ISO Internal Audits: A Practical Guide
What an ISO internal audit is, why it is mandatory, how to run one effectively, and how it helps you find and fix problems before the certification auditor does.
The internal audit is one of the most powerful tools in any ISO management system, and also one of the most commonly mishandled. Done well, it finds and fixes problems before they cost you, and it makes the certification audit almost a formality. Done as a token exercise, it is a frequent cause of delayed certification and a missed opportunity for genuine improvement. Yet many businesses approach it with dread or confusion. This guide explains what an internal audit really is, why every ISO standard requires it, and how to run one that actually adds value.
In short: an internal audit is your own structured check that your management system is working as intended and meeting the requirements of the standard. It is mandatory in every ISO management system standard, it is conducted by your own people or someone acting on your behalf, and its real purpose is to catch issues early so you can fix them, not to assign blame.
What an internal audit actually is
An internal audit is a planned, objective examination of part or all of your management system, comparing what you actually do against what the standard requires and what your own system says you do. It looks for evidence, examining records, observing work and interviewing the people who do it, to confirm the system is both in place and effective. It is sometimes called a first-party audit, because you are auditing yourself, as distinct from the certification body's third-party audit.
Crucially, an internal audit is not a witch hunt. Its purpose is improvement, not punishment. The findings belong to the organisation, and the point is to surface problems while they are still cheap and easy to fix, long before they reach a customer, a regulator or the certification auditor. A culture where people fear internal audits produces hidden problems; a culture where they welcome them produces a genuinely improving business.
Why it is mandatory
Every ISO management system standard, under clause 9 on performance evaluation, requires internal audits. The reason is simple: a management system that is never checked from the inside drifts. Processes that looked good on paper quietly stop being followed, records lapse, and small problems accumulate. The internal audit is the mechanism that keeps the system honest between certification audits. It is also, along with management review, one of the elements certification auditors check most closely, and a missing or token internal audit is a common reason certification is delayed.
How to run an effective internal audit
Plan
Establish an audit programme that covers the whole system over time, and plan each audit with a clear scope and objective. Audits should be scheduled so that, across a cycle, every part of the system and every requirement of the standard is examined. Risk and past performance can guide where to focus more attention.
Ensure auditor independence
Auditors must be objective and should not audit their own work. In a small business this can be a challenge, which is why many bring in an external person to conduct internal audits on their behalf, a perfectly legitimate approach that preserves independence and brings fresh eyes.
Prepare
Before the audit, review the relevant processes, the standard's requirements and previous findings, and prepare an audit checklist or plan. Good preparation is what separates a searching audit from a superficial one.
Conduct
During the audit, gather objective evidence by examining records, observing how work is actually done, and interviewing the people involved. Follow the evidence rather than assumptions, and look for whether the system is both followed and effective, not just whether documents exist.
Report
Document what you found, including conformities, nonconformities and opportunities for improvement. Findings should be factual, specific and tied to evidence, so that anyone reading them understands exactly what was observed and against which requirement.
Act and follow up
For each nonconformity, the relevant area takes corrective action to address the cause, and the auditor or system owner verifies that the action was effective before closing the finding. Open findings that are never closed undermine the whole exercise.
Internal audit and management review work together
Internal audit feeds management review, the other mandatory check, where top management formally examines how the system is performing. The audit findings, along with performance data, customer feedback and the status of corrective actions, give leadership the information they need to make decisions and commit resources. Together, internal audit and management review form the loop that turns an ISO system from a static set of documents into something that actually improves.
Common mistakes to avoid
- Treating it as a tick-box exercise just before the certification audit, rather than a genuine ongoing check.
- Auditors checking their own work, which destroys objectivity.
- Vague findings that no one can act on, instead of specific, evidence-based observations.
- Findings that are never closed, leaving the same problems to recur.
- A blame culture that drives problems underground rather than surfacing them.
How ISO Accreditation can help
We help Australian businesses run internal audits that genuinely improve their systems, and we can conduct independent internal audits on your behalf where you lack in-house objectivity, which is common in smaller teams. We coach your people, build practical audit programmes and make sure your internal audits and management reviews are ready well before the certification auditor arrives. Book a free consultation to discuss your system.
Frequently asked questions
Is an internal audit mandatory for ISO certification?
Yes. Every ISO management system standard requires internal audits under clause 9, and a missing or token internal audit is a common reason certification is delayed.
Who can conduct an internal audit?
Your own people can, provided they are objective and do not audit their own work. Many smaller businesses engage an external person to conduct internal audits on their behalf to preserve independence.
What is the difference between an internal audit and a certification audit?
An internal audit is your own first-party check of your system. A certification audit is conducted by an independent third-party certification body. The internal audit helps you prepare for and pass the certification audit.
How often should internal audits happen?
Across an audit programme, every part of the system and every requirement of the standard should be covered over time. Many businesses audit throughout the year rather than in one large annual exercise.
What happens to internal audit findings?
Nonconformities lead to corrective action to address the cause, which is then verified as effective before the finding is closed. Findings also feed management review.