Clause 9.2 Compliance

ISO 9001 Internal Audits
Building an Effective Audit Program

A strong internal audit program is the backbone of ISO 9001 compliance. Clause 9.2 requires planned audits that verify your QMS conforms to the standard and is effectively implemented — turning audit findings into corrective actions and driving continual improvement across every process.

The Standard’s Requirements

What Clause 9.2 Actually Requires

ISO 9001:2015 clause 9.2 mandates that organizations conduct internal audits at planned intervals to verify two things: first, that the quality management system conforms to the organization’s own planned arrangements, to the requirements of ISO 9001:2015 itself, and to any additional QMS requirements the organization has established; second, that the QMS is effectively implemented and maintained.

The standard goes further. Organizations must plan, establish, implement, and maintain an audit program that considers the importance of the processes concerned, changes affecting the organization, and the results of previous audits. Audit criteria and scope must be defined for each audit. Auditors must be selected to ensure objectivity and impartiality — meaning you cannot audit your own work. Results must be reported to relevant management, and corrective actions must be taken without undue delay.

These are not suggestions. During a certification or surveillance audit, registrars will examine your internal audit program in detail — reviewing your audit schedule, auditor qualifications, audit reports, nonconformity records, and corrective action closure. A weak internal audit program is one of the most common sources of audit findings.

Building the Foundation

Audit Planning & Scheduling

A risk-based audit schedule ensures complete QMS coverage and focuses resources where they matter most.

Annual Audit Schedule

The audit program starts with an annual schedule that maps every ISO 9001 clause and every organizational process to specific audit dates. A well-designed schedule ensures that every element of your QMS is audited at least once per year — the typical audit cycle. The schedule should be approved by top management and communicated across the organization.

We recommend organizing your schedule by process rather than by clause alone. A single process audit can cover multiple ISO 9001 clauses simultaneously, making better use of auditor time and providing more meaningful insights into how your system actually operates.

Risk-Based Prioritization

Not all processes carry the same risk. ISO 9001:2015 explicitly requires your audit program to account for the importance of the processes concerned, changes affecting the organization, and results of previous audits. This means high-risk processes — production, design and development, customer-related processes — may need to be audited more frequently than lower-risk support functions.

When a process has produced nonconformities, customer complaints, or undergone significant changes, increase its audit frequency. Conversely, processes with a strong track record may be audited less often, freeing auditor resources for areas that need more attention.

Audit Scope & Criteria

Each individual audit must define its scope (which processes, departments, or clauses will be examined) and criteria (the requirements against which performance will be evaluated). Criteria typically include the relevant ISO 9001 clauses, your organization’s documented procedures and work instructions, customer requirements, and applicable regulatory or legal requirements. Clear scope and criteria prevent audits from becoming unfocused reviews that produce vague findings with limited value.

Auditor Requirements

Auditor Competence & Independence

The credibility of your entire internal audit program rests on the competence and independence of your auditors. ISO 9001 clause 9.2.2 is explicit: auditors must be selected to ensure objectivity and impartiality. Auditors shall not audit their own work. This is a non-negotiable requirement that registrars verify during every external audit.

Competence requirements are addressed through ISO 19011:2018 — the international standard for auditing management systems. At minimum, internal auditors need formal training (typically a 16-hour internal auditor course), understanding of ISO 9001 requirements, knowledge of the processes being audited, and demonstrated auditing skills including evidence gathering, interviewing, and report writing.

For small organizations where cross-functional auditing is limited, outsourcing internal audits to a qualified consultant like Certify Consulting ensures both competence and independence without the overhead of maintaining a large internal audit team.

Training Requirements

A 16-hour internal auditor course covering ISO 9001 requirements, audit techniques, evidence evaluation, and reporting, together with familiarity with the ISO 19011 guidelines for auditing management systems.

Independence Rule

Auditors must not audit their own department or their own work. Cross-functional auditing — where department A audits department B — is the standard approach for maintaining impartiality.

Personal Attributes

Ethical conduct, fair presentation, due professional care, independence, evidence-based approach. Good auditors ask open-ended questions and follow the evidence without preconceptions.

Competence Records

Maintain documented evidence of auditor training, qualifications, and experience. Registrars will review these records to verify your auditors are qualified to conduct the audits assigned to them.
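As an added example (not a tool from the page's author or from ISO), the following Python sketch turns the planning rules above into a working schedule: it derives each process's audit frequency from the three inputs clause 9.2.2 names (importance of the process, changes affecting it, results of previous audits), assigns auditors so that nobody audits their own department, and checks that clauses 4 through 10 are all covered within the cycle. The scoring weights, frequency thresholds, process list and auditor roster are assumptions made for the example.

```python
"""Risk-based internal audit schedule builder for ISO 9001:2015 clause 9.2.

Illustrative code added for this page; it is not a tool from the page's author
or from ISO. The scoring weights, frequency thresholds, process list and
auditor roster are all assumptions made for the example.
"""
from dataclasses import dataclass


@dataclass
class Process:
    name: str
    department: str
    clauses: list        # ISO 9001 clauses an audit of this process covers
    importance: int      # assumed scale: 1 support, 2 significant, 3 core/customer-facing
    prior_ncs: int       # nonconformities raised in the previous audit cycle
    complaints: int      # customer complaints attributed to the process since then
    changed: bool        # significant change (people, equipment, procedure) since last audit


@dataclass
class Auditor:
    name: str
    department: str


def audits_per_year(p: Process) -> int:
    """Derive frequency from the three inputs clause 9.2.2 names: importance of the
    process, changes affecting the organization, and results of previous audits.
    Every process is audited at least once per cycle (thresholds are assumed)."""
    score = p.importance
    score += 2 if p.changed else 0
    score += min(p.prior_ncs, 3)      # cap so one bad cycle does not dominate forever
    score += min(p.complaints, 2)
    if score >= 8:
        return 12                     # monthly
    if score >= 5:
        return 4                      # quarterly
    if score >= 3:
        return 2                      # semi-annual
    return 1                          # annual minimum


def pick_auditor(p: Process, auditors: list, load: dict) -> str:
    """Independence rule (9.2.2): nobody audits their own department.
    Among eligible auditors choose the least loaded one."""
    eligible = [a for a in auditors if a.department != p.department]
    if not eligible:
        raise ValueError(f"no independent auditor available for {p.name}")
    chosen = min(eligible, key=lambda a: load[a.name])
    load[chosen.name] += 1
    return chosen.name


def build_schedule(processes: list, auditors: list) -> list:
    """Return audit entries {month, process, auditor, clauses} for one annual cycle."""
    load = {a.name: 0 for a in auditors}
    schedule = []
    for p in processes:
        n = audits_per_year(p)
        months = [1 + (12 // n) * i for i in range(n)]   # n=4 -> months 1, 4, 7, 10
        for m in months:
            schedule.append({"month": m, "process": p.name,
                             "auditor": pick_auditor(p, auditors, load),
                             "clauses": p.clauses})
    return sorted(schedule, key=lambda e: (e["month"], e["process"]))


def clause_gaps(schedule: list, required=range(4, 11)) -> list:
    """ISO 9001 clauses 4-10 that no scheduled audit would cover."""
    covered = {c for e in schedule for c in e["clauses"]}
    return sorted(set(required) - covered)


# Constructed sample data (assumed, not from the page).
PROCESSES = [
    Process("Production", "Operations", [7, 8], 3, 2, 1, False),
    Process("Design & Development", "Engineering", [6, 8], 3, 0, 0, True),
    Process("Purchasing", "Supply Chain", [8], 2, 1, 0, False),
    Process("Document Control", "Quality", [7], 1, 0, 0, False),
    Process("Management Review", "Executive", [4, 5, 9, 10], 2, 0, 0, False),
]
AUDITORS = [Auditor("Alice", "Quality"), Auditor("Bob", "Operations"),
            Auditor("Chen", "Engineering")]

if __name__ == "__main__":
    sched = build_schedule(PROCESSES, AUDITORS)
    for e in sched:
        print(f"month {e['month']:2d}  {e['process']:<22} auditor={e['auditor']:<6} clauses={e['clauses']}")
    print("uncovered clauses:", clause_gaps(sched) or "none")
```

Running the script prints twelve audit slots for the cycle: Production and Design & Development are audited quarterly because of their importance, prior findings and recent change, Purchasing twice, and the two low-risk processes once. When a process has no independent auditor at all (the small-organization case discussed above), `pick_auditor` raises rather than silently assigning someone from the audited department, which is the point at which outsourcing that audit becomes the practical answer.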

Practical Tools

Internal Audit Checklist by Clause

A clause-by-clause checklist ensures comprehensive coverage. Here are the critical verification points for each major section of ISO 9001:2015.

Clause 4 — Context of the Organization

Verify internal/external issues are identified and monitored. Confirm interested parties and their requirements are documented. Check that QMS scope is defined and available as documented information. Validate process interactions are mapped.

Clause 5 — Leadership

Confirm top management demonstrates commitment to the QMS. Verify the quality policy is established, communicated, and understood. Check that roles, responsibilities, and authorities are assigned. Ensure customer focus is maintained.

Clause 6 — Planning

Verify risks and opportunities have been identified and actions planned. Confirm quality objectives are measurable, monitored, and aligned with the quality policy. Check that changes to the QMS are planned and managed systematically.

Clause 7 — Support

Verify resources are adequate (people, infrastructure, environment, monitoring equipment, organizational knowledge). Confirm competence is determined and training records maintained. Check awareness, communication processes, and documented information control.

Clause 8 — Operation

Verify operational planning and control. Check requirements for products/services, design and development controls, external provider management, production/service provision, release criteria, and control of nonconforming outputs.

Clause 9 — Performance Evaluation

Verify monitoring, measurement, analysis, and evaluation activities. Confirm customer satisfaction is monitored. Check internal audit program effectiveness. Validate management review is conducted with all required inputs and outputs.

Clause 10 — Improvement

Verify nonconformity and corrective action processes are effective. Confirm root cause analysis is performed. Check that continual improvement opportunities are identified and acted upon. Validate improvement results are documented.

The Audit Process

Conducting the Internal Audit

Every internal audit follows a structured process: opening meeting, evidence gathering, and closing meeting. Here is how each phase works.

1. Opening Meeting

The opening meeting sets the stage for the audit. The lead auditor confirms the audit scope, criteria, and schedule with the auditee. This is where you establish the ground rules: the audit is a collaborative process, not an adversarial one. Explain the methodology (document review, interviews, observation), confirm the auditee’s availability, and address any logistical concerns.

For internal audits, opening meetings can be brief — 10 to 15 minutes is typical. The goal is alignment on what will be examined, how findings will be categorized (major, minor, observation), and when the closing meeting will occur.

2. Evidence Gathering

This is the core of the audit. The auditor collects objective evidence through three primary methods: document review (examining records, procedures, and work instructions), interviews (talking with personnel who perform the processes), and observation (watching processes being performed in real time). Effective auditors use their checklist as a guide but follow the evidence wherever it leads.

Key techniques include asking open-ended questions (“Show me how you...” rather than “Do you...?”), tracing a process from start to finish, sampling records to verify consistency, and cross-referencing what the procedure says with what actually happens on the floor. Discrepancies between documented procedures and actual practice are the most common source of nonconformities.

3. Closing Meeting

The closing meeting presents audit findings to the auditee and relevant management. The auditor summarizes what was examined, presents any nonconformities with supporting objective evidence, highlights positive observations, and outlines next steps for corrective action. Every finding should be discussed with the auditee to ensure mutual understanding — there should be no surprises.

Agree on corrective action timelines during the closing meeting. For minor nonconformities, 30 days is typical. Major nonconformities require immediate containment action with root cause analysis and corrective action completed within 60 to 90 days. Document the closing meeting outcomes as part of the audit record.

After the Audit

Nonconformity Reports & Corrective Action

A nonconformity report (NCR) is the formal record of an audit finding where a requirement has not been met. Writing effective NCRs is a critical auditor skill. Each report must include a clear statement of the nonconformity, the specific requirement that was not met (ISO 9001 clause, procedure, or customer requirement), the objective evidence supporting the finding, and the classification (major or minor).

The corrective action process under clause 10.2 requires the organization to react to the nonconformity by taking action to control and correct it and to deal with the consequences. Next, evaluate the need for action to eliminate the root cause so the nonconformity does not recur or occur elsewhere. Finally, implement the corrective action, review its effectiveness, and update risks and opportunities if necessary.

The most common mistake organizations make is treating corrective action as correction — fixing the immediate problem without addressing the root cause. A missing training record should prompt investigation into why the training management process failed, not simply a rush to create the missing record.

Corrective Action Process

1. Containment

Immediately contain the nonconformity to prevent further impact. Segregate nonconforming product, stop the process, or implement interim controls.

2. Root Cause Analysis

Use tools like 5 Why analysis, fishbone diagrams, or fault tree analysis to identify the true root cause — not just the symptoms.

3. Corrective Action

Implement changes to eliminate the root cause. This may involve procedure updates, additional training, process redesign, or resource allocation.

4. Effectiveness Verification

After implementation, verify the corrective action actually works. Follow-up audits, data analysis, or monitoring confirm the nonconformity has not recurred.

Closing the Loop

Management Review & Continual Improvement

Internal audit results are a mandatory input to management review under clause 9.3. This is where audit data becomes strategic intelligence. Top management reviews nonconformity trends, corrective action effectiveness, audit program coverage, and overall QMS performance to make decisions about resource allocation, process improvements, and strategic direction.

A strong internal audit program does not exist in isolation — it feeds the continual improvement engine that ISO 9001 is built around. Audits identify problems. Corrective actions fix root causes. Management review ensures systemic issues receive leadership attention. Quality objectives drive proactive improvement. Each element reinforces the others, creating a self-sustaining cycle that makes the organization better over time.

Trend Analysis

Track nonconformity types, frequencies, and recurrence rates across audit cycles to identify systemic issues.

CA Effectiveness

Measure what percentage of corrective actions actually prevent recurrence. Target >90% first-time effectiveness.

Continual Improvement

Use audit data to drive quality objectives and improvement projects that deliver measurable business results.
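The three measures just listed can be computed directly from an NCR log. The following Python is an added illustration, not the page author's tooling; the NCR records and their field names are constructed for the example. Recurrence is measured as the share of (process, finding type) pairs raised in a cycle that were also raised in the previous cycle, first-time effectiveness as the share of a cycle's corrective actions that passed their effectiveness verification, and a finding type is flagged as systemic when it shows up in two or more cycles.

```python
"""Audit trend analysis and corrective-action effectiveness metrics.

Added illustration for this page (not the page author's tooling). The NCR
records below are constructed sample data and the field names are assumptions.
"""
from collections import defaultdict

# Constructed sample NCRs, one dict per nonconformity report:
#   cycle        - audit cycle (year) in which the finding was raised
#   process      - audited process
#   nc_type      - finding category used for trending
#   ca_effective - corrective action passed effectiveness verification first time
NCRS = [
    {"id": "NCR-2023-01", "cycle": 2023, "process": "Production", "nc_type": "missing training record", "ca_effective": True},
    {"id": "NCR-2023-02", "cycle": 2023, "process": "Purchasing", "nc_type": "unapproved supplier",     "ca_effective": False},
    {"id": "NCR-2023-03", "cycle": 2023, "process": "Production", "nc_type": "uncalibrated gauge",      "ca_effective": True},
    {"id": "NCR-2024-01", "cycle": 2024, "process": "Purchasing", "nc_type": "unapproved supplier",     "ca_effective": True},
    {"id": "NCR-2024-02", "cycle": 2024, "process": "Design",     "nc_type": "missing training record", "ca_effective": True},
    {"id": "NCR-2024-03", "cycle": 2024, "process": "Production", "nc_type": "missing training record", "ca_effective": False},
    {"id": "NCR-2025-01", "cycle": 2025, "process": "Production", "nc_type": "missing training record", "ca_effective": True},
    {"id": "NCR-2025-02", "cycle": 2025, "process": "Purchasing", "nc_type": "unapproved supplier",     "ca_effective": True},
]


def counts_by_type(ncrs: list) -> dict:
    """nc_type -> {cycle: number of findings}; the raw material for a trend chart."""
    out = defaultdict(lambda: defaultdict(int))
    for n in ncrs:
        out[n["nc_type"]][n["cycle"]] += 1
    return {t: dict(c) for t, c in out.items()}


def recurrence_rate(ncrs: list, cycle: int) -> float:
    """Share of (process, nc_type) findings in `cycle` that were also raised in the
    previous cycle. A recurrence means the earlier corrective action was a
    correction only and did not remove the root cause."""
    this = {(n["process"], n["nc_type"]) for n in ncrs if n["cycle"] == cycle}
    prev = {(n["process"], n["nc_type"]) for n in ncrs if n["cycle"] == cycle - 1}
    if not this:
        return 0.0
    return len(this & prev) / len(this)


def first_time_effectiveness(ncrs: list, cycle: int) -> float:
    """Fraction of the cycle's corrective actions that passed verification first time."""
    closed = [n for n in ncrs if n["cycle"] == cycle]
    if not closed:
        return 0.0
    return sum(1 for n in closed if n["ca_effective"]) / len(closed)


def systemic_issues(ncrs: list, min_cycles: int = 2) -> dict:
    """Finding types raised in at least `min_cycles` distinct cycles, with those cycles."""
    seen = defaultdict(set)
    for n in ncrs:
        seen[n["nc_type"]].add(n["cycle"])
    return {t: sorted(c) for t, c in seen.items() if len(c) >= min_cycles}


def cycles_below_target(ncrs: list, cycles: list, target: float = 0.90) -> list:
    """Cycles whose first-time effectiveness misses the >90% target quoted above."""
    return [c for c in cycles if first_time_effectiveness(ncrs, c) < target]


if __name__ == "__main__":
    for t, per_cycle in counts_by_type(NCRS).items():
        print(f"{t:<24} {per_cycle}")
    for c in (2023, 2024, 2025):
        print(f"{c}: recurrence={recurrence_rate(NCRS, c):.0%} "
              f"first-time CA effectiveness={first_time_effectiveness(NCRS, c):.0%}")
    print("systemic:", systemic_issues(NCRS))
    print("below target:", cycles_below_target(NCRS, [2023, 2024, 2025]))
```

On the sample data both "missing training record" and "unapproved supplier" are flagged as systemic because they reappear in every cycle, and 2023 and 2024 both fall below the 90% first-time effectiveness target; those are exactly the items that belong in the management review input pack rather than in a filing cabinet.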

Expert Guidance

We Build Audit Programs That Pass Scrutiny

Many organizations struggle with internal audits because they treat them as a compliance checkbox rather than a strategic tool. The result is superficial audits that miss real problems, poorly written NCRs that don’t drive meaningful corrective action, and management reviews that rubber-stamp reports without engaging with the data.

We take a different approach. We build internal audit programs that are rigorous enough to satisfy any registrar and practical enough that your team can execute them year after year. Every engagement is led personally by Jared Clark, CMQ-OE — so you get expert-level audit program design, not a generic template.

Whether you need to build an audit program from scratch, train your internal auditors, or outsource your entire internal audit function, we have a solution that fits your organization’s size and maturity level.

Audit Program Design

Complete audit program setup including schedule, checklists, NCR forms, corrective action tracking, and management review templates.

Internal Auditor Training

Hands-on training for your team covering ISO 19011 methodology, audit techniques, evidence evaluation, and NCR writing. Includes practice audits with coaching.

Outsourced Internal Audits

We conduct your internal audits as an independent third party. Guaranteed objectivity, professional reporting, and experienced auditors who know what registrars look for.

Common Questions

Internal Audit FAQ

ISO 9001:2015 clause 9.2 requires internal audits at planned intervals, but does not prescribe a specific frequency. Most organizations conduct a full audit cycle annually, covering every clause and process at least once per year. Higher-risk processes or areas with previous nonconformities may warrant more frequent audits — quarterly or even monthly. The key is that your audit schedule is risk-based and ensures complete QMS coverage within each cycle.

No. ISO 9001:2015 clause 9.2.2 explicitly requires auditor objectivity and impartiality, meaning auditors must not audit their own work or their own department. This independence requirement ensures audit findings are credible and unbiased. In small organizations with limited personnel, cross-functional auditing — where department A audits department B and vice versa — is the standard approach. Outsourcing internal audits to a qualified consultant is another effective option.

A major nonconformity indicates a systematic failure or complete absence of a required process, or a situation that could result in the delivery of nonconforming product or service. A minor nonconformity is an isolated lapse that does not indicate a systemic breakdown. For example, missing a single training record is typically minor, while having no document control process at all would be major. Both require corrective action, but major nonconformities demand immediate attention and root cause analysis.

ISO 9001:2015 requires that internal auditors be competent, which means they need appropriate training and demonstrated ability. At minimum, auditors should complete an internal auditor training course (typically 16 hours), understand the ISO 9001 standard requirements, and have knowledge of the processes they are auditing. ISO 19011 provides detailed guidance on auditor competence, including personal attributes like integrity, fair presentation, and professional judgment.

Yes. ISO 9001:2015 clause 9.3 requires that internal audit results be included as an input to management review. This means top management must receive and evaluate audit findings, nonconformity trends, corrective action effectiveness, and overall QMS performance. Management review is where audit data translates into strategic decisions about resource allocation, process improvements, and quality objectives. Without this feedback loop, the audit program loses its primary purpose.

Ready to Build a Stronger Internal Audit Program?

Schedule a free 30-minute consultation. We’ll evaluate your current audit program, identify gaps, and outline a practical path to clause 9.2 compliance — no obligation.

Or email us at [email protected]