9001:2026
All articles
AuditMay 10, 202612 min read

ISO 9001 internal audit checklist: a practical clause-by-clause guide

A working internal audit checklist for ISO 9001 — what to ask, what evidence to look for, and how to write findings that actually drive improvement.

Internal audits are where a QMS either earns its keep or quietly decays. Done well, they surface real risks before customers or external auditors do. Done badly, they generate paperwork nobody reads. The difference is almost entirely in how the auditor prepares and the questions they ask.

This checklist walks clause by clause through ISO 9001:2015 and gives you the questions, the evidence to look for, and the common weak spots in each area. Use it as a starting point — then tailor it to your processes.

Before the audit

  • Confirm scope, audit criteria, and dates with the auditee
  • Review the previous audit report and any open corrective actions
  • Pull the relevant procedures, KPIs, and records for the period
  • Plan opening and closing meetings — they are part of the audit, not a courtesy

Clause 4 — Context of the organization

  • Is the context analysis current? When was it last reviewed?
  • Are interested parties and their relevant requirements identified and monitored?
  • Does the QMS scope match what the organization actually does?
  • Are the processes of the QMS identified, with sequence and interaction shown?

Common weak spot: a context analysis written once at certification and never revisited. Look for evidence of review at management review.

Clause 5 — Leadership

  • Can top management explain the quality policy in their own words?
  • Are quality objectives connected to business objectives, not floating in isolation?
  • Are roles, responsibilities, and authorities documented and known?
  • Is the customer focus visible in decisions, not just in the policy statement?

Clause 6 — Planning

  • Risks and opportunities identified for each key process — not just at the organizational level
  • Quality objectives are SMART: measurable, time-bound, with an owner
  • Changes to the QMS are planned, not reactive — look at recent changes and the planning evidence

Clause 7 — Support

  • Resources: are infrastructure, environment, and monitoring equipment adequate? Calibration records up to date?
  • Competence: requirements defined per role; gaps identified and addressed
  • Awareness: sample 3–5 staff at different levels — can they describe the policy and their contribution?
  • Documented information: version control, approval, and access — pick 5 documents and trace the chain

Clause 8 — Operation

8.1–8.3: Planning, requirements, design

  • Are customer requirements captured, reviewed, and confirmed before commitment?
  • If design applies: inputs, controls, outputs, reviews, verification, validation, and changes traceable

8.4: Externally provided processes, products, and services

  • Supplier evaluation criteria and records
  • Re-evaluation cycle — when was it last performed, with what result?
  • Controls proportionate to the impact of the supplier on conformity

8.5–8.7: Production, release, nonconforming output

  • Work instructions present where needed; traceability where required
  • Release of products/services authorized — sample release records
  • Nonconforming output: identification, segregation, disposition, records

Clause 9 — Performance evaluation

  • What is monitored, by whom, how often, and with what method?
  • Customer satisfaction — how is it measured, and what changed as a result?
  • Internal audit programme covers all processes and clauses across the cycle
  • Management review: all required inputs (9.3.2) and outputs (9.3.3) evidenced

Clause 10 — Improvement

  • Nonconformities and corrective actions: root cause analysis is real, not a copy of the description
  • Trend analysis across nonconformities — are recurring issues being addressed systemically?
  • Evidence of continual improvement beyond closing CARs

Writing findings that actually drive improvement

A useful finding has three parts: the requirement, the evidence observed, and the gap between them. Avoid auditor-speak. "Procedure XYZ-001 rev 3 was not available to operators on Line 2 (Clause 7.5.3.1)" is more useful than "document control issue."

  • Distinguish nonconformity, observation, and opportunity for improvement — and use them honestly
  • One finding per issue — don't bundle
  • Always cite the clause and the evidence
  • Discuss findings with the auditee before the closing meeting — no surprises

After the audit

Issue the report within a week while the audit is still fresh. Track corrective actions to closure with verification of effectiveness — not just verification that something was done. The next audit cycle should start by reviewing whether last cycle's actions actually held.

Keep reading

Strategy

Success with a QMS: what separates leaders from compliance-only adopters

Most organizations get a certificate. A few get a competitive advantage. Here is what the leaders consistently do differently with their quality management systems.

AI & Quality

QMS in the age of AI: rethinking quality when the work itself is changing

AI is reshaping how products are designed, how decisions get made, and how nonconformities are detected. ISO 9001:2026 takes a first step, but the implications go further.