Chapter 24: Building a Risk-Based Audit Schedule for a 50–500 Person Plant
The standard says you must conduct internal audits, but doesn't prescribe frequency. This is where most plants default to either "one big annual audit" or "monthly audits of everything." Both approaches miss the mark.
A risk-based audit schedule starts with the principle that not all processes deserve equal audit attention in a given year. Your scheduling should account for:
- Process criticality to customer satisfaction. If a process directly affects product that ships to customers, it needs more frequent audits than a support process. Your design control process (if you do custom work) should be audited more often than your document control process, even though both matter.
- History of nonconformances. If a particular process has generated corrective actions in the past two years, it belongs on the more frequent audit list. This isn't punishment—it's risk management. A process that's had findings has demonstrated a control gap.
- Rate of operational change. Processes that change frequently—because of new equipment, staff turnover, or updated customer requirements—need more regular verification that controls are still effective. A process that's been stable for three years can often go longer between audits.
- Regulatory exposure. If you operate in a sector with heavy regulatory oversight (food contact surfaces, medical device suppliers, aerospace), certain processes may face external audit scrutiny that justifies higher internal audit frequency.
Here's a practical framework for a plant with 50–500 people and a mixed manufacturing operation:
| **Process Category** | **Risk Level** | **Audit Frequency** | **Duration** | **Annual Audits** |
|---|---|---|---|---|
| Customer-facing core processes (assembly, finishing, testing) | High | Quarterly | 6–8 hours | 4 |
| Design control, process validation | High | Semi-annual | 4–6 hours | 2 |
| Supply chain management, incoming inspection | Medium-High | Quarterly or semi-annual | 4–6 hours | 2–4 |
| Production planning, scheduling, material handling | Medium | Semi-annual | 3–4 hours | 2 |
| Document control, records management | Medium | Annual | 2–3 hours | 1 |
| Management review, internal communication | Medium | Annual | 2–3 hours | 1 |
| Calibration, maintenance of equipment | Medium | Semi-annual | 3–4 hours | 2 |
| Training, competence | Low-Medium | Annual | 2–3 hours | 1 |
This structure assumes you have at least two trained internal auditors and that audits are scheduled during normal operating hours (not squeezed in on nights or compressed into marathon sessions). For a 200-person plant, this schedule yields roughly 15–18 audits per year, spread across the calendar. No single month is overwhelmed.
Pro Tip: The audit schedule is not carved in stone. Review it every January during management review. If a particular process has had three nonconformances in the past year, consider moving it to quarterly. If another has been stable for 18 months with zero findings, you might stretch it to 18-month intervals. The schedule should adapt to your actual risk profile.
Chapter 23: Why Most Internal Audit Programs Fail: The Three Root Causes
Internal audits are a mandatory requirement under ISO 9001 Clause 9.2, but the standard leaves the design largely in your hands. That flexibility is both a gift
Chapter 25: Training Effective Internal Auditors From Your Existing Team
You have two paths to building internal audit capability: send people to an external ISO 9001 lead auditor course (typically 40–60 hours over 5 days), or develo
Request a Consultation
Fill in your details and we'll get back to you.
