Carrying out internal audits ISO 9001: checklist, process and templates for the QMB
ISO 9001:2015 Section 9.2 requires internal audits at scheduled intervals, with a documented program, qualified auditors and tracked actions. This checklist guides you through the program, plan, implementation, report and follow-up activities, with mandatory questions, templates and typical findings.
ISO 9001:2015 Section 9.2 requires that the organisation conducts internal audits at scheduled intervals to check whether the quality management system meets its own requirements, ISO requirements and planned regulations and is effectively implemented. A documented audit program is mandatory, objective and impartial auditors are mandatory, reporting to management is mandatory, corrective measures with effectiveness testing are mandatory.
This checklist accompanies the quality management representative through the five phases of an internal audit: program, plan, implementation, report, follow-up activities. It lists the mandatory questions, describes the templates and names the typical findings that certification auditors see during internal audits. The goal is an audit cycle that runs cleanly in two weeks for each area and does not become a weak point during external certification.
Key Takeaways
- The audit program must be planned over several years and must cover all processes, locations and shifts in a defined cycle.
- Audit questions are based on ISO 9001:2015 clauses 4 to 10, supplemented by process and risk-specific questions from the internal context.
- The audit report must classify findings by type (conformity, observation, deviation) and transfer them to the list of measures with a deadline and person responsible.
Audit program: multi-year planning with risk orientation
ISO 9001:2015 Clause 9.2.2 a) requires a documented audit program with frequency, methods, responsibilities and reporting. The frequency and depth of the audits depend on the importance of the processes, the results of previous audits and the changes in the organisation. This is not a call for egalitarianism, but rather for risk orientation: A process with a high volume of complaints, new employees or regulatory changes is audited more frequently and more deeply than an established standard process.
Typical program structure: Three-year program with annual updates, in which every process is audited at least once per cycle, critical processes more frequently. For each audit, the area, auditor, date, clauses and preparation time are recorded. The program planning takes place in the fourth quarter for the following year, together with management, coordinated with vacation planning and major projects. A common finding from external certification auditors: Program exists, but no risk orientation is evident because every process is audited the same number of times. Anyone who runs a risk-oriented program documents the justification for the audit frequencies, ideally with reference to KPIs, complaints or previous year's findings.
Audit plan: preparation and selection of auditors
Every individual audit requires a written audit plan. Mandatory content: Audit objective and scope, audit criteria (which ISO clauses, which internal procedures), date and duration, participants, planned process, auditor and co-auditor, reporting path. The plan is distributed to the audited area two to four weeks before the audit to allow preparation. Stealth is not a methodology of internal audits, the purpose is improvement, not surprise.
When selecting auditors, ISO 9001:2015 clause 9.2.2 c): Auditors must be selected so that objectivity and impartiality are maintained. This excludes self-auditing, i.e. an area may not be audited by people working there. In smaller organisations, this is solved through cross-auditing between areas or through external auditors. Qualification requirements are not explicitly standardised; in practice, ISO 9001 auditor training with proof, plus audit experience as a co-auditor before the first lead function, is proven. CIVAC provides qualified supplier and process auditors with documented qualifications for external audits if internal capacity is limited.
Audit checklist: Mandatory questions per ISO 9001 clause
The audit checklist is the operational heart. It lists the mandatory questions for each clause, plus process- and risk-specific additions. Excerpt for the central clauses. Clause 4 Context: Are interested parties identified? Are requirements documented? Has the scope of application been justified? Clause 5 Leadership: Commitment of top management, quality policy, roles and responsibilities, appointment of the QMB. Clause 6 Planning: risks and opportunities, quality objectives, action plans. Clause 7 Support: resources, competence, awareness, communication, documented information.
Clause 8 Operations: planning and control, customer-related processes, development, external provision, production and service provision, release, incorrect results. Clause 9 Assessment: Monitoring, customer satisfaction, internal audits, management review. Clause 10 Improvement: Corrective Action, Continuous Improvement. The evidence to be checked is specified for each question: which document, which recording, which interview. A good checklist contains not just yes/no questions, but open-ended questions that provoke justifications and examples. Template recommendation: 30 to 60 questions per audit, tailored to the area, with reference to specific procedural instructions.
Implementation: opening, questioning, observation, conclusion
The audit begins with an opening meeting to confirm the purpose, scope, methodology and schedule. The auditor, auditee and department manager are present. Data is then collected using three methods: interviewing employees, observing activities and checking documents and records. The methodology mixes open questions with concrete samples. Example: "Please show me the incoming goods inspection of the last batch XY and explain to me how you check the specification against the delivery."
Findings are noted during the audit, classified and made transparent to the auditee. Classification: Conformity (everything is fine), Room for Improvement (Observation), Deviation (non-conformity, minor or major). The auditor collects evidence, not opinions. A deviation must be proven by reference to a clause and a concrete observation, otherwise it cannot be maintained in the final discussion. The audit ends with a final meeting in which the findings are presented and the classification and deadline for corrective measures are agreed upon. The report will follow in writing within one to two weeks. Audit proof, documented, ISO 9001:2015 proof.
Audit report: structure and mandatory content
The audit report is the documented information according to ISO 9001:2015 clause 9.2.2 e). Mandatory content: Identification of the audit (date, area, auditor), audit criteria, method, participants, findings according to classification, corrective measures with responsible person and deadline, assessment of the effectiveness of the audited area, distribution list. The length varies depending on the area, typically four to twelve pages.
Common weakness in practice: Reports describe activities instead of documenting findings. A good audit report is concrete. "When checking five supplier releases from 2025, the documented incoming goods inspection according to procedure instruction VA-04 was missing in three cases, which represents a deviation from clause 8.4.2." This is usable because it contains the sample size, findings, clause reference and approach to the measures. “Incoming goods have been discussed, there are some gaps” is not it. The list of measures is coordinated with the person being audited because deadlines must be realistic. With the CIVAC compliance platform and Officer-as-a-Service, 490 audit templates are available, including audit plan, checklist template for ISO 9001:2015 with clause reference, report template and action list with follow-up. Others run compliance like a filing cabinet. We run it like software.
Corrective actions and effectiveness testing
A deviation alone does not produce an improvement. ISO 9001:2015 Clause 10.2 requires root cause analysis, corrective action and effectiveness testing. The following process works well in practice. First, emergency action to mitigate the immediate impact if necessary. Second: root cause analysis using an appropriate method (5-Why, Ishikawa, fault tree), not just symptom treatment. Third: corrective action with responsible person, deadline and defined result. Fourth: Implementation with evidence. Fifth: effectiveness test after a defined period of time, often three to six months after implementation.
The most common finding by external certification auditors during internal audits: corrective measures were implemented, but the effectiveness test is missing or was only carried out formally. Effectiveness testing means: We check again whether the cause has been eliminated and the finding does not recur. This presupposes that the measure was formulated in a measurable way. “Training carried out” is not an effective measure, “random testing of ten processes three months after training with a rate of correctly carried out incoming goods inspections over 95 percent” is. The list of measures must reflect this full cycle, otherwise recurring findings will arise that external auditors consider to be a systemic weakness.
Management assessment and audit program review
ISO 9001:2015 Clause 9.3 requires a management review at planned intervals, incorporating the results of internal audits. The evaluation is more than a status report: it is the management decision about the QMS. Inputs (clause 9.3.2): status of previous management reviews, external and internal issues, customer satisfaction, target achievement, process performance, audit results, supplier performance, resources, risks and opportunities, opportunities for improvement.
Results (clause 9.3.3): decisions on improvement measures, adjustments to the QMS, resource requirements. Common Findings: Management review occurs annually, formally covers the required inputs, but does not contain any identifiable decisions. A strong evaluation contains three to seven resolutions with a deadline, responsible person and success criterion. The audit program is reviewed as part of the management review and adjusted for the following year. Licence the workspace for your internal representatives, or have our representatives order it. CIVAC provides a management assessment template with inputs, list of results and links to audit and risk inventory.
Typical findings of external certification audits for internal audits
With external ISO 9001 certification, the certifier checks the internal audits intensively because they are the central self-control of the QMS. Five recurring findings. First: Audit program exists, but risk orientation is not evident. Second, auditor independence is violated because people audit their own processes. Third: Audit report too general, no specific findings with reference to clauses and documents. Fourth: Measures implemented, but effectiveness testing is missing. Fifth: Audit findings are not included in the management review because the interface is not established.
The countermeasures are of an organisational nature. The audit program is provided with risk justification. Auditors are selected from other areas or appointed externally. The checklists are structured based on clauses, and reports contain samples of data. Measures are provided with measurable results and effectiveness testing. The management review addresses audit results in a fixed manner. Anyone who manages these five building blocks in a platform with audit templates, resubmissions and versioning will survive external certification without any major deviations. The auditor calls, the evidence is ready.
Turn reading into an assignment
If your audit program lives in an Excel file without any risk justification, if reports remain general and effectiveness tests are canceled, the need for action is known. Before the next external certification, it is worth making the leap from index cards to structured audit workflows, because otherwise the main deviations regularly arise in the internal audit process itself.
CIVAC provides the compliance platform and Officer-as-a-Service: Workspace with audit program, audit plan, checklists according to ISO 9001:2015, report template, list of measures and effectiveness check, EU data residence, ISO 27001:2022 ISMS. Optionally with your internal QMB or with our appointed quality management representative and external auditors. Turn reading into a mandate.: Write to info@civac.de or book a 20-minute audit check using the contact form. You will receive an assessment of your current audit program and a suggestion for optimization within two working days.
FAQ
How often do internal audits need to be carried out?
ISO 9001:2015 does not specify a fixed frequency, but requires planned intervals based on the importance of the processes, previous results and changes. A three-year full cycle with annual audits in critical areas is usual. Before external certifications, an additional internal audit is often carried out as preparation.
Who is allowed to carry out internal audits?
Auditors must be objective and impartial. You are not allowed to audit your own work area. In practice, internal auditors qualify as co-auditors through ISO 9001 auditor training with evidence and experience. If internal capacity is limited, an external auditor can carry out the audit, for example via an external quality management representative.
How does an internal audit differ from a certification audit?
The internal audit is the organisation's self-control, the certification audit is an examination by an accredited certification body. Methodologically, both are similar, but the internal audit also has the task of identifying potential for improvement. The certification audit checks conformity and decides on the certificate.
What needs to be in an audit checklist?
A good checklist contains mandatory questions per ISO clause and process- and risk-specific additions. For each question, the evidence to be checked is named, such as a specific document or a recording. Open-ended questions are better than pure yes/no questions because they provoke examples and justifications. 30 to 60 questions per audit are usually sufficient.
How do you deal with a serious deviation?
Serious deviations require an immediate containment measure, a documented root cause analysis, a corrective action with a person responsible and a deadline, implementation with evidence and an effectiveness test after three to six months. If it impacts customers, the information provided to customers is checked and, if necessary, a complaint analysis is initiated.
How long must audit reports be retained?
ISO 9001:2015 requires documented information as evidence of audit results without a fixed minimum interval. Retention is usual for at least a full certification cycle of three years, often longer. Tax and contractual retention requirements may require longer periods, such as ten years in regulated industries.
Sounds like a lot of work?
Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.
Turn this into a mandate.
Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.