ISO 9001 Internal AuditWhat Clause 9.2 requires and why it matters
Internal audits are a mandatory requirement of ISO 9001:2015. They are how an organisation evaluates whether its Quality Management System is effectively implemented and maintained. This page explains what internal audits are, what the standard requires, and how they support the path to certification.
Clause 9.2
What Is an Internal Audit?
An internal audit is a systematic, documented evaluation of an organisation's Quality Management System against the requirements of ISO 9001:2015 and its own documented policies and procedures.
Internal audits are conducted by or on behalf of the organisation itself. They are distinct from certification audits, which are conducted by an independent accredited body. Both serve different purposes and are both required.
- Process-based evaluation.
- Audits assess whether QMS processes are defined, implemented, and maintained as intended, not just whether documents exist.
- Evidence-driven findings.
- All audit findings must be supported by objective evidence. Opinions and impressions are not audit findings.
- Independence from the audited function.
- Auditors must not audit their own work. ISO 9001 requires impartiality, a person cannot objectively assess a process they are responsible for.
- Planned at defined intervals.
- The organisation determines audit frequency based on the importance of processes, results of previous audits, and changes to the organisation.
- Results reported to management.
- Internal audit results are a required input to the management review process under Clause 9.3.
- All findings documented.
- ISO 9001 requires organisations to retain documented information as evidence of their audit programme and the audit results.
ISO 9001:2015
What Clause 9.2 Requires
Clause 9.2 of ISO 9001:2015 sets out specific requirements for an organisation's internal audit programme. These are not optional, they are normative requirements that certification auditors will assess.
- An audit programme
Organisations must establish, implement, and maintain an audit programme that takes into account the importance of the processes concerned, changes affecting the organisation, and the results of previous audits.
- Defined audit criteria and scope
Each audit must have defined criteria, the set of requirements against which the audit is conducted, and a defined scope that sets the boundaries and extent of the audit.
- Objectivity and impartiality
Auditors must be selected to ensure objectivity and impartiality of the audit process. This is the requirement that prevents people from auditing their own work.
- Results reported to management
The results of the audit programme must be reported to relevant management. This input is required for the management review process under Clause 9.3.
- Corrective action without undue delay
Where nonconformities are identified, the organisation must take appropriate corrections and corrective actions without undue delay.
- Retained documented information
The organisation must retain documented information as evidence of the implementation of the audit programme and the audit results.
Key Distinction
Internal Audit vs Certification Audit
These two types of audits serve different purposes and are conducted by different parties. Understanding the distinction is important for any organisation pursuing ISO 9001 certification.
- Who conducts it.
- Internal audits are conducted by the organisation itself, or by a contracted party acting on its behalf. Certification audits are conducted by an independent accredited certification body such as MSCGlobal.
- Purpose.
- Internal audits evaluate whether your QMS is effectively implemented and identify opportunities for improvement. Certification audits determine whether your QMS conforms to ISO 9001 and whether a certificate should be issued.
- Output.
- Internal audits produce a report and corrective action log used internally. Certification audits produce a conformance decision and, where requirements are met, an accredited certificate.
- Frequency.
- Internal audits occur at planned intervals throughout the year. Certification audits follow a three-year cycle: Stage 1, Stage 2, annual surveillance, and recertification.
Best Practice
Planning Your Internal Audit Programme
ISO 9001 requires an audit programme, not just individual audits. Here is what an effective programme looks like in practice.
Ready for ISO 9001 Certification?
Once your QMS is established and your internal audit programme is underway, MSCGlobal can conduct your independent Stage 1 and Stage 2 certification audits. Our accredited auditors assess conformance to ISO 9001:2015 and issue globally recognised certificates.
Ready to get certified? Start your compliance journey today.
Get expert guidance through ISO certification with our proven process. Fast, transparent, and hassle-free. Let's make compliance simple.