An ISO 9001 internal audit is not a compliance checkbox — it is the most powerful diagnostic tool available to a quality management system. When conducted rigorously, a clause-by-clause internal audit identifies systemic gaps before your registrar does, surfaces process inefficiencies before they become customer escapes, and generates the objective evidence your organization needs to drive genuine continual improvement. This checklist maps every major clause of ISO 9001:2015 into actionable audit questions — organized for audit efficiency, written for U.S. manufacturing quality professionals, and structured so findings feed directly into corrective action without a separate data-entry step.
Run Your Internal Audit Digitally — Clause by Clause
iFactory digitizes every ISO 9001 clause, captures findings with objective evidence, auto-generates NCRs, and tracks corrective actions to closure — all in one platform. Book a demo to see it on your QMS.
ISO 9001:2015 — All 10 Clauses at a Glance
ISO 9001:2015 contains 10 clauses. Clauses 1–3 are introductory — they define the scope, normative references, and terms. They contain no auditable requirements. The internal audit checklist begins at Clause 4 because that is where the standard's mandatory requirements start. The visual below maps all 10 clauses so you understand exactly where each audit section sits within the full standard structure.
- Clause 1, Scope: Defines applicability of the standard. Not auditable.
- Clause 2, Normative References: References ISO 9000 for terms. Not auditable.
- Clause 3, Terms and Definitions: Vocabulary definitions. Not auditable.
- Clause 4, Context of the Organization: Internal/external issues, interested parties, QMS scope, process interactions.
- Clause 5, Leadership: Management commitment, customer focus, quality policy, roles & responsibilities.
- Clause 6, Planning: Risks & opportunities, quality objectives, change planning.
- Clause 7, Support: Resources, competence, awareness, communication, documented information.
- Clause 8, Operation: Customer requirements, design, external providers, production control, nonconforming output.
- Clause 9, Performance Evaluation: Monitoring & measurement, internal audit, management review.
- Clause 10, Improvement: Nonconformance, corrective action, continual improvement.
Context of the Organization
Clause 4 establishes the foundation of the QMS. Auditors verify that the organization has formally determined its internal and external context, identified interested parties, defined the QMS scope, and documented the processes that make up the system. Weak Clause 4 documentation is the most common reason organizations receive major nonconformances on their initial certification audit.
Internal & External Issues
Confirm a documented analysis of internal and external issues relevant to the QMS purpose is present, current, and reviewed at defined intervals.
Interested Parties
Verify the organization has identified relevant interested parties and determined their requirements. Confirm requirements are monitored and reviewed.
QMS Scope Defined
Confirm the QMS scope is documented, available, and states which ISO 9001 requirements apply. Any exclusions must be justified with documented rationale.
Process Interactions Mapped
Verify the organization has determined processes needed, their sequence and interaction, ownership, inputs/outputs, risks, and performance metrics.
Leadership
Clause 5 audits top management's demonstrated commitment to the QMS — not just their signatures on a quality policy, but their active involvement in setting objectives, communicating quality importance, and ensuring the QMS achieves its intended results. Leadership findings are frequently cited because quality managers complete the paperwork but management engagement is absent in practice.
Management Commitment Evidence
Verify top management accountability for QMS effectiveness through meeting records, management reviews, and resource allocation decisions — not just policy signatures.
Customer Focus Demonstrated
Confirm customer requirements are determined, risks to conformity are addressed, and customer satisfaction is monitored with defined methods.
Quality Policy Current
Verify the quality policy is appropriate to context, includes a commitment to continual improvement, is documented, communicated, and understood by relevant personnel.
Roles & Responsibilities Assigned
Confirm organizational roles, responsibilities, and authorities for the QMS are assigned, documented, and communicated throughout the organization.
Planning
Clause 6 audits whether the organization has systematically addressed risks and opportunities, set measurable quality objectives, and planned changes to the QMS. Risk-based thinking must be demonstrably embedded in QMS processes — not documented in a risk register that nobody references. Quality objectives must be measurable, monitored, and linked to the quality policy.
Risks & Opportunities Addressed
Verify documented actions to address risks and opportunities. Confirm actions are proportionate to the potential impact and integrated into QMS processes.
Quality Objectives Measurable
Confirm objectives are established at relevant functions, are measurable, monitored, communicated, and updated as needed. Each objective must have a defined method for evaluation.
Change Planning Documented
Verify that planned changes to the QMS are carried out systematically with consideration of purpose, potential consequences, resource availability, and responsibility allocation.
Support
Clause 7 is the broadest operational clause and generates the highest volume of audit findings in manufacturing environments. It covers resources, competence, awareness, communication, and documented information. Competence records, calibration status, and document control are the three areas most frequently cited as major nonconformances in third-party surveillance audits.
| Sub-Clause | Audit Focus | Evidence to Examine | Common Findings |
|---|---|---|---|
| Cl. 7.1.1 Resources | Adequate resources determined and provided | Budget records, staffing plans, management review minutes | No documented determination of required resources |
| Cl. 7.1.2 People | Persons needed to implement & maintain QMS | Org charts, staffing level records | QMS activities assigned to undertrained personnel |
| Cl. 7.1.3 Infrastructure | Buildings, equipment, IT maintained | PM schedules, equipment logs, calibration records | No documented infrastructure maintenance plan |
| Cl. 7.1.4 Environment | Suitable process environment maintained | Environmental monitoring records, housekeeping audits | Environmental requirements not defined for controlled processes |
| Cl. 7.1.5 Measurement | Calibration status current, MSA performed | Calibration database, MSA records, out-of-cal handling | Out-of-calibration instruments used; no recall procedure |
| Cl. 7.2 Competence | Required competence defined, verified, documented | Training records, skills matrices, on-the-job verification | Training records missing or competence not verified |
| Cl. 7.3 Awareness | Personnel aware of policy, objectives, their contribution | Interview personnel at all levels | Operators unaware of quality objectives or policy |
| Cl. 7.4 Communication | Internal & external communication defined | Communication plan or procedure | No documented communication process |
| Cl. 7.5 Documented Info | Required documents controlled and available | Document control procedure, revision history, access controls | Obsolete documents in use; no control procedure |
Operation
Clause 8 is the largest and most process-intensive clause — it covers everything from customer communication and design control through production planning, external provider management, nonconforming output handling, and product/service release. Most manufacturing organizations have the strongest documentation in Clause 8 but also the highest rate of minor nonconformances, because operational procedures are defined but not consistently followed.
Customer communication channels defined. Requirements for products/services determined, including statutory/regulatory. Changes communicated to relevant persons.
If applicable: design planning, inputs, controls, outputs, and changes documented. Verification and validation records retained. Design reviews held with evidence.
Approved supplier list maintained. Supplier evaluation, selection, and monitoring criteria defined. Purchasing information adequate. Verification activities performed.
Controlled conditions: documented information, monitoring/measurement, suitable infrastructure, competent personnel, validation of special processes, product identification and traceability.
Planned arrangements implemented before release. Documented information includes conformity evidence, authorization, and traceability to the authorizing person.
Nonconforming outputs identified, controlled to prevent unintended use. Disposition documented. Corrective action taken when required. Records retained per clause 7.5.
Performance Evaluation
Clause 9 audits how the organization monitors, measures, analyzes, and evaluates its QMS performance. Customer satisfaction measurement methods, internal audit programs, and management review frequency and content are the three most heavily scrutinized areas. Management review minutes that simply list agenda items without demonstrating decisions and actions taken are a frequent major nonconformance.
Verify methods for monitoring customer satisfaction. Confirm data analysis methods produce actionable outputs. Check that results feed into management review.
Audit program documented with frequency, methods, responsibilities, and criteria. Auditors are objective and impartial. Findings documented and corrective actions tracked. This audit is the evidence.
Reviews conducted at planned intervals. Input includes: audit results, customer satisfaction, process performance, NCR status, opportunities for improvement, and risks. Outputs include decisions and action items with owners and due dates.
Improvement
Clause 10 closes the PDCA loop. The organization must demonstrate that it identifies nonconformances, reacts to them, evaluates their root causes, and implements corrective actions that prevent recurrence. Continual improvement must be demonstrable — not just stated in the quality policy. The most common finding: corrective actions that address the symptom rather than the root cause, with recurring nonconformances as evidence.
Nonconformance Handling & Corrective Action Workflow
Every finding raised during an ISO 9001 internal audit must be documented as a nonconformance and managed through a defined corrective action process. ISO 9001 Cl. 10.2 requires the organization to react to the nonconformance, evaluate the need for root cause analysis, implement corrective actions, and verify their effectiveness. The corrective action loop is the mechanism that converts audit findings into measurable QMS improvement.
Record the nonconformance with objective evidence — specific clause, process, location, date, and evidence observed. Vague findings ("procedure not followed") are not actionable. Specific findings ("operator at Station 4 could not identify quality objectives — Cl. 7.3") are.
Apply 5-Why or Ishikawa to identify the system-level cause — not just the immediate condition. A missing training record is a symptom. The root cause is why the training record is missing: no onboarding process, no competence matrix review trigger, or no document control step requiring it.
Implement the corrective action targeting the root cause. Assign an owner and due date. Schedule an effectiveness verification — typically 30–90 days after implementation — to confirm the nonconformance has not recurred before closing the NCR.
Full vs. Partial QMS Audit — When Each Applies
ISO 9001 Cl. 9.2 requires that the audit program covers the entire QMS over the audit cycle — but it does not require every clause to be audited in a single audit. Most organizations divide the annual audit program into multiple audits by clause group, process area, or functional department, ensuring full coverage by the end of the cycle. High-risk processes, processes with previous nonconformances, and processes undergoing change should be audited more frequently than stable, low-risk processes.
Full QMS Audit Triggers
- Initial certification audit or recertification audit
- Major organizational change (new site, acquisition, restructure)
- Significant QMS change (new processes, scope expansion)
- Customer-required full system assessment
- Following a major corrective action or product recall
- Two or more major nonconformances in the same audit cycle
Partial / Process-Focused Audit
- Annual surveillance audit covering specific clause groups
- Follow-up audit verifying corrective action effectiveness
- Process-specific audit after a significant process change
- High-risk process monitoring between full cycles
- New product or process introduction audit
- Supplier audit covering only applicable QMS elements
What Internal Auditors Get Wrong Most Often
Internal audit programs that produce meaningful improvement share a set of discipline patterns that distinguish them from compliance exercises. The most common failure modes are structural, not technical.
Asking "do you have a procedure for this?" and reviewing the document is not an audit — it is a document review. Effective internal audits verify that the procedure is actually followed, that personnel understand it, and that the outputs match what the procedure requires. Interview line personnel. Observe the process. Verify records match actual practice.
ISO 9001 Cl. 9.2 requires auditors to be objective and impartial. An auditor who has managed an area for years has blind spots, relationships, and assumptions that compromise objectivity — even with good intentions. Rotate auditors across areas annually and use cross-functional audit pairs for high-risk processes.
The most common audit program failure: NCRs are opened, a corrective action is submitted, the NCR is closed, and nobody checks whether the action actually prevented recurrence. Cl. 10.2.1(f) requires effectiveness verification. Schedule it. Document it. If the same issue reappears, the previous corrective action was inadequate — that is now a second nonconformance.
An Internal Audit Is Only as Good as Its Follow-Through
The ISO 9001 internal audit program is the most powerful self-improvement mechanism in your QMS — but only if findings drive documented corrective actions, corrective actions address root causes, and effectiveness is verified before NCRs are closed. A well-executed clause-by-clause internal audit, conducted annually at minimum and risk-stratified across processes, produces the objective evidence your registrar is looking for and the process insight your management team needs.
Digital audit platforms transform internal audits from paper exercises into searchable, trackable quality intelligence. When every finding is timestamped, attributed, linked to a corrective action, and tracked to closure — with effectiveness verification built into the workflow — your internal audit program becomes a genuine competitive asset. Book a demo to see how iFactory manages clause-by-clause ISO 9001 audits across your organization.
Frequently Asked Questions
How often must ISO 9001 internal audits be conducted?
ISO 9001:2015 Cl. 9.2 requires internal audits to be conducted at planned intervals — it does not specify a minimum frequency, but the standard does require that the audit program considers the importance of the processes, changes affecting the organization, and previous audit results. In practice, most certified organizations conduct a full audit cycle annually, with higher-frequency audits on high-risk or high-impact processes. The audit program must be documented and the records retained as documented information.
Who can conduct an ISO 9001 internal audit?
ISO 9001 requires auditors to be objective and impartial — meaning they must not audit their own work. Beyond that, the standard does not require formal certification of internal auditors, though ISO 19011 provides guidance on auditor competence. Most organizations define minimum competence requirements for internal auditors in their audit procedure — typically including knowledge of the ISO 9001 standard, audit technique training, and demonstrated process familiarity.
What is the difference between a major and minor nonconformance in ISO 9001?
ISO 9001 does not define major and minor nonconformances — that classification is used by certification bodies, not the standard itself. A major nonconformance is typically a systematic failure that calls into question the ability of the QMS to achieve its intended results (e.g., no internal audit conducted, no management review, no documented corrective action process). A minor nonconformance is an isolated or limited deviation from a requirement. Major findings typically require a documented corrective action and verification before the registration body will issue or renew certification.
Does ISO 9001:2015 require documented procedures for internal audits?
ISO 9001:2015 does not require a documented procedure for internal audits specifically — it requires documented information as evidence that the audit program is implemented and the audit results are recorded (Cl. 9.2.2). Most organizations maintain a documented internal audit procedure because it provides consistency, defines auditor competence, and demonstrates a controlled process to registrars. The audit plan, checklists used, findings, and corrective actions must all be retained as documented information.
How does digital audit software improve ISO 9001 internal audits?
Digital audit platforms like iFactory improve internal audits in three measurable ways: consistency (every clause is audited against the same criteria every cycle, with no items skipped), traceability (every finding is timestamped, attributed to an auditor, linked to a clause, and connected to a corrective action record), and follow-through (NCR closure requires documented effectiveness verification before the finding can be closed). Audit programs that run on spreadsheets and paper have inconsistent coverage, missing records, and NCRs that get closed without follow-up. Book a demo to see how iFactory handles your specific ISO 9001 audit program.
Digitize Your ISO 9001 Audit Program — Start in Weeks
iFactory loads your clause checklist, assigns auditors, tracks findings, auto-generates NCRs, and monitors corrective actions to closure — so your audit program produces real improvement, not just a filing cabinet of paper. Book a 30-minute demo and we will walk through your current audit workflow.




