Internal Audit Checklist Guidance

Implementation & Gap Analysis Auditing

Using this audit checklist to undertake a clause-by-clause audit works very effectively for the initial audits
in preparation for implementation, gap analysis or certification. However, once your quality management
system is implemented, your organization is expected to develop a process approach to its auditing
programme.

Each audit question phrases the ISO 9001:2015 'shall' requirements as a question, in order to elicit either a
'yes' or 'no' response, that can be represented as an 'x'. The 'x' is used by various formulae to create a
graphical output that summarizes audit data. One question might apply to one or more processes,
functions or departments.

A ‘yes’ answer means that your organization is already meeting one of the requirements while a ‘no’
answer will reveal a gap that exists between requirements and your organization's management system or
processes. A ‘no’ answer might indicate that a process needs to be developed further, modified or
improved in some way to make it compliant.

Process Auditing
We suggest that you make copies of this workbook and create one workbook for each process that you
identified earlier using the Process Matrix & Application Matrix. You can filter the internal audit checklist
questions show those that apply to each process as shown in the Process Matrix.

The Process Audit Template replicates the turtle diagram (from the internal audit procedure) and requires
the auditor review the inputs, risks, controls, activities, equipment, materials, personnel, and methods of
measurement for each process. You can cross-refer the clause references in the process audit report to the
internal audit checklist questions.

Audit Scoring Criteria

The following qualitative audit scoring criteria are used to identify the level of compliance with each
requirement:

All performance indicators, metrics, objectives, audit results, etc. show stability and
Conforming
consistently achieve targets. Process is fully documented and implemented.

Poor performance/adverse trends, expected results not achieved. Current practices

Minor conform but are not documented. Process partially documented or partially
nonconformance implemented.

Practices are non-conforming, likely to cause safety or regulatory compliance issues.

Major Likely to have a significant adverse effect on customer satisfaction, product quality, the
nonconformance environment, health and safety, delivery, or profitability. Process not implemented, no
resources, not documented.

Opportunity for Minor problems exist, otherwise conforming, minor process or product changes
improvement planned. Post audit follow up and review is required to assess new opportunities.
ISO 9001:2015 Internal Audit Checklist Demo

The internal audit checklist ensures your internal audits concisely Each ISO 9001:2015 'shall' requirement has been re-phrased as a question The general guidance and examples shown in Column 'E' should be referred to when undertaking an internal audit
compare your management system against the requirements of to elicit a response that can be represented as an 'x'. as described by ISO 9001:2015, Clause 9.2.
ISO 9001:2015.
The error tracking cells in Column 'M' display an error message when more This guidance is not intended to add to, subtract from, or in any way modify the stated requirements of ISO
Answer questions 1 to 305 to determine comformance. The than 1 response is entered in Columns 'F', 'G' and 'H', or whether a 9001:2015. The examples shown are things to consider when asking audit the questions and looking for objective
audit results are summarized in the 'Audit Results' worksheet. response has yet to be entered. See the summary in Cell 'M3'. audit evidence to record.

Clause Question
Clause Title Audit Question Guidance & Suggestions
No No

4 Context of the Organization

Sources of evidence could come from SWOT or PESTLE analysis results, business strategy plans; quality plans;
information provided on your organization’s website; annual reports; management meeting minutes; documented
procedure; and lists of external and internal issues and conditions.

Has your organization determined external and internal issues relevant to Records of meetings where context is routinely discussed and monitored, e.g. as part of the structured
4.1 Organizational Context 1 its purpose and its strategic direction that affect its ability to achieve the management review process or within each of the respective function of the organization (Purchase, HR,
intended result(s) of its quality management system? Engineering, Sales, Finance etc.).

Interviews with relevant top management in relation to the organization’s context and its strategic direction are
also a good source of compliance evidence, such as: individual strategy or tactical plan documents written to
underpin the organization’s policies and provide a road map for achieving future goals.

External issues, examples could include:

1. Reports relating to the your organization's competitive environment, new technologies, new markets, customer
expectations, supplier intelligence, economic conditions, political considerations, investment opportunities, social
factors;
2. Identification of factors relating to changing legislation and regulation;
3. Feedback relating to product/service performance and lessons learned;
4. Register of identified external risks and their treatment.
Does your organization monitor and review information about these
4.1 Organizational Context 2
external and internal issues?
Internal issues, examples could include:
1. Organizational structure, identification of roles/responsibilities and governance arrangements;
2. Reports on how well the organization is performing, statements relating to mission, vision and core values;
4. Feedback obtained from employees, e.g. survey results;
5. Information and processes for capturing and sharing knowledge and lessons learned;
6. Organizational capability studies: load/capacity, resource requirements to achieve demand;
7. Register of identified internal risks and their treatment.

Does your organization determine the interested parties that are relevant Examples of interested parties include: customers, partners, end users, external providers, owners, shareholders,
4.2 Relevant Interested Parties 3
to the quality management system? employees, trade unions, government agencies, regulatory authorities, and the local community.

Include those parties that add direct value to your organisation, or who are affected by your organisation's the
Does your organization determine the requirements of these interested
4.2 Relevant Interested Parties 4 activities. Use of surveys, networking, face-to-face meetings, association membership, attending conferences,
parties that are relevant to the quality management system?
lobbying, participation in benchmarking, etc., in order to gain stakeholder information and their requirements.

Records of meetings where interested parties and their requirements are routinely discussed and monitored, e.g. as
Does your organization monitor and review information about these
4.2 Relevant Interested Parties 5 part of the structured management review process, or within each of the respective function of the organization
interested parties and their relevant requirements?
(Purchase, HR, Engineering, Sales, and Finance etc.).
ISO 9001:2015 Internal Audit Checklist Demo

The internal audit checklist ensures your internal audits concisely Each ISO 9001:2015 'shall' requirement has been re-phrased as a question The general guidance and examples shown in Column 'E' should be referred to when undertaking an internal audit
compare your management system against the requirements of to elicit a response that can be represented as an 'x'. as described by ISO 9001:2015, Clause 9.2.
ISO 9001:2015.
The error tracking cells in Column 'M' display an error message when more This guidance is not intended to add to, subtract from, or in any way modify the stated requirements of ISO
Answer questions 1 to 305 to determine comformance. The than 1 response is entered in Columns 'F', 'G' and 'H', or whether a 9001:2015. The examples shown are things to consider when asking audit the questions and looking for objective
audit results are summarized in the 'Audit Results' worksheet. response has yet to be entered. See the summary in Cell 'M3'. audit evidence to record.

Clause Question
Clause Title Audit Question Guidance & Suggestions
No No

4 Context of the Organization

Consideration of boundaries and applicability of the QMS includes:
Does your organization determine the boundaries and applicability of the
4.3 Management System Scope 6 1. Range of products and services;
quality management system to establish its scope?
2. Different sites and activities;
3. External provision of processes, products and services.
Ensure that issues relating to organizational context and the needs of interested parties encompassed in the scope.
When determining this scope, has your organization considered the
4.3 Management System Scope 7 A lack of a documented process will require more reliance on objective evidence from interviews with Top
external and internal issues referred to in 4.1?
management and the evaluation of external and internal issues (see 4.1).

Ensure that issues relating to organizational context and the needs of interested parties encompassed in the scope.
When determining this scope, has your organization considered the
4.3 Management System Scope 8 A lack of a documented process will require more reliance on objective evidence from interviews with Top
requirements of relevant interested parties referred to in 4.2?
management and the evaluation to the requirements of relevant interested parties (see 4.2).

When determining this scope, has your organization considered all

Obtain evidence that clearly defines what your organisation sells, produces, or provides services for. Link this to the
4.3 Management System Scope 9 relevant products, services and work-related activities, functions and
relevant standards or ACOPs that they are governed by.
physical boundaries to the quality management system?

Has your organization applied all the requirements of ISO 9001:2015 if

Describe the application of ISO 9001 within the scope was determined, and how has it been applied by your
4.3 Management System Scope 10 they are applicable within the determined scope of the quality
organization.
management system?

Does the scope state the types of products and services covered, and
Describe how the application of ISO 9001 within the scope was determined, and how any clause exclusions are
provide justification for any requirement of ISO 9001:2015 that your
4.3 Management System Scope 11 justified. There must be alignment between the documented scope of the organization’s QMS and their agreed
organization determines is not applicable to the scope of its quality
scope of certification.
management system?
Is the scope of your organization’s quality management system available
Verify objective evidence that the scope of documented and available to interested parties. A statement from your
4.3 Management System Scope 12 and maintained as documented information and available to interested
organization that the scope will be provided upon request may be accepted as objective evidence.
parties and workers? (See 7.5.1a)
Has your organization established, implemented, maintained and ISO 9001 includes specific requirements necessary for the adoption of processes when developing, implementing
continually improved its quality management system, including the and improving your QMS. This requires your organization to systematically define and manage its processes, and
4.4 Management System Processes 13
processes needed and their interactions, in accordance with the their interactions, in order to achieve the intended results in accordance with both the policy and strategic
requirements of ISO 9001:2015? direction of your organization.
A process is set of interrelated or interacting activities which transforms inputs into outputs. A procedure is a
Has your organization determined the process required for the quality
specified way of fulfilling an activity within a process. QMS processes should be defined to address: suppliers,
4.4 Management System Processes 14 management system, including their interactions, in accordance with
manufacturers, internal or external customer issues, resources, design, operation, production, logistics, products,
requirements and their application throughout the organization?
and services, customers and end-users.

Has your organization determined the inputs required and the outputs What are the expected inputs and outputs from each of the identified processes, together with assignment of
4.4 Management System Processes 15
expected from these processes? responsibilities and authorities e.g. Process Owner, Process Champion, Lead Process User and Process User?
ISO 9001:2015 Internal Audit Checklist Demo

The internal audit checklist ensures your internal audits concisely Each ISO 9001:2015 'shall' requirement has been re-phrased as a question The general guidance and examples shown in Column 'E' should be referred to when undertaking an internal audit
compare your management system against the requirements of to elicit a response that can be represented as an 'x'. as described by ISO 9001:2015, Clause 9.2.
ISO 9001:2015.
The error tracking cells in Column 'M' display an error message when more This guidance is not intended to add to, subtract from, or in any way modify the stated requirements of ISO
Answer questions 1 to 305 to determine comformance. The than 1 response is entered in Columns 'F', 'G' and 'H', or whether a 9001:2015. The examples shown are things to consider when asking audit the questions and looking for objective
audit results are summarized in the 'Audit Results' worksheet. response has yet to be entered. See the summary in Cell 'M3'. audit evidence to record.

Clause Question
Clause Title Audit Question Guidance & Suggestions
No No

4 Context of the Organization

Describe the identification of the processes needed for the QMS, including their sequence and interaction, e.g. E.g.
Has your organization determined the sequence and interaction of these
4.4 Management System Processes 16 process framework, process model, process groupings, process flow diagram, process mapping, value stream
processes?
mapping, Turtle diagrams, SIPOC (Supplier, Input, Process, Output, and Customer) charts and process cards.

Describe how what are the criteria, methods, measurement and related performance indicators needed to operate
Has your organization determined and applied the criteria and methods
and control those processes? Criteria and methods to ensure effective operation and control of the identified
4.4 Management System Processes 17 (including monitoring, measurements and related performance indicators)
processes, e.g. process monitoring indicators, process performance indicators, target setting, data collection,
needed to ensure the effective operation and control of these processes?
performance trends, and internal or external audit results.
Has your organization determined the resources needed for these Describe how resources are determined and how they are made available, this might duing operational planning or
4.4 Management System Processes 18
processes and ensure their availability? management reviews.
Describe how are responsibilities and authorities assigned for those processes. Information needed to ensure
Has your organization assigned responsibilities and authorities for these
4.4 Management System Processes 19 effective operation and control of the processes, e.g. defined process requirements (shall), good practice (should),
processes?
defined roles, required competencies, associated training, and guidance.
Describe how risks and opportunities are considered and what plans are made to implement actions to address
Has your organization addressed the risks and opportunities as
4.4 Management System Processes 20 them? Risks and opportunities relating to the process, resource needs, user training/competency, continual
determined in accordance with the requirements of 6.1?
improvement initiatives, frequency of reviews, agenda, minutes, and actions.
Has your organization evaluated these processes and implement any
Describe the methods that are used to monitor, measure and evaluate processes and, if needed, what changes are
4.4 Management System Processes 21 changes needed to ensure that these processes achieve their intended
made to achieve intended results?
results?
Describe how opportunities to improve the processes and the QMS are determined. Examples include risk and
Does your organization improve the processes and the quality
4.4 Management System Processes 22 opportunity matrices, corrective action and non-conformance records. Describe the approach towards
management system?
improvement and action taken when process performance is not meeting intended results.
To the extent necessary, does your organization maintain documented Documentation identified and retained by the organization to show that processes are carried it as planned, e.g.
4.4 Management System Processes 23
information to support the operation of its processes? physical hard copy records, electronic media (data servers, hard drives, CDs).
To the extent necessary, does your organization retain documented Documentation created and maintained that includes a description of relevant interested parties (4.2), scope of the
4.4 Management System Processes 24 information to have confidence that the processes are being carried out as QMS including boundaries and applicability (4.3), description of the processes needed for the QMS, their sequence,
planned? interaction and application and assignment of responsibilities for the processes.
Enter the letter 'x' into either Column 'F', 'G' or Any issues that are identified during the internal Note any process or practice that seems weak,
'H', to express your answer to each audt audit must be documented against the current cumbersome, redundant or complex - but which
question. ISO 9001:2015 requirements. is still conforms.

The scoring formula assumes each requirement Provide a reference to documented information An OFI may be an improvement to the QMS or
conforms, until an 'x' is entered into Column 'G' to justify each audit finding. Describe the nature something that could prevent future problems in
or 'H'. of any minor or major nonconformance. an otherwise conforming area.

Conforms Minor NC Major NC OFI Audit Evidence & Notes Opportunities to Improve

x x

x
Enter the letter 'x' into either Column 'F', 'G' or Any issues that are identified during the internal Note any process or practice that seems weak,
'H', to express your answer to each audt audit must be documented against the current cumbersome, redundant or complex - but which
question. ISO 9001:2015 requirements. is still conforms.

The scoring formula assumes each requirement Provide a reference to documented information An OFI may be an improvement to the QMS or
conforms, until an 'x' is entered into Column 'G' to justify each audit finding. Describe the nature something that could prevent future problems in
or 'H'. of any minor or major nonconformance. an otherwise conforming area.

Conforms Minor NC Major NC OFI Audit Evidence & Notes Opportunities to Improve

x x

x x

x
Enter the letter 'x' into either Column 'F', 'G' or Any issues that are identified during the internal Note any process or practice that seems weak,
'H', to express your answer to each audt audit must be documented against the current cumbersome, redundant or complex - but which
question. ISO 9001:2015 requirements. is still conforms.

The scoring formula assumes each requirement Provide a reference to documented information An OFI may be an improvement to the QMS or
conforms, until an 'x' is entered into Column 'G' to justify each audit finding. Describe the nature something that could prevent future problems in
or 'H'. of any minor or major nonconformance. an otherwise conforming area.

Conforms Minor NC Major NC OFI Audit Evidence & Notes Opportunities to Improve

x x

x x

x
Use this audit checklist to determine the extent to which your quality management system conforms to requirements by determining whether
those requirements have been effectively implemented and maintained. This template will help you to assess the state of your existing
management system and identify process weakness to allow a targeted approach to priortizing corrective action.

100%
90% 5 Compliance per
80% 2 Domain
70% 3 This chart displays your
60% organization's conformity
50% to the main clauses of the
40% standards (green bar).
30% 19 Non conforming
20% requirements are shown
10% as the two orange bars,
0% and OFIs are shown as the
4 Context 5 Leadership 6 Planning 7 Support 8 Operation 9 Evaluation 10 Improvement yellow coloured bar.
OFI Major NC Minor NC Compliant

Compliance per Standard Non-conformance Summary

This chart displays the percentage and ratio of various audit non- This chart displays the percentage and ratio of various categories of
conformances throughout the requirements of ISO 9001:2015, ISO non-conformances throughout the your organization's management
14001:2015 and ISO 45001:2018. system.

10 Improvement 17.24%
9 Evaluation
6.90%
8 Operation

7 Support 10.34%
65.52%
6 Planning

5 Leadership

4 Context 3 2

0 1 2 3 4 5 6

Minor NC Major NC Compliant Minor NC Major NC Opportunities