
ISO 9001 Internal Audit Checklist: What to Check and How Often

2026-06-22

Internal audits are how you find out if your QMS actually works before your certification body does. Here’s a practical checklist structure and a sane audit schedule.

ISO 9001 clause 9.2 requires internal audits at "planned intervals" to check that your quality management system conforms to your own requirements and to the standard — and that it's effectively implemented and maintained. It doesn't prescribe a specific checklist or frequency, which is both freedom and a trap: too loose, and audits become a formality; too rigid, and they become a burden nobody wants to run.

How often should you audit?

There's no fixed rule, but a workable default for most SMEs is:

Risk-based scheduling — auditing more often where nonconformities, complaints or process changes have clustered — is more defensible to an auditor than a flat annual sweep of everything.

A clause-by-clause checklist structure

Rather than a generic checklist, structure your audit program around the clauses that generate the most findings in practice:

Clause 4 — Context of the organization

Clause 5 — Leadership

Clause 6 — Planning (risk & objectives)

Clause 7 — Support (resources, competence, documented information)

Clause 8 — Operation

Clause 9 — Performance evaluation

Clause 10 — Improvement

Auditor tip: the fastest way to find real issues is to trace a single order, batch or record end-to-end through the system — "follow the thread" — rather than checking each clause in isolation. Systemic gaps show up at the seams between processes.

Turning findings into action

A finding that doesn't lead anywhere is worse than not auditing at all — it tells your team the audit is theatre. The fix: findings should raise a nonconformity in the same system you track everything else in, immediately, with evidence attached, so it flows straight into your CAPA process rather than living in a separate audit report that nobody revisits.

AI can help here too — drafting the audit agenda from your actual scope (standard, department, site) and producing a first-pass report, so the audit team spends its time on judgment, not formatting.
