ISO 9001 internal audit checklist (downloadable)

This checklist supports clause 9.2 of ISO 9001:2015, internal audit. It is suitable for first-, second-, and third-party preparation. The downloadable workbook contains one sheet per clause, with sampling guidance, prompts, and a nonconformity register. Adapt the prompts to your scope; do not use them verbatim with no thought.

How to use this checklist

1. Schedule. Plan the audit programme so every clause and every process is audited at least once per certification cycle. High-risk processes, and processes with prior nonconformities, get audited more frequently.
2. Sampling. Sample is the auditor’s tool. Take enough evidence to be confident the process is in control, but not so much that the audit becomes a rework exercise. Default sample sizes:
   • Documents: 5 per process, more if document control is suspect.
   • Records: a stratified sample across time and across operators.
   • Process observations: at least 1 walk-through per shift if multiple shifts run.
3. Grading. Major nonconformity = absence, breakdown, or systemic failure of a required element. Minor nonconformity = isolated lapse with no systemic root cause. Opportunity for improvement = suggestion that does not constitute a nonconformity.
4. Reporting. Report nonconformities with evidence (what, where, when), the requirement breached (clause and your internal procedure), and a recommendation only if asked.

Clause-by-clause prompts

Clause 4, Context

• Has the organisation determined external and internal issues relevant to its purpose? Sample evidence: minutes, SWOT, PESTLE, board paper.
• Is the interested-parties register current? Sample 5 parties; for each, validate that requirements are documented and addressed.
• Is the QMS scope statement consistent with what the organisation actually does?

Clause 5, Leadership

• Sample 3 management actions that demonstrate accountability for QMS effectiveness in the past 12 months.
• Validate the quality policy is communicated and understood, interview 3 staff at random.
• Confirm roles, responsibilities, and authorities for the QMS are assigned and communicated.

Clause 6, Planning

• Risk and opportunity register: review most recent revision; verify 10 entries are addressed in process or procedure.
• Quality objectives: each objective has owner, measure, target, current status, and review record.
• Change control: sample 3 changes in the past 12 months; verify documented information shows purpose, consequences, integrity, resources.

Clause 7, Support

• Resources: walk through one process and verify resource adequacy.
• Competence: sample 5 personnel; verify competence evidence on file.
• Awareness: 3 staff interviews, can they articulate the policy and their contribution?
• Communication: review the communication matrix; sample 3 instances.
• Documented information: sample 10 documents, current revision, owner, review date, distribution control.

Clause 8, Operation

• Operational planning: sample 1 product or service line; trace requirements to delivery.
• Customer requirements: sample 3 contracts; verify review, approval, change handling.
• Design and development (if in scope): sample 2 design projects; verify planning, inputs, controls, outputs, changes.
• External providers: sample 3 suppliers; verify evaluation, re-evaluation, control of externally provided processes.
• Production and service provision: identification, traceability, preservation, post-delivery.
• Release: sample 5 release authorisations.
• Nonconforming output: sample 5 nonconformities in past 6 months; verify control, segregation, disposition.

Clause 9, Performance evaluation

• Monitoring and measurement: confirm KPIs are aligned with objectives, collected, analysed, reviewed.
• Customer satisfaction: review the most recent results and corrective actions taken.
• Internal audit: programme covers all clauses and processes; auditors are competent and impartial.
• Management review: sample the most recent minutes; verify all required inputs are addressed and decisions are recorded.

Clause 10, Improvement

• Nonconformity and corrective action: sample 5 corrective actions; verify root cause, action, effectiveness review.
• Continual improvement: review evidence of improvement initiatives in the past 12 months, are they tracked to closure?

Nonconformity register fields

For each finding the workbook records: ID, audit date, auditor, clause, process audited, requirement, evidence (what was seen and where), grading (major / minor / OFI), root cause (filled by auditee), proposed action, target close date, evidence of effectiveness, actual close date.

Auditor competence

Internal auditors must be impartial, they cannot audit their own work. Competence evidence: ISO 19011 or sector-equivalent training, mentored audits, or formal qualification (e.g., IRCA, Exemplar Global).

Download the workbook

The downloadable Excel workbook ships with one sheet per clause, the nonconformity register, the audit programme planner, and a simple risk heatmap for the audit programme.

Related articles

• ISO 9001 implementation guide
• Document control procedure
• Audit readiness checklist
• Management review minutes template