How to Conduct an Internal Audit
Based on Citation ISO Certification's video on YouTube.
Internal audits verify whether operations and management systems are effective and whether procedures still meet organizational objectives.
Briefing
Internal audits are the mechanism that checks whether an organization’s management systems are actually working—by examining day-to-day operations and management processes to confirm effectiveness or flag where changes are needed. They matter because they keep the organization aligned with its own procedures, verify that processes still support organizational objectives, and generate evidence that feeds corrective action programs and management reviews. By reviewing each department’s function, internal audits also surface opportunities for improvement and support continual improvement through better procedures and targeted corrective actions.
The audit process produces findings that must be documented in a structured way. The guidance emphasizes using internal audit report templates (available from QMS) as a baseline, since they outline the minimum information expected from an audit. Organizations can also create their own reports and store them in a database, as long as the required sections from the templates are included. Once discrepancies are identified, the next step is to raise a non-conformance for each procedural discrepancy. That includes cases where a documented procedure is no longer being followed as written—whether because staff failed to carry out the correct actions (which should be logged as a non-conformance and followed by additional training) or because the procedure has become outdated.
When a procedure is outdated rather than merely misapplied, the response shifts from training to document control. The manual must be rewritten to reflect the updated procedure, and the documented procedure must be located and amended within the documented management system manual. The revision and amendment register also needs updating, using the register found at the front of the QMS manual. The audit documentation therefore isn’t just a record of problems; it becomes a trigger for controlled changes to the management system.
Beyond findings and non-conformances, internal audits must also check the “control of records” section inside the manual. That section lists the records an auditor will inspect at an external audit, so internal audits should confirm those records are still current and that they are being updated and maintained. If record requirements have changed, the manual should be amended accordingly.
Frequency is flexible, but the guidance recommends using an internal audit matrix provided by QMS for routine scheduling. That approach helps spread workload across the year, ensures key responsibilities are completed in time for the external audit, and improves the odds of a positive outcome by incorporating management views into the audit plan.
Cornell Notes
Internal audits evaluate whether an organization’s operations and management systems are functioning effectively and whether procedures still meet organizational objectives. Audit results provide evidence for corrective actions and management reviews, while also driving continual improvement across departments. Findings must be documented using internal audit report templates (or equivalent reports that include the required sections), and each procedural discrepancy should be raised as a non-conformance. Non-conformance handling depends on the cause: failures to follow procedures trigger further training, while outdated procedures require rewriting the manual, updating the revision/amendment register, and amending the documented management system. Internal audits should also verify that “control of records” items remain current and are being updated and maintained, and they can be scheduled routinely using an internal audit matrix to stay ahead of external audits.
What is the purpose of an internal audit, and what outcomes should management expect from it?
How should internal audit findings be documented, and what minimum content is expected?
When a procedural discrepancy is found, what is the required next step?
How do corrective actions differ when staff fail to follow a procedure versus when the procedure is outdated?
What additional internal audit check is required beyond non-conformances?
How should organizations decide how often to conduct internal audits?
Review Questions
- What are the main management-level uses of internal audit results, and how do they connect to corrective actions and management reviews?
- Describe the documentation and follow-up steps required after identifying a procedural discrepancy, including how the response changes based on the root cause.
- What does the “control of records” section require an internal audit to verify, and why does that matter for external audits?
Key Points
1. Internal audits verify whether operations and management systems are effective and whether procedures still meet organizational objectives.
2. Audit results should feed corrective action programs and management reviews, supporting continual improvement across departments.
3. Internal audit findings must be documented in structured reports using QMS templates or equivalent reports that include the required sections.
4. Each procedural discrepancy should be raised as a non-conformance, including cases where a documented procedure is no longer effective.
5. Non-conformance follow-up depends on cause: staff failures trigger training, while outdated procedures require manual updates and revision register changes.
6. Internal audits should confirm that “control of records” items remain current and are being updated and maintained, with manual amendments when necessary.
7. Routine scheduling via the internal audit matrix helps spread workload and ensures key responsibilities are completed ahead of external audits.