How to prepare for an ISO internal audit
What internal audits are really for
Internal audits are not for impressing the certification body. They exist so you find the issues before the external auditor does. A good internal audit is mildly uncomfortable.
Step 1 — Plan the programme
Cover every clause of the standard at least once per certification cycle (3 years). Schedule by process, not by clause — auditing "the sales process" is more useful than auditing "clause 8.2."
Step 2 — Pick the right auditors
Auditors must be independent of the area being audited. In small teams, you can swap: ops audits sales, sales audits ops. External contract auditors are fine for very small companies.
Step 3 — Prepare the audit checklist
For each process, write 8–15 questions tied to:
- The standard clause
- Your own SOP
- Customer requirements
Step 4 — Run the audit
- Opening meeting — 10 minutes, confirm scope and timing.
- Evidence gathering — interview, observe, sample records. Aim for 3 evidence points per finding.
- Closing meeting — present findings before you leave the area.
Step 5 — Report findings
Classify each finding as: nonconformity (major/minor), opportunity for improvement, or observation. Be specific: "Training records missing for 3 of 8 production staff" beats "training inadequate."
Step 6 — Track corrective actions
Every nonconformity (NC) needs root cause analysis, corrective action, and verification of effectiveness. This is the #1 thing external auditors check.
Common mistakes
- Treating the audit as a tour
- Auditing your own work
- Writing vague findings
- Closing CAPAs (corrective and preventive actions) without verifying effectiveness
