
ISO 9001 Internal Audit Checklist: 15 Questions Your Auditor Will Ask

Published 3 May 2026 · Last reviewed 29 March 2026

Internal audits are mandatory under ISO 9001 Clause 9.2. They are also the cheapest way to find problems: catching a nonconformity internally costs you time; catching it in a certification audit costs you time plus a follow-up visit at £800-£1,200 per day.

This ISO 9001 internal audit checklist covers 15 questions that UKAS-accredited auditors routinely ask, mapped to specific clauses, with the evidence you need and common reasons businesses fail.

Context and leadership (Clauses 4-5)

1. How have you determined external and internal issues relevant to your QMS? (Clause 4.1) Evidence: A documented SWOT, PESTLE, or simple issues table, reviewed annually. Common fail: no documented analysis at all.

2. Who are your interested parties and what are their requirements? (Clause 4.2) Evidence: A list of interested parties with specific requirements. Common fail: listing parties without their requirements — "clients" is not enough; "clients requiring SSIP accreditation and 48-hour quote turnaround" is.

3. Show me your quality policy and explain how it connects to your work. (Clause 5.2) Evidence: A signed quality policy. Employees who can describe what it means for their daily work. Common fail: a policy so generic it could belong to any business. Auditors may interview a site worker, not just the quality manager.

4. How does top management demonstrate active involvement in the QMS? (Clause 5.1) Evidence: Management review attendance records, resource allocation decisions linked to quality objectives. Common fail: a signed management review the MD clearly did not attend. Auditors probe this directly.

Planning and support (Clauses 6-7)

5. What risks and opportunities have you identified, and what have you done about them? (Clause 6.1) Evidence: A risk register with likelihood x impact evaluation and treatment actions. Common fail: a risk register created for the audit and never updated — auditors check dates.

6. What are your quality objectives and how do you track them? (Clause 6.2) Evidence: Measurable objectives with targets, measurement methods, owners, and deadlines, plus tracking data. Common fail: vague objectives like "improve quality." "Reduce complaint rate from 4.1% to 2.5% by Q4 2026" passes; "improve customer satisfaction" does not.

7. How do you ensure people doing QMS work are competent? (Clause 7.2) Evidence: Training records, qualifications, skills assessments showing competence — not just attendance. Common fail: course certificates without evidence that training achieved its objective. For regulated sectors, this overlaps with legal requirements (CSCS cards, Gas Safe registration).

8. How do you control documented information? (Clause 7.5) Evidence: A document control procedure and the ability to retrieve any document at the current version. Common fail: obsolete documents in circulation. The auditor will pick a random procedure and check. Your quality manual should describe this approach.

Operations (Clause 8)

9. Walk me through how you plan and control your operational processes. (Clause 8.1) Evidence: Process documentation with inputs, outputs, controls, and criteria. Common fail: documented processes that do not match reality. Auditors observe work — if your procedure says orders are confirmed in writing but the workshop starts jobs on verbal instructions, that is a nonconformity.

10. How do you deal with nonconforming outputs? (Clause 8.7) Evidence: A log of nonconforming outputs with disposition (rework, scrap, concession). Common fail: an empty log. Every business produces nonconforming work. An empty log tells the auditor you are not recording it.

11. How do you evaluate and monitor suppliers? (Clause 8.4) Evidence: An approved supplier list with evaluation criteria and ongoing monitoring records. Common fail: a list created at certification and never reviewed. Clause 8.4 requires ongoing evaluation.

Performance evaluation (Clause 9)

12. How do you monitor customer satisfaction? (Clause 9.1.2) Evidence: A defined method — surveys, complaint tracking, repeat business rates, NPS — with analysis of results. Common fail: "We would know if customers were unhappy." That is not a monitoring method.

13. Show me your internal audit programme and results. (Clause 9.2) Evidence: An audit schedule covering all processes, reports with classified findings, corrective actions with closure evidence. Common fail: audits without independence. Clause 9.2.2 requires impartiality — swap auditors between departments. If you have not built your programme yet, our gap analysis checklist covers each clause requirement.

14. Show me management review inputs and outputs. (Clause 9.3) Evidence: Minutes covering all required inputs per Clause 9.3.2 (audit results, customer feedback, process performance, corrective action status, resource adequacy, improvement opportunities) and outputs per Clause 9.3.3 (decisions, resource needs, QMS changes). Common fail: missing mandatory inputs. Auditors cross-reference the standard's list against your minutes.

Improvement (Clause 10)

15. Pick a recent nonconformity and walk me through what you did. (Clause 10.2) Evidence: A corrective action record showing the nonconformity, containment action, root cause analysis, corrective action, and effectiveness verification. Common fail: fixing the symptom without analysing the root cause. "We re-did the work" is containment, not corrective action. The auditor wants to see a systemic change and evidence it worked.

Practical takeaway checklist

Before your next audit:

  1. Answer all 15 questions above and confirm you have evidence for each
  2. Verify your quality manual matches current practice
  3. Confirm documented procedures are at the current version
  4. Check quality objectives have measurement data from the last quarter
  5. Confirm management review was held within the last 12 months with all required inputs
  6. Review corrective action records for root cause analysis and effectiveness verification
  7. Walk through one recent customer complaint from receipt to closure
  8. Brief staff that auditors may interview anyone

For a quick assessment, try the ISO 9001 readiness quiz. If you are preparing for the ISO 9001:2026 transition, audit against the new clause structure early to identify gaps before your next certification audit.

This article is for general informational purposes only and does not constitute legal, regulatory, or professional compliance advice. ISO certification requirements vary by scope, sector, and certification body. Always verify requirements with your UKAS-accredited certification body or a qualified consultant before making compliance decisions.
