ISO 9001 INTERNAL AUDIT CHECKLIST

Issued by: Quality Assurance Date: 00-00-00 Revision: A QF-092-1

Refs Requirements What to look for and how Comply Auditor notes and evidence

This checklist is divided into sections corresponding to the quality system processes defined in the Process Map at the top of the checklist. The Process Map and
this audit checklist must call out the same processes. When you edit the Process Map to fit your company, remember to also make corresponding changes in the
checklist.

This is also an ISO 9001:2015 compliance checklist. The requirements for each process are paraphrased from ISO 9001 and there is a reference to the
corresponding clause of the standard (first column). The checklist is carefully designed to completely cover all requirements of the ISO 9001 standard. If, when
customizing the Process Map, you delete or add processes, make sure that you re-associate the corresponding clauses in ISO 9001 and don’t leave any out (e.g.,
maintain completeness of the checklist in regard to compliance with ISO 9001).

You should customize this checklist on three levels: 1) align it with any changes in the Process Map, 2) further develop the “Requirements” column to add other
relevant requirements (if any), and 3) edit the “What to look for and how” column to make it appropriate to the products, operations, practices and issues that are
relevant in your company. The third item in particular will require the most customizing.
 INTERNAL AUDIT CHECKLIST Doc: QF-82-02-1 Revision: A Pg. 2 of 26

Refs Requirements What to look for and how Comply Auditor notes and evidence

PROCESS MAP DIAGRAM

Quality System Processes

QSP 041: Context and interested parties QSP 081 : Production/service provision and quality planning
QSP 042: Quality management system processes QSP 082: Sales, contracting and customer communication
QSP 051: Leadership and commitment QSP 083: Design and development of products and services
QSP 052: Quality policy QSP 084: Purchasing and subcontractor control
 INTERNAL AUDIT CHECKLIST Doc: QF-82-02-1 Revision: A Pg. 3 of 26

Refs Requirements What to look for and how Comply Auditor notes and evidence

QSP 053: Roles, responsibilities and authorities QSP 085: Production and service provision
QSP 061: Risks and opportunities QSP 086: Release of products and services
QSP 062: Quality objectives QSP 087: Control of nonconforming outputs
QSP 063: Planning of changes QSP 091: Monitoring, measurement, analysis and evaluation
QSP 071: Resources QSP 092: Internal audit
QSP 072: Competence QSP 093: Management review
QSP 073: Awareness QSP 101: Opportunities for improvement
QSP 074: Communication QSP 102: Corrective and preventive actions (CAPA)
QSP 075: Documented information QSP 103: Continual improvement

QSP 041 Context and interested parties

4.1 Determine external and internal
issues that are relevant to the
purpose and strategic direction of
the company
Are the issues determined? Who determined Note
the issues? How are the issues documented? "Yes"
Are there both internal and external issues? for
How are the issues communicated (Quality complia
Manual, training, etc.) Are the issues
reviewed from time to time to ensure their
nce and
continual relevance?. Are there any records "No" for
demonstrating that external issues were noncom
reviewed? Were there any issues added or pliance.
removed after the initial set of issues were
determined?

4.2 Determine interested parties Are interested parties determined? Who

relevant to the QMS and their
requirements.
determined the interested parties? How is it
documented who the interested parties are?
Are the requirements of the interested parties
determined? Are the interested parties
reviewed from time to time to ensure their
continual relevance?. Are there any records
demonstrating that interested parties were
reviewed? Were there any interested parties
added or removed after the initial
determination?

QSP 042 Quality management system processes

 INTERNAL AUDIT CHECKLIST
Refs Requirements
4.3 Determine the
 Scope of the QMS
 ISO 9001 requirements that don't
apply to the company
4.4 Define the processes of the QMS
QSP 051 Leadership and Commitment
5.1 Top management shall
 support, promote and be
accountable for the effectiveness
of the QMS
 communicate the importance of
conforming to the QMS
requirements
 provide resources for the QMS
 establish the quality policy and
Doc: QF-82-02-1 Revision: A Pg. 4 of 26
What to look for and how Comply Auditor notes and evidence
Are the boundaries and applicability of the QMS
established and documented? How is the scope
documented? (Quality Manual).
When determining the scope, are external and internal
issues considered? Are requirements of interested
parties considered?
Are there any ISO 9001 requirements that are claimed
not to apply to the company? Are these claims
substantiated? Are these claims reasonable and
justified? Are any ISO 9001 requirements related to
enhancing customer satisfaction excluded?
Are processes needed for the quality
management system identified and
established (process map)? Is the sequence
and interaction between these processes
determined (process map)? Are criteria and
methods for the operation and control of
quality system processes established
(operational procedures)? Are required
resources available? Are quality system
processes monitored and measured (internal
audit, customer satisfaction, manufacturing
process performance, etc.)? Is the quality
system being continually improved?
NOTE: most of these questions can only be
fully answered after completing the entire
audit.
Do employees understand the consequences
of failing to meet requirements? Is there a
quality policy? Are quality objectives defined?
Are management reviews being conducted
regularly? ‘Are adequate resources
necessary for the quality system provided?
Are there specific examples how
management promotes improvement?
 INTERNAL AUDIT CHECKLIST
Refs Requirements
quality objectives
 promote improvement
5.1.2 Top management shall demonstrate
leadership and commitment with
respect to customer focus.
QSP 052 Quality policy
5.2.1 The quality policy shall
 be appropriate to the purpose and
context of the company
 provide a framework for quality
objectives
 include a commitment to satisfy
applicable requirements
 include a commitment to continual
improvement of the QMS
 be communicated and be
understood throughout the
company
 be reviewed for continuing
suitability
5.2.2 The quality policy shall
 be documented
 be communicated, understood and
applied in the company,
 be available to relevant interested
parties
QSP 053 Organizational roles, responsibilities and authorities
5.3 Assign the responsibility and
authority for:
Doc: QF-82-02-1 Revision: A Pg. 5 of 26
What to look for and how Comply Auditor notes and evidence
What measures are implemented to ensure
that customer requirements are determined
and met (processes, procedures, training,
monitoring, auditing, etc.)?
Are there any risks related to customer
satisfaction determined?
Is the quality policy appropriate (relevant to
the types of products, type of market,
customer expectations, etc.)? Does it include
explicit commitment to comply with
requirements and continually improve the
quality system? Is it related to quality
objectives? Is the quality policy periodically
reviewed for continuing suitability?
Is the quality policy documented? Do
employees know the meaning of the quality
policy and understand how they can
contribute to achieving the policy? Is external
communication of the quality policy
determined?
Are all responsibilities and authorities
relevant to the QMS defined? How are roles
 INTERNAL AUDIT CHECKLIST
Refs Requirements
 ensuring that QMS conforms to
requirements of ISO 9001
 ensuring that processes are
delivering their intended outputs
 reporting on performance of the
QMS
 ensuring the promotion of
customer focus
 ensuring that changes do not affect
the integrity of the QMS
QSP 061 Risks and opportunities
6.1.1 Determine the risks and
opportunities that need to be
addressed to:
 ensure that the QMS can achieve
intended results
 enhance desirable effects
 prevent or reduce undesired
effects
 achieve improvement
6.1.2 Plan and implement risk reduction
actions to address risks and
opportunities.
Evaluate the effectiveness of risk
reduction actions
QSP 062 Quality objectives
6.2.1 Establish measurable quality
objectives that are consistent with
the quality policy.
Doc: QF-82-02-1 Revision: A Pg. 6 of 26
What to look for and how Comply Auditor notes and evidence
and responsibilities assigned and
communicated (organizational charts,
responsibilities and authorities defined in
procedures, process owners) Do operational
procedures and work instructions assign
responsibilities for performing activities that
are defined in these documents? How are
responsibilities and authorities communicated
to employees (quality manual, procedures,
training)?
Are risks and opportunities defined? How are
risks evaluated? Are risks/opportunities
reevaluated to ensure their continuing
relevance and validity?
Are risk reduction actions planned and
implemented? Are the actions proportionate
to the potential impacts (risks)?
Is the effectiveness of risk reduction actins
evaluated? How often?
How many objectives are established? Are
they measurable? Is how to measure
progress defined and who is responsible for
doing this? Is anyone responsible for
implementation of the objectives? What
happens when an objective is achieved? Are
 INTERNAL AUDIT CHECKLIST
Refs Requirements
6.2.2 Plan how to achieve quality
objectives, to include the
determination of:
 what will be done
 resources requirements
 responsibilities
 completion die date
 how results will be measured
QSP 063 Planning of changes
6.3 Changes to the QMS shall be
carried out in a planned manner, to
include consideration of:
 purpose and potential
consequences
 impact on the integrity of the QMS
 availability of resources
 allocation of responsibilities and
authorities
QSP 071 Resources
7.1.2 Determine and provide personnel
necessary for implementation and
operation of the QMS.
7.1.3 Determine and provide infrastructure Are there sufficient equipment and machines
necessary for operations and to
achieve conformity of products and
Doc: QF-82-02-1 Revision: A Pg. 7 of 26
What to look for and how Comply Auditor notes and evidence
objectives updated? What is the mechanism
for establishing new objectives?
Are plans to achieve quality objectives
documented? Do those plans include: what
will be done, what resources will be required,
who will be responsible, when it will be
completed, how the result will be evaluated?
When changes are planned and
implemented, is there a consideration of
purpose, consequences, impacts on QMS,
availability of resources, and assignment of
responsibilities?
What is the evidence that these issues have
been considered?
Are there sufficient qualified personnel
assigned to maintain the QMS? Are
document changes (revisions),
corrective/preventive actions, and customer
complaints processed in a timely manner?
Are internal audits, management reviews,
training and other such activities conducted
at prescribed intervals and/or in accordance
with established schedules?
to perform all specified production and
service provision processes and
 INTERNAL AUDIT CHECKLIST Doc: QF-82-02-1 Revision: A Pg. 8 of 26

Refs Requirements What to look for and how Comply Auditor notes and evidence

services. monitoring/measurement activities? Are the

equipment and machines adequate
(qualified/calibrated where appropriate)? Are
there sufficient qualified personnel to operate
these processes? Are buildings and facilities
in good repair and properly maintained (look
for leaking roofs, broken windows,
contamination, infestation, etc.)? Is there
sufficient space for office, production,
storage, and other operations and activities
(look for overcrowding, intermingling, cross-
contamination, etc.)? Is organization and
housekeeping of storage and work areas
satisfactory? Are supporting services
(communication, transportation, etc.)
adequate?

Maintain infrastructure necessary for Is process equipment regularly maintained

operations and to achieve conformity and serviced? Are there maintenance plans
of products and services. and schedules? Are there maintenance
records?

7.1.4 Determine, provide and maintain the In work areas, are temperature, humidity,
work environment needed to achieve particulate levels (dust), noise and other such
conformity of products and services. environmental conditions compatible with the
type of product and processes? Is there
appropriate and adequate lighting at work
stations? Are there any training/awareness
programs aiming to ensuring suitable social
and psychological conditions in the
workplace.

7.1.5.1 Determine and provide resources Is it determined what monitoring and

(devices, equipment or services) for
monitoring and measurement, when
used for verifying the conformity of
products and services.
measuring shall be undertaken to verify
product conformity and what measuring
devices/equipment are needed (control
plans, work orders, inspection procedures,
drawings, etc.)?

Ensure that measuring devices and
equipment are suitable for the
specific measurements for which
they are used, and that they are
maintained.
Are measuring devices selected on the basis
of the monitoring/measurement requirements
(accuracy, environmental conditions, etc.)?
Are operators/inspectors competent (trained)
in the use of measuring devices? Are there
maintenance plans/schedules for measuring
 INTERNAL AUDIT CHECKLIST
Refs Requirements
7.1.5.2 Ensure that measuring equipment
shall
 be calibrated or verified against
traceable measurement standards,
 be adjusted or re-adjusted as
necessary,
 be identified (also with calibration
status),
 be safeguarded from improper
adjustments, and
 be protected form damage and
deterioration.
Maintain calibration records.
Assess the validity of the previous
measuring results when the
equipment is found to be
nonconforming (damaged, out of
calibration, etc.). Take appropriate
action on the equipment and any
product affected.
Validate computer software used in
the monitoring and measurement of
specified requirements.
7.1.6 Determine, acquire, maintain and
preserve knowledge necessary for
operations and to achieve conformity
of products and services,
QSP 072 Competence
Doc: QF-82-02-1 Revision: A Pg. 9 of 26
What to look for and how Comply Auditor notes and evidence
equipment?
Is there a list (inventory) of measuring
devices? Are all active devices calibrated
(those used for product verification)? Are
calibration certificates, or other records,
established and maintained? Is traceability to
national or international standards recorded?
Is calibration (adjustment) frequency
defined? Is it followed? Are measuring
devices identified (unique serial numbers)?
Are measuring devices identified with
calibration stickers? How are devices
safeguarded from unauthorized adjustments?
Are measuring devices adequately protected
during handling, maintenance and storage?
What is done when a nonconforming
measuring device is found? Is there an
investigation to establish whether acceptance
of any product is affected? Are results of
such investigation recorded (CAPAs)? Are
corrective actions taken on the equipment
and any product affected (CAPAs)?
Is computer software used in any monitoring
and measurement? Is it in-house developed
software? Can the software be changed or
updated? Is the software validated? Are
validation reports available?
How is it determined when and what kind of
new organizational knowledge is needed
(design reviews, management reviews,
planning of changes, CAPA investigations,
marketing reports, etc.) How is organizational
knowledge maintained and preserved?
(document control and distribution, training)
 INTERNAL AUDIT CHECKLIST
Refs Requirements
7.2 Determine the necessary
competence requirements for
personnel
Ensure that personnel are
competent and, when applicable,
provide training to satisfy
competency requirements and
evaluate the effectiveness of
training.
Maintain training and competency
records.
QSP 073 Awareness
7.3 Ensure that personnel are aware of
the quality policy and quality
objectives, how they contribute to
the effectiveness of the QMS, and
the implications of not conforming
with the QMS requirements.
Doc: QF-82-02-1 Revision: A Pg. 10 of 26
What to look for and how Comply Auditor notes and evidence
Are there defined competence (education,
training, skills and/or experience)
requirements for jobs and positions that can
affect conformity of products and
services? Are there job/position
descriptions and/or specifications for
education/training requirements for key
positions?
Is there a deliberate process to verify that
personnel assigned to specific jobs/positions
satisfy the competence requirements for that
job? Are new employees formally trained for
new jobs/positions? How? Is this training
recorded?
After completion of training, how is the
effectiveness of the training evaluated?
(tests, formal evaluations, certifications,
performance monitoring, etc.)
Are competence (education, training, skills
and/or experience) records maintained for
each employee? Where, how and by whom
are these records maintained? How do
managers/supervisors responsible for
assignment of work activities know who is
competent to perform a particular job
(training matrix)?
Are there any formal training programs to
advance employee awareness related to the
QMS? (ISO 9001 training) Are employees
aware of and understand the quality policy?
Are they aware of the quality objectives
relevant to their jobs/positions and do they
know, specifically, how they can contribute to
reaching these objectives? Are employees
aware of specific consequences of product
deficiencies and failures (safety,
environmental, customer dissatisfaction,
 INTERNAL AUDIT CHECKLIST
Refs Requirements
QSP 074 Communication
7.4 Determine the internal and external
communications relevant to the
QMS, including what and when will
be communicated, who is
responsible for communicating, and
who are the recipients.
QSP 075 Documented information
7.5.1 Establish documented information
required by the ISOI 9001 standard,
and documented information
necessary for the effectiveness of
the QMS, to include:
 scope of the QMS and exclusions
 quality policy and quality objectives
 process procedures, operational
procedures, work instructions,
training materials
 drawings, specifications, methods
Doc: QF-82-02-1 Revision: A Pg. 11 of 26
What to look for and how Comply Auditor notes and evidence
etc.)?
How is it known in the company what and
when will be communicated, who is
responsible for communicating, and who are
the recipients?
Are QMS policies and objectives, product
quality requirements (specifications), quality
system effectiveness/performance data and
results, product quality data, etc., adequately
communicated?
What specific processes (methods) are used
to communicate this information and data
(QMS documentation, regularly scheduled
review meetings, bulletin boards/newsletters,
training, etc.)? Are these processes fully
implemented and are they regularly
maintained and used? Are there procedures
or instructions defining these communication
processes?
Are there communication processes for
employees to report product/system quality
problems, and to suggest improvements to
the quality system?
Is there a quality manual, or other documents
defining the scope of the QMS, quality policy
and quality objectives?
Is there a quality manual? Operational
procedures?
How are processes and requirements of the
QMS defined and communicated? (process
procedures, operational procedures,
work instructions, training materials) Are
these processes and requirements
 INTERNAL AUDIT CHECKLIST
Refs Requirements
and other documents defining
products and services
7.5.2 When creating and updating
documents, ensure that documents
are:
 uniquely identified,
 reviewed and approved for
suitability and adequacy
 created in appropriate format and
media
7.5.3 Control documented information to
ensure that:
 it is available for use where and
when is needed,
 it is adequately protected form
loss, deterioration, confidentiality,
improper use, etc.).
Define processes and activities
related to the control of documents,
to include:
Doc: QF-82-02-1 Revision: A Pg. 12 of 26
What to look for and how Comply Auditor notes and evidence
documented?
Are drawings, specifications, methods
and other documents defining products
and services issued and maintained as
controlled documents?
Are documents uniquely identified (unique
title and /or code-number) and are they
legible?
Are documents approved before issue? How
is the approval evidenced (signature)? Is
there a process for reviewing, updating and
re-approving documents? Are documents
identified with their revision level? How are
changes identified (change brief, highlighted,
etc.?)
Are documents created in appropriate format
and language, so that they can be readily
accessed, and be understood by the people
who use them?
What measures are implemented to ensure
that relevant and current documents are
available at points of use (distribution lists,
current master lists, etc.)? When obsolete
documents are retained, is it for a specific,
stated reason? Are obsolete documents
clearly marked to distinguish them from
current revisions? What other measures are
implemented to prevent unintended use of
obsolete documents?
Are documents stored in dry, clean locations
to protect them from deterioration? Are
electronic documents (computer files)
regularly backed up? How are electronic
documents protected against
unintended/unauthorized alteration?
Are there procedures and/or instructions for
control of documents?
 INTERNAL AUDIT CHECKLIST Doc: QF-82-02-1 Revision: A Pg. 13 of 26

Refs Requirements What to look for and how Comply Auditor notes and evidence

 distribution, access, retrieval and

use of documents
 storage and preservation
 control of changes
 retention and disposition
Identify and control documents of Is there a process for receiving, reviewing,
external origin approving (for use) and distributing
documents of external origin (form
customers, regulators, suppliers, etc.)

Establish and maintain records to How is it determined and communicated

provide evidence of conformity of which QMS records are maintained by the
products and services, and the QMS company? (procedures, work instructions,
work orders, technical documentation, etc.)
Are the records sufficient to demonstrate
Protect records against loss, product, service and process conformity, and
deterioration, and from unintended the conformity and effectiveness of the
and unauthorized alteration. QMS?
Is there a procedure for the control of
records? Does it address the identification,
storage, protection and retrieval of records?
Are retention times and storage locations
defined for all types of records?
Are records stored in dry, clean locations to
protect them from deterioration? Are
electronic records backed up? How are
electronic records protected against
unintended/unauthorized alteration?
Are records readily retrievable (test by asking
for retrieval of specific records)?

QSP 081 Production/service provision and quality planning

8.1 Determine quality and other
requirements for products and
services.
Establish acceptance criteria for
Are quality requirements (tolerances, surface
finish, workmanship standards, etc.) for the
product defined? How are they documented
(drawings, specifications, samples, etc.) and
communicated (instructions, samples,
training, etc.)?
 INTERNAL AUDIT CHECKLIST
Refs Requirements
products and services.
Establish criteria for production and
service provision processes.
Provide resources (human,
equipment, machines, etc) for the
process.
Implement control of the processes
in accordance with the criteria.
Determine records needed to
provide evidence that production
and service provision processes,
and resulting products and services
meet specified requirements.
Control changes and review the
consequences of changes.
Ensure that outsourced processes
are likewise controlled.
Doc: QF-82-02-1 Revision: A Pg. 14 of 26
What to look for and how Comply Auditor notes and evidence
Are requirements for product inspection and
testing defined and documented for all stages
of product realization (receiving of purchased
products, in-process and final product
release)? Are inspection/testing methods and
procedures defined and documented? Are
acceptance criteria defined/documented?
How is the quality plan for a product
communicated to production and QC
personnel (work order, procedures,
checklists, etc.)?
Are production processes validated or tested
(refer also to PRP 05 ISO 7.5.2)? Who
selects production equipment, and how? Are
operators trained? Are there adequate work
instructions?
Select a sample of processes and ask how
they were developed and validated/tested;
and review the associated documentation
(performance/validation test results, work
instructions, operator qualification
requirements, setup verification records,
etc.).
Is each specified inspection, test and
monitoring activity recorded? Is the scope
and format of records defined (work orders,
tags/tickets, forms, electronic data collection
systems, etc.)?
How are requests for process changes
documented and evaluated? Who reviews
and approves requests for process changes?
Is the effect of change considered ?
Are process requirements and requirements
for process control/monitoring clearly
specified for outsourced processes? Are
these requirements included in purchase
orders or contracts?
 INTERNAL AUDIT CHECKLIST
Refs Requirements
QSP 082 Sales, contracting and customer communication
8.2.1 Determine and implement
arrangements for
 communicating product
information,
 handling enquiries, RFQs,
contracts, orders and change
orders
Determine and implement effective
arrangements for communicating
with customers regarding customer
feedback and customer complaints.
Communicate with customers
regarding
 handling and controlling customer
property
 requirements for contingency
actions (when relevant)
8.2.2 Determine product requirements, to
include requirements
 specified by the customer
(including delivery and post-
delivery);
 not stated by the customer, but
necessary for specified or intended
use;
 statutory and regulatory
requirements related to the
product; and
 any additional requirements
considered necessary by the
Doc: QF-82-02-1 Revision: A Pg. 15 of 26
What to look for and how Comply Auditor notes and evidence
Are processes for communicating with
customers adequately defined, to include
policies, assignment of authorities and
responsibilities, and methods (procedures,
instructions, training)? Are these processes
consistently implemented?
Verify that product brochures/specifications
and other product information (including the
internet site) are current.
Is there a system for receiving customer
feedback and complaints (logs, complaint
files, etc.)? Are responsibilities for handling
customer complaints assigned? Is there a
linkage with the corrective/preventive action
system?
is this requirement relevant, i. e., does the
company ever receive any customer
product? (templates, gauges, returnable
packaging, intellectual property). If so, look
for identification showing that the product
belongs to customer. Investigate whether
there were any events of loss, damage, or
unsuitability of customer property and
whether this was promptly reported back to
the customer.
How are customer requirements determined
and communicated? Are they documented?
Who processes this information and how is it
done? Are there written
procedures/instructions and/or training?
Are there any requirements that are not
stated by the customer but are necessary?
Are there any regulatory requirements? Who
determines, and how, what these additional
requirements are? Are they documented?
How?
Check a sample of orders to verify that
procedures, instructions and/or training are
being followed. Interview employees and
 INTERNAL AUDIT CHECKLIST
Refs Requirements
company.
Ensure that claims for products and
services can be met.
8.2.3 Prior to the commitment to supply
products and services, review
requirements related to the offered
products and services to ensure that
 requirements are defined,
 any discrepancies and ambiguities
are resolved, and
 company is able to meet the
requirements.
Maintain review records.
Where customer requirements are
not documented (not communicated
in writing), confirm the requirements
before accepting the order.
8.2.4 When changing or amending orders,
ensure that relevant documents are
amended and that changes are
communicated to relevant
personnel.
QSP 083 Design and development of products and services
8.3.2 Plan design and development
stages and controls, considering:
Doc: QF-82-02-1 Revision: A Pg. 16 of 26
What to look for and how Comply Auditor notes and evidence
review customer complaints to find out
whether there is history of order requirements
that were misunderstood and/or incomplete.
How are customer requirements reviewed,
and by whom? Are there written procedures,
instructions, checklists, and/or training. Are
there records demonstrating that the required
reviews are being conducted for every order?
Check a sample of orders to verify that
procedures, instructions and/or training are
being followed. Interview employees and
review customer complaints and on-time
delivery records to find out any cases of
orders that were shipped late due to lack of
adequate capacity to fulfill these orders.
Is it permissible to take and accept verbal
orders? If so, are these orders confirmed?
How are such orders confirmed?
Ask for records (copies) of the confirmations.
Interview personnel to find out whether they
were consistently trained/instructed to
confirm verbal orders.
How are change orders processed? Is there
a system for amending documents? Are
there written instructions, procedures and/or
training? How is information about order
changes communicated to relevant
departments/personnel within the company?
Review a sample of change orders to verify
that procedures, instructions and/or training
are being followed. See if you can uncover
any past problems caused by mishandling of
change orders.
Are design stages/activities identified? Are
review, verification and validation activities
 INTERNAL AUDIT CHECKLIST
Refs Requirements
 required design process stages
 the review, verification and
validation activities appropriate to
each stage
 resource needs and assignment of
responsibilities and authorities
 the need to control interfaces
between design functions and
groups
 involvement of customers and
users
 requirements for subsequent
realization of the design
(production of service provision)
 the level of control by customers
and other interested parties
 documentation requirements
8.3.3 Determine and document design
and development inputs,
considering:
 functional and performance
requirements
 information from previous similar
designs
 statutory, regulatory and other
applicable requirements
 potential consequences of failure.
Resolve conflicting inputs.
8.3.4 Perform systematic design reviews
to evaluate whether the design is on
track toward meeting input
requirements, and to identify any
problems and propose necessary
actions. Maintain records of the
reviews and the resulting actions.
Carry out design verification to
Doc: QF-82-02-1 Revision: A Pg. 17 of 26
What to look for and how Comply Auditor notes and evidence
identified? Are responsibilities/authorities for
each activity assigned? Are documentation
requirements defined? (drawing schedule or
list)
Verify that there is a design project schedule,
or at least due dates for completion of major
design phases; and that it includes design
reviews and design verification/validation
activities.
How is design input documented (design
project book, kickoff sheet, etc.)? Is there
evidence that statutory and regulatory
requirements are included, and that potential
consequences of failure are considered?
Who is responsible for reviewing the input?
How is the review documented/recorded?
How are changes and/or introduction of
additional inputs handled?
How many design reviews are planned for
the design project? What is the role of these
reviews? Who participates? Are there
records of the reviews? Are there records
demonstrating that the resulting actions are
implemented and their effectiveness verified?
What specific actions are taken to verify that
 INTERNAL AUDIT CHECKLIST
Refs Requirements
ensure that design outputs have met
the design input requirements.
Maintain records of the verification
results and any related actions.
Prior to delivery or implementation of
the product, perform design
validation to ensure that the resulting
product is capable of meeting the
requirements for the specified
application or intended use. Maintain
records of the validation results and
any related actions.
8.3.5 Ensure that the design output
 meets design input requirements,
 provides necessary information for
development of production or
service provision processes, and
for purchasing,
 contains acceptance criteria, and
 specifies product characteristics
that are essential for its safe and
proper use.
Document design output and
approve the design output prior to
release.
8.3.6 Review, verify, validate, as
appropriate, and approve design
changes before implementation.
Evaluate the effect of the changes
on constituent parts and on product
already delivered. Maintain records
Doc: QF-82-02-1 Revision: A Pg. 18 of 26
What to look for and how Comply Auditor notes and evidence
design outputs meet the design input
requirements? Is this a systematic review?
Are all design inputs considered? Are the
actual verification results (calculations, data,
etc.) included in the record?
How is the design validated? Is a prototype
built and tested? Is the first article tested? Is
the design based on a similar proven design?
Are validation records maintained? Are the
actual validation results (test data) included
in the record?
Is there a systematic review to verify that
design output meets design input
requirements (last design review meeting)? Is
information for purchasing, such as material
specs, parts lists, etc. included? Are there
clear specifications, drawings and
instructions for production? Are there
acceptance criteria for inspection and testing
of product? Where applicable, are safety and
operation/use features considered in the
design and included in the design output?
Is design output documented? How? Are the
documents reviewed and approved prior to
release and by whom? How are preliminary
documents distinguished from the final
released documents?
Verify that design output documents
forwarded to production, subcontractors or
other consultants are clearly identified as
final or preliminary.
How are requests for design changes
documented and processed? Who reviews
and approves requests for design changes?
Is the effect of change on the overall product
considered (ask for specific examples)? Who
decides, and how, what reviews, verifications
and validations need to be done for a design
 INTERNAL AUDIT CHECKLIST
Refs Requirements
of changes and of their
reviews/evaluations and any
necessary actions.
QSP 084 Purchasing and subcontractor control
8.4.1 Control suppliers and the purchased
products and services to ensure that
outsourced processes and the
supplied products and services
conforms to specified requirements.
Evaluate and select suppliers based
on their ability to supply products
conforming to specified
requirements.
Establish evaluation, selection,
performance monitoring, and re-
evaluation criteria.
Maintain records or supplier
evaluations and related actions.
8.4.2  Ensure that externally provided
processes remain within the
control of the QMS
 Define controls to be applied to the
external providers and to the
resulting output (the supplied
processes, products and services)
 Determine verification or other
activities to ensure that supplied
processes, products and services
meet requirements.
Doc: QF-82-02-1 Revision: A Pg. 19 of 26
What to look for and how Comply Auditor notes and evidence
change? Are results of reviews, verifications
and validations included in design change
records?
How are suppliers controlled: initial selection
evaluations, ongoing monitoring, audits of
supplier’s QMS and/or manufacturing
processes, requests for corrective actions?
How is purchased product controlled: review
of quality records (SPC charts, inspection
reports, lab test results, etc.), receiving
inspection? Who makes these decisions?
Are suppliers evaluated and reviewed before
they are approved? What are the scope,
extent and criteria for evaluating and
approving suppliers? Who decides? How is
the approval documented (an approved
vendor list)? Are there records of initial
supplier evaluations?
Select randomly and review a sample of
supplier evaluation and monitoring files. Is
their approval status clearly authorized? Is
their performance consistently monitored? In
the event of nonconforming deliveries, are
they required to implement corrective
actions? Is there a follow up?
What is being done to ensure purchased
product conformity: Supplier’s QMS
certification? Audits of supplier's QMS?
Certificates or inspection reports from
supplier or independent labs? Supplier's
process SPC records, Cpk or Ppk
requirements? Containment and receiving
inspection?
Select a sample of purchased product
categories and investigate for each what
activities or arrangements are planned to
ensure their conformity, how this plan is
 INTERNAL AUDIT CHECKLIST
Refs Requirements
In determining the extent of controls
consider impacts (risks) of potential
nonconformity and the effectiveness
of controls already applied by the
supplier.
8.4.3 In purchasing specifications include,
where appropriate
 requirements for approval of
products, processes, equipment,
methods and criteria for release of
products and services
 requirements for competence and
qualification of personnel
 communication requirements and
methods
 controls and monitoring to be
applied
 verification and validation activities
to be performed at the supplier's
premises.
Ensure adequacy of purchasing
specifications before they are
forwarded to suppliers.
QSP 085 Production and service provision
8.5.1.a) Ensure the availability of documents
defining the characteristics of
products and services to be
produced or provided.
Doc: QF-82-02-1 Revision: A Pg. 20 of 26
What to look for and how Comply Auditor notes and evidence
documented and communicated, and
whether it is consistently implemented.
Where appropriate, are there requirements
for certificates, inspection reports, SPC data,
approval of samples, etc. included in
purchasing documents? Are there any
requirements/criteria for release of products
and services? Are there any requirements
with regard to supplier’s quality management
system?
Review a sample of purchase orders,
especially those where the product is
expected to come with certificates.
Are audits or inspections to be performed at
the supplier's premises? If so, review a
sample of purchase orders or contracts to
ascertain that such activities are defined in
the purchasing documents.
How is adequacy of purchasing documents
ensured? Are the documents reviewed
before release? Are there standard, pre-
approved, specifications in the system? What
other methods are used?
See if you can uncover any past problems
caused by errors or omissions in purchasing
documents.
Are adequate product specifications
(drawings, parts lists, math data, standards,
samples, etc.) available to production
personnel? Are the specifications approved
and are they current?
Interview production personnel and ask how
they know what to make and what the
 INTERNAL AUDIT CHECKLIST
Refs Requirements
8.5.1.b) Ensure the availability of measuring
8.5.1.c) devices and the implementation of
monitoring and measurement
activities.
8.5.1.d) Ensure the use of suitable
equipment, machines and
environment for operation of
processes.
8.5.1.e) Appoint competent persons and
ensure the availability of work
instructions, as necessary.
Doc: QF-82-02-1 Revision: A Pg. 21 of 26
What to look for and how Comply Auditor notes and evidence
requirements are for workmanship standards
(appearance, precision, surface quality, color,
etc.).
Is there a system for controlling the inventory
of measuring/monitoring devices (a list with
identification, location, calibration status)? Is
the inventory of measuring devices adequate
to meet requirements of the
monitoring/measurement program
(inspections, tests, SPS, etc.)?
Are processes monitored? How? (SPC, tool
ware, etc). Are process outputs inspected or
otherwise verified? (first article inspection, in-
process inspections, etc.) How are process
monitoring and process output verification
defined? (work orders, quality plans, etc.).
Are monitoring and measurement records
established and maintained?
Who selects/specifies production equipment
and tooling? Is equipment/tooling tested
before it is used in production? Is tool wear
monitored, and how? Are equipment checks
and/or tool change intervals defined? Is the
physical environment (temperature, humidity,
etc.) suitable to operation of processes?
Are there specified competency requirements
for operating processes? Are process
operators assigned based on meeting the
competency requirements for the process?
How is it known who is competent too
operate specific processes?
Are there adequate instructions for operating
machines and processes? Who decides and
how (criteria) whether work instructions shall
be established for a given process/work
station? Are process parameters
(temperature, pressure, speed, etc.) defined?
Ask operators what should the settings be for
various parameters in their processes, and
how they know this? What are the lower and
upper limits for the parameters? What should
 INTERNAL AUDIT CHECKLIST
Refs Requirements
8.5.1.f) Validate processes where the
resulting output cannot be verified by
subsequent monitoring or
measurement. Establish
arrangements for these processes
including, as applicable
 criteria for their review and
approval,
 approval of equipment and
qualification of personnel,
 use of specific methods and
procedures,
 requirements for records, and
 revalidation.
8.5.1.g) Implement actions to prevent human How is it determined where prevention of
error. human error is needed? (risk analysis,
8.5.1.h) Ensure the implementation of
release, delivery and post-delivery
activities.
8.5.2 Identify outputs and their acceptance Are materials and products used in
(inspection) status.
Doc: QF-82-02-1 Revision: A Pg. 22 of 26
What to look for and how Comply Auditor notes and evidence
they do, and how, when a parameter
(temperature, for example) goes over limit?
Who is responsible for identifying processes
requiring validation? How is it determined
what controls, validations and arrangements
shall be required for each such process
(criteria for review and approval)? Are
process validation results recorded? Are
processes revalidated (where appropriate)?
Select a sample of processes that require
validation and investigate how these
processes were validated, and whether this
complies with requirements.
CAPAs) Are there any arrangements, setups
or equipment aiming to prevent human error?
(automation, use of templates, alarms, etc.).
Are there defined responsibilities for these
activities? How are requirements
documented (procedures, work orders,
installation/servicing requisitions, etc.)?
Are delivery-related activities (processing of
shipping orders, packaging, dispatch,
delivery, installation, etc.) defined in
procedures, work instructions, training, etc.?
Are appropriate records maintained?
production uniquely identified while in
storage, in staging areas, at work stations,
etc? Is the acceptance status identified?
Verify that for any product (material) in
production areas it is evident what the
product is and whether it passed inspection
(test) and can be moved to the next
processing stage or be dispatched to
 INTERNAL AUDIT CHECKLIST
Refs Requirements
Where traceability is a requirement,
control and record the unique
identification of the outputs.
8.5.3 Identify, verify, protect and
safeguard customer and supplier
property provided for use or
incorporation into the product; and
report to customers or suppliers any
event of loss, damage or
unsuitability of their property.
8.5.4 Protect and preserve the conformity
of product in storage and during
delivery to the intended destination.
Doc: QF-82-02-1 Revision: A Pg. 23 of 26
What to look for and how Comply Auditor notes and evidence
customer (or finished goods warehouse).
How is it determined what products
(materials) require traceability (customer
requirements, regulatory requirements,
internal engineering or QA requirements,
etc.)? How are traceability requirements for
specific products documented? Where
required, how is traceability recorded?
Review a sample of production records and
verify the integrity of the traceability system.
Verify that rework operations (diluting,
mixing, reprocessing, etc.) do not
compromise the integrity of the traceability
system.
Is this relevant? If so, look for identification
showing that the product belongs to customer
or supplier. Investigate whether there were
any events of loss, damage, or unsuitability
of customer property and whether this was
promptly reported back to the owner.
Are there any requirements/procedures for
handling confidential intellectual property that
belongs to customers or suppliers?
In warehouses, storage and staging areas:
Are there designated areas for storage of
particular products? Are products kept in
boxes, bags, bins or other protective
packaging? Are there products that require
special storage conditions (temperature,
humidity, cleanliness, etc)? How are these
conditions ensured? Are they recorded? Are
there products with limited shelf life? How is
such product managed? Is there an effective
first-in-first-out system? Are stacking
limitations defined? Are they observed? Is
there a risk of cross-contamination? How is it
managed? Is there an inventory management
system? Is it kept current?
Look for misplaced product, product taken
out of packaging, unused product returned to
storage, product returned by customers,
product intermingled with other unrelated
 INTERNAL AUDIT CHECKLIST
Refs Requirements
8.5.5 Determine the extent of required
post-delivery activities, considering:
 statutory and regulatory
requirements
 the potential undesired
consequences (risks) associated
with products and services
 the nature, use and life cycle of
products and services
 customer requirements and
customer feedback
8.5.6 Review control and authorize
process changes.
Maintain records of changes,
reviews and authorizations, and any
related actions.
Doc: QF-82-02-1 Revision: A Pg. 24 of 26
What to look for and how Comply Auditor notes and evidence
product, etc. Test the accuracy of the
inventory management system. Always keep
an eye on damaged and deteriorated
product.
Are there documented packaging
specifications? Are packaging materials and
processes controlled?
Investigate if customer complaints (or other
evidence) indicate that there were instances
of product damage/deterioration due to
inadequate or defective product
packaging/protection.
Go to purchasing and the packaging material
storage areas and check that only the
specified packaging materials are being
purchased and used.
Are there any post-delivery activities
specified? Have safety and other risks been
considered, and how they could be
potentially mitigated in the post-delivery
phase?
Has there been any consideration of the
environmental impacts of the product while in
use and/or at the end of its useful life. If
relevant, have a recycling program been
considered, for example?
How are requests for process changes
documented and processed? Who reviews
and authorizes process changes? Is the
effect of change on other processes and/or
product considered (ask for specific
examples)? Who decides, and how, what
tests and validations need to be done to
verify a process change? Are results of
reviews, verifications, validations and
authorizations maintained?
 INTERNAL AUDIT CHECKLIST
Refs Requirements
QSP 086 Release of products and services
8.6 Prevent the release of product until
all planned processing (production)
and verification activities have been
completed.
Maintain records of the releases of
products and services, to include:
 evidence of conformity
 identity of the person(s) authorizing
the release
QSP 087 Control of nonconforming outputs
8.7.1 Identify and control nonconforming
outputs (products) to prevent their
unintended use or delivery.
Doc: QF-82-02-1 Revision: A Pg. 25 of 26
What to look for and how Comply Auditor notes and evidence
How is the finished product released? Who
verifies, and how, that all specified production
and verification activities have been
completed? How is the released product
identified (distinguished from product that has
not yet been released)? What measures are
implemented to ensure that product that has
not been formally released is not used or
shipped?
Ask personnel in inventory management and
shipping functions how do they know (and
verify) what is the release status for any
given product (batch).
Select a sample of production/QC records
(and/or product staged for shipping) and
verify that all product release activities were
carried out as planned.
Are there records of product releases? Do
the records include, or refer to evidence of
conformity with acceptance criteria? Are
persons authorizing the release identified?
Is there a procedure for identifying,
controlling and dealing with nonconforming
product? Is the identification (labels, tags,
etc.) firmly attached/affixed to the product or
its container? Are nonconforming products
segregated? Quarantined? How? Are there
arrangements to identify/segregate
nonconforming (purchased) product in
receiving areas? In production areas? In
inspection areas? In storage areas
(warehouses)? In shipping areas? Are
personnel trained in the uses of the
procedure in each relevant area?
 INTERNAL AUDIT CHECKLIST
Refs Requirements
Deal with nonconforming outputs by
 correcting the nonconformity
(rework),
 segregating, containing and
suspending delivery, or
 informing the customer and
obtaining authorization for
acceptance under concession.
Verify the conformity of reworked or
corrected products.
8.7.2 Maintain records of the
 nature of nonconformities
 subsequent action taken
 concessions obtained
 the authority deciding the action
and disposition with respect to the
nonconformity
QSP 091 Monitoring, measurement, analysis and evaluation
9.1.1 Determine the monitoring and
measurement to be undertaken,
including:
 what needs to be measured and
monitored, and when
 methods for monitoring and
measurement
 when results shall be analyzed and
evaluated
Evaluate the performance and
effectiveness of the QMS
Doc: QF-82-02-1 Revision: A Pg. 26 of 26
What to look for and how Comply Auditor notes and evidence
Are responsibilities assigned for making NC
product disposition decisions? Are these
decisions documented? How is this
documentation associated with the actual
product (control number, special stickers/tag,
copy of the NCR report attached to the
product, etc.)? When accepting NC products,
how is it determined whether customer
concession is required or not? Who has the
authority to accept NC products under a
concession?
Are reworked or corrected products verified
(re-inspected, re-tested, etc.) to their original
specification? Are the results recorded? Is
reworked product formally released for use or
delivery?
Are there records describing the nature of
nonconformities and actions taken? Are they
traceable to specific product batches or
shipments? Are customer concessions
included in the record? Is the authority
deciding the disposition identified? How long
are these records retained?
Is it determined what monitoring and
measuring shall be undertaken and what
methods and equipment shall be used
(control plans, work orders, inspection
procedures, drawings, etc.)?
Are results of monitoring and measurement
recorded?
How is the performance and effectiveness of
the QMS monitored and measured? (internal
audits, collecting of quality performance
 INTERNAL AUDIT CHECKLIST
Refs Requirements
9.1.2 Monitor information relating to
customer satisfaction. Determine
methods for obtaining and using this
information.
9.1.3 Analyze data arising from monitoring
and measurement, to evaluate:
 conformity of products and
services
 customer satisfaction
 performance and effectiveness of
the QMS
 implementation of planned
arrangements
 effectiveness of risk reduction
actions
 performance of external providers
 the needs for improvements to the
QMS
QSP 92 Internal Audit
9.2.1 Plan and conduct internal audits to
determine whether the quality
management system conforms to
requirements (ISO 9001 , internal
requirements); and whether it is
effectively implemented and
maintained.
9.2.2 Establish, implement and maintain
an audit program, including:
schedules, methods, responsibilities,
and reporting requirements.
Doc: QF-82-02-1 Revision: A Pg. 27 of 26
What to look for and how Comply Auditor notes and evidence
data). How is the performance evaluated?
(management review, analysis of quality
performance data and trends).
What type of information is used to determine
customer satisfaction (feedback, surveys,
interviews, etc.)? How is this information
obtained? How often? How is this information
processed and used (for example, statistical
analysis reported to management review)?
What specific data are analyzed to meet
requirements of this clause? Are data on
product nonconformity rates collected and
analyzed? How are data on customer
satisfaction analyzed? Are there data on
trends of characteristics of processes and
products (e.g., on how these characteristics
vary within the specified tolerance)? Is the
effectiveness of risk reduction actions
evaluated? What specific supplier
performance data are being systematically
collected (on-time delivery, nonconformity
rates, etc.)?
Is it determined how the data is to be
analyzed and by whom? How are results
reported and used?
Are internal audits carried out at planned
intervals? Are all relevant processes and
areas covered by the audits?
Is there a written procedure for internal
auditing?
Are there documented audit plans and
schedules? Are importance, changes and
 INTERNAL AUDIT CHECKLIST
Refs Requirements
Schedule audits based on the
importance, changes and past
performance history of processes
For each audit, define audit criteria
and scope; and ensure objectivity
and impartiality of auditors.
Take appropriate corrective actions
to address audit findings.
Report results of internal audits to
management.
QSP 093 Management Review
9.3.1 Periodically review the quality
management system to ensure its
continuing suitability, adequacy and
effectiveness.
9.3.2 The input into management reviews
shall take into consideration:
 status of actions from previous
reviews
 changes
 customer satisfaction and
feedback
 quality objectives
Doc: QF-82-02-1 Revision: A Pg. 28 of 26
What to look for and how Comply Auditor notes and evidence
past compliance history considered when
planning audits (increased audit frequency
for important and/or problematic
processes/areas)?
How are audit criteria and scope documented
(standard, checklists, etc.)?
Are auditors impartial and independent from
the process being audited? Are auditors
competent (trained)?
Are there any records of what specific
evidence was reviewed (usually auditor notes
on checklists)?
Are nonconformities (audit findings)
documented? How?
Is there a process for requesting,
implementing and evaluating corrective
actions to address audit findings? Are there
records of the corrective actions?
Are results of internal audits reported to
management? how and how often?
(management review).
How often are management reviews
conducted? Who participates? Is there an
agenda prepared for each review? How are
the reviews recorded (minutes of meetings)?
Are all required inputs provided for each
review? Are there records specifically
demonstrating that each input was provided
and considered?
Have all actions from the preceding review
been closed out? What happens to actions
that have not been fully completed?
How, for example, are opportunities for
 INTERNAL AUDIT CHECKLIST Doc: QF-82-02-1 Revision: A Pg. 29 of 26

Refs Requirements What to look for and how Comply Auditor notes and evidence

 process performance and product improvement input into the review? Who is
conformity, responsible for this input? How are the
opportunities for improvement considered?
 nonconformities and corrective
Who decides which opportunities will be
actions implemented?
 results of monitoring and
measurement
 results of audits
 performance of external providers
(suppliers)
 adequacy of resources
 effectiveness of risk reduction
actions
 opportunities for improvement.
9.3.3 The output from management In the last two management reviews, what
reviews shall include decisions and specific decisions and actions related to
actions related to: improvement were taken? How were they
implemented?
 improvement,
 changes to the QMS Does the record show that management
 resource needs. reviews include decisions related to changes
to the QMS?
Were there any special resources provided to
implement the improvements or changes?

10 Improvement
10.1 Determine and select opportunities Are there specific examples of recent
for improvement, to include: improvements to products and services?
 improvement of products and Is the risk evaluation process actively used to
services identify risks and to implement actions to
 preventing or reducing undesired reduce risks?
effects What have been done recently to improve the
 improving the QMS QMS?

10.21 Take actions to control and correct Is there a process for initiating, investigating,
nonconformities (including any implementing and evaluating the
arising from complaints) and to deal effectiveness of corrective actions. Is this
with their consequences. process documented in a procedure?
 INTERNAL AUDIT CHECKLIST
Refs Requirements
Evaluate the need for actions to
eliminate causes of nonconformities. determined? Is every corrective action
Implement corrective actions and
review their effectiveness.
Ensure that corrective actions are
appropriate to the effects of the
nonconformities.
Evaluate the need to update risks
and opportunities and make
changes to the QMS.
10.2.2 Maintain records on the nature of
nonconformites, any subsequent
action taken, and results of
corrective actions.
10.3 Continually improve the suitability,
adequacy and effectiveness of the
QMS.
Doc: QF-82-02-1 Revision: A Pg. 30 of 26
What to look for and how Comply Auditor notes and evidence
Are there recent examples of corrective
actions taken arising from customer
complaints?
How many corrective actions have been
initiated through the period? How many are
open? How long have they been open? Are
there due dates?
Are root causes of nonconformites
evaluated for the need to eliminate root
causes? Are the results of this evaluation
documented
Is implementation of corrective actions
documented? Is it verified? Are corrective
actions implemented in a timely manner? Are
there due dates for implementing corrective
actions?
Does evaluation of nonconformities include
consideration whether there are other related
activities or processes that are at risk of a
similar nonconformity?
Are there examples of risk analysis projects
related to a nonconformity and associated
corrective actions?
Are all nonconformities recorded? Do the
records include description of the nature of
the nonconformity? Are subsequent actions
and their results recorded? Are these records
readily retrievable?
Are results of the analysis of quality
performance data used in identifying the
needs and opportunities for improvement?
Are management review outputs identifying
the needs and opportunities for
improvement?
What are the most recent examples of
 INTERNAL AUDIT CHECKLIST Doc: QF-82-02-1 Revision: A Pg. 31 of 26

Refs Requirements What to look for and how Comply Auditor notes and evidence

improvements made to the QMS?