    ISO 9001 March 24, 2026 12 min read
    Chapter 6 of 9

    Internal Audits — Planning and Executing Your First Cycle

    If external audits (from registrars) are about proving your QMS works, internal audits are about making sure it actually does.

    An internal audit is a systematic, independent examination of your processes and documentation against the ISO 9001 standard and your own procedures. You're auditing yourself—before the registrar does.

    The organisations we work with that pass their certification audits cleanly are invariably those that have conducted rigorous internal audits beforehand. Those that skip internal audits or do them superficially tend to have surprises in the registrar audit.

    This chapter walks you through planning an internal audit program, training internal auditors, and executing your first audit cycle.

    Why Internal Audits Matter

    Internal audits serve multiple purposes:

    1. Compliance Verification

    Do your actual operations match your documented procedures? ISO 9001 requires that you verify this systematically.

    2. Learning and Improvement

    Internal audits reveal where things aren't working. That's an opportunity to fix them before they become customer problems.

    3. Audit Preparation

    When the registrar arrives, you've already audited yourself and fixed issues. You're confident.

    4. Culture Building

    Audits send a message: "We're serious about this. We check ourselves. We improve based on what we find."

    5. Continuous Improvement

    Year after year, audits reveal trends. You see what's improving and what's sliding. You adjust focus accordingly.

    Designing Your Internal Audit Program

    An audit program is your plan for what you'll audit, when, and who'll do it.

    Scope of Audits

    Most organisations audit against:

    • The ISO 9001 standard (all 10 clauses)
    • Your own procedures (do people follow what you documented?)
    • Regulatory requirements (if applicable)

    Audits typically focus on operational processes (production, quality, procurement) rather than administrative functions like HR or finance—unless those directly affect quality.

    For a manufacturing organisation, you might audit:

    • Order-to-delivery process
    • Supplier management
    • Production and quality control
    • Maintenance and calibration
    • Internal documentation and records
    • Non-conformance and corrective action

    Audit Frequency and Scheduling

    ISO 9001 requires internal audits at planned intervals. Industry practice:

    Small organisations (under 50 people):

    • Comprehensive audit once annually
    • OR focused audits of 2-3 areas each quarter
    • 20-40 audit hours per year

    Medium organisations (50-200 people):

    • Comprehensive audit twice annually
    • OR focused audits of all areas at least once per year
    • 40-80 audit hours per year

    Larger organisations (200+ people):

    • Rolling audit program (some areas audited quarterly, some semi-annually, some annually)
    • 80+ audit hours per year

    Sample Annual Audit Schedule (Small Operation):

    Q1: Audit Order Management and Production Planning

    Q2: Audit Production and Quality Control

    Q3: Audit Supplier Management and Receiving

    Q4: Audit Non-Conformance, Corrective Action, Records

    By year-end, you've audited all major processes.

    Building an Audit Team

    You need auditors—typically 2-3 for a small organisation.

    Auditor Qualifications:

    • Understanding of ISO 9001
    • Understanding of your business processes
    • Communication skills (ability to ask good questions, listen)
    • Impartiality (willingness to report findings even if they're uncomfortable)
    • Open mind (auditing to learn, not to blame)

    Training Internal Auditors:

    Your auditors should receive formal training in:

    • ISO 9001 standard overview
    • Audit principles and techniques
    • Asking effective questions
    • Documenting findings
    • Professional communication

    Options:

    1. External training course ($1,500-$3,000 per person, 16-24 hours, often includes certification)
    2. In-house training by an expert (your quality manager, external consultant, registrar)
    3. Registrar training (some registrars offer training to customers; check your registrar)

    We recommend at least one formal training course for your lead auditor. Other auditors can be trained internally by the lead auditor.

    Selecting Auditors

    Choose people who:

    • Are respected across the organisation
    • Have good attention to detail
    • Are trusted by their peers (when they report findings, people believe them)
    • Have time available (auditing takes 30-50 hours per year per auditor)
    • Bring different perspectives (one from operations, one from quality, one from management)

    Important: Auditors should audit processes they don't directly manage. A production manager auditing production is less impartial than someone from quality auditing production.

    Preparing for Your First Audit

    Before you conduct your first internal audit, you need an audit plan.

    Creating an Audit Plan

    An audit plan documents:

    1. Scope

    What processes and areas will you audit? Example:

    "This audit will examine the Order-to-Production process, including order entry, feasibility review, production planning, supplier material receipt, and production setup."

    2. Objectives

    What do you want to accomplish? Example:

    "Verify that customer orders are reviewed for feasibility before acceptance, production is planned according to customer requirements, suppliers deliver material meeting our specifications, and production is executed per procedure."

    3. Auditees (Process Owners)

    Who are you auditing? The operations manager, production supervisor, purchasing specialist, etc.

    4. Audit Criteria

    What will you measure against? Example:

    • ISO 9001:2015, Clauses 4.3, 8.1, 8.2, 8.4, 8.5
    • Our Feasibility Review Procedure
    • Our Production Planning Procedure
    • Our Supplier Management Procedure
    • Our Production Control Procedure

    5. Audit Date and Duration

    When will the audit occur? How long will it take? Example:

    "March 15-17, 2024. Estimated 16 audit hours (2 days on-site, 4 hours report writing)."

    6. Lead Auditor and Team

    Who's conducting the audit? Example:

    "Lead Auditor: Jane Doe (Quality Manager). Assistant: John Smith (Operations Support)."

    7. Preliminary Agenda

    What will happen when? Example:

    • Day 1, 9:00 AM: Opening meeting with process owners
    • Day 1, 9:30 AM: Document review (orders, procedures, records)
    • Day 1, 10:30 AM: Walk production floor, observe processes
    • Day 1, 2:00 PM: Interview staff
    • Day 2, 9:00 AM: Follow-up on specific areas
    • Day 2, 2:00 PM: Closing meeting with process owners
    • March 20: Draft report due
    • March 27: Final report with management response

    Creating an Audit Checklist

    An audit checklist guides the auditor and ensures nothing is missed.

    Sample Audit Checklist: Order-to-Production Process

    Scope: Order receipt through production start

    Audit Criteria:

    • ISO 9001:2015 Clauses 4.3 (Processes), 8.2 (Customer Requirements), 8.5 (Control of Operation)
    • Feasibility Review Procedure
    • Production Planning Procedure
    • Our Quality Policy

    Questions and Evidence to Gather:

    1. Order Entry and Understanding Requirements

    • Observation: Customer PO arrives. Is it logged? Is feasibility review process triggered?
    • Interview: Ask order-entry person: "What are the key items you check when an order arrives?"
    • Document Review: Review 5 recent orders. Do they show evidence of feasibility review (sign-off, notes, approval date)?
    • Interview: Ask production manager: "How do you know what to make? Where do you get the spec?"
    • Observation: Check if production floor has access to current drawings/specifications.
    • Question: "Have we ever accepted an order we couldn't fulfill? How did we handle that?"

    2. Communication to Production

    • Document Review: Review production schedule/work orders for 2-3 recent jobs. Do they include customer spec and delivery requirements?
    • Interview: Ask CNC operator: "For a typical job, what information do you get? Where do you get it? How do you know if something's wrong?"
    • Observation: Observe production setup. Do operators have spec available? Do they review it?

    3. Feasibility and Resource Planning

    • Document Review: Review 3 feasibility reviews. Do they address: capability (can we make this?), timeline (can we meet the deadline?), resources (do we have material, people, equipment?), cost?
    • Interview: "What criteria are used to approve/reject an order?" "Who has authority to approve?"
    • Question: "What would happen if we accepted an order but couldn't fulfill it? How would we handle it?"

    4. Documentation and Traceability

    • Document Review: Review order, planning documents, production records for a recent job. Can you trace the job from order through production?
    • Question: "If a customer called and said their part was defective, could you tell them exactly when it was made, who made it, and what inspection happened?"

    5. Changes and Adjustments

    • Interview: "What happens if a customer changes their order mid-way? Or if we discover a problem mid-production?"
    • Document Review: Look for a change request or modification record. Is it documented? Is it approved? Is it communicated to production?

    6. Quality and Acceptance

    • Question: "How do we know a job meets requirements before it ships?"
    • Observation: Are there clear acceptance criteria posted or documented?
    • Document Review: Review quality records for a recent job. Was there final inspection? Is there evidence?

    Conducting the Audit: Step-by-Step

    Step 1: Opening Meeting (Day 1, Start)

    • Auditor meets with process owner/manager
    • Explain the scope, objectives, and timeline
    • Ask permission to observe work, review documents, interview staff
    • Set closing meeting time
    • Answer questions
    • Duration: 15-30 minutes

    Step 2: Document Review

    • Review procedures, work instructions, forms
    • Review records (sample 5-10 recent jobs or transactions)
    • Look for evidence that the process is happening
    • Note what's documented, what's not, what's unclear
    • Duration: 2-4 hours

    Step 3: Observation

    • Walk the floor, observe work happening
    • Don't interrupt; observe people doing their normal work
    • Note: Are they following procedures? Where are they deviating?
    • Don't blame; note for follow-up questions
    • Duration: 2-4 hours

    Step 4: Interviews

    • Interview staff (operators, supervisors, inspectors) individually
    • Ask open-ended questions: "Walk me through how you do X"
    • Listen carefully
    • Ask follow-up questions to understand nuance
    • Thank them for their time
    • Duration: 1-2 hours

    Step 5: Analysis and Findings

    • Based on observations, interviews, and document review, assess compliance
    • Are operations matching procedures? Is the standard being met?
    • Identify findings:
        • Conformity: Evidence that a requirement is being met
        • Non-conformity: Evidence of a clear failure to meet a requirement (usually impacts product quality or compliance)
        • Observation: An area that could be improved but isn't currently non-compliant
    • Duration: 4-6 hours (may happen after the site visit, during report writing)

    Step 6: Closing Meeting (End of Audit)

    • Meet with process owner/manager
    • Summarize preliminary findings
    • Don't surprise them; they should have heard the key concerns during interviews
    • Thank them for their cooperation
    • Explain next steps (formal report, management response)
    • Duration: 30-45 minutes

    Step 7: Report Writing

    • Draft audit report (usually within 1 week)
    • Document all findings with objective evidence
    • Include observations and positive notes (not just problems)
    • Be professional and factual
    • No blame; no personalities; just facts
    • Duration: 4-8 hours

    Audit Report Format

    Internal Audit Report

    Report Title: Order-to-Production Process Audit

    Audit Date: March 15-17, 2024

    Audited Process/Area: Order Entry, Feasibility Review, Production Planning

    Lead Auditor: Jane Doe

    Process Owner: John Smith, Operations Manager

    Report Date: March 20, 2024

    Executive Summary:

    The Order-to-Production process is generally well-controlled. Orders are received, reviewed for feasibility, and production is planned and communicated. Process owner and team demonstrate good understanding of customer requirements. One non-conformance was identified regarding documentation of feasibility reviews. Several observations were noted for improvement.

    Findings:

    1. CONFORMITY: Order Entry and Logging

    Observation: Customer orders are consistently logged in the order management system within 1 day of receipt. POs are filed with specification documents. Evidence reviewed: 8 recent customer POs from Feb-Mar 2024; all logged and documented.

    2. NON-CONFORMANCE: Documentation of Feasibility Reviews

    Finding: ISO 9001:2015 Clause 8.2 requires that orders be reviewed for feasibility before acceptance. Our Feasibility Review Procedure requires documented review (approval, notes, date). Evidence: Review of 8 recent orders found only 5 had documented feasibility reviews. 3 orders had no documented feasibility review, though interviews suggest informal review occurred.

    Root Cause (preliminary): Process owner wasn't consistently filling out the form; believed verbal approval with supervisor was sufficient.

    Impact: No products delivered non-conforming to customer; however, lack of documentation means we can't prove conformance.

    Corrective Action Required: Establish a check that all orders receive documented feasibility review before production planning.

    3. OBSERVATION: Specification Availability on Production Floor

    Finding: During production floor observation, some specification documents were visible at work stations; others required staff to reference a folder. In one instance, an operator retrieved an outdated drawing from a file; supervisor caught it before use.

    Recommendation: Implement a system to ensure all drawings/specs on the production floor are current versions. Consider digital access to specifications or a controlled print system to eliminate manual file management.

    4. CONFORMITY: Production Scheduling and Communication

    Observation: Production schedules are created for each week, including customer delivery dates. Staff understand their scheduled jobs and associated deadlines. Interviews confirmed staff know "what to make and when to deliver." Evidence: Reviewed 5 recent production schedules; all included customer names, specifications, and delivery dates.

    5. OBSERVATION: Change Control

    Finding: During interviews, staff mentioned scenarios where customer changes occur mid-production. Process is handled informally (customer calls, supervisor adjusts). No documented change control process for customer-initiated changes. Current practice hasn't led to problems, but formalizing would reduce risk.

    Recommendation: Develop a simple Change Request form for customer changes. Document the change, the impact on timeline/cost, customer approval, and notification to production.

    Summary of Findings:

    • Conformities: 5
    • Non-Conformances: 1
    • Observations: 2

    Auditor Recommendation:

    The Order-to-Production process is mature and generally effective. The identified non-conformance regarding documentation is easily correctable. Implementing the observations would further strengthen the process.

    Process Owner Response:

    Process owner completes within 2 weeks

    1. Non-Conformance: Documented Feasibility Review
        • Action: Implement a checklist for order entry staff to ensure every order receives documented feasibility review
        • Responsible: Operations Manager
        • Target Date: April 15, 2024
        • Measure of Effectiveness: 100% of orders received after April 15 have documented feasibility review
    2. Observation: Specification Availability
        • Action: Print only current specifications; outdated versions will be marked "superseded" and archived
        • Responsible: Quality Manager
        • Target Date: April 1, 2024
    3. Observation: Change Control
        • Action: Develop Change Request form and procedure; train staff
        • Responsible: Operations Manager with Quality Manager support
        • Target Date: May 15, 2024

    Audit Schedules and Cycles

    After your first audit, keep auditing systematically.

    A Year of Audits (Small Organisation)

    Q1 (Jan-Mar): Order Management and Feasibility (as above)

    Q2 (Apr-Jun): Production Control, Quality Inspection

    Q3 (Jul-Sep): Supplier Management, Receiving

    Q4 (Oct-Dec): Non-Conformance, Corrective Action, Records

    Each audit is 20-30 hours of auditor time. By year-end, you've covered all major processes. You also have 4 sets of findings to drive improvement.

    Following Up on Findings

    Non-conformances and observations require corrective action:

    Timeline:

    • Auditor issues report: Day 5 after audit
    • Process owner submits response: Within 2 weeks (what action will you take? by when? how will you verify effectiveness?)
    • Corrective action deadline: Typically 30-60 days from audit
    • Auditor follows up: 2-4 weeks after deadline to verify action was taken and effective

    Example Follow-Up:

    Original Finding (March 20 audit):

    "Only 5 of 8 recent orders had documented feasibility reviews."

    Process Owner Response (April 5):

    "Action: We will implement a checklist for order entry. Before an order is scheduled for production, it must have a documented feasibility review (date, notes, approval signature) on file.

    Responsible: Operations Manager

    Target Date: April 15, 2024

    Verification: Monthly audit of new orders to confirm 100% have documented review."

    Auditor Follow-Up (May 15):

    • Auditor reviews orders received after April 15
    • All have documented feasibility review
    • Finding: Corrective action effective
    • Auditor closes the finding

    Audit Effectiveness: How You Know It's Working

    An effective internal audit program:

    1. Identifies real problems (not just trivial findings)
    2. Drives improvement (findings lead to corrective action, not just paperwork)
    3. Builds team engagement (staff see findings as learning opportunity)
    4. Prepares for external audit (registrar finds few surprises)
    5. Improves year-over-year (trends show fewer non-conformances over time)

    Track your audits:

    • Number of non-conformances per audit (should trend down)
    • Time to close corrective actions (should be consistent)
    • Effectiveness of corrective actions (are problems really fixed?)
    • Registrar audit findings (should be fewer than internal audit findings)

    Readying for the Registrar's Audit

    Your internal audit program is the dress rehearsal before the registrar's production show.

    Key Indicators You're Ready:

    1. ✓ You've completed at least one full audit cycle (all processes audited at least once)
    2. ✓ Non-conformances identified in internal audits have been corrected (you can demonstrate closure)
    3. ✓ Your team is familiar with procedures and can explain what they do
    4. ✓ Records are organized and retrievable
    5. ✓ You're confident that what the registrar finds will largely match what you've already found

    Red Flags You're Not Ready:

    • ✗ No internal audits conducted yet
    • ✗ Findings from audits haven't been corrected
    • ✗ Staff don't understand procedures
    • ✗ Records are scattered and hard to find
    • ✗ You find major non-conformances late in your readiness phase

    If you see red flags in the month before your Stage 1 audit, postpone the audit. Better to delay and be ready than to fail.

    Your Internal Audit Checklist

    By the end of this phase, you should have:

    • Internal audit program designed (scope, schedule, auditors)
    • Auditors trained in audit techniques and ISO 9001
    • Audit checklists developed for each major process
    • First audit cycle completed (at least one major process audited)
    • Audit report template created
    • Non-conformances identified in audits have been corrected
    • Audit follow-up process established
    • Audit records maintained
    • Team is familiar with audit process (not afraid; see value)

    Need help building your internal audit program?

    PinnacleQMS helps organisations design and execute internal audit programs that drive real improvement. We train auditors, conduct joint audits, and help you use findings to strengthen your QMS. Contact us to discuss your audit readiness.

    Next: Chapter 7: Management Review — Making It Count.
