
Internal Audit Checklist Guidance

Implementation & Gap Analysis Auditing


Using this audit checklist to undertake a clause-by-clause audit works very effectively for the initial audits in
preparation for implementation, gap analysis or certification. However, once your quality management
system is implemented, your organization is expected to develop a process approach to its auditing
programme.

Each audit question phrases the ISO 9001:2015 'shall' requirements as a question, in order to elicit either a
'yes' or 'no' response, that can be represented as an 'x'. The 'x' is used by various formulae to create a
graphical output that summarizes audit data. One question might apply to one or more processes, functions
or departments.

A ‘yes’ answer means that your organization is already meeting one of the requirements while a ‘no’ answer
will reveal a gap that exists between requirements and your organization's management system or processes.
A ‘no’ answer might indicate that a process needs to be developed further, modified or improved in some
way to make it compliant.

Process Auditing
We suggest that you make copies of this workbook and create one workbook for each process that you
identified earlier using the Process Matrix & Application Matrix. You can filter the internal audit checklist
questions to show those that apply to each process, as shown in the Process Matrix.

The Process Audit Template replicates the turtle diagram (from the internal audit procedure) and requires
the auditor to review the inputs, risks, controls, activities, equipment, materials, personnel, and methods of
measurement for each process. You can cross-refer the clause references in the process audit report to the
internal audit checklist questions.

Audit Scoring Criteria


The following qualitative audit scoring criteria are used to identify the level of compliance with each
requirement:

Conforming: All performance indicators, metrics, objectives, audit results, etc. show stability and
consistently achieve targets. Process is fully documented and implemented.

Minor nonconformance: Poor performance/adverse trends, expected results not achieved. Current practices
conform but are not documented. Process partially documented or partially implemented.

Major nonconformance: Practices are non-conforming, likely to cause safety or regulatory compliance issues.
Likely to have a significant adverse effect on customer satisfaction, product quality, the
environment, health and safety, delivery, or profitability. Process not implemented, no
resources, not documented.

Opportunity for improvement: Minor problems exist, otherwise conforming, minor process or product changes planned.
Post audit follow up and review is required to assess new opportunities.

ISO 9001:2015 Internal Audit Checklist Demo

The internal audit checklist ensures your internal audits concisely compare your management system against the requirements of ISO 9001:2015. Answer questions 1 to 305 to determine conformance. The audit results are summarized in the 'Audit Results' worksheet.

Each ISO 9001:2015 'shall' requirement has been re-phrased as a question to elicit a response that can be represented as an 'x'. The error tracking cells in Column 'M' display an error message when more than 1 response is entered in Columns 'F', 'G' and 'H', or when a response has yet to be entered. See the summary in Cell 'M3'.

The general guidance and examples shown in Column 'E' should be referred to when undertaking an internal audit as described by ISO 9001:2015, Clause 9.2. This guidance is not intended to add to, subtract from, or in any way modify the stated requirements of ISO 9001:2015. The examples shown are things to consider when asking the audit questions and looking for objective audit evidence to record.

Enter the letter 'x' into either Column 'F', 'G' or 'H', to express your answer to each audit question. The scoring formula assumes each requirement conforms, until an 'x' is entered into Column 'G' or 'H'.

Any issues that are identified during the internal audit must be documented against the current ISO 9001:2015 requirements. Provide a reference to documented information to justify each audit finding. Describe the nature of any minor or major nonconformance.

Note any process or practice that seems weak, cumbersome, redundant or complex, but which still conforms. An OFI may be an improvement to the QMS or something that could prevent future problems in an otherwise conforming area.

Columns: Clause No | Clause Title | Question No | Audit Question | Guidance & Suggestions | Conforms | Minor NC | Major NC | OFI | Audit Evidence & Notes | Opportunities to Improve

4 Context of the Organization

4.1 Organizational Context, Question 1
Audit question: Has your organization determined external and internal issues relevant to its purpose and its strategic direction that affect its ability to achieve the intended result(s) of its quality management system?
Guidance & suggestions: Sources of evidence could come from SWOT or PESTLE analysis results; business strategy plans; quality plans; information provided on your organization’s website; annual reports; management meeting minutes; documented procedure; and lists of external and internal issues and conditions.
Records of meetings where context is routinely discussed and monitored, e.g. as part of the structured management review process or within each of the respective functions of the organization (Purchase, HR, Engineering, Sales, Finance etc.).
Interviews with relevant top management in relation to the organization’s context and its strategic direction are also a good source of compliance evidence, such as: individual strategy or tactical plan documents written to underpin the organization’s policies and provide a road map for achieving future goals.
Response marked: x

4.1 Organizational Context, Question 2
Audit question: Does your organization monitor and review information about these external and internal issues?
Guidance & suggestions: External issues, examples could include:
1. Reports relating to your organization's competitive environment, new technologies, new markets, customer expectations, supplier intelligence, economic conditions, political considerations, investment opportunities, social factors;
2. Identification of factors relating to changing legislation and regulation;
3. Feedback relating to product/service performance and lessons learned;
4. Register of identified external risks and their treatment.
Internal issues, examples could include:
1. Organizational structure, identification of roles/responsibilities and governance arrangements;
2. Reports on how well the organization is performing, statements relating to mission, vision and core values;
4. Feedback obtained from employees, e.g. survey results;
5. Information and processes for capturing and sharing knowledge and lessons learned;
6. Organizational capability studies: load/capacity, resource requirements to achieve demand;
7. Register of identified internal risks and their treatment.
Response marked: x

4.2 Relevant Interested Parties, Question 3
Audit question: Does your organization determine the interested parties that are relevant to the quality management system?
Guidance & suggestions: Examples of interested parties include: customers, partners, end users, external providers, owners, shareholders, employees, trade unions, government agencies, regulatory authorities, and the local community.
Response marked: x x

4.2 Relevant Interested Parties, Question 4
Audit question: Does your organization determine the requirements of these interested parties that are relevant to the quality management system?
Guidance & suggestions: Include those parties that add direct value to your organisation, or who are affected by your organisation's activities. Use of surveys, networking, face-to-face meetings, association membership, attending conferences, lobbying, participation in benchmarking, etc., in order to gain stakeholder information and their requirements.
Response marked: x

4.2 Relevant Interested Parties, Question 5
Audit question: Does your organization monitor and review information about these interested parties and their relevant requirements?
Guidance & suggestions: Records of meetings where interested parties and their requirements are routinely discussed and monitored, e.g. as part of the structured management review process, or within each of the respective functions of the organization (Purchase, HR, Engineering, Sales, and Finance etc.).
Response marked: x

4.3 Management System Scope, Question 6
Audit question: Does your organization determine the boundaries and applicability of the quality management system to establish its scope?
Guidance & suggestions: Consideration of boundaries and applicability of the QMS includes:
1. Range of products and services;
2. Different sites and activities;
3. External provision of processes, products and services.
Response marked: x x

4.3 Management System Scope, Question 7
Audit question: When determining this scope, has your organization considered the external and internal issues referred to in 4.1?
Guidance & suggestions: Ensure that issues relating to organizational context and the needs of interested parties are encompassed in the scope. A lack of a documented process will require more reliance on objective evidence from interviews with Top management and the evaluation of external and internal issues (see 4.1).
Response marked: x

4.3 Management System Scope, Question 8
Audit question: When determining this scope, has your organization considered the requirements of relevant interested parties referred to in 4.2?
Guidance & suggestions: Ensure that issues relating to organizational context and the needs of interested parties are encompassed in the scope. A lack of a documented process will require more reliance on objective evidence from interviews with Top management and the evaluation of the requirements of relevant interested parties (see 4.2).
Response marked: x

4.3 Management System Scope, Question 9
Audit question: When determining this scope, has your organization considered all relevant products, services and work-related activities, functions and physical boundaries to the quality management system?
Guidance & suggestions: Obtain evidence that clearly defines what your organisation sells, produces, or provides services for. Link this to the relevant standards or ACOPs that they are governed by.
Response marked: x x

4.3 Management System Scope, Question 10
Audit question: Has your organization applied all the requirements of ISO 9001:2015 if they are applicable within the determined scope of the quality management system?
Guidance & suggestions: Describe how the application of ISO 9001 within the scope was determined, and how it has been applied by your organization.
Response marked: x

4.3 Management System Scope, Question 11
Audit question: Does the scope state the types of products and services covered, and provide justification for any requirement of ISO 9001:2015 that your organization determines is not applicable to the scope of its quality management system?
Guidance & suggestions: Describe how the application of ISO 9001 within the scope was determined, and how any clause exclusions are justified. There must be alignment between the documented scope of the organization’s QMS and their agreed scope of certification.
Response marked: x

4.3 Management System Scope, Question 12
Audit question: Is the scope of your organization’s quality management system available and maintained as documented information and available to interested parties and workers? (See 7.5.1a)
Guidance & suggestions: Verify objective evidence that the scope is documented and available to interested parties. A statement from your organization that the scope will be provided upon request may be accepted as objective evidence.
Response marked: x

4.4 Management System Processes, Question 13
Audit question: Has your organization established, implemented, maintained and continually improved its quality management system, including the processes needed and their interactions, in accordance with the requirements of ISO 9001:2015?
Guidance & suggestions: ISO 9001 includes specific requirements necessary for the adoption of processes when developing, implementing and improving your QMS. This requires your organization to systematically define and manage its processes, and their interactions, in order to achieve the intended results in accordance with both the policy and strategic direction of your organization.
Response marked: x

4.4 Management System Processes, Question 14
Audit question: Has your organization determined the processes required for the quality management system, including their interactions, in accordance with requirements and their application throughout the organization?
Guidance & suggestions: A process is a set of interrelated or interacting activities which transforms inputs into outputs. A procedure is a specified way of fulfilling an activity within a process. QMS processes should be defined to address: suppliers, manufacturers, internal or external customer issues, resources, design, operation, production, logistics, products, and services, customers and end-users.
Response marked: x

4.4 Management System Processes, Question 15
Audit question: Has your organization determined the inputs required and the outputs expected from these processes?
Guidance & suggestions: What are the expected inputs and outputs from each of the identified processes, together with assignment of responsibilities and authorities e.g. Process Owner, Process Champion, Lead Process User and Process User?
Response marked: x

4.4 Management System Processes, Question 16
Audit question: Has your organization determined the sequence and interaction of these processes?
Guidance & suggestions: Describe the identification of the processes needed for the QMS, including their sequence and interaction, e.g. process framework, process model, process groupings, process flow diagram, process mapping, value stream mapping, Turtle diagrams, SIPOC (Supplier, Input, Process, Output, and Customer) charts and process cards.
Response marked: x x

4.4 Management System Processes, Question 17
Audit question: Has your organization determined and applied the criteria and methods (including monitoring, measurements and related performance indicators) needed to ensure the effective operation and control of these processes?
Guidance & suggestions: What are the criteria, methods, measurement and related performance indicators needed to operate and control those processes? Criteria and methods to ensure effective operation and control of the identified processes, e.g. process monitoring indicators, process performance indicators, target setting, data collection, performance trends, and internal or external audit results.
Response marked: x x

4.4 Management System Processes, Question 18
Audit question: Has your organization determined the resources needed for these processes and ensured their availability?
Guidance & suggestions: Describe how resources are determined and how they are made available; this might be during operational planning or management reviews.
Response marked: x

4.4 Management System Processes, Question 19
Audit question: Has your organization assigned responsibilities and authorities for these processes?
Guidance & suggestions: Describe how responsibilities and authorities are assigned for those processes. Information needed to ensure effective operation and control of the processes, e.g. defined process requirements (shall), good practice (should), defined roles, required competencies, associated training, and guidance.
Response marked: x

4.4 Management System Processes, Question 20
Audit question: Has your organization addressed the risks and opportunities as determined in accordance with the requirements of 6.1?
Guidance & suggestions: Describe how risks and opportunities are considered and what plans are made to implement actions to address them. Risks and opportunities relating to the process, resource needs, user training/competency, continual improvement initiatives, frequency of reviews, agenda, minutes, and actions.
Response marked: x

4.4 Management System Processes, Question 21
Audit question: Has your organization evaluated these processes and implemented any changes needed to ensure that these processes achieve their intended results?
Guidance & suggestions: Describe the methods that are used to monitor, measure and evaluate processes and, if needed, what changes are made to achieve intended results.
Response marked: x

4.4 Management System Processes, Question 22
Audit question: Does your organization improve the processes and the quality management system?
Guidance & suggestions: Describe how opportunities to improve the processes and the QMS are determined. Examples include risk and opportunity matrices, corrective action and non-conformance records. Describe the approach towards improvement and action taken when process performance is not meeting intended results.
Response marked: x

4.4 Management System Processes, Question 23
Audit question: To the extent necessary, does your organization maintain documented information to support the operation of its processes?
Guidance & suggestions: Documentation identified and retained by the organization to show that processes are carried out as planned, e.g. physical hard copy records, electronic media (data servers, hard drives, CDs).
Response marked: x

4.4 Management System Processes, Question 24
Audit question: To the extent necessary, does your organization retain documented information to have confidence that the processes are being carried out as planned?
Guidance & suggestions: Documentation created and maintained that includes a description of relevant interested parties (4.2), scope of the QMS including boundaries and applicability (4.3), description of the processes needed for the QMS, their sequence, interaction and application and assignment of responsibilities for the processes.
Response marked: x

Use this audit checklist to determine the extent to which your quality management system conforms to requirements by determining whether
those requirements have been effectively implemented and maintained. This template will help you to assess the state of your existing
management system and identify process weaknesses to allow a targeted approach to prioritizing corrective action.

Compliance per Domain
This chart displays your organization's conformity to the main clauses of the standards (green bar). Non-conforming requirements are shown as the two orange bars, and OFIs are shown as the yellow coloured bar.
[Chart: percentage (0% to 100%) per clause: 4 Context, 5 Leadership, 6 Planning, 7 Support, 8 Operation, 9 Evaluation, 10 Improvement. Legend: OFI, Major NC, Minor NC, Compliant.]

Compliance per Standard
Non-conformance Summary
This chart displays the percentage and ratio of various audit non-conformances throughout the requirements of ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018.
This chart displays the percentage and ratio of various categories of non-conformances throughout your organization's management system.
[Charts: clause categories 4 Context, 5 Leadership, 6 Planning, 7 Support, 8 Operation, 9 Evaluation, 10 Improvement. Legends: Minor NC, Major NC; Compliant, Minor NC, Major NC, Opportunities.]
