
Introduction
ISO 9001:2015 Clause 9.2 requires organizations to conduct systematic internal audits of their Quality Management System to verify it conforms to both ISO 9001 requirements and their own documented policies — and that it's actually working in practice.
This guide is written for quality managers, operations leaders, and business owners in manufacturing, services, and other industries implementing or maintaining ISO 9001 certification.
Without a functioning audit program, nonconformities go undetected, management lacks reliable QMS performance data, and external certification audits are put at serious risk.
ISO 9001 is the world's most widely adopted quality standard, with over 1 million valid certificates across more than 190 countries — yet many organizations treat Clause 9.2 as an annual checkbox rather than a genuine diagnostic tool.
This guide covers what Clause 9.2 actually requires, how to build a compliant audit program, how the audit cycle runs from planning through corrective action, and the mistakes that most commonly cause organizations to fall short.
TL;DR
- Clause 9.2 requires planned internal audits to verify QMS conformance to ISO 9001 and your own documented requirements
- Your audit program must be written, risk-based, and reviewed regularly — a living document, not a fixed annual calendar
- Auditors must be competent and impartial; they cannot audit their own work
- Nonconformities must be reported to management and resolved through documented corrective action
- Retain two record types: evidence the program was implemented, and evidence of individual audit results
What Is ISO 9001:2015 Clause 9.2?
Clause 9.2 sits within Section 9 (Performance Evaluation) of ISO 9001:2015, alongside Clause 9.1 (Monitoring, Measurement, Analysis and Evaluation) and Clause 9.3 (Management Review). Together, they define how an organization measures, reviews, and acts on how well its QMS is actually working.
The clause has two sub-clauses:
- Clause 9.2.1 defines what internal audits must determine: whether the QMS conforms to the organization's own requirements and to ISO 9001, and whether it is effectively implemented and maintained
- Clause 9.2.2 defines how the audit program must be managed — including frequency, methods, responsibilities, reporting, criteria and scope, auditor impartiality, and required records
The Intended Purpose
Internal audits are not a pass/fail test. Their function is to give management objective, factual information about how the QMS is actually performing — so decisions about where improvement is needed are grounded in fact, not assumption.
A well-run internal audit program answers three questions at once:
- Are we meeting ISO 9001 requirements?
- Are we following our own documented procedures?
- Are our processes operating as intended on the floor?
Those are the same three questions a certification body's auditor asks, which is why the distinction between internal and external audits matters in practice.
Internal vs. External Audits
Internal audits (first-party) are conducted by or on behalf of the organization. External audits are conducted by certification bodies such as DNV, BSI, LRQA, or NQA. Organizations with strong internal audit programs consistently perform better in external certification reviews — the same evidence gaps that trip up internal audits will surface during a registrar's Stage 2 audit.
What Your Audit Program Must Include Under Clause 9.2
An audit program — often called an audit schedule — is a required documented tool that plans all internal audits across a defined period. Most organizations structure theirs around a 12-month cycle, though many map the program across the full 3-year certification cycle to ensure all QMS elements receive adequate coverage.
The Six Required Elements of Clause 9.2.2
Clause 9.2.2(a) explicitly requires the audit program to address the following (the remaining sub-clauses, (b) through (f), add per-audit criteria and scope, auditor impartiality, reporting to relevant management, timely correction and corrective action, and retained records, each covered below):
| Element | What It Means in Practice |
|---|---|
| Frequency | When and how often each process or area is audited |
| Methods | How audits are conducted (document review, interviews, observation) |
| Responsibilities | Who is responsible for auditing which areas |
| Planning requirements | How audits are prepared and scheduled |
| Reporting structure | How results are communicated to relevant management |
| Program rationale | How decisions account for process importance, organizational changes, and prior audit results |

Risk-Based Scheduling
The audit program should not rotate through all processes at equal intervals regardless of performance history. ISO 19011:2018 added a risk-based approach to its audit principles, and that thinking directly informs how a Clause 9.2 program should be structured.
Prioritize higher audit frequency for:
- Processes with previous nonconformances
- Areas affected by recent organizational changes (new personnel, new equipment, new procedures)
- High-risk or customer-critical processes
- Processes where prior audits revealed weak implementation
Stable, well-performing areas with clean audit histories can reasonably be audited less frequently. The program itself should be reviewed and updated at least annually — triggered by significant organizational changes, audit findings, or management review outputs, not just the calendar.
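The prioritization rules above can be turned into a simple scheduler. The following is an added example written for this guide; it is not code from the page's author or from Synergistic Systems, and the field names, weights, thresholds and the 12-month maximum interval are illustrative assumptions rather than values taken from ISO 9001 or ISO 19011. It scores each process on nonconformance history, recent change, criticality and prior weak implementation, maps the score to an audit interval, and lists overdue audits first.

```python
import calendar
from dataclasses import dataclass
from datetime import date


@dataclass
class ProcessRecord:
    """One QMS process as it appears in the audit program (fields are assumed, not from the standard)."""
    name: str
    last_audit: date
    nonconformances_18m: int = 0       # NCs raised against this process in the last 18 months
    recent_change: bool = False        # new personnel, equipment or procedures since the last audit
    customer_critical: bool = False    # high-risk or customer-critical process
    weak_implementation: bool = False  # a prior audit found the process weakly implemented


# Illustrative weights and thresholds; these are assumptions for the example,
# not values taken from ISO 9001:2015 or ISO 19011:2018.
NC_WEIGHT, NC_CAP = 2, 6
CHANGE_WEIGHT = 2
CRITICAL_WEIGHT = 3
WEAK_WEIGHT = 2
MAX_INTERVAL_MONTHS = 12  # no process waits longer than a year regardless of score


def risk_score(p: ProcessRecord) -> int:
    """Higher score = more audit attention; mirrors the four prioritisation factors in the text."""
    score = min(p.nonconformances_18m * NC_WEIGHT, NC_CAP)
    score += CHANGE_WEIGHT if p.recent_change else 0
    score += CRITICAL_WEIGHT if p.customer_critical else 0
    score += WEAK_WEIGHT if p.weak_implementation else 0
    return score


def audit_interval_months(score: int) -> int:
    """Map a risk score onto an audit interval; clean, stable processes get the annual maximum."""
    if score >= 6:
        return 3
    if score >= 3:
        return 6
    return MAX_INTERVAL_MONTHS


def add_months(d: date, months: int) -> date:
    """Calendar-aware month addition (clamps to the last day of the target month)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def build_schedule(processes: list[ProcessRecord], today: date) -> list[dict]:
    """Return one row per process: overdue audits first, then by due date, then by descending score."""
    rows = []
    for p in processes:
        score = risk_score(p)
        interval = audit_interval_months(score)
        due = add_months(p.last_audit, interval)
        rows.append({
            "process": p.name,
            "score": score,
            "interval_months": interval,
            "next_due": due,
            "overdue": due < today,
        })
    rows.sort(key=lambda r: (not r["overdue"], r["next_due"], -r["score"]))
    return rows


# Constructed sample data for the example (not real audit records).
TODAY = date(2025, 1, 15)
SAMPLE_PROCESSES = [
    ProcessRecord("Machining", date(2024, 3, 1), nonconformances_18m=3),   # three NCs in 18 months
    ProcessRecord("Purchasing", date(2024, 9, 1), customer_critical=True),
    ProcessRecord("Document control", date(2024, 6, 15)),                    # clean, stable
    ProcessRecord("HR", date(2024, 11, 1), recent_change=True),
]


def example_schedule() -> list[dict]:
    return build_schedule(SAMPLE_PROCESSES, TODAY)


if __name__ == "__main__":
    for row in example_schedule():
        flag = "OVERDUE" if row["overdue"] else ""
        print(f"{row['process']:<18} score={row['score']:<2} every {row['interval_months']:>2} mo  "
              f"next={row['next_due']} {flag}")
```

With the sample data, the process with three nonconformances in 18 months drops to a quarterly interval and shows as overdue, while the clean document-control process stays on the annual maximum. Re-running the script after each audit, change or management review is what keeps the program a living document rather than a fixed calendar.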
Audit Criteria and Scope
Each individual audit requires two documented elements that organizations frequently conflate. Criteria define what the audit measures against — specific ISO 9001 clauses, internal procedures, or customer requirements. Scope defines the boundaries — which departments, locations, activities, or time periods are covered. The distinction matters: criteria tell auditors what to look for; scope tells them where to look. Both must be defined and documented before each audit begins.
Clause 9.2.2(f) also requires retained records as evidence that the program was implemented and that audit results were captured — this means keeping the audit schedule, completed audit reports, nonconformance records, and corrective action documentation.
How the ISO 9001 Internal Audit Process Works
A well-structured internal audit follows a consistent cycle. The standard does not prescribe a single audit technique, but typical information-gathering methods include document review, personnel interviews, direct observation of operations, and examination of records. Checklists are a useful preparation aid, though they need regular updates to stay current and shouldn't become a crutch that causes auditors to miss context-specific issues.
Audit Planning and Preparation
Before stepping on the floor, the audit team needs:
- Defined scope, objectives, and criteria for this specific audit
- Selected audit team with confirmed independence from the area being audited
- Review of relevant documented information (procedures, prior audit reports, corrective action records)
- Advance communication of the audit schedule to affected personnel
Solid preparation is what separates a productive audit from one that generates paperwork without insight.
Audit Execution and Evidence Collection
Every audit is bookended by two structured meetings:
- Opening meeting — aligns scope and expectations with the auditee team before evidence collection begins
- Closing meeting — communicates findings before the written report is finalized, giving auditees a chance to clarify factual questions on the spot
Findings — both conformances and nonconformances — are documented in a structured audit report distributed after the closing meeting.
Reporting, Corrective Action, and Follow-Up
Once the audit wraps up, the work shifts to documentation and follow-through:
- Distribute the audit report to relevant management — not just the quality department
- Initiate correction for any nonconformities (fix the immediate problem)
- Conduct root cause analysis and develop a corrective action plan per Clause 10.2
- Implement the corrective action within the agreed timeframe
- Verify effectiveness before formally closing the finding

This last step — verifying that the corrective action actually resolved the root cause — is one of the most scrutinized areas during external certification audits. Documented evidence of follow-up verification is required.
As part of Synergistic Systems' 10-step implementation methodology, a system-wide internal audit is conducted at Step 8, after documentation development and QMS embedding are complete. This positions the internal audit as a genuine pre-certification validation — one where real issues can still be surfaced and resolved before the registrar arrives.
Auditor Competence, Independence, and Impartiality
Competence Requirements
Internal auditors need two types of knowledge to be effective:
- Auditing principles and techniques — how to plan, conduct, document, and close an audit
- Process and requirements knowledge — familiarity with the specific QMS processes and ISO 9001 requirements being audited
ISO 19011:2018 provides guidance on evaluating auditor competence and selecting appropriate evaluation methods for different audit program needs.
ISO 9001 doesn't mandate a specific external certification for internal auditors, but competence must be demonstrable. Sending someone to conduct an audit with no training and a borrowed checklist doesn't meet the intent of the requirement.
Synergistic Systems includes ISO 9001 internal auditor training in every implementation engagement — covering both auditing methodology and QMS-specific content — so client teams can manage their own audit cycles after initial certification.
The Impartiality Requirement
Auditors cannot audit their own work. ISO/IAF guidance specifically identifies self-review as a direct threat to audit objectivity — it undermines the unbiased conclusions that make internal audits meaningful.
For small organizations where staff wear multiple hats, practical solutions include:
- Cross-assigning auditors across departments (operations audits HR, HR audits purchasing, etc.)
- Engaging a qualified external consultant to cover areas where no impartial internal auditor exists
Synergistic Systems conducts the system-wide internal audit during implementation for this reason: client personnel often can't audit their own systems without a conflict of interest.
For ongoing audit cycles, document how impartiality is maintained — cross-assignment records, job descriptions, or organizational charts all work. External auditors will look for this evidence.
Common Mistakes Organizations Make with Clause 9.2
DNV's registrar guidance identifies five recurring audit failures: lack of preparation, inadequate documentation, insufficient communication, poor root cause analysis, and failure to follow up on corrective actions. Three patterns show up consistently in practice:
1. Treating the audit schedule as a fixed rotation
Audits scheduled at equal intervals regardless of process risk, previous nonconformance history, or recent changes don't reflect the intent of Clause 9.2. If a process has had three nonconformances in 18 months and is still audited once a year, at the same frequency as a stable, clean process, the program isn't functioning as a risk-based tool.
2. Recording nonconformities without verifying closure
Identifying a nonconformity and documenting it is only half the work. The most common failure point is corrective actions that are recorded but never verified as effective. External auditors specifically check whether actions were completed within the stated timeframe and whether the root cause (not just the symptom) was addressed.
3. Confusing audit scope with audit criteria
These are two distinct requirements. Scope defines what areas or processes are covered; criteria define what requirements they're being measured against. Both must be documented for each audit. Organizations using a single generic checklist for every audit, without tailoring it to scope, routinely miss applicable requirements.
Conclusion
A compliant Clause 9.2 program requires five things working together:
- A documented, risk-based audit schedule that covers the full QMS scope
- Competent, impartial auditors who can evaluate processes objectively
- Structured audit execution with findings reported clearly and consistently
- Timely corrective action with verified closure — not just logged and forgotten
- Retained records that prove the program is active and effective
When those elements are in place, internal audits become the most reliable tool an organization has for identifying where the QMS is genuinely working — and where it needs attention before a registrar or a customer finds it instead.
Frequently Asked Questions
What is the standard Clause 9.2 internal audit strategy?
Clause 9.2 calls for a risk-based program that prioritizes higher-risk processes, areas with previous nonconformances, and processes affected by recent organizational changes — a dynamic schedule that reflects where the QMS needs the most scrutiny, not a uniform rotation that treats all processes as equal.
Which category of ISO 9001:2015 does Clause 9.2 fall under?
Clause 9.2 sits within Section 9 (Performance Evaluation), alongside Clause 9.1 (Monitoring, Measurement, Analysis and Evaluation) and Clause 9.3 (Management Review).
How often should internal audits be conducted under ISO 9001?
ISO 9001 doesn't specify a minimum frequency. The standard requires audits at "planned intervals" determined by the organization based on process risk, previous audit results, and organizational changes. Most organizations audit the full QMS at least once per year, with higher-risk areas reviewed more often.
What documented information is required under Clause 9.2?
Two categories are required: evidence of the audit program's implementation (such as the audit schedule) and evidence of audit results (completed audit reports, nonconformance records, and corrective action documentation). Both are required by Clause 9.2.2(f).
Can a small business use an external provider to conduct internal audits?
Yes — outsourcing to a qualified, impartial external party is a recognized and compliant approach. Synergistic Systems serves as that qualified external party for organizations where no internal employee can audit without a conflict of interest.
What happens if nonconformities are found during an internal audit?
Nonconformities must be documented, reported to relevant management, and addressed through correction and corrective action (eliminating the root cause) under Clause 10.2. The finding cannot be formally closed until follow-up verification confirms the corrective action was effective.