Internal Audit Program for ISO 9001

Internal Audit as the QMS Self-Assessment Mechanism

Internal audit is the QMS self-assessment mechanism. It is required by ISO 9001 Clause 9.2 and serves two purposes: verify conformance to ISO 9001 requirements and the organization's own documented procedures; and determine whether the QMS is effective at achieving its intended results (preventing nonconformities, meeting quality objectives, satisfying customer requirements). Internal audit differs from external certification audit. The certification auditor is verifying conformance for external assurance; the internal auditor is helping the organization improve by identifying gaps before the external auditor arrives. The internal audit is an improvement opportunity, not just a compliance checkpoint.


ISO 9001 Internal Audit Requirements

ISO 9001 Clause 9.2 requires that organizations: conduct planned audit programs; establish audit criteria and scope for each audit; assign auditors who are impartial and objective (auditors cannot audit their own work); ensure audit findings are reported to relevant management; ensure that correction and corrective actions are taken for nonconformities without undue delay; and retain documented information as evidence of the audit program and its results. The audit program must be risk-based, meaning higher-risk processes are audited more frequently. The organization must complete at least one full audit cycle covering all QMS clauses and processes annually. In particular, before the Stage 2 certification audit, at least one full cycle of internal audits must be completed, demonstrating to the certification body that the organization has assessed itself and addressed the gaps it found.


Audit Program Design

| Audit Program Element | Requirement | Best Practice |
| --- | --- | --- |
| Coverage | All processes and clauses at least annually | Risk-based: high-risk processes semi-annually |
| Frequency | At least one full cycle before Stage 2 | Quarterly partial audits feeding annual full cycle |
| Scope | Defined before each audit | Specific clauses and processes targeted per audit |
| Auditor | Impartial — cannot audit own work | Trained and competent; rotate assignments |
| Duration | Sufficient to obtain objective evidence | 1–2 hours per process; full cycle 2–4 days |


Internal Auditor Competence

Internal auditors must be trained and competent. The standard reference is ISO 19011, which describes audit principles (ethical conduct, fair-minded assessment, due professional care) and auditor qualities (open-minded, diplomatic, observant, perceptive, versatile, tenacious, decisive, self-reliant). Qualified internal auditors typically have: training in ISO 19011 audit methodology (usually a two-day course); supervised experience conducting at least 2–3 audits; and knowledge of ISO 9001 requirements and the organization's QMS. Many organizations have internal auditors trained through a lead auditor certification program (IRCA, PECB, or equivalent). Alternatively, organizations can develop internal auditors through ISO 19011 training plus mentored audits under an external auditor. In small organizations (under 50 staff), even one trained internal auditor is sufficient if combined with annual external support. The minimum viable internal audit team is one trained auditor supplemented by process experts who provide technical knowledge of the processes being audited.


Audit Methodology

The standard audit sequence is: document review (examine procedures and records before the audit); opening meeting (explain audit scope, confirm access); process walkthrough (observe the process in operation); staff interviews (understand how staff perform work, verify training); evidence examination (verify that process outputs match requirements); closing meeting (summarize findings, confirm no surprises); report (document findings with supporting evidence). The audit follows the PDCA cycle: Plan (scope, schedule), Do (conduct audit), Check (document findings), Act (follow up). Sampling is essential: you cannot audit every instance of a process. The auditor samples documented information, records, and observations to build an evidence base, and the sample should be large enough and varied enough that the conclusion does not rest on a single record. The finding hierarchy distinguishes: Major nonconformity (systematic failure of a requirement, likely to affect product/service quality); Minor nonconformity (isolated or administrative nonconformity); Observation (potential issue not yet a nonconformity); Opportunity for improvement (suggestion for enhancement).


Common Internal Audit Findings in ISO 9001

| Finding Category | Example | Clause | Response |
| --- | --- | --- | --- |
| Documented information not current | Procedure describes process that has changed | 7.5 | Procedure revision, document control review |
| Evidence of operation not maintained | No records of process execution | 7.5.3 | Record-keeping process implemented |
| Objectives not being monitored | Quality objective data not collected | 6.2 | Measurement process implemented |
| Corrective actions not closed | CA register shows overdue items | 10.2 | CA review meeting, owner accountability |
| Competence not demonstrated | Training records but no competence assessment | 7.2 | Competence assessment procedure |


From Audit to Improvement

The audit cycle is complete only when findings drive improvement. Internal audit findings must be documented in an audit report. Nonconformities must flow to the corrective action process — root cause analysis, CA planning, implementation, and effectiveness verification. This is the same NCR process used for customer complaints and process failures. Observations (not yet nonconformities) should also be tracked; if the same observation appears in multiple audits, it becomes a systemic issue requiring investigation. The audit program generates data that feeds into the management review: trends in audit findings, recurring nonconformities, processes that are consistently failing, and processes that are well-controlled. Over multiple audit cycles, the organization's self-knowledge improves and quality performance improves.

KEY IDEA: Internal audit has two purposes: verify conformance and drive improvement. Organizations that treat internal audit purely as a pre-certification compliance check miss half the value. Use the internal audit to find real quality gaps that improve the organization — not just to produce a clean record for the certification body.

IMPORTANT: Auditor impartiality is a hard requirement, not a guideline. A person cannot audit their own work or the work of their direct team. In small organizations where the QMS Lead is also a process owner, a creative approach is required: bring in an external auditor for the processes the QMS Lead owns, or cross-train another manager to audit those specific processes.

BITLION INSIGHT: The most common internal audit failure in Indonesian ISO 9001 implementations is the audit that is planned, initiated, and then never completed before certification. Build the internal audit into the project plan with named auditors, scheduled dates, and a completion checkpoint that is a gate before the Stage 2 audit is booked. Treat an incomplete internal audit as a project risk that must be escalated to the steering committee.