Internal Audit Checklist Guidance

Implementation & Gap Analysis Auditing

Using this audit checklist to undertake a clause-by-clause audit works very effectively for the
initial audits in preparation for implementation, gap analysis or certification. However, once
your quality management system is implemented, your organization is expected to develop a
process approach to its auditing programme.

Each audit question phrases the ISO 9001:2015 'shall' requirements as a question, in order to
elicit either a 'yes' or 'no' response, that can be represented as an 'x'. The 'x' is used by various
formulae to create a graphical output that summarizes audit data. One question might apply to
one or more processes, functions or departments.

A ‘yes’ answer means that your organization is already meeting one of the requirements while
a ‘no’ answer will reveal a gap that exists between requirements and your organization's
management system or processes. A ‘no’ answer might indicate that a process needs to be
developed further, modified or improved in some way to make it compliant.

Process Auditing
We suggest that you make copies of this workbook and create one workbook for each process
that you identified earlier using the Process Matrix & Application Matrix. You can filter the
internal audit checklist questions show those that apply to each process as shown in the
Process Matrix.

The Process Audit Template replicates the turtle diagram (from the internal audit
procedure) and requires the auditor review the inputs, risks, controls, activities, equipment,
materials, personnel, and methods of measurement for each process. You can cross-refer the
clause references in the process audit report to the internal audit checklist questions.

Audit Scoring Criteria

The following qualitative audit scoring criteria are used to identify the level of compliance with
each requirement:

All performance indicators, metrics, objectives, audit results, etc. show

Conforming stability and consistently achieve targets. Process is fully documented and
implemented.
Poor performance/adverse trends, expected results not achieved. Current
Minor practices conform but are not documented. Process partially documented or
nonconformance partially implemented.

Practices are non-conforming, likely to cause safety or regulatory compliance

issues. Likely to have a significant adverse effect on customer satisfaction,
Major
product quality, the environment, health and safety, delivery, or profitability.
nonconformance
Process not implemented, no resources, not documented.

Opportunity for Minor problems exist, otherwise conforming, minor process or product
improvement changes planned. Post audit follow up and review is required to assess new
opportunities.
ISO 9001:2015 Internal Audit Checklist Demo
Any issues that are identified during the
The internal audit checklist ensures your internal audits Each ISO 9001:2015 'shall' requirement has been re-phrased as a Enter the letter 'x' into either Column 'F', Note any process or practice that seems
The general guidance and examples shown in Column 'E' should be referred to when undertaking an internal audit must be documented against
concisely compare your management system against the question to elicit a response that can be represented as an 'x'. 'G' or 'H', to express your answer to each weak, cumbersome, redundant or complex -
internal audit as described by ISO 9001:2015, Clause 9.2. the current ISO 9001:2015 requirements.
requirements of ISO 9001:2015. audt question. but which is still conforms.
The error tracking cells in Column 'M' display an error message
This guidance is not intended to add to, subtract from, or in any way modify the stated requirements Provide a reference to documented
Answer questions 1 to 305 to determine comformance. when more than 1 response is entered in Columns 'F', 'G' and 'H', The scoring formula assumes each An OFI may be an improvement to the QMS
of ISO 9001:2015. The examples shown are things to consider when asking audit the questions and information to justify each audit finding.
The audit results are summarized in the 'Audit Results' or whether a response has yet to be entered. See the summary in requirement conforms, until an 'x' is or something that could prevent future
looking for objective audit evidence to record. Describe the nature of any minor or major
worksheet. Cell 'M3'. entered into Column 'G' or 'H'. problems in an otherwise conforming area.
nonconformance.

Clause Question
Clause Title Audit Question Guidance & Suggestions Conforms Minor NC Major NC OFI Audit Evidence & Notes Opportunities to Improve
No No

4 Context of the Organization

Sources of evidence could come from SWOT or PESTLE analysis results, business strategy plans;
quality plans; information provided on your organization’s website; annual reports; management
meeting minutes; documented procedure; and lists of external and internal issues and conditions.

Has your organization determined external and internal issues Records of meetings where context is routinely discussed and monitored, e.g. as part of the
relevant to its purpose and its strategic direction that affect its structured management review process or within each of the respective function of the organization
4.1 Organizational Context 1 x
ability to achieve the intended result(s) of its quality management (Purchase, HR, Engineering, Sales, Finance etc.).
system?
Interviews with relevant top management in relation to the organization’s context and its strategic
direction are also a good source of compliance evidence, such as: individual strategy or tactical plan
documents written to underpin the organization’s policies and provide a road map for achieving
future goals.

External issues, examples could include:

1. Reports relating to the your organization's competitive environment, new technologies, new
markets, customer expectations, supplier intelligence, economic conditions, political considerations,
investment opportunities, social factors;
2. Identification of factors relating to changing legislation and regulation;
3. Feedback relating to product/service performance and lessons learned;
4. Register of identified external risks and their treatment.
Does your organization monitor and review information about
4.1 Organizational Context 2 x
these external and internal issues? Internal issues, examples could include:
1. Organizational structure, identification of roles/responsibilities and governance arrangements;
2. Reports on how well the organization is performing, statements relating to mission, vision and core
values;
4. Feedback obtained from employees, e.g. survey results;
5. Information and processes for capturing and sharing knowledge and lessons learned;
6. Organizational capability studies: load/capacity, resource requirements to achieve demand;
7. Register of identified internal risks and their treatment.

Examples of interested parties include: customers, partners, end users, external providers, owners,
Does your organization determine the interested parties that are
4.2 Relevant Interested Parties 3 shareholders, employees, trade unions, government agencies, regulatory authorities, and the local x x
relevant to the quality management system?
community.
Include those parties that add direct value to your organisation, or who are affected by your
Does your organization determine the requirements of these
organisation's the activities. Use of surveys, networking, face-to-face meetings, association
4.2 Relevant Interested Parties 4 interested parties that are relevant to the quality management x
membership, attending conferences, lobbying, participation in benchmarking, etc., in order to gain
system?
stakeholder information and their requirements.

Records of meetings where interested parties and their requirements are routinely discussed and
Does your organization monitor and review information about
4.2 Relevant Interested Parties 5 monitored, e.g. as part of the structured management review process, or within each of the x
these interested parties and their relevant requirements?
respective function of the organization (Purchase, HR, Engineering, Sales, and Finance etc.).

Consideration of boundaries and applicability of the QMS includes:

Does your organization determine the boundaries and
4.3 Management System Scope 6 applicability of the quality management system to establish its 1. Range of products and services; x x
scope? 2. Different sites and activities;
3. External provision of processes, products and services.
Ensure that issues relating to organizational context and the needs of interested parties
When determining this scope, has your organization considered encompassed in the scope. A lack of a documented process will require more reliance on objective
4.3 Management System Scope 7 x
the external and internal issues referred to in 4.1? evidence from interviews with Top management and the evaluation of external and internal issues
(see 4.1).
Ensure that issues relating to organizational context and the needs of interested parties
When determining this scope, has your organization considered encompassed in the scope. A lack of a documented process will require more reliance on objective
4.3 Management System Scope 8 x
the requirements of relevant interested parties referred to in 4.2? evidence from interviews with Top management and the evaluation to the requirements of
relevant interested parties (see 4.2).

When determining this scope, has your organization considered all

Obtain evidence that clearly defines what your organisation sells, produces, or provides services for.
4.3 Management System Scope 9 relevant products, services and work-related activities, functions x x
Link this to the relevant standards or ACOPs that they are governed by.
and physical boundaries to the quality management system?

Has your organization applied all the requirements of ISO

Describe the application of ISO 9001 within the scope was determined, and how has it been applied
4.3 Management System Scope 10 9001:2015 if they are applicable within the determined scope of x
by your organization.
the quality management system?

Does the scope state the types of products and services covered,
Describe how the application of ISO 9001 within the scope was determined, and how any clause
and provide justification for any requirement of ISO 9001:2015
4.3 Management System Scope 11 exclusions are justified. There must be alignment between the documented scope of the x
that your organization determines is not applicable to the scope of
organization’s QMS and their agreed scope of certification.
its quality management system?

Is the scope of your organization’s quality management system Verify objective evidence that the scope of documented and available to interested parties. A
4.3 Management System Scope 12 available and maintained as documented information and statement from your organization that the scope will be provided upon request may be accepted as x
available to interested parties and workers? (See 7.5.1a) objective evidence.

Has your organization established, implemented, maintained and ISO 9001 includes specific requirements necessary for the adoption of processes when developing,
continually improved its quality management system, including implementing and improving your QMS. This requires your organization to systematically define and
4.4 Management System Processes 13 x
the processes needed and their interactions, in accordance with manage its processes, and their interactions, in order to achieve the intended results in accordance
the requirements of ISO 9001:2015? with both the policy and strategic direction of your organization.
ISO 9001:2015 Internal Audit Checklist Demo
Any issues that are identified during the
The internal audit checklist ensures your internal audits Each ISO 9001:2015 'shall' requirement has been re-phrased as a Enter the letter 'x' into either Column 'F', Note any process or practice that seems
The general guidance and examples shown in Column 'E' should be referred to when undertaking an internal audit must be documented against
concisely compare your management system against the question to elicit a response that can be represented as an 'x'. 'G' or 'H', to express your answer to each weak, cumbersome, redundant or complex -
internal audit as described by ISO 9001:2015, Clause 9.2. the current ISO 9001:2015 requirements.
requirements of ISO 9001:2015. audt question. but which is still conforms.
The error tracking cells in Column 'M' display an error message
This guidance is not intended to add to, subtract from, or in any way modify the stated requirements Provide a reference to documented
Answer questions 1 to 305 to determine comformance. when more than 1 response is entered in Columns 'F', 'G' and 'H', The scoring formula assumes each An OFI may be an improvement to the QMS
of ISO 9001:2015. The examples shown are things to consider when asking audit the questions and information to justify each audit finding.
The audit results are summarized in the 'Audit Results' or whether a response has yet to be entered. See the summary in requirement conforms, until an 'x' is or something that could prevent future
looking for objective audit evidence to record. Describe the nature of any minor or major
worksheet. Cell 'M3'. entered into Column 'G' or 'H'. problems in an otherwise conforming area.
nonconformance.

Clause Question
Clause Title Audit Question Guidance & Suggestions Conforms Minor NC Major NC OFI Audit Evidence & Notes Opportunities to Improve
No No

4 Context of the Organization

Has your organization determined the process required for the A process is set of interrelated or interacting activities which transforms inputs into outputs. A
quality management system, including their interactions, in procedure is a specified way of fulfilling an activity within a process. QMS processes should be
4.4 Management System Processes 14 x
accordance with requirements and their application throughout defined to address: suppliers, manufacturers, internal or external customer issues, resources, design,
the organization? operation, production, logistics, products, and services, customers and end-users.

What are the expected inputs and outputs from each of the identified processes, together with
Has your organization determined the inputs required and the
4.4 Management System Processes 15 assignment of responsibilities and authorities e.g. Process Owner, Process Champion, Lead Process x
outputs expected from these processes?
User and Process User?
Describe the identification of the processes needed for the QMS, including their sequence and
Has your organization determined the sequence and interaction of interaction, e.g. E.g. process framework, process model, process groupings, process flow diagram,
4.4 Management System Processes 16 x x
these processes? process mapping, value stream mapping, Turtle diagrams, SIPOC (Supplier, Input, Process, Output,
and Customer) charts and process cards.
Has your organization determined and applied the criteria and Describe how what are the criteria, methods, measurement and related performance indicators
methods (including monitoring, measurements and related needed to operate and control those processes? Criteria and methods to ensure effective operation
4.4 Management System Processes 17 x x
performance indicators) needed to ensure the effective operation and control of the identified processes, e.g. process monitoring indicators, process performance
and control of these processes? indicators, target setting, data collection, performance trends, and internal or external audit results.
Has your organization determined the resources needed for these Describe how resources are determined and how they are made available, this might duing
4.4 Management System Processes 18 x
processes and ensure their availability? operational planning or management reviews.
Describe how are responsibilities and authorities assigned for those processes. Information needed to
Has your organization assigned responsibilities and authorities for
4.4 Management System Processes 19 ensure effective operation and control of the processes, e.g. defined process requirements (shall), x
these processes?
good practice (should), defined roles, required competencies, associated training, and guidance.
Describe how risks and opportunities are considered and what plans are made to implement actions
Has your organization addressed the risks and opportunities as to address them? Risks and opportunities relating to the process, resource needs, user
4.4 Management System Processes 20 x
determined in accordance with the requirements of 6.1? training/competency, continual improvement initiatives, frequency of reviews, agenda, minutes, and
actions.
Has your organization evaluated these processes and implement
Describe the methods that are used to monitor, measure and evaluate processes and, if needed,
4.4 Management System Processes 21 any changes needed to ensure that these processes achieve their x
what changes are made to achieve intended results?
intended results?
Describe how opportunities to improve the processes and the QMS are determined. Examples include
Does your organization improve the processes and the quality
4.4 Management System Processes 22 risk and opportunity matrices, corrective action and non-conformance records. Describe the approach x
management system?
towards improvement and action taken when process performance is not meeting intended results.
To the extent necessary, does your organization maintain
Documentation identified and retained by the organization to show that processes are carried it as
4.4 Management System Processes 23 documented information to support the operation of its x
planned, e.g. physical hard copy records, electronic media (data servers, hard drives, CDs).
processes?
Documentation created and maintained that includes a description of relevant interested parties
To the extent necessary, does your organization retain
(4.2), scope of the QMS including boundaries and applicability (4.3), description of the processes
4.4 Management System Processes 24 documented information to have confidence that the processes x
needed for the QMS, their sequence, interaction and application and assignment of responsibilities
are being carried out as planned?
for the processes.
Use this audit checklist to determine the extent to which your quality management system conforms to requirements by
determining whether those requirements have been effectively implemented and maintained. This template will help you to
assess the state of your existing management system and identify process weakness to allow a targeted approach to
priortizing corrective action.

100%
90% 5 Compliance per
80%
Domain
2
This chart displays your
70% 3
organization's
60% conformity to the main
50% clauses of the
40% standards (green bar).
30% 19 Non conforming
20% requirements are
10% shown as the two
0%
orange bars, and OFIs
4 Context 5 Leadership 6 Planning 7 Support 8 Operation 9 Evaluation 10 Improvement are shown as the
yellow coloured bar.
Compliant Minor NC Major NC OFI

Compliance per Standard Non-conformance Summary

This chart displays the percentage and ratio of various audit This chart displays the percentage and ratio of various
non-conformances throughout the requirements of ISO categories of non-conformances throughout the your
9001:2015, ISO 14001:2015 and ISO 45001:2018. organization's management system.

10 Improvement 17%
9 Evaluation
7%
8 Operation
10%
7 Support
66%
6 Planning

5 Leadership

4 Context 3 2

0 1 2 3 4 5 6

Minor NC Major NC Compliant Minor NC Major NC Opportunities