Internal Audit Guide

ISO 9001 Internal Audit Playbook

How to plan, execute, and report ISO 9001:2015 internal audits — from audit program design through CAPA closure and management review. Written for auditors, quality managers, and MRs.

In This Guide

1. Planning Your Audit Program
2. Audit Preparation
3. Conducting the Audit
4. Finding Classification
5. Writing Findings
6. CAPA Workflow
7. Management Review Integration

Planning Your Audit Program

Clause 9.2

An audit program is not a single audit — it is the plan for all audits over a defined period. Clause 9.2 requires you to plan, establish, implement, and maintain an audit program that considers the importance of processes, changes affecting the organization, and results of previous audits.

Frequency

ISO 9001 does not prescribe a specific frequency. Most organizations default to annual coverage of all clauses, but a risk-based approach is more effective:

Higher frequency for processes with recent nonconformities, customer complaints, regulatory changes, or high-risk operations
Standard frequency (annual) for stable, low-risk processes with no recent issues
Reduced frequency is defensible for processes with consistently strong performance — but never skip a clause entirely

Scope

Each audit in the program should define what is being audited:

Process-based: Audit a complete process (e.g., purchasing, production) across all applicable clauses
Clause-based: Audit specific clauses (e.g., 7.5 + 7.2) across all departments
Department-based: Audit a specific department against all applicable requirements

Process-based auditing is generally more effective because it follows the work flow and reveals interaction issues between processes.

Sampling

You cannot audit every record and every transaction. Define your sampling approach: how many purchase orders to review, how many training records to check, how many work instructions to verify. A common approach is the square root of the population — if there are 100 purchase orders, review 10.

In Svend: The audit scheduler lets you create audit programs with ISO clause mapping and department scoping. Schedule audits by date, assign lead auditors, and track completion rates across the program.

Audit Preparation

Preparation determines whether your audit produces meaningful findings or becomes a checkbox exercise.

Review Background Information

Previous audit reports and open corrective actions for the area
Relevant procedures, work instructions, and process maps
Recent nonconformity reports, customer complaints, and performance data
Any changes to processes, personnel, or equipment since the last audit

Prepare Your Checklist

A good checklist is a working tool, not a script. It should contain evidence-based questions that prompt the auditee to show you records, walk you through processes, and demonstrate conformity. Questions like “Show me the calibration records for this instrument” are more effective than “Do you calibrate your instruments?”

Auditor Independence

Clause 9.2 requires auditors to be objective and impartial. You cannot audit your own work. In small organizations where everyone wears multiple hats, this may mean cross-department auditing or using external auditors for specific areas.

Free tool: Use the ISO 9001 Audit Checklist Generator to build clause-specific checklists with evidence-based questions. Select the clauses in scope and print your working checklist.

Conducting the Audit

Opening Meeting

Brief — 5 to 10 minutes. Confirm the scope, explain the process, set expectations. Make it clear that the audit is evaluating the system, not the people. The goal is to identify improvement opportunities, not to assign blame.

Evidence Gathering

Three sources of audit evidence:

Document review: Procedures, work instructions, records, forms, logs. Do they exist? Are they current? Are they being followed?
Observation: Watch processes being performed. Does actual practice match documented procedure?
Interviews: Talk to the people doing the work. Are they aware of the quality policy? Do they know their procedures? Can they explain what to do when something goes wrong?

Interview Techniques

Use open questions: “Walk me through how you handle a nonconforming product.”
Follow the audit trail: start with a record and trace it backward to its origin, or forward to its completion
Avoid leading questions: “You do calibrate these instruments, don’t you?” tells the auditee what answer you expect
Ask “show me” rather than “tell me” — always verify with objective evidence

Closing Meeting

Present preliminary findings. Be specific about what you observed, what requirement it relates to, and whether it is a nonconformity. Give the auditee an opportunity to provide additional evidence or clarification before the finding is formalized.

In Svend: Every QMS record has a full audit trail — every field edit and status transition logged with timestamp, user, old value, and new value. Auditors can trace exactly who changed what and when across NCRs, documents, suppliers, training records, and audit records.

Finding Classification

Every finding must be classified based on severity and systemic impact. Getting this right matters — it determines the corrective action urgency and resource allocation.

Major Nonconformity Systematic failure or complete absence of a required QMS element. Affects the system’s ability to achieve intended outcomes. Requires immediate containment and root cause analysis.

Minor Nonconformity Isolated lapse where the system intent is evident but execution failed in a specific instance. Still requires corrective action, but with less urgency than a major.

Observation Conforming, but a weakness that could become a nonconformity if not addressed. Documented for awareness — corrective action is recommended but not mandatory.

Opportunity for Improvement Beyond compliance. A suggestion for enhancement that goes beyond what the standard requires. Positive feedback that encourages continual improvement.

Classification Decision Factors

Frequency: Is this an isolated instance or a pattern? Multiple minor NCs in the same clause area may indicate a systemic issue (major).
Impact: Could this nonconformity result in nonconforming product reaching the customer?
Intent: Does the system demonstrate intent to meet the requirement, even if execution was imperfect? (Minor) Or is the requirement completely unaddressed? (Major)
Previous findings: Has this same issue been raised in previous audits? Repeat findings escalate in severity.

In Svend: Audit findings are recorded as observation, NC minor, NC major, or opportunity for improvement. Major and minor nonconformities auto-cascade into NCR records with severity classification and ISO clause reference carried over — no manual re-entry.

Writing Findings

A well-written finding is objective, evidence-based, and traceable. It should contain three elements:

1. Requirement

Cite the specific clause, procedure, or work instruction that establishes the requirement.

2. Objective Evidence

Describe exactly what you observed, reviewed, or were told. Include specifics: document numbers, dates, names, quantities.

3. Classification

State whether this is a major NC, minor NC, observation, or OFI, and briefly explain why.

Example Finding

Requirement

Clause 7.1.5 requires monitoring and measuring resources to be calibrated or verified at specified intervals. Procedure QP-CAL-001 requires annual calibration of all torque wrenches.

Objective Evidence

Torque wrench TW-042 (S/N 28491) was found in the production area with a calibration due date of 2025-09-15. No calibration has been performed since that date. The instrument was actively in use at station 4 during the audit.

Classification

Minor Nonconformity — isolated instance. Two other torque wrenches at the same station were within calibration. System intent is evident (calibration schedule exists, labels applied), but this specific instrument was missed.

Common Mistakes

Vague findings: “Training is not adequate” — compared to what requirement? What specific evidence?
Blame language: “Operator failed to follow procedure” — the audit evaluates the system, not the person
Recommendations disguised as findings: “Should implement a barcode system” — auditors report facts, not solutions
Missing requirement linkage: Every finding must trace to a clause, procedure, or documented requirement

CAPA Workflow

Clause 10.2

Nonconformity findings from audits require corrective action per clause 10.2. The CAPA process ensures that root causes are identified and eliminated, not just symptoms.

Containment Immediate action

→

Root Cause 5 Whys / Fishbone

→

Corrective Action Eliminate root cause

→

Implementation Execute the change

→

Verification Confirm effectiveness

Containment

The immediate response to stop the nonconformity from continuing or getting worse. For the torque wrench example: remove the out-of-calibration instrument from service, quarantine any product verified with it, and check other instruments at the same station.

Root Cause Analysis

Determine why the nonconformity occurred, not just what happened. Common methods: 5 Whys (for simple, single-cause issues), fishbone/Ishikawa diagram (for multi-factor issues), or fault tree analysis (for complex failure chains). The root cause should be specific and actionable — “human error” is never an acceptable root cause.

Corrective Action

Address the root cause, not the symptom. If the root cause is “no automated reminder for calibration due dates,” the corrective action is implementing automated alerts — not “recalibrate the wrench.”

Effectiveness Verification

Verify that the corrective action actually worked. This means checking, after a reasonable period, that the nonconformity has not recurred. Verification is not “the corrective action was implemented” — it is “the corrective action prevented recurrence.”

In Svend: NCRs follow a 5-state workflow: open → investigation → CAPA → verification → closed. Linked CAPAs add a 6-state lifecycle with containment. You cannot skip steps or close without verification. Synara AI reviews your root cause analysis and flags blame framing, circular logic, and premature stops.

Management Review Integration

Clause 9.3

Clause 9.3.2 requires audit results as a mandatory input to management review. This is where audit findings drive strategic decisions about the QMS.

What Audit Data to Present

Audit Completion How many planned audits were completed vs. scheduled? Any deferred or cancelled?

Findings Summary Total findings by type: major NCs, minor NCs, observations, OFIs. Comparison to prior period.

Clause Hotspots Which clauses have the most findings? Are certain areas repeatedly problematic?

CAPA Status Open corrective actions, overdue items, average time to closure, effectiveness verification rates.

Repeat Findings Issues raised in previous audits that have recurred. These indicate corrective action failures.

Systemic Observations Patterns the auditor noticed that may not be individual findings but suggest system-level trends.

Management Review Outputs

Based on audit data, management review should produce decisions about:

Resource allocation for areas with persistent quality issues
QMS scope changes if processes are being added, removed, or restructured
Improvement priorities based on the risk profile revealed by audit findings
Training needs identified through competence-related findings
Supplier management actions for externally-provided process findings

In Svend: Management review auto-captures a QMS snapshot — NCR statistics, audit completion rates, training compliance, and supplier performance data are compiled automatically. No manual data gathering. Action items from the review are tracked to completion.

Automate Your ISO 9001 Audit Program

Audit scheduling, finding classification, auto-NCR cascade, CAPA tracking, and management review snapshots. Team plan starting at $99/mo. 14-day free trial.

Start 14-Day Free Trial Free Checklist Generator

Frequently Asked Questions

How often should I conduct ISO 9001 internal audits?

ISO 9001 requires audits at planned intervals (clause 9.2) but does not specify frequency. Most organizations audit annually with higher-risk processes audited more often. Risk-based scheduling means processes with recent nonconformities, customer complaints, or significant changes get audited first.

Who can perform an ISO 9001 internal audit?

Anyone with auditor competence and independence from the area being audited. Clause 9.2 requires auditors to be objective and impartial — you cannot audit your own work. Competence typically means training in ISO 9001 requirements, audit techniques, and the processes being audited.

What is the difference between a minor and major nonconformity?

A major nonconformity is a systematic failure or complete absence of a required QMS element — it affects the system’s ability to achieve intended outcomes. A minor nonconformity is an isolated lapse where the system intent is evident but execution failed in a specific instance. Multiple minor NCs in the same area may indicate a systemic issue (major).

How do I write an ISO 9001 audit finding?

A well-written finding has three parts: (1) Statement of the requirement — cite the specific clause or procedure, (2) Objective evidence — describe exactly what you observed, reviewed, or were told, (3) Classification — major NC, minor NC, observation, or opportunity for improvement. Findings should be factual and evidence-based, never opinions.

What is the CAPA process for audit findings?

CAPA (Corrective and Preventive Action) for audit findings follows: (1) Containment — immediate action to address the nonconformity, (2) Root cause analysis — determine why it happened using 5 Whys, fishbone, or similar methods, (3) Corrective action — implement changes to eliminate the root cause, (4) Effectiveness verification — confirm the corrective action worked and the nonconformity has not recurred.

How do audit results feed into management review?

Clause 9.3.2 requires audit results as a mandatory input to management review. This includes: audit completion rates, nonconformity trends by clause and department, open corrective actions, repeat findings, and auditor observations about systemic issues. Management review outputs should include decisions about resource allocation, QMS scope changes, and improvement priorities based on audit data.

What should an ISO 9001 audit checklist include?

An effective audit checklist includes evidence-based questions for each clause in scope, references to applicable procedures and work instructions, space for recording objective evidence, conformity/nonconformity classification, and notes. Questions should elicit evidence (“Show me the record for...”) rather than yes/no answers. Try our free audit checklist generator.