Tuesday, 16 July 2019

Conducting Internal Audits for ISO 9001:2015

I recently received an email from a newly trained lead auditor asking for advice on conducting an internal audit. He was totally focused on a massive and detailed checklist for identifying gaps with ISO 9001:2015. When one receives ISO 9001:2015 lead auditor training, they generally teach you how to do Third Party audits - and little else. Therefore, it is a common but understandable mistake for newly trained lead auditors to conduct internal audits as if they were conducting a certification or surveillance audit by a 3rd party auditor. I know, because I did it myself for a while. So, here is a handful of important considerations to make your first internal audit less daunting. Or, if you have been treating your internal audits as mini certification audits then there is something here for you too.

The Quality Management System (QMS)

If your organization is, indeed, ISO 9001 certified, then an accredited auditor has certified that your QMS is ISO 9001:2015 conformant. You do NOT have to do that all over again. What you have to do now is verify - from evidence - that the people in your organization are executing on the procedures and processes that are laid out in your Quality Management System (QMS). It should go without saying that you need to be familiar with your organization's QMS, and the roles and responsibilities defined in its processes.

Internal Audit Process

First off, your QMS should have procedures and processes covering internal audits. You need to conduct your internal audits in conformity with them. If those procedures/processes are deficient, then you should write up an appropriate finding. The audit process as laid out in your QMS should include something about having a schedule of internal audits. A good practice is to have an internal audit every quarter of the year, where each audit covers at least a quarter or more of the QMS. Your internal audit should follow a plan that you, the lead auditor, have drawn up based on the scheduled content of internal audits. This plan is reviewed and approved by top management in the organization before the opening meeting of your internal audit.

Corrective Action (CA)

An important item to be audited in each audit is to follow up on corrective actions for nonconformities (NCs) found in the previous audit. Your QMS should have one or more processes defined for the handling of corrective actions. Is your organization following that process? NCs from previous audits, especially 3rd Party audits, are the most important corrective actions to follow up on, but a sample of other NCs should be reviewed as well, especially those originating from customer complaints.

Sampling

You cannot audit every single operational thing that an organization does. Have a system of sampling. This could be random sampling where, for example, you throw dice for your starting point and then take every Nth instance to ensure a certain percentage coverage; or risk based, where you focus on items that are safety related or that suggest financial risk if not performed satisfactorily. For random sampling I like to use Random.Org.
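The two sampling approaches described above, worked through in code. This is an added example, not the author's own tool: it assumes a constructed population of work orders, derives the interval N from the target coverage percentage, uses a random start in place of the dice throw, and always pulls in the safety-related and financial-risk items before sampling the rest.

```python
import random
from dataclasses import dataclass


@dataclass
class Record:
    """One auditable instance (an order, a training file, a work order)."""
    ident: str
    safety_related: bool = False
    financial_risk: bool = False


def interval_for_coverage(coverage_pct: float) -> int:
    """Taking every Nth instance gives roughly 100/N percent coverage,
    so the interval for a target coverage is N = floor(100 / coverage)."""
    if not 0 < coverage_pct <= 100:
        raise ValueError("coverage must be in (0, 100]")
    return max(1, int(100 // coverage_pct))


def systematic_sample(records, coverage_pct, start=None, rng=None):
    """Random start (the 'dice throw'), then every Nth instance."""
    n = interval_for_coverage(coverage_pct)
    if start is None:
        start = (rng or random.Random()).randrange(n)
    if not 0 <= start < n:
        raise ValueError(f"start must be in [0, {n})")
    return records[start::n]


def risk_based_sample(records, coverage_pct, start=None, rng=None):
    """Always include safety-related and financial-risk items, then sample
    the remaining ordinary items systematically so coverage is still met."""
    flagged = [r for r in records if r.safety_related or r.financial_risk]
    ordinary = [r for r in records if not (r.safety_related or r.financial_risk)]
    return flagged + systematic_sample(ordinary, coverage_pct, start, rng)


# Constructed population: 20 work orders, two safety related, one with financial risk.
POPULATION = [Record(f"WO-{i:03d}") for i in range(1, 21)]
POPULATION[2].safety_related = True
POPULATION[7].safety_related = True
POPULATION[14].financial_risk = True

if __name__ == "__main__":
    rng = random.Random(2019)  # fixed seed so the audit plan is reproducible
    for r in systematic_sample(POPULATION, 25, rng=rng):
        print("random sample:", r.ident)
    for r in risk_based_sample(POPULATION, 25, rng=rng):
        print("risk-based sample:", r.ident)
```

Record the seed or starting point in the audit plan, so that someone following in your footsteps can regenerate the same sample.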

Nonconformities (NCs)

When you think you have found a nonconformity (NC), be very clear in your own mind what the requirement is in terms of your QMS process. If the QMS states "Document the customer's training needs in such-and-such a file in the customer's folder" and this is simply being held in someone's emails instead, then write up your finding clearly showing where the requirement can be found in the QMS, chapter and verse. Somebody following in your footsteps should be able to locate the same evidence that you used, reproduce your findings and, from the evidence, come to the same conclusion as you did. As far as possible, without being argumentative, the manager or lead responsible for the process should be in agreement that the requirement has not been met.

Auditor Independence

Remember, an important rule of auditing is that an auditor may not audit their own work. If you are the Sales Manager in the organization, or in charge of Quality Control, then you may not audit those departments if you have performed or signed off on any of the work that is being audited. This means that you will need to train one or more other people in your organization to be part of an audit team which you would lead. They do not need to have Third Party Lead Auditor training; they do need some introductory training in the requirements of the ISO 9001 standard and familiarity with the QMS. To preserve their freedom to audit without fear of repercussion, they should not be in your reporting structure. Even if you are well respected, there should be no perception of a conflict of interest. When you move on, your replacement in the organization may not be such a nice person as you. In the meantime, while you are the only auditor, you can begin auditing other parts of the organization. For all the same reasons, it is not a good idea for you to interview personnel who report directly to you.

The Audit Report

Look for the positive - where people are doing a good job, and where the QMS is working well for the organization. Make sure that this comes out in the beginning of your audit report. Very importantly, remember that we AUDIT THE SYSTEM, NOT THE PEOPLE. If there is an NC it is because the system has allowed it to happen. Ensure that people associated with an NC are given an opportunity to explain why it might not be an NC, or that they agree that it is, indeed, a nonconformity. They will, in all likelihood, be involved in the corrective action and so the organization needs them to be on board during root cause analysis.

Have you watched my video, A Common Mistake in ISO training?
Nothing else that I can tell you is more important than what I say there!

- W. Edwards Deming quoting Arthur Jones.