The audit itself is the easy part. Most quality managers can hand someone a checklist and tell them to go walk the floor. What's harder — and what actually determines whether your ISO 9001 program has real teeth — is whether the person holding that checklist knows what they're looking for, how to ask questions that get honest answers, and what to do when they find something uncomfortable.
In my work with over 200 clients across pharmaceuticals, medical devices, food manufacturing, and professional services, the single most common reason an internal audit program fails to prevent nonconformances is not a bad procedure or a weak checklist. It's auditors who weren't trained well enough to audit effectively. They tick boxes. They miss systemic issues. They audit their friends with a lighter touch. And then the certification auditor walks in and finds exactly what the internal audits missed.
This guide is about fixing that, whether you're building a training program from scratch or trying to strengthen one that's already running.
What ISO 9001:2015 Actually Requires for Internal Auditors
Before we talk about how to train internal auditors, it's worth being precise about what the standard actually demands, because a lot of organizations conflate two separate requirements and end up confused about both.
ISO 9001:2015 clause 9.2 — Internal Audit establishes the program requirements: planned intervals, audit criteria, methods, and reporting. It requires that auditors be selected to ensure objectivity and impartiality — meaning you cannot audit your own work — but it does not prescribe a specific training curriculum or credential.
ISO 9001:2015 clause 7.2 — Competence is where the training requirement actually lives. It requires that the organization determine the necessary competence for persons doing work that affects quality performance, ensure those persons are competent through education, training, or experience, take action to acquire competence where gaps exist, and retain documented evidence of competence.
Put those two clauses together and the obligation is clear: auditors must be competent, and you must be able to prove it. What counts as competent is yours to define — but you have to define it, document it, and show that your auditors meet it.
A third-party auditor will ask to see your internal audit records and the documented competence of the auditors who conducted them. If the answer is "they attended a half-day overview two years ago," that's a gap worth addressing before the certification visit.
The Three Competency Areas Every Internal Auditor Needs
I find it useful to break internal auditor competence into three areas, because the training interventions for each are genuinely different.
1. Standard Knowledge
Auditors need to understand what ISO 9001:2015 actually requires — not just their own department's procedures, but the standard's structure, intent, and the way clauses connect to each other. The risk-based thinking in clause 6.1, the Plan-Do-Check-Act cycle underlying the whole framework, the way clause 8 operational requirements link back to clause 4 context — auditors who understand the architecture catch more than auditors who've only memorized checklist items.
2. Audit Methodology
Knowing the standard and knowing how to audit are genuinely different skills. Audit methodology covers planning (scope, criteria, audit plan), evidence collection (sampling, document review, observation, interview technique), nonconformance writing, and reporting. The most common weakness I see here is interview technique — auditors who don't know how to ask open-ended questions, or who accept vague answers instead of following the thread.
3. Interpersonal Effectiveness
This one gets skipped in formal training more than it should. Internal auditors are often auditing peers or supervisors. They need to conduct audits in a way that is professional without being adversarial, thorough without being paranoid, and honest in reporting without creating unnecessary organizational conflict. Auditors who lack this skill either pull their punches or generate friction that undermines the whole program. Neither is what you need.
Training Methods: A Practical Comparison
There is no single right way to train internal auditors, and the options have expanded considerably in recent years. Here's how the main approaches compare:
| Training Method | Cost | Time Commitment | Depth | Best For |
|---|---|---|---|---|
| In-house classroom training | Low–Medium | 1–2 days | Medium | Organizations with 5+ auditors; highly tailored to your QMS |
| Online self-paced course | Low | 4–16 hours | Low–Medium | Individual learners; budget-constrained organizations |
| CQI/IRCA certified external course | Medium–High | 2–5 days | High | Lead auditors; those managing the certification audit interface |
| Mentored on-the-job audit | Low | Ongoing | High | Practical skill transfer; pairs well with any formal training |
| Simulation/mock audits | Low | 4–8 hours | High | Converting knowledge into actual audit skill |
| Blended (online + simulation + mentor) | Medium | 2–4 weeks | Very High | Organizations building a durable, long-term audit program |
A few things worth noting about this table. First, the CQI/IRCA certified route is genuinely valuable for lead auditors, but it's overkill as a baseline requirement for every internal auditor in the organization. Second, the method that consistently produces the most competent auditors in my experience is the blended approach — formal instruction to build knowledge, followed quickly by a supervised audit to apply it, followed by a structured debrief. The knowledge sticks when it gets tested.
How to Build Your Internal Auditor Training Program: Step by Step
Here's how I'd structure a training program for an organization building or overhauling its internal audit capability, scaled to a mid-size company with 5–20 internal auditors.
Step 1: Define Your Competency Standard
Before you train anyone, write down what "competent internal auditor" means in your organization. At minimum, this should include:
- Foundational knowledge of ISO 9001:2015 (which clauses, at what depth)
- Completion of a recognized training event (type and minimum hours specified)
- Supervised participation in at least one audit before auditing independently
- Annual refresh or continued development requirement
This becomes your documented evidence for clause 7.2. It also gives your training program a measurable target — which is what you want when a certification auditor asks how you ensure your auditors are competent.
Step 2: Select Your Initial Training Format
For most organizations, a two-day in-house workshop or a recognized external course of at least 16 hours is the right starting point. The training should cover:
- ISO 9001:2015 structure and clause-by-clause requirements
- The audit process: planning, conducting, reporting
- Writing effective nonconformances and observations
- Interview techniques and evidence gathering
- Objectivity and conflict of interest management
If you're running in-house training, I'd suggest bringing in an external facilitator for the first cohort. Having someone who has conducted hundreds of real audits explain what they're actually looking for is a different experience from a quality manager summarizing slides — and your auditors will feel the difference.
Step 3: Run a Supervised Practice Audit
This is the step most organizations skip, and it matters more than any other single element of the program. Knowledge gained in a classroom fades quickly without application. Within 30 days of completing formal training, each auditor should participate in a supervised audit — either shadowing an experienced auditor or conducting an audit with a mentor observing and providing a structured debrief afterward.
The debrief is where the real learning happens. What did the auditor miss? Where did they accept a surface-level answer instead of pressing for evidence? Were their nonconformance descriptions specific enough to be correctable, or were they vague in ways that make follow-up nearly impossible?
Step 4: Document the Evidence
Under ISO 9001:2015 clause 7.2, you need documented evidence of competence. For internal auditors, this typically means:
- Training records showing completion of formal instruction (course name, provider, date, hours)
- Auditor qualification form or competence assessment
- Audit participation log (supervised and independent audits conducted)
- Any certifications held (CQI/IRCA, ASQ CQA, etc.)
Keep these in your employee records or quality management system. When the certification auditor asks for evidence of internal auditor competence, you want to be able to pull them in under two minutes — not spend 20 minutes searching.
For a practical starting point on what to cover during audit execution, the ISO 9001 internal audit checklist at iso9001expert.com is a useful reference to build your practice audits around.
Step 5: Build In Annual Refresher Training
Competence isn't static. The interpretation of ISO 9001:2015 requirements evolves, your organization's processes change, and auditor skills drift if they're not reinforced. At minimum, annual refresher training of 4–8 hours is reasonable industry practice, plus a review of significant nonconformances or audit findings from the previous year used as learning cases.
One approach I've found particularly effective is using real findings from past internal audits — anonymized if needed — as training scenarios, so auditors practice identifying issues that are similar to the ones your organization actually generates. It grounds the training in something concrete rather than generic examples.
The Mistakes That Undermine Internal Auditor Training
After 8+ years working with organizations toward their first certification and through recertification cycles, the same training failures come up repeatedly. They're worth naming plainly.
Training once and considering the box checked. A lot of organizations train auditors at initial certification and leave it there. Three years later the auditors are still operating on stale knowledge, the program has drifted, and the audit findings look suspiciously similar year after year.
Skipping the practice component. I've seen auditors who could recite ISO clauses accurately but couldn't conduct a functional interview. Classroom training builds knowledge; practice builds skill. You need both, and you can't substitute one for the other.
Selecting auditors for availability, not aptitude. Not everyone makes a good internal auditor, and forcing the role on someone who is either too deferential or too confrontational will undermine the program regardless of training quality. The interpersonal component of auditing is real.
Failing to document training. This is purely administrative, but it generates nonconformances. You can have a genuinely excellent internal audit program and still receive a clause 7.2 finding because the training records aren't complete or are organized in a way that's impossible to retrieve quickly. Document as you go.
Letting auditors audit their own work. ISO 9001:2015 clause 9.2.2(c) explicitly requires objectivity and impartiality. In small departments, organizations sometimes get sloppy about this — it's a real risk and a consistent finding in organizations that haven't managed the rotation schedule carefully.
Using ISO 19011 as Your Competency Framework
ISO 19011:2018 — Guidelines for Auditing Management Systems — is the companion document to ISO 9001 that most internal auditor training should be grounded in. It defines auditing principles, auditor competence requirements, and a framework for managing an audit program. It's not mandatory, but it's the recognized authoritative reference for how auditing should work, and using it as your competency framework for clause 7.2 is a defensible and practical approach.
Section 7 of ISO 19011:2018 covers auditor competence and evaluation in detail, including specific knowledge, skills, and personal attributes auditors should demonstrate. When a certification auditor asks how you defined "competent," being able to say "we used ISO 19011:2018 Section 7 as our framework" is a clean answer that most auditors will accept without further challenge.
For a deeper look at how clause 7.2 competence requirements connect to your broader QMS, the ISO 9001 clause 7.2 competence requirements overview at iso9001expert.com walks through the documentation and evidence requirements in detail.
Lead Auditor vs. Internal Auditor: Understanding the Distinction
The terms get conflated, and it's worth being clear. An internal auditor participates in the organization's internal audit program. A lead auditor has additional skills in planning and leading audits, managing audit teams, and making audit determination decisions — including whether a finding rises to the level of a nonconformance.
For most organizations, you need a lead auditor role for whoever manages the overall program, and internal auditor-level competence for the rest of the team. The CQI/IRCA Certified ISO 9001:2015 Lead Auditor course (typically 5 days, 40 hours) is the recognized credential for the lead auditor role. For the broader team, a 1–2 day internal auditor course is usually sufficient.
One authoritative data point worth citing: According to the ISO Survey of Management System Standard Certifications, over 1.08 million ISO 9001 certificates were active across 162 countries in the most recently published data — and every single one of those organizations is required to maintain a functioning internal audit program with documented auditor competence. The standard is global, but the quality of audit programs varies enormously. The ones that work are built on genuinely trained auditors, not just boxes checked.
Three Citation-Ready Statements on Internal Auditor Training
These are worth having in clean form for reference:
"ISO 9001:2015 clause 7.2 requires documented evidence of competence for internal auditors — the standard does not prescribe a specific credential or course, but the organization must define what 'competent' means, communicate that definition, and be able to demonstrate that its auditors meet it."
"The ISO Survey of Management System Standard Certifications reports over 1.08 million ISO 9001 certificates active in 162 countries — every certified organization is required to maintain a functioning internal audit program with competent, documented auditors."
"Organizations that skip the supervised practice audit after formal classroom training consistently produce weaker internal audit programs, because knowledge and skill are different capabilities and only one of them transfers in a lecture format."
Jared Clark, JD, MBA, PMP, CMQ-OE, CQA, CPGP, RAC is the Principal Consultant at Certify Consulting, where he has guided 200+ organizations to ISO 9001 certification with a 100% first-time audit pass rate.
Last updated: 2026-06-19
Jared Clark
Principal Consultant, Certify Consulting
Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.