Quality Management · From the Auditor's Desk

ISO 9001 internal audit checklist (UK, 2026).

Internal audit is the clause most organisations treat as a box-tick — and the one a certification auditor leans on hardest. Here is a practical, clause-by-clause checklist an auditor actually uses, the objective evidence to look for at each stop, and how to write up what you find.

Jason Misters · IRCA® Registered Principal Auditor · 22 June 2026

The internal audit is the part of an ISO 9001 quality management system that organisations most often underestimate. It is treated as a formality — a checklist filled in the week before the certification body visits — when in reality it is the mechanism the standard relies on to keep the whole system honest between external audits. Get internal audit right and the surveillance visit becomes a confirmation exercise. Get it wrong and the external auditor finds the gaps you should have found yourself, which reads as a system that doesn't self-correct.

This guide sets out why internal audit matters under ISO 9001 Clause 9.2, how to plan a risk-based audit programme, and a clause-by-clause checklist you can actually take into a working area. It is written from the auditor's side of the table. References are to the well-established Annex SL clause structure (clauses 4 to 10) shared across ISO 9001 and the other management-system standards — you should still work from your own legally-obtained copy of ISO 9001:2015 for the precise wording of each requirement.

Why internal audit matters (Clause 9.2)

Clause 9.2 requires you to conduct internal audits at planned intervals to provide information on whether the quality management system both conforms to your own requirements and to the requirements of ISO 9001, and is effectively implemented and maintained. Those are two distinct tests. Conformity asks "does the documented system meet the standard?" Effectiveness asks "is it actually working in practice and achieving its intended results?" A system can be fully conformant on paper and quietly ineffective on the ground — and a good internal audit is designed to catch exactly that gap.

The clause also sets out what the audit programme must do: be planned taking into account the importance of the processes concerned and the results of previous audits; define audit criteria and scope for each audit; select auditors and conduct audits to ensure objectivity and impartiality; report results to relevant management; take appropriate correction and corrective action without undue delay; and retain documented information as evidence of the programme and the results. That list is, in effect, your compliance checklist for the audit function itself.

The single most common internal-audit finding I raise is that auditors check whether a document exists, not whether the process described in it is the one actually being followed. Conformity without effectiveness is the easiest thing in the world to evidence and the least useful.

Planning the audit programme — risk-based, not calendar-based

The standard expects a risk-based programme. That does not mean every process gets audited with the same depth on the same annual cycle. It means you weight your audit effort towards the areas that matter most to conforming product and service, customer satisfaction, and your own objectives — and towards areas that have a track record of problems.

A workable approach:

  • Map every process and clause to the programme so that, across the programme cycle (typically a year), the whole system and every applicable clause is covered at least once. Nothing should fall through the cracks.
  • Prioritise by risk and history. A process with recent nonconformities, customer complaints, high turnover, or significant change since the last audit warrants more frequent or deeper auditing than a stable, low-risk back-office process.
  • Set clear criteria and scope per audit. "Audit of the despatch process against ISO 9001 Clause 8.5 and the despatch procedure DC-12" is auditable. "Audit of the warehouse" is not — it has no defined yardstick.
  • Protect objectivity. Auditors must not audit their own work. In a small business this is the hardest rule to satisfy; the usual answer is to cross-audit (the quality lead audits operations, an operations manager audits the quality function) or to bring in an external internal-auditor for the areas no one independent can cover.
  • Schedule, then track completion. A programme that slips — audits planned for Q2 still outstanding in Q4 — is itself a nonconformity against Clause 9.2.

The clause-by-clause checklist

Below is the structure of a real internal-audit checklist, walking the Annex SL clauses 4 to 10. For each clause I have given example questions an auditor would ask and the kind of objective evidence that answers them. Objective evidence means records, observations and statements that can be verified — not opinions and not "we always do that."

Clause Example audit questions Objective evidence to look for
4 — Context of the organisation How have you determined the internal and external issues relevant to your purpose? Who are your interested parties and what are their relevant requirements? Is the scope of the QMS defined, documented and justified? A context analysis (SWOT/PESTLE or equivalent) that has been reviewed recently; an interested-parties register; a documented scope statement that matches what the business actually does.
5 — Leadership How does top management demonstrate commitment? Is there a quality policy, communicated and understood? Are roles, responsibilities and authorities assigned and known? Quality policy on display and explainable by staff in their own words; evidence of management review participation; an org chart or responsibility matrix; resourcing decisions traceable to leadership.
6 — Planning How are risks and opportunities determined and acted on? Are quality objectives established, measurable, and resourced? How is change planned and controlled? A risk register with actions and owners; SMART quality objectives with progress data; change records showing planning rather than reaction.
7 — Support Are resources, people, infrastructure and environment adequate? How is competence determined and evidenced? Is documented information controlled — current versions, protected, available where needed? Training and competence records mapped to roles; calibration records for monitoring equipment; a document control system showing version control and removal of obsolete documents.
8 — Operation Are operational processes planned and controlled? How are customer requirements reviewed before commitment? How is design (if applicable) controlled? How are external providers evaluated? How is nonconforming output controlled? Job records, contracts/order reviews, design records, supplier evaluations and approved-supplier lists, nonconforming-product records with disposition.
9 — Performance evaluation What is monitored and measured, and how? How is customer satisfaction tracked? Is internal audit itself being run to programme? Is management review happening with the required inputs and outputs? KPI data and trends; customer satisfaction evidence (surveys, complaints, feedback); the internal audit programme and reports; management review minutes covering the mandated inputs.
10 — Improvement How are nonconformities handled? Is corrective action addressing root cause, not just symptoms? Is the system demonstrably improving over time? Nonconformity and corrective-action records with root-cause analysis, effectiveness checks, and a closure trail; evidence of improvements implemented and sustained.

How to actually walk it

The checklist is a route map, not a script. The strongest audits follow the work, not the document index — pick a real job, order or customer and trace it through the system end to end. Where did the requirement come from? How was it reviewed before you committed? What controlled the work? How was competence assured? What records were generated? That single thread will touch clauses 7, 8, 9 and often 10, and it tests effectiveness far better than reading procedures in a meeting room.

Common findings

After years of internal and external audits, the same handful of issues come up again and again. Knowing them in advance lets you audit towards them:

  • Objectives that aren't measurable or aren't measured. "Improve customer satisfaction" with no metric and no data behind it is a Clause 6.2 finding waiting to happen.
  • Document control drift. Two versions of the same form in circulation, uncontrolled spreadsheets doing critical work, or obsolete documents still in use — all Clause 7.5.
  • Competence asserted, not evidenced. "Everyone's trained" with no records mapping competence to the roles that need it.
  • Supplier evaluation that happens once and never again. Approval at onboarding with no re-evaluation or performance monitoring — Clause 8.4.
  • Corrective actions that treat symptoms. "Re-trained the operative" as the entire response to a recurring defect, with no root-cause analysis — Clause 10.2.
  • An audit programme that slipped. Audits planned but not completed, or completed but never reported to management.

Recording nonconformities and corrective action (Clause 10.2)

An audit finding is only as useful as the record it produces. When you identify a nonconformity, Clause 10.2 requires you to react to it — take action to control and correct it and deal with the consequences — and then to evaluate whether action is needed to eliminate the cause so it doesn't recur. That second step is where most systems are weak.

A defensible nonconformity record contains:

  • A clear statement of the nonconformity — what was found, against which requirement (the clause and/or your own procedure), with the objective evidence that supports it.
  • Immediate correction — what was done to contain or fix the specific instance.
  • Root-cause analysis — a genuine investigation (5 Whys, fishbone, or similar) into why it happened, not a restatement of the symptom.
  • Corrective action — what will be changed to stop recurrence, with an owner and a due date.
  • Effectiveness review — a check, after the action has had time to bed in, confirming the problem has not come back. An action closed without verifying it worked is not closed.

Keeping that thread intact — finding, correction, root cause, action, verified closure — is exactly what an external auditor traces, and it is the single clearest signal that your management system actually drives improvement rather than just documenting it.

Keeping the audit programme and findings in one place

The administrative weight of internal audit — scheduling the programme, recording findings against the right clauses, raising and tracking corrective actions to verified closure, and being able to produce all of it on demand — is exactly the part worth systematising. PICMS keeps the audit programme, the findings, and the resulting CAPAs linked together, so that the golden thread from a finding through to a closed-out corrective action is traceable in a few clicks rather than reconstructed from a folder of spreadsheets. Its AI evidence-to-clause mapping also helps surface which documents you actually hold against each Clause 4 to 10 requirement before you audit, so you walk in knowing where the gaps are likely to be.

To be clear about what software does and doesn't do: PICMS doesn't make you certified, and it doesn't replace a competent, objective auditor doing the walk. What it does is keep the evidence behind your audit programme complete, current and traceable — and demonstrably aligned to the clauses — so the internal audit becomes the early-warning system the standard intends it to be rather than a scramble before the surveillance visit.

Jason Misters — IRCA® Registered Principal Auditor

Lead auditor and ISO consultant. Founder of Training Assurance Consultancy and PICMS. Writes from years of hands-on experience implementing and auditing management systems in UK businesses. Verifiable on the CQI-IRCA register.

Run your audit programme from one place.

PICMS keeps your ISO 9001 audit programme, findings and corrective actions linked and audit-ready — with AI evidence-to-clause mapping so you know where the gaps are before you walk the floor.

Explore SHEQ Software Start Free Trial