Every ISO management system standard requires a formal internal audit programme. This is not a walkthrough — it is a documented, planned audit with findings, nonconformances, and verified corrective actions. If your CB finds the internal audit programme is weak, it is a major nonconformance against the management system standard itself.
Annual: Minimum frequency — risk-based scheduling
Documented: Plan, report, NCs, and CAPA trail required
Independent: Auditor must not audit their own work
An internal audit is a structured review of whether your QMS is working as intended. The auditor observes your work, checks records, and compares practice to SOPs. The goal is to find and fix gaps before the external CB auditor does.
Objective: Not to blame — to find system gaps
Evidence: Auditors look at records and observe practice
CAPA: Every finding gets a corrective action with a deadline
Quick reference. ISO 9001 cl. 9.2, IATF 16949 cl. 9.2.2 (product and process audits additional), ISO 14001 cl. 9.2, ISO 45001 cl. 9.2, ISO 27001 cl. 9.2. Key requirements: risk-based programme, auditor competence and independence, documented audit plan, NC classification (major / minor / observation), CAPA with effectiveness verification, management review input.
cl. 9.2: Internal audit clause across all standards
Risk-based: Higher-risk areas audited more frequently
CAPA: Effectiveness verification required
Internal audit is a core element of every ISO management system standard. Derived from the Plan-Do-Check-Act (PDCA) cycle, internal audit is the "Check" phase — verifying that the management system is being implemented as planned and is effective. It provides management with independent assurance of QMS performance.
PDCA: Check phase of the Deming cycle
cl. 9.2: Clause number across all ISO MSS
Independence: Auditor cannot audit own work
Required by ISO 9001, IATF 16949, ISO 14001, ISO 45001, and ISO 27001
Most common CB finding: internal audit records incomplete or CAPA not verified
Auditor competence and independence from audited area both required
01 — What it is: Understanding Internal Audit
The formal check that your management system is working — not just documented.
Internal audit is a planned, independent, documented evaluation of whether your management system conforms to the requirements of the standard and is being effectively implemented. Every ISO management system standard — ISO 9001, ISO 14001, ISO 45001, ISO 27001, IATF 16949 — requires a formal internal audit programme.
Internal audit is not a management walkthrough. It requires: a documented audit programme, trained and competent auditors who are independent of the area being audited, written audit plans, documented findings with NC classification, and CAPA tracking to verified closure.
The purpose is to find gaps and fix them before the external CB auditor does. A CB finding that your internal audit programme is inadequate is a major nonconformance against the management system standard — because it means the self-checking mechanism of the QMS is not working.
The most common CB finding on internal audits: Audits happening informally with no documentation, CAPA not tracked to verified closure, or auditors auditing their own areas. All three are direct nonconformances against the audit clause.
👥 Illustrative case — details changed for confidentiality
The business
Metal fabrication company Rajkot · 75 employees, ISO 9001 certified
The trigger
A surveillance audit by their CB found that internal audit records were incomplete — three of the last four quarters had no documented audit report. The CB issued a major nonconformance.
The challenge
Internal audits were happening — but informally. The quality manager conducted walkthroughs and noted issues verbally. No audit plans, no formal reports, and no CAPA tracking. Nothing could be presented to the CB.
Where Clicarity came in
They deployed Clicarity to manage the audit programme. Each quarterly audit was a job — plan, opening meeting, floor observation, report, and CAPA follow-up as stages. Manufacturing and QC were audited as sub-jobs with separate NC records. When they rejoined at management review, the complete audit record of both departments was preserved.
The result
Major NC closed within 30 days. CB confirmed corrective action effective at next surveillance visit.
The audits were always happening. We just had nothing to show for them. Clicarity gave us the evidence trail.
A management system standard — internal audit is a QMS requirement, not a standalone activity
03 — What it requires: What is checked
What makes an internal audit programme credible to a CB auditor.
1. Documented audit programme covering the full year
A written schedule showing which areas/processes will be audited, when, and by whom. Risk-based — higher-risk areas audited more frequently.
E.g. Annual audit schedule: Manufacturing Q1, QC Q1, Purchasing Q2, Sales Q3, Management system Q4.
2. Trained and competent auditors — independent of the area
Auditors must be competent (trained in audit techniques and the standard) and must not audit their own work.
E.g. Production supervisor trains as internal auditor. Can audit QC, Purchasing, and Management system — but not Manufacturing.
Most common gap: Only one person in the company is the "internal auditor." If they get sick or leave, the programme collapses. Train at least 2.
3. Written audit plan shared with auditee in advance
Before each audit, a written plan shared with the department head: scope, criteria, methods, and timing.
E.g. Email with attached audit plan: area = QC Inspection, criteria = ISO 9001 cl. 8.4 + relevant SOPs, date, auditor name.
4. NC classification — major, minor, observation
Findings classified consistently. Major NC: complete absence of a requirement or system breakdown. Minor NC: isolated failure. Observation: potential improvement.
E.g. No calibration records for any instrument = Major NC. One instrument with expired calibration = Minor NC.
5. CAPA for every NC — with root cause and deadline
Each nonconformance requires a corrective action: root cause identified, action proposed, responsible person, and completion date agreed.
E.g. NC: SOP-MFG-012 not followed at Stage 3. Root cause: SOP not displayed at workstation. CAPA: Mount SOP at workstation. Responsible: Production supervisor. Due: within 14 days.
6. CAPA effectiveness verification — auditor confirms it worked
After the CAPA is implemented, the auditor verifies it was effective — not just that something was done.
E.g. Follow-up visit: SOP mounted at workstation. Operator can describe the procedure. CAPA verified effective.
7. Input to management review
Internal audit findings, NC trends, and CAPA status are formal inputs to the management review meeting.
E.g. Management review agenda item: internal audit summary — NCs raised, NCs closed, open items, trends.
What inspectors really check
A CB auditor will ask for the last 12 months of internal audit records — plans, reports, NC lists, and CAPA evidence. They check: Was every area audited? Were auditors independent? Is every NC from the last cycle closed with a verified CAPA? Were findings reported to management review?
Gap analysis checklist — tick what you already have
Annual audit programme documented — all areas scheduled
Risk-based. Higher-risk areas more frequently.
At least 2 trained internal auditors in the company
Training records available.
Each audit has a written plan shared with auditee before the audit
Scope, criteria, date, auditor.
Audit reports issued promptly after each audit
With NC classification (major / minor / observation).
CAPA raised for every NC — root cause, action, owner, due date
No NC left without a CAPA.
CAPA effectiveness verified by the auditor after implementation
Not just closed — verified effective.
Internal audit summary in management review minutes
Trends, open NCs, and programme status.
04 — Official body: Who certifies in India
Who issues this in India — and how to verify it.
There is no external body for internal audit — it is an internal QMS requirement. Auditors can be trained internally or through recognised internal auditor training courses aligned to the relevant standard.
Recognised internal auditor training bodies in India: CII (Confederation of Indian Industry), BIS training, NABCB-accredited CB training divisions, and international bodies like BSI, Bureau Veritas, and SGS offer internal auditor training courses for ISO 9001, ISO 14001, ISO 45001, and ISO 27001.
CII — Internal auditor training
CII Institute of Quality internal auditor courses.
Promptly after the audit. CAPA agreed with auditee.
Follow-up
Verify CAPA effectiveness
Before the CB surveillance visit.
Where to begin: Use the checklist in Section 3 to assess your readiness before contacting any CB.
Frequency: At least annual — risk-based. High-risk processes: more frequently.
Auditor training: Before first audit. Recognised internal auditor course.
CAPA timeline: Agreed with auditee. Typically 14-30 days for minor, immediately for major.
Programme review: At management review. Trends and open NCs presented.
Train at least two internal auditors. Companies with only one internal auditor face a programme collapse whenever that person is unavailable. Having two auditors also enables cross-auditing — each audits the other's area, maintaining independence.
06 — Find certified companies: How to verify
How to find and verify certified organisations.
Internal audit programmes are internal QMS records — there is no national register. CB surveillance audit reports referencing internal audit findings are not public. Assess a company's internal audit programme maturity through their CB certification status and any publicly available quality indicators.
How to verify: To confirm whether any organisation holds a current Internal Audit certification, use the official register. Verify the issuing CB's accreditation at nabcb.qci.org.in.
1. Build a 12-month audit schedule — assign every area a quarter
One page. Every area in scope gets a scheduled audit quarter. Paste it to the quality notice board.
2. Train at least two people as internal auditors — this week, book the course
CII, BSI, or Bureau Veritas all run 2-day internal auditor courses aligned to your standard. Until you have trained auditors, your programme has no foundation.
3. Conduct the first audit this month and issue a written report — even if only one page
The first report is the hardest. After that, the programme is in motion.
08 — How Clicarity fits: Process tracking
Good records are the foundation. A process tracker builds them automatically.
Clicarity — Live Job Process Tracker & Bottleneck Identifier
Clicarity doesn't conduct your internal audits. It tracks the audit programme — ensuring every audit has a plan, a report, and a CAPA trail that CBs and management can rely on.
Internal audit programmes fail not because audits aren't happening — but because there is no documented trail. In Clicarity, each audit is a job. Stages track: audit plan, opening meeting, document review, floor observation, closing meeting, report issue, and CAPA follow-up. When an audit covers multiple departments, each department runs as a sub-job with its own NC record and auditee sign-off. When they rejoin at the management review stage, the complete audit record of every department is preserved in one traceable programme.
Audit plan stage: scope, auditor, auditee, date, and criteria captured before the audit begins — the advance notice record ISO 9001 and IATF require.
Each department audited as a sub-job with its own NC count and auditee acknowledgement — no department's findings get mixed with another's.
CAPA follow-up stage tracks each NC to verified closure — the audit is not marked complete until every CAPA has been verified effective.
Clicarity shows the audit programme status at a glance — which audits are overdue, which CAPAs are pending verification — before the CB arrives.
Job splits — each component tracked independently
#AUD-2026-Q2-A: Manufacturing — Line 1 & 2. Fields: NCs found, Lead auditor, Auditee sign-off.
#AUD-2026-Q2-B: QC — Inspection & lab. Fields: NCs found, Lead auditor, Auditee sign-off.
Components rejoin as #AUD-2026-Q2 — complete record of every branch, every data point, every sign-off preserved.
Closing meeting. Fields: NCs presented to auditee, Auditee acknowledged, CAPA due date agreed, Closing minutes signed, Close date.
Audit report issued. Fields: Report ref. no., Major NCs, Minor NCs, Observations, Issue date.
CAPA follow-up. Fields: All CAPAs received, CAPAs verified effective, Verification date, Audit closed by, MR sign-off.
Wastage tracked:
Manufacturing and QC departments audited independently — separate NC counts and sign-offs
CAPA follow-up tracked against each NC until verified effective
Audit closed only when all CAPAs are verified
Fields and stage names are fully customisable. This illustrates a typical ISO 9001 / IATF 16949 internal audit setup.
Clicarity is a process tracking tool. It does not provide certification, consulting, or audit services.