ISO 9001:2015 Clause 9.

2 Internal Audit
Definition:
ISO defines audits as Systematic, independent

and documented process for obtaining audit evidence

and evaluating it objectively to determine the extent to which audit criteria are fulfilled.
Internal audits, sometimes called first-party audits, are conducted by, or on behalf of, the organization itself for
management review and other internal purposes, and may form the basis for an organizations declaration of conformity.
In many cases, particularly in smaller organizations, independence can be demonstrated by the freedom from
responsibility for the activity being audited. External audits include those generally termed second- and third-party
audits. Second-party audits are conducted by parties having an interest in the organization, such as customers, or by other
persons on their behalf. Third-party audits are conducted by external, independent auditing organizations, such as those
providing certification/ registration of conformity to ISO 9001 or ISO 14001. When two or more management systems
are audited together, this is termed a combined audit. When two or more auditing organizations cooperate to audit a
single auditee, this is termed a joint audit.
Introduction:
An audit is a systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively
to determine the extent to which audit criteria are fulfilled. Audits are structured and formal evaluations. The term
systematic means the company must plan and document its system for auditing. It must have management support and
resources behind it. Audits must be performed in an impartial manner, which requires auditors to have freedom from bias
or other influences that could affect their objectivity. For example, having responsibility for the work, or a vested interest
or shares in a supplier or third party company they are assigned to audit, would be conflicts of interest. Internal audits
must be carried out to a procedure according to requirements given in clause 9.2 of ISO 9001:2015. The procedure must
address the responsibilities for conducting the audits, ensuring independence, recording results, and reporting to
management. Audits obtain objective evidence of conformity with requirements. The evidence must be based on fact and
may be obtained through observation, measurement, test, or by other means. Evaluating the extent to which audit criteria
are fulfilled involves an assessment of both implementation and effectiveness. Is the organization practicing what it
described in its documentation? Are the practices being carried out well? The presence of nonconformities in a
department or process may indicate the system is ineffective for those areas.
9.2 Internal Audit
9.2.1
The organization should conduct internal audits at planned intervals to provide information on whether the quality
management system conforms to the organizations own requirements, the requirement of ISO 9001:2015 standards and
is effectively implemented and maintained
9.2.2
The organization must plan, establish, implement, and maintain an audit program, which must include frequency,
methods, and responsibilities, planning requirements and reporting. While making an audit program, consideration must
be given to the importance of concerned processes, changes impacting the organization and the results of previous
audits. It must define audit criteria and scope for each audit. It must select auditors and conduct audits for impartial and
objective audit process. It must ensure results of audits are reported to relevant management. it must take necessary
correction and corrective actions without undue delay. It must retain evidence of audit program implementation and
audit results.
Internal audit is the one of the important tool required by this standard used to gauge the health of your QMS. How
effective is it in meeting ISO 9001, your own QMS, customer and regulatory requirements. You must have a documented
procedure for your internal audit process.The scope of your internal audit program must cover the:
Audit of operation processes to determine conformity of both product / services and their processes to customer and
applicable regulatory requirements.
Audit of the QMS to determine conformity to the ISO 9001 standard.
Audit of the QMS to determine conformity to organizational requirements.
Audit of QMS processes and their interaction to determine if the QMS has been effectively implemented and maintained.
In determining the time frame for your audit program, you should consider organization size, complexity of product and
processes, health of the QMS, customer, registrar and regulatory requirements, etc. The most common time frame is six
months. Consider adjusting the audit frequency and perhaps even the audit scope, of specific processes or group of
processes, when:
You experience internal or external nonconformities.
Get customer complaints.
Have critical or high risk processes.
Have frequent or significant changes to processes and product.
Your internal audit program should consider the following:
Input from audited area and related areas
Key customer oriented processes
Process and product performance results and expectations

 Opportunities for continual improvement

Feedback from customers
Audit criteria, refers to the specific QMS policies, objectives, ISO requirements, documentation, customer and regulatory
requirements, etc., that the audit is referenced to or conducted against. Audit criteria may relate to the whole audit
program as well as each individual audit. Audit methods refer to the specific techniques that auditors use to gather
objective audit evidence that can be evaluated to determine conformity to audit criteria. Examples of audit methods
include interview of personnel, observation of activities, review of documents and records, etc. You must define the
minimum qualification requirements for internal auditors. These requirements include knowledge of QMS processes and
their interaction, related QMS controls, customer requirements, applicable regulatory requirements, the ISO 9001
standard, the audit process and audit techniques. Internal auditors needs to be trained in the ISO 9001 standard as they
generally audit for conformity to organizational requirements and also for conformity to ISO 9001 requirements.
Additionally, the ISO 19011:2002 Guidelines for quality and environmental auditing says that auditors should have
knowledge of quality management system standards and their application to the organization.
You must have appropriate resources for your annual audit program. These include having sufficient trained auditors
available to conduct scheduled audits, sufficient time to perform audits, availability of department or process personnel to
be audited, time and tools to prepare audit records and reports, etc. Auditor should be Independent. During the audit
Auditors should ensure that the objectivity and impartiality of the audit is not compromised. Auditors cannot audit their
own work. Auditor independence must be ensured when assigning personnel to specific audits. Process owners must take
timely corrective action on nonconformities found in their area. They should use the corrective action procedure to
determine root cause, take appropriate action and follow-up to determine if results indicate that the root cause has been
eliminated. Audit results must be summarized and reported for management review. The Process manager must also
report any opportunities for QMS improvement. The Process manager must analyze the results of each audit as well as
the annual audit program to determine strengths and weaknesses in QMS processes, interactions, functions, products,
etc., to identify and prioritize opportunities for improvement. Audit records include annual audit schedule, audit planning
such as criteria, scope, frequency, methods, auditor selection and assignment, etc., auditor competence and training, audit
checklists and forms, audit notes and other evidence gathered, audit findings, nonconformity reports, audit reports,
corrective actions and follow-up of internal audit nonconformities, analysis of audit program performance indicators and
trends, and identified improvement opportunities. Performance indicators should be used to measure the effectiveness of
your internal audit process and monitor trends in these indicators, to continually improve your audit program.
Performance indicators may include reducing the number of late or delayed audits, incomplete audits, incomplete audit
records and late reports, auditor errors, auditee complaints, and use of untrained auditors, etc.
The output of your internal audit program may be used as performance indicators to:
Determine the degree of conformity of the QMS to ISO 9001, customer and regulatory requirements.
Determine the effectiveness of QMS implementation and maintenance.
Determine the degree of conformity of product to contractual and regulatory requirements.
Identify areas of the QMS that need improvement.
Audit Objectives
Always establish the objectives of the audit. Audit objectives are not limited to the ISO 9001 standard. Clear audit
objectives help determine the scope and depth of the audit, as well as, the resources needed. Being clear on the objectives
provides focus and helps the auditor from being distracted and going off on unnecessary detours beyond the scope of the
audit. Audit objectives may include:
Evaluating conformity of requirements to ISO 9001
Evaluating conformity of documentation to ISO 9001
Judging conformity of implementation to documentation
Determining effectiveness in meeting requirements and objectives
Meeting any contractual or regulatory requirements for auditing
Providing an opportunity to improve the quality management system
Permitting registration and inclusion in a list of registered companies
Qualifying potential suppliers
Types of Audits
Audits that are carried out to determine whether an organization conforms to a quality Standard may be termed Quality
System Audits. This type of audit requires the auditor to use a fair degree of judgment to establish whether controls are
adequate. Many second and third party audits are carried out as Quality System Audits. Audits that are carried out against
specifically defined practices, procedures, and instructions, and that are perhaps (but not necessarily) more limited in
their scope, are termed conformity audits. Many internal audits and many contract related audits between two parties are
carried out as conformity audits. Process and product audits are subsets of QMS conformity audits and therefore limited
in scope..An ISO 9001 process audit evaluates the controls and characteristics of a specific process, as well, as its
relationship with other processes and may include using some or all of the following approaches:
Individual processes in terms of:

Input / Output / Value-added activity

Plan / Do / Check / Act
Relationship to other processes in terms of:
Flow / Sequence / Linkage / Combination
Interaction / Communication
Customer contract for conformity to contractual requirements through the various processes used to fulfill the customers
order
Audit trails following concerns or unresolved issues to processes or departments, that are be beyond the scope of a
specific audit.
Process audits may include the following processes, as well, as related sub-processes Context of organization;
Leadership; Planning; support; Operations; Performance evaluation; Improvement. A product/Service audit is a process
audit that focuses on the processes needed for executing operations for the product or service realization.