5.2 Clause 9.2 — Internal audit
Key Takeaways
- Clause 9.2.1 requires internal audits at planned intervals to determine whether the QMS conforms to the organization's own requirements and to ISO 9001, and whether it is effectively implemented and maintained.
- Clause 9.2.2(a) requires an audit programme that considers the importance of the processes concerned, changes affecting the organization, and the results of previous audits.
- Clause 9.2.2(c) requires auditors to be selected, and audits conducted, in a way that ensures objectivity and impartiality — nobody may audit their own work.
- Clause 9.2.2(e) requires correction and corrective action to be taken without undue delay when internal-audit nonconformities are found.
- A third-party lead auditor effectively audits the organization's internal audit programme itself, verifying it covers the required scope, uses independent auditors, and drives timely action.
Clause 9.2 is unusual among the ISO 9001 requirement clauses because it asks the organization to do, internally, exactly what a CQI/IRCA lead auditor does externally: audit the management system. Understanding 9.2 well is doubly useful -- it is both a requirement you must audit for conformity, and a preview of the audit lifecycle you will study in depth from Chapter 6 onward.
9.2.1 Purpose of Internal Audit
Clause 9.2.1 requires the organization to conduct internal audits at planned intervals to provide information on whether the QMS:
- (a) conforms to the organization's own requirements for its QMS and to the requirements of ISO 9001:2015, and
- (b) is effectively implemented and maintained
Both halves matter. An internal audit that checks compliance with the organization's own procedures without also checking against ISO 9001's requirements is incomplete, and vice versa. "Effectively implemented and maintained" pushes internal auditors past a paperwork check toward verifying that the system actually functions day to day.
9.2.2 Running the Programme
Clause 9.2.2 sets out six specific obligations:
| Ref | Requirement |
|---|---|
| (a) | Plan, establish, implement and maintain an audit programme(s) including frequency, methods, responsibilities, planning requirements and reporting, considering the importance of the processes concerned, changes affecting the organization, and results of previous audits |
| (b) | Define the audit criteria and scope for each audit |
| (c) | Select auditors and conduct audits to ensure objectivity and impartiality of the audit process |
| (d) | Ensure results are reported to relevant management |
| (e) | Take correction and corrective action without undue delay |
| (f) | Retain documented information as evidence of the audit programme and results |
Two of these obligations generate the most audit findings in practice, so they deserve special attention.
Risk-Weighted Programme Design (9.2.2(a))
The programme cannot simply audit every clause once a year on a fixed calendar. It must be weighted: processes that are more important -- higher risk, higher customer impact, historically problem-prone -- should be audited more frequently or in more depth than stable, low-risk processes. A programme that gives design and production processes the same audit attention as a rarely used administrative process, with no rationale, is a common weak point. Likewise, when the organization changes -- a new product line, a new site, new software, key personnel turnover -- the programme should respond by adjusting scope or frequency, not simply continue on autopilot.
Objectivity and Impartiality (9.2.2(c))
This is the clause that prohibits an employee from auditing their own department's work. A production supervisor auditing their own line, or a quality engineer auditing a procedure they personally wrote and maintain, cannot provide objective evidence of independence. Small organizations sometimes solve this with cross-functional auditor pools, where department heads audit each other's areas, or by bringing in a contract auditor for functions too small to self-audit independently. As you will see in Chapter 6, this maps directly onto the independence principle of ISO 19011.
What a Third-Party Auditor Checks Under 9.2
When a CQI/IRCA-trained lead auditor evaluates an organization's clause 9.2 implementation, the objective evidence trail typically includes:
- The audit programme document itself: does it cover all applicable processes and clauses across a defined cycle, commonly one to three years?
- Audit schedules and completion records showing planned audits were actually performed on time
- Individual audit plans showing defined criteria (which procedures, which clauses) and scope for each audit
- Auditor competence records and an assignment matrix confirming auditors did not audit their own areas
- Audit reports showing findings were communicated to process owners and to relevant management, not filed away unread
- Corrective action records tied to internal-audit nonconformities, with evidence of timely closure, since a programme that raises findings but never closes them is not meeting 9.2.2(e)
A Common Failure Pattern
One of the most frequent nonconformities raised against clause 9.2 is a programme that exists on paper -- a schedule, a checklist template -- but where audits are superficial, consistently find zero nonconformities, or are performed by the same person auditing the same area they manage. Zero findings across every internal audit, year after year, is itself a red flag worth probing: either the QMS is genuinely exceptional, or the internal audits are not detecting real issues. A lead auditor should treat a suspiciously clean internal-audit history as a prompt to sample more deeply elsewhere in the system, not as reassurance that everything is fine.
The programme should also be sized to the real organization, not just the site where the quality manager happens to sit. A single-site, single-shift operation may reasonably complete a full-scope audit cycle in twelve months, but a multi-site or multi-shift organization needs the programme scope to explicitly include every location and shift operating under the same certificate. A programme document that never mentions the night shift, or a satellite warehouse within the certified scope, has not properly applied 9.2.2(a)'s requirement to plan the programme around the importance of the processes concerned and the organization as it actually operates. When you study ISO 19011's guidance on managing an audit programme in Chapter 6, you will recognize this same sizing principle applied at the third-party level: an audit programme that quietly ignores part of the certified scope cannot credibly claim to have evaluated the whole management system.
A quality manager at a small manufacturer proposes that the production supervisor audit their own department's processes to save time, since the supervisor knows the process best. As a lead auditor reviewing this arrangement, why does it conflict with ISO 9001:2015 clause 9.2.2(c)?
Which combination correctly reflects the requirements of ISO 9001:2015 clause 9.2.2 for an internal audit programme?