ISO 9001 clause 9.2 requires internal audits at "planned intervals" to check that your quality management system conforms to your own requirements and to the standard — and that it's effectively implemented and maintained. It doesn't prescribe a specific checklist or frequency, which is both freedom and a trap: too loose, and audits become a formality; too rigid, and they become a burden nobody wants to run.
How often should you audit?
There's no fixed rule, but a workable default for most SMEs is:
- High-risk / high-change processes (production, design changes, supplier onboarding) — quarterly.
- Stable, lower-risk processes (HR records, internal comms) — annually.
- Full-system coverage — every clause and process audited at least once within a 12-month cycle, so you enter your certification/surveillance audit with no blind spots.
Risk-based scheduling — auditing more often where nonconformities, complaints or process changes have clustered — is more defensible to an auditor than a flat annual sweep of everything.
A clause-by-clause checklist structure
Rather than a generic checklist, structure your audit program around the clauses that generate the most findings in practice:
Clause 4 — Context of the organization
- Is the scope statement current and does it match what you actually do?
- Are internal/external issues and interested-party needs reviewed, not just filed once and forgotten?
Clause 5 — Leadership
- Is the quality policy communicated and understood at the working level, not just posted on a wall?
- Are responsibilities and authorities (who owns what) actually assigned and known?
Clause 6 — Planning (risk & objectives)
- Are quality objectives measurable, and is progress actually tracked?
- Is there evidence that risks and opportunities were considered when planning changes?
Clause 7 — Support (resources, competence, documented information)
- Is training/competence evidence current for people in the process you're auditing?
- Are the documents in use the current version? Check the shop-floor copy against the master.
Clause 8 — Operation
- Are customer requirements captured and reviewed before order acceptance?
- Is incoming/in-process/final inspection evidence complete and traceable?
- Are nonconforming outputs identified, segregated and controlled?
Clause 9 — Performance evaluation
- Is customer satisfaction actually monitored, not just assumed from lack of complaints?
- Do internal audit results feed management review with real substance?
Clause 10 — Improvement
- Are nonconformities linked to CAPAs, and are those CAPAs actually closed — with verification, not just a status flip?
Auditor tip: the fastest way to find real issues is to trace a single order, batch or record end-to-end through the system — "follow the thread" — rather than checking each clause in isolation. Systemic gaps show up at the seams between processes.
Turning findings into action
A finding that doesn't lead anywhere is worse than not auditing at all — it tells your team the audit is theatre. The fix: findings should raise a nonconformity in the same system you track everything else in, immediately, with evidence attached, so it flows straight into your CAPA process rather than living in a separate audit report that nobody revisits.
AI can help here too — drafting the audit agenda from your actual scope (standard, department, site) and producing a first-pass report, so the audit team spends its time on judgment, not formatting.