Auditing?

Internal auditing is founded on a set of principles designed to make the audit a reliable and effective tool for supporting your company’s management policies and objectives, while providing objective, actionable information to drive continuous improvement. Adherence to these principles ensures that audit conclusions are accurate, objective, and reliable, so that auditors working independently would reach similar conclusions under similar circumstances.

The key principles related to auditors include:

Ethical Conduct:

Auditors must uphold trust, integrity, confidentiality, and discretion throughout the auditing process.

Fair Presentation:

Audit findings, conclusions, and reports must truthfully and accurately reflect the audit activities, ensuring transparency and reliability.

Professional Care:

Auditors should perform their tasks with due care, reflecting the importance of their role in maintaining and improving the quality management system.

Independence:

Auditors should be independent of the activities they audit, ensuring objectivity and impartiality in their evaluations.

Evidence-Based Approach:

Audit conclusions should be based on verifiable evidence, derived from samples of available information, ensuring that findings are supported by concrete data.

By adhering to these principles, internal audits can effectively support management in maintaining compliance, enhancing performance, and fostering a culture of continuous improvement.


Achieving ISO 9001 certification is a comprehensive and structured process that involves several crucial steps: preparation and planning, conducting a gap analysis, implementing necessary changes, performing internal audits, and undergoing external audits. Each phase is essential in ensuring that an organization’s QMS is not only compliant with international standards but also effective in driving continuous improvement and operational excellence.

By adhering to these steps, organizations can secure ISO certification, thereby enhancing their credibility, customer trust, and market competitiveness. Ultimately, the ISO certification journey fosters a culture of quality and continuous improvement, benefiting the organization and its stakeholders in the long term.

Outsource Your Auditing Needs to Core

At Core Business Solutions, we’re passionate about helping small businesses succeed. We handle internal audits, gap assessments, and supplier audits so you can focus on your business. You don’t need to stop what you’re doing and become an auditor. Instead, you can outsource your internal and supplier audits to our industry-trained experts. We’ll guide you to certification with a focus on reduced risk, increased quality, and continuous improvement.

About Scott Dawson

Since 2010, Scott Dawson, President of Core Business Solutions, has been an active voting member of the U.S. Technical Advisory Group (TAG) to ISO Technical Committee 176 (TC 176). TAG 176 members meet to discuss and develop U.S. positions for Quality Management standards, including ISO 9001:2015, which will be revised in 2025.
