Internal Audit Requirements

ISO management system standards are required to adopt the high-level structure, identical core text, and common terms and definitions of Annex SL of the ISO Directives, Part 1.

The Annex SL base text for clause 9.2, Internal Audit, is shown below, followed by the actual internal audit requirements for these management system standards:

ISO 9001:2015
ISO 14001:2015
AS9100:2016; AS9110:2016; AS9120:2016
IATF 16949:2016
ISO 27001:2013.

Annex SL

9.2 Internal audit

9.2.1 The organization shall conduct internal audits at planned intervals to provide information on whether the XXX management system:

a) conforms to:

– the organization’s own requirements for its XXX management system;
– the requirements of this International Standard;

b) is effectively implemented and maintained.

9.2.2 The organization shall:

a) plan, establish, implement and maintain an audit program including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned and the results of previous audits;

b) define the audit criteria and scope for each audit;

c) select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;

d) ensure that the results of the audits are reported to relevant management;

e) retain documented information as evidence of the implementation of the audit program and the audit results.

 

ISO 9001:2015

The ISO 9001:2015 quality standard adopted Annex SL with only the text in bold italics added:

9.2.1 The organization shall conduct internal audits at planned intervals to provide information on whether the quality management system:

a) conforms to:

1) the organization’s own requirements for its quality management system;
2) the requirements of this International Standard;

b) is effectively implemented and maintained.

9.2.2 The organization shall:

a) plan, establish, implement and maintain an audit program including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits;

b) define the audit criteria and scope for each audit;

c) select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;

d) ensure that the results of the audits are reported to relevant management;

e) take appropriate correction and corrective actions without undue delay;

f) retain documented information as evidence of the implementation of the audit program and the audit results.

NOTE: See ISO 19011 for guidance.

 

ISO 14001:2015

The ISO 14001:2015 environmental standard adopted Annex SL with only the text in bold italics added:

9.2.1 General

The organization shall conduct internal audits at planned intervals to provide information on whether the environmental management system:

a) conforms to:

1) the organization’s own requirements for its environmental management system;
2) the requirements of this International Standard;

b) is effectively implemented and maintained.

9.2.2 Internal audit program

The organization shall establish, implement and maintain an internal audit program, including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits.

When establishing the internal audit program, the organization shall take into consideration the environmental importance of the processes concerned, changes affecting the organization, and the results of previous audits.

The organization shall:

a) define the audit criteria and scope for each audit;

b) select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;

c) ensure that the results of the audits are reported to relevant management.

The organization shall retain documented information as evidence of the implementation of the audit program and the audit results.

 

AS9100:2016, AS9110:2016, and AS9120:2016

The AS9100:2016, AS9110:2016, and AS9120:2016 aerospace standards adopted Annex SL with only the text in bold italics added. Some of the changes were introduced by ISO 9001:2015. The unique additions by the aerospace standards are preceded by a + sign.

9.2 Internal Audit

9.2.1 The organization shall conduct internal audits at planned intervals to provide information on whether the quality management system:

a. conforms to:

1. the organization’s own requirements for its quality management system;

+ NOTE: The organization’s own requirements should include customer and applicable statutory and regulatory quality management system requirements.

2. the requirements of this International Standard;

b. is effectively implemented and maintained.

+ NOTE: When conducting internal audits, performance indicators can be evaluated to determine whether the quality management system is effectively implemented and maintained.

9.2.2 The organization shall:

a. plan, establish, implement, and maintain an audit program including the frequency, methods, responsibilities, planning requirements, and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits;

b. define the audit criteria and scope for each audit;

c. select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;

d. ensure that the results of the audits are reported to relevant management;

e. take appropriate correction and corrective actions without undue delay;

f. retain documented information as evidence of the implementation of the audit program and the audit results.

NOTE: See ISO 19011 for guidance.

 

IATF 16949:2016

The IATF 16949:2016 automotive standard adopted Annex SL with only the text in bold italics added. Some of the changes were introduced by ISO 9001:2015. The unique additions by IATF 16949:2016 are grouped into sub-clauses 9.2.2.1, 9.2.2.2, 9.2.2.3, and 9.2.2.4 and preceded by a + sign.

9.2.1 The organization shall conduct internal audits at planned intervals to provide information on whether the quality management system:

a) conforms to:

1) the organization’s own requirements for its quality management system;
2) the requirements of this International Standard;

b) is effectively implemented and maintained.

9.2.2 The organization shall:

a) plan, establish, implement and maintain an audit program including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits;

b) define the audit criteria and scope for each audit;

c) select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;

d) ensure that the results of the audits are reported to relevant management;

e) take appropriate correction and corrective actions without undue delay;

f) retain documented information as evidence of the implementation of the audit program and the audit results.

NOTE: See ISO 19011 for guidance.

+ 9.2.2.1 Internal audit program

The organization shall have a documented internal audit process. The process shall include the development and implementation of an internal audit program that covers the entire quality management system including quality management system audits, manufacturing process audits, and product audits.

The audit program shall be prioritized upon risk, internal and external performance trends, and criticality of the processes.

Where the organization is responsible for software development, the organization shall include software development capability assessments in their internal audit program. The frequency of audits shall be reviewed and, where appropriate, adjusted based on occurrence of process changes, internal and external nonconformities, and/or customer complaints. The effectiveness of the audit program shall be reviewed as a part of management review.

+ 9.2.2.2 Quality management system audit

The organization shall audit all quality management system processes over each three-year calendar period, according to an annual program, using the process approach to verify compliance with this Automotive QMS Standard. Integrated with these audits, the organization shall sample customer-specific quality management system requirements for effective implementation.

+ 9.2.2.3 Manufacturing process audit

The organization shall audit all manufacturing processes over each three-year calendar period to determine their effectiveness and efficiency using customer-specific required approaches for process audits. Where not defined by the customer, the organization shall determine the approach to be used.

Within each individual audit plan, each manufacturing process shall be audited on all shifts where it occurs, including appropriate sampling of the shift handover.

The manufacturing process audit shall include an audit of the effective implementation of the process risk analysis (such as PFMEA), control plan, and associated documents.

+ 9.2.2.4 Product audit

The organization shall audit products using customer-specified required approaches at appropriate stages of production and delivery to verify conformity to specified requirements. Where not defined by the customer, the organization shall determine the approach to be used.

 

ISO 27001:2013

The ISO 27001:2013 information security standard adopted Annex SL with only the text in bold italics added:

9.2 Internal audit

The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system:

a) conforms to:

1) the organization’s own requirements for its information security management system;
2) the requirements of this International Standard;

b) is effectively implemented and maintained.

9.2.2 The organization shall:

c) plan, establish, implement and maintain an audit program including the frequency, methods, responsibilities, planning requirements and reporting. The audit program shall take into consideration the importance of the processes concerned and the results of previous audits;

d) define the audit criteria and scope for each audit;

e) select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;

f) ensure that the results of the audits are reported to relevant management;

g) retain documented information as evidence of the implementation of the audit program and the audit results.

 
