
How to perform an internal audit


Based on Citation ISO Certification's video on YouTube. If you like this content, support the original creators by watching, liking and subscribing to their content.

TL;DR

Internal audits verify that management system requirements and internal procedures are actually followed and producing expected outcomes, not just documented on paper.

Briefing

Internal audits are a structured way to verify that a company’s management system is actually being followed—both against the requirements of standards such as ISO 9001 (quality), ISO 14001 (environment), and ISO/IEC 27001 (information security), and against the organization’s own internal procedures. Done well, auditing serves as a “spot check” of whether documented processes are implemented, maintained, and producing the outcomes management expects—such as error-free service delivery, effective risk controls, and continual improvement.

The session frames internal auditing as more than compliance paperwork. Audits help organizations confirm planned arrangements are in place, identify where processes are less effective than intended, and feed corrective actions that prevent recurring failures. They also strengthen communication across teams by involving staff in the review of how work is performed, and they can highlight training gaps or resourcing needs when problems appear in specific areas. For senior leadership, audit findings provide feedback on whether established processes are effective and where improvements should be targeted.

A practical audit starts with principles that guide how auditors behave and how evidence is handled. Key themes include fair presentation, confidentiality (including information security and GDPR considerations), independence (for example, auditing a purchasing process using people from other departments), an evidence-based approach, professional care, impartiality, and integrity. These principles matter because audit credibility depends on what is checked, how it is checked, and how findings are documented.

The briefing then breaks internal audits into four main types: system audits, process audits, project audits, and product audits. A system audit checks the management system against the standard’s structure—often clause-by-clause—so organizations can confirm the overall system is operating as required. A process-based audit groups related clauses into real operational workflows (such as handling customer inquiries or managing emergency controls) and checks whether day-to-day activities match documented procedures. Project audits follow a project from start to finish to confirm that requirements are addressed throughout delivery—whether it’s new product development, construction, or an IT implementation where information security concerns must be embedded. Product audits focus on how a specific product is produced, manufactured, packaged, and delivered, often using customer orders as the boundary for what is audited.

Preparation is treated as a planning discipline. Organizations create an audit schedule (often mapped on a 12-month matrix) to ensure coverage of management system elements and to demonstrate planning as required by many ISO standards. Scheduling also accounts for timing, availability of the right people, auditor training and experience, and practical logistics such as what equipment is needed (including whether calibration checks are possible). The plan can be adjusted when serious problems or nonconformities are found, including adding rechecks after corrective actions.

Audit execution and reporting are presented as evidence-driven. Auditors typically use checklists derived from procedures or manual sections, sample activities, record what was expected, and document the evidence found. If expected elements like risk assessments, signed daily notes, or required approvals are missing, nonconformities are raised. The report’s purpose is assurance: either confirming processes run as planned or identifying where corrective actions, resources, or procedural changes are needed.
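The two paragraphs above describe a planning artefact (the 12-month audit matrix) and an execution artefact (the checklist that records what was expected against what evidence was found). The following Python is an added example, not code from the video or from Citation ISO Certification: it checks a constructed schedule for clauses that are never covered, evaluates a constructed checklist so that missing evidence becomes a nonconformity, and adjusts the plan by adding a recheck month for the affected clauses. The clause labels follow the harmonised clause 4 to 10 structure that ISO 9001 and ISO/IEC 27001 share; the months, question wording and evidence references are constructed sample data.

```python
"""Audit schedule coverage and expected-vs-evidence checklist evaluation.

Added illustration of the planning and reporting steps described in the
summary; all schedule entries, questions and evidence strings are
constructed sample data, not records from any real audit.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Harmonised management-system clauses shared by ISO 9001 and ISO/IEC 27001.
CLAUSES: Dict[str, str] = {
    "4": "Context of the organization",
    "5": "Leadership",
    "6": "Planning",
    "7": "Support",
    "8": "Operation",
    "9": "Performance evaluation",
    "10": "Improvement",
}

# Constructed 12-month matrix: month -> clauses sampled that month.
# Clause 10 is deliberately left out so the coverage check has a gap to find.
SCHEDULE: Dict[str, List[str]] = {
    "Jan": ["4"], "Mar": ["5", "6"], "May": ["7"],
    "Jul": ["8"], "Sep": ["8"], "Nov": ["9"],
}


def coverage_gaps(schedule: Dict[str, List[str]],
                  clauses: Dict[str, str] = CLAUSES) -> List[str]:
    """Return clause ids that the matrix never schedules within the cycle."""
    covered = {c for month in schedule.values() for c in month}
    return sorted(set(clauses) - covered, key=int)


@dataclass
class CheckItem:
    """One checklist question derived from a procedure or manual section."""
    question: str
    clause: str
    expected: str               # what the procedure says should exist
    evidence: Optional[str]     # what the auditor found; None = nothing on file


@dataclass
class Finding:
    clause: str
    question: str
    expected: str
    evidence: Optional[str]
    status: str                 # "conforms" or "nonconformity"


def evaluate(items: List[CheckItem]) -> List[Finding]:
    """Record expected vs. found for each question; missing evidence is raised."""
    findings = []
    for item in items:
        status = "conforms" if item.evidence else "nonconformity"
        findings.append(Finding(item.clause, item.question,
                                item.expected, item.evidence, status))
    return findings


def nonconformities(findings: List[Finding]) -> List[Finding]:
    return [f for f in findings if f.status == "nonconformity"]


def schedule_rechecks(schedule: Dict[str, List[str]], findings: List[Finding],
                      recheck_month: str) -> Dict[str, List[str]]:
    """Adjust the plan: add a recheck of each clause that raised a nonconformity."""
    adjusted = {m: list(cs) for m, cs in schedule.items()}
    for clause in sorted({f.clause for f in nonconformities(findings)}, key=int):
        slot = adjusted.setdefault(recheck_month, [])
        if clause not in slot:
            slot.append(clause)
    return adjusted


# Constructed checklist for a service activity (sample, not a real audit).
SAMPLE_CHECKLIST = [
    CheckItem("Is a risk assessment on file for the service activity?", "6",
              "Risk assessment signed and dated before work starts",
              "RA-EXAMPLE-017 signed by supervisor"),
    CheckItem("Are daily site notes signed?", "8",
              "Each daily note signed by the lead engineer", None),
    CheckItem("Are customer telephone calls logged?", "8",
              "Call record with date, caller and action taken",
              "Call log entries for the sampled week"),
]

if __name__ == "__main__":
    print("Clauses never scheduled:", coverage_gaps(SCHEDULE))
    results = evaluate(SAMPLE_CHECKLIST)
    for f in results:
        print(f"[{f.status}] clause {f.clause}: {f.question}")
        print(f"    expected: {f.expected}")
        print(f"    found:    {f.evidence or '(no evidence)'}")
    print("Adjusted plan:", schedule_rechecks(SCHEDULE, results, "Dec"))
```

Run as a script, the output lists clause 10 as unscheduled, flags the unsigned daily notes as the single nonconformity, and shows clause 8 added to December as a recheck after corrective action; the coverage gap remains until the matrix itself is extended, which is the point of keeping planning and findings as separate checks.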

Finally, the Q&A emphasizes how to choose audit type and frequency. Clause-based coverage is commonly spread across a year, while full coverage may extend up to three years for larger implementations. Audits can be done by observation, interviews, and document review, but reliance on interviews alone is cautioned against because people may unintentionally give answers that sound correct without proof. External auditors generally sample across the management system, so internal audits should align with what the organization’s manual and processes claim to do. The session closes by pointing to internal audit training and mentoring options for building audit capability across teams.

Cornell Notes

Internal audits verify that a management system is both compliant and actually implemented—matching documented procedures to real evidence and outcomes. Audits provide assurance to leadership, uncover where processes are ineffective, and trigger corrective actions, training, or resourcing when gaps appear. The session distinguishes system audits (clause-based), process audits (workflow-based), project audits (start-to-finish delivery), and product audits (manufacture/packaging/delivery). Effective auditing relies on principles like independence, confidentiality, evidence-based checks, and integrity, and it requires careful preparation through an audit schedule and resourcing plan. Audit reports document expected requirements, the evidence found, and any nonconformities, supporting continual improvement and readiness for external certification audits.

What makes an internal audit more than a compliance exercise?

An internal audit is framed as a “spot check” that confirms whether documented processes are implemented, maintained, and producing expected outcomes. It checks planned arrangements are followed, identifies deviations that reduce effectiveness, and feeds corrective actions. It also improves communication across teams, helps spot training or resourcing needs when problems recur, and gives senior management feedback on whether processes are working as intended.

How do system, process, project, and product audits differ in what they check?

A system audit checks the management system against the standard’s structure—often clause-by-clause—so the organization can verify the system operates as required. A process audit follows real operational workflows (e.g., customer inquiries, emergency controls) and checks whether day-to-day activities match procedures. A project audit tracks a project from start to finish to ensure requirements are addressed throughout delivery (new product development, construction, or IT delivery). A product audit focuses on how a specific product is made, manufactured, packaged, and delivered, typically within the context of customer orders.

Why do audit principles like independence and evidence-based checking matter?

Independence reduces bias—for example, auditing purchasing using people from other departments. Confidentiality protects sensitive information, with explicit mention of GDPR and information security. Evidence-based auditing requires recording what was expected and what evidence was found, rather than relying on assumptions. Professional care, impartiality, and integrity support credibility so findings can be trusted and acted upon.

What should go into internal audit preparation before auditors start sampling?

Preparation includes creating an audit schedule (often a 12-month matrix) to show planning and coverage of management system elements. It also requires resourcing decisions: timing, who must be available, whether the auditor is trained and experienced, and what equipment is needed (including calibration checks where relevant). The plan should define start/finish boundaries so audits can review the right activities and records.

How does the audit report structure turn checks into actionable findings?

The report is built from audit questions derived from the organization’s procedures or manual sections. For each question, auditors record what was expected, then document the evidence found. If required items (like risk assessments, signed daily notes, or logged telephone call records) are missing, a nonconformance is raised. The report then supports decisions about corrective actions, resources, and procedural changes.

What guidance is given on audit frequency and choosing an audit approach?

For quality management systems, clause coverage is commonly spread across a 12-month period, with the full system sometimes extended up to three years for larger implementations. The approach depends on how the management system is structured: clause-based organizations may prefer system audits, while manufacturing or process-structured organizations may use process or product audits. The Q&A also notes that interviews and document review can be used, but observation is important because people may provide answers that sound right without proof.

Review Questions

  1. If an organization’s manual says risk assessments exist for a service activity, what evidence should an internal audit look for, and how would a missing assessment typically be recorded?
  2. Compare a system audit and a process audit: what is the audit “unit” in each case, and how does that change the checklist questions?
  3. How should an audit schedule be adjusted after serious nonconformities are found, and what resourcing factors must be reconsidered?

Key Points

  1. Internal audits verify that management system requirements and internal procedures are actually followed and producing expected outcomes, not just documented on paper.
  2. Audits support continual improvement by identifying ineffective processes, recurring issues, and training or resourcing gaps.
  3. Audit credibility depends on principles such as independence, confidentiality (including GDPR considerations), evidence-based checking, impartiality, and integrity.
  4. Audit types map to different “objects of verification”: system (clauses), process (workflows), project (end-to-end delivery), and product (manufacture/packaging/delivery).
  5. Preparation should include a planned audit schedule, defined audit boundaries (start/finish), and resourcing decisions covering auditor competence and availability of relevant staff.
  6. Audit reports should translate expectations into audit questions and record objective evidence; missing required elements become nonconformities that trigger corrective actions.
  7. Audit frequency is commonly annual for full coverage, with longer cycles possible (up to three years) depending on implementation scale and organizational capacity.

Highlights

Internal audits function as evidence-based “spot checks” that confirm documented procedures are implemented and effective, generating assurance for leadership.
Independence can be operationalized by auditing a function (like purchasing) using people from other departments to reduce bias.
System, process, project, and product audits offer different ways to cover management system requirements depending on how work is organized.
A practical audit schedule can be built as a 12-month matrix to demonstrate planning and ensure coverage of clauses or processes.
Audit reports work best when each checklist question is tied to documented expectations and supported by recorded evidence; missing evidence becomes a nonconformance.

Topics

  • Internal Audit
  • ISO 9001
  • Audit Planning
  • Audit Evidence
  • Nonconformance Classification

Mentioned

  • Robert Crosby
  • ISO
  • GDPR
  • HSE