ISO 9001 Internal Audit Checklist: A Practical Guide for UK Manufacturers
What ISO 9001 Requires for Internal Audits
An internal audit is not optional under ISO 9001:2015. Clause 9.2 ("Internal audit") requires organisations to conduct internal audits at planned intervals to provide information on whether the quality management system conforms to the organisation's own requirements and to the requirements of the standard, and is effectively implemented and maintained.
The clause has two sub-sections:
9.2.1 requires the organisation to plan, establish, implement, and maintain an audit programme. That programme must take into account the importance of the processes concerned, changes affecting the organisation, and the results of previous audits.
9.2.2 defines what each audit must do: define audit criteria and scope, select auditors to ensure objectivity and impartiality (auditors cannot audit their own work), report results to relevant management, and take appropriate correction and corrective action without undue delay. The organisation must also retain documented information as evidence of the audit programme and the audit results.
For a UK manufacturing SME with 20-50 employees, that typically means one full-system audit cycle per year, with process-level or high-risk-area audits scheduled more frequently when previous audits found non-conformances.
The Objectivity Requirement — Where Most Small Teams Struggle
The most common audit compliance gap in smaller manufacturers is auditor independence. Clause 9.2.2 is explicit: auditors must not audit their own work.
In a five-person quality department, this matters. The quality manager who wrote the non-conformance control procedure should not be the sole auditor of how that procedure is followed. Options for small teams:
- Cross-functional auditing — the quality engineer audits production processes; a production supervisor audits the document control system. Neither is auditing their direct area of responsibility.
- Trained auditor pool — train two or three people from different functions as internal auditors. Annual training from a UKAS-accredited provider counts toward competence evidence.
- External internal auditor — hire a freelance quality consultant to conduct the audit. The consultant is external to the organisation, satisfying independence. Perfectly compliant, and useful when the team is too small to cross-audit effectively.
What fails an audit: a single quality manager who plans, conducts, reports, and closes every internal audit across all processes, including their own. An external auditor will raise this as a nonconformance against clause 9.2.2.
Building the Audit Programme
A clause-9.2-compliant audit programme does not need to be elaborate. What it must show:
Coverage — every element of the QMS must be audited over the programme cycle. For ISO 9001:2015, that means all ten clauses (4-10) and all significant processes. You do not need to audit everything every year to the same depth, but nothing can be permanently excluded.
Risk-based scheduling — processes with past non-conformances, significant customer complaints, or recent changes get audited more frequently. A process with a clean two-year record can be scheduled less often. Document the rationale so your certification body auditor can see it was deliberate, not accidental.
Change consideration — when a significant process changes (new ERP system, new product line, new supplier qualification process), schedule an audit of that process earlier than the routine cycle. Clause 9.2.1 specifically cites "changes affecting the organisation" as a scheduling input.
Competence records — the audit programme should identify who will conduct each audit and confirm their competence. A one-day internal auditor training course plus supervised audits is the typical evidence baseline.
The ISO 9001 Internal Audit Checklist — Practical Structure
A checklist keeps your audit focused and your findings structured. This framework covers the areas a UKAS-accredited certification body auditor will check when reviewing your internal audit programme.
Context and planning (Clause 4-6)
- Does the organisation understand its internal and external context and how it affects the QMS?
- Are interested parties (customers, regulators, suppliers) identified and their requirements documented?
- Are the scope and boundaries of the QMS documented and maintained?
- Is there evidence of leadership commitment to the QMS — signed quality policy, visible to employees?
- Are quality objectives documented, measurable, and communicated?
- Is there a documented risk register or risk and opportunity assessment?
Process control (Clause 8)
- Are critical production and service delivery processes documented (procedures, work instructions, control plans)?
- Are documented procedures being followed in practice? Verify by observing the process and comparing to the procedure.
- Is incoming inspection documented for each batch/delivery? Verification method? Acceptance criteria?
- Is in-process inspection documented? Who checks, what they check, where the record goes?
- Is final inspection documented before product is released? Release authority identified?
- Are non-conforming outputs controlled (quarantined, labelled, dispositioned)? NCRs raised and tracked?
- Are calibration records current for all measurement equipment used at inspection points?
- Are changes to production processes controlled through the change management procedure?
Documented information (Clause 7.5)
- Can the organisation retrieve any quality record requested within a reasonable time?
- Are records protected from unintended alteration (version control, access controls)?
- Do documents carry revision status and approval? Are obsolete versions removed from use?
- Is there a document register or master list?
Supplier management (Clause 8.4)
- Is there an approved supplier list or equivalent evidence of supplier evaluation?
- Are supplier performance records maintained (delivery, quality, SCAR history)?
- Are purchase orders specifying the requirements the supplier must meet?
- Has the organisation defined what verification it performs on externally provided products or services?
Monitoring and measurement (Clause 9.1)
- Are quality KPIs defined, measured, and reviewed at a defined frequency?
- Is customer satisfaction monitored? Method, frequency, and who reviews the results?
- Is there evidence of data analysis being used to drive improvement decisions?
Management review (Clause 9.3)
- Are management reviews conducted at planned intervals?
- Do review records include the required inputs: audit results, customer feedback, process performance, NCRs, and progress against quality objectives?
- Are review outputs (decisions and actions) recorded and tracked to completion?
Internal audits (Clause 9.2 — the meta-audit)
- Does an audit programme exist covering all QMS processes over the programme period?
- Is the programme risk-based (higher-risk or recently-changed processes audited more frequently)?
- Are auditors independent of the processes they audit?
- Are audit findings documented and communicated to relevant management?
- Are corrective actions from previous audits tracked and verified as effective?
- Has the organisation retained audit reports as documented information?
Nonconformity and improvement (Clauses 10.1-10.3)
- Are NCRs raised for all detected nonconformities (internal, supplier, customer-returned)?
- Are root cause analyses conducted for significant or recurring nonconformances?
- Are corrective actions verified for effectiveness before closure?
- Is there evidence of improvement actions beyond the corrective action process?
What Auditors Check When They Review Your Internal Audit Programme
When a UKAS-accredited certification body conducts your surveillance visit, their review of your internal audit programme focuses on four things:
Completeness — has every clause of ISO 9001:2015 been addressed in at least one internal audit during the programme cycle? An audit of Clause 8 (operations) with no audit of Clause 6 (planning) or Clause 9.3 (management review) is an incomplete programme.
Independence evidence — the audit reports must show who conducted each audit. The auditor should not appear as the process owner or responsible manager for the area audited.
Follow-through — unclosed corrective actions from previous internal audits are the most common surveillance visit finding. If your internal audit raised a nonconformance 6 months ago and the corrective action is still open with no evidence of progress, the certification body auditor will raise it as a major or minor nonconformance.
Proportionality — a 20-person manufacturer running one audit per year (full system, well-documented) passes. The same manufacturer with no audits for 18 months does not. The phrase "at planned intervals" in clause 9.2.1 means you must have a plan and evidence that you followed it.
Setting Up Your Audit Programme Records
At minimum, retain:
- Audit programme or schedule — which processes, which clauses, who audits, which dates, over what period
- Audit plans (optional but useful) — scope, criteria, and audit questions for each individual audit
- Audit reports — findings, observations, nonconformances identified, any opportunities for improvement
- Corrective action records — from audit nonconformances, tracked through root cause, action, and effectiveness verification
- Auditor competence records — training certificates, supervised audit logs
These five records give a certification body auditor complete visibility of your programme without needing to ask follow-up questions. They also make it straightforward to demonstrate continuous improvement across audit cycles: last year's NCR rate, this year's lower rate, with identifiable corrective actions connecting the two.
Connecting Internal Audits to Your ECM Process
For manufacturers certified to ISO 9001:2015, internal audits and engineering change management are more connected than they first appear.
Clause 8.5.6 requires that changes to production processes are reviewed, authorised, documented, and that results of the change are documented. Your internal audit programme should verify that this clause is working: are process changes going through a formal change control procedure? Are engineering change requests being raised before changes are implemented? Are non-conformances that trigger process changes being closed with verified corrective action?
An internal audit that only checks Clause 9.2 in isolation — "yes, we're doing audits" — misses the systemic question: is your QMS actually working as a system? The audit is the mechanism for answering that question across all interconnected processes.
This guide describes the requirements of ISO 9001:2015 clause 9.2 as published by the International Organization for Standardization. The full standard text is available from ISO. For certification purposes, consult your UKAS-accredited certification body — this guide is a practical reference, not a substitute for the standard itself or professional audit advice.
Sources
- ISO 9001:2015 — Quality management systems — Requirements. Available from ISO.
- ISO/TC 176 — the ISO Technical Committee responsible for ISO 9001: iso.org/committee/53882
- UKAS — United Kingdom Accreditation Service, the national accreditation body for the United Kingdom.
ChangeRoute is a quality management tool for ISO 9001-certified UK manufacturing SMEs. Join the waitlist to be notified when it launches.