The internal quality audit is the quality management system’s self-assessment mechanism — the structured process by which the organisation verifies that its quality processes are being followed, are effective, and comply with the applicable standard. ISO 9001 clause 9.2 mandates internal audits at planned intervals. Every major quality certification — ISO 9001, ISO 13485 (medical devices), IATF 16949 (automotive), AS9100 (aerospace) — requires a systematic internal audit programme. But the audit’s value depends entirely on whether it is conducted with genuine rigour: auditors who ask the right questions, verify claims with evidence rather than accepting assertions, and classify findings accurately enough to reflect the true state of the system. An internal audit programme that consistently finds only minor observations in a system that an external auditor subsequently flags for major non-conformances has failed its primary purpose. This free checklist gives quality managers, internal auditors, and QMS teams a structured framework for the full QA compliance audit lifecycle.
Definition: A failure to meet a specific QMS requirement in a way that is systemic, is likely to significantly affect product quality or customer satisfaction, or that would result in a major finding in an external audit.
Examples: No documented inspection procedure for a high-risk process; CAPA process not followed for documented non-conformances; management review not conducted in the past 12 months; significant traceability gap.
Required response: CAPA raised and implemented before external audit; root cause identified and addressed.
Definition: An isolated failure to follow a documented procedure, or a single instance of a process not meeting a requirement, without systemic implications.
Examples: One inspection record with missing inspector signature; one training record not updated; a procedure reference in an SOP pointing to a superseded document version.
Required response: Corrective action to address the specific instance; root cause investigation if the same type of issue recurs.
Definition: A situation that does not represent a non-conformance but that could potentially become one, or that presents an opportunity to improve the effectiveness of the QMS.
Examples: An inspection process that is being followed but whose effectiveness is not being measured; a procedure that is technically compliant but so difficult to follow that compliance is inconsistent.
Required response: Noted in the audit report; reviewed in the next management review; a PDCA cycle may be initiated.
Six phases covering the full internal audit lifecycle — from programme planning and document review through on-site execution, finding classification, CAPA generation, and management review input.
The audit is a verification exercise. Claims made by the auditee about their processes must be verified against objective evidence — records, observations, and data — not accepted at face value. “We always do it that way” is not objective evidence.
An internal audit programme that audits the easy areas frequently and the difficult areas rarely does not provide the assurance ISO 9001 requires. CheckFlow’s audit programme tracks coverage of all QMS clauses and all critical processes against the audit schedule — ensuring the full scope is covered within the programme cycle.
An audit finding that is documented in a report and then never followed up is a finding that recurs at the next audit — and at the external audit. CheckFlow tracks every finding from identification through CAPA to verified effectiveness, escalating overdue items and preventing premature closure.
External certification bodies require evidence of a systematic internal audit programme: who conducted the audits, what areas were covered, what findings were raised, what CAPAs were issued, and whether they were effective. CheckFlow produces this record automatically as the audit programme runs — audit dates, scope, findings, CAPAs, and closure — in a format that any external auditor can review.
QA compliance audits review whether process standardisation is in place and being followed. CheckFlow’s Process Standardisation Checklist covers the development and implementation of the documented procedures the audit will verify. See the Process Standardisation Checklist →
QA audit findings generate CAPAs that are resolved through the continuous improvement process. CheckFlow’s Continuous Improvement Cycle Checklist covers the PDCA framework. See the Continuous Improvement Cycle Checklist →
A QA compliance audit process covers six phases: audit planning (annual programme covering all QMS clauses, scope and objectives defined, independent auditor selected, question sets prepared, auditee notified, documents collected), document review (QMS documentation currency, previous CAPA status, quality record review), on-site audit execution (opening meeting, process auditing with open questions, evidence verification, real-time findings recording, closing meeting), finding classification and audit report (Major NC/Minor NC/OFI classification, report issued within 5 days, Major NCs escalated), CAPA and closure (auditee CAPA within 2–4 weeks, auditor review, effectiveness verification, finding closed), and management review input (audit summary in management review, trend analysis over audit cycles).
A major non-conformance (MNC) is a systemic failure to meet a QMS requirement — typically one that affects product quality, could lead to customer satisfaction failures, or would be identified as a major finding by an external certification auditor. Examples include: no documented procedure for a high-risk process, CAPA process not followed, or management review not conducted. A minor non-conformance (MnNC) is an isolated, non-systemic deviation from a documented procedure — a single missing signature on a record, a single out-of-date reference in a procedure. The practical distinction is that a major NC would typically require a major corrective action before an external audit can be cleared; a minor NC typically requires only a local correction.
ISO 9001 clause 9.2 requires organisations to conduct internal audits at planned intervals to provide information on whether the QMS conforms to the organisation’s own requirements and the requirements of the standard, and whether the QMS is effectively implemented and maintained. The standard requires an audit programme that considers the importance of processes and the results of previous audits; that auditors are objective and impartial (independent of the area being audited); and that the results are reported to relevant management. ISO 19011 provides guidance on auditing management systems, including auditor competence, audit programme management, and audit execution.
ISO 9001 requires internal audits at “planned intervals” without specifying a minimum frequency. In practice, most organisations plan to cover all QMS clauses and all significant processes at least annually. The frequency for specific areas should be risk-based: high-risk processes, areas with recent non-conformances, and processes not audited recently should be audited more frequently. Many organisations run monthly or quarterly focused audits covering specific processes, with a full-scope annual programme.
You can start a free 14-day trial with no credit card required, giving you full access to all features including this template. The Business plan is $10 per user per month after the trial. Full details at checkflow.io/pricing.
