ISO 9001 Internal audit for SMEs in Malta

ISO 9001 Internal audit for SMEs in Malta might be a daunting task for some, or an exciting experience through which you actively improve your business.

ISO 9001 is a voluntary international quality management standard that forward-thinking companies implement to structure their processes.

For a company to make a return on the cost of ISO 9001 certification, management must make sure they follow the practices suggested by the standard.

Given that during the implementation process, care has been given to design a system that streamlines the business processes of the company, an internal audit is the best way to achieve continual improvement within the company. 

What is an internal audit?

An internal audit is a non-biased, systematic, evidence-based approach to ensure that processes are being adhered to, with the aim of finding ideas for continual improvement. If you’d like more information about the Criteria for ISO 9001:2015 internal audits, with examples, click here.

Let’s break this down into smaller chunks. 


As opposed to an external audit, which is the yearly audit done by the ISO certification body, an internal audit is done by people within the company at a self-imposed frequency. The standard requires us to audit each process a minimum of once every 12 months. There is no maximum limit on the number of audits. For SMEs based in Malta, I suggest a maximum of twice a year.


The most basic concept of an internal audit is to find shortcomings within a management system. Therefore, impartiality is critical. This means that no one can audit their own work. In SMEs, having a non-biased internal audit is extremely hard. That’s why, as an experienced consultant, I am asked to conduct an ISO 9001 Internal audit for SMEs in Malta.

Systematic approach

As per anything within an organised management system, structure and organised planning are critical. By having a clear plan on which processes will be audited, and when, we can make sure that we follow an audit plan that covers all aspects of the business at least once a year.  

Process driven 

ISO 9001 has evolved into prioritizing the importance of a process approach. This means that we look at what the company does, the way that it adds value to its customers, in terms of processes. We’ve discussed that there are 4 key processes and various supporting processes.

Findings & Non-conformities

Whenever the internal auditor finds an opportunity for improvement, we call that a finding. A finding is the lowest on the scale of seriousness of the deficiency. Major and minor nonconformities are more serious deviations that have been discovered. The former (finding) would be a deviation from the self-imposed procedures. A nonconformity is when a clear breach of a specific ISO clause is identified.

Evidence based

When doing an audit (both internal and external) we are looking for evidence. In the context of an audit, evidence refers to following a real customer order, from start to finish. We are then going to look into the supporting services that were used to deliver that specific order. For example, the training records of the employees that were involved in rendering the service to the client.

Conducting an ISO 9001 Internal audit for SMEs in Malta

As explained, an internal audit has to be systematic. And what better than an audit checklist to ensure that an audit is systematic, and to make sure that all topics are covered.

The most common pitfall for anyone with little ISO experience is to overcomplicate things. If you search for ‘internal audit checklist’ online, you’ll find countless posts. These checklists tend to overcomplicate things and take a simplistic view of how an audit is done.

They would basically convert each phrase within the standard into a question. But that doesn’t make sense, as sometimes by implementing a system, you would be covering multiple points within different clauses.

So make sure that you base the continual improvement of your organisation not on a PDF you find off the internet, but on the knowledge of an experienced ISO 9001 consultant in Malta.

Factors to consider when doing an Internal Audit for ISO 9001:2015 Certification

Clause 4

Has the organisation identified the context in which it adds value to its customers? This can be demonstrated through having documented information relating to the identification of the internal and external factors of the organisation. A SWOT or PESTLE analysis within the business would perfectly cater for this requirement.

Clause 5

This clause relates to the commitment that management has towards the continual improvement of the organisation. Committed management would be actively involved in the activities required by ISO, and would see them as an integral part of their job – leadership of people through the management of processes.

The organisation must also have a quality policy in place, to guide employees towards the vision of the leaders within the organisation. Moreover, objectives must be set in line with the quality policy. Through the quality policy and quality objectives, an organisation would make sure that all the employees are pulling the same rope, and working towards the same objectives.

Clause 6

This clause is the keystone for the latest update within the ISO standard. ISO 9001:2015 has included the concept of risk management. Through the internal and external issues, as discussed in clause 4 above, we will identify the elements that have an effect on our business. Now, each of these elements can have a positive (opportunity) effect or a negative (risk) effect. Here the auditor will look for evidence that the risks and opportunities have been identified, prioritized and actioned.  

Clause 7

This section talks about the resources that are required to offer the product/service to the client. There are 3 types of supporting resources: people, infrastructure and the working environment. The idea of this clause is to ensure a reliable management system, whereby through training and maintenance, the required resources will be made available when they are required.

Clause 8

The 4 key processes to consider are requirements for the sales & marketing procedure, operations, purchasing and design & development [not all companies would have design – for example, travel agents in Malta would not need to include it]. For each of these processes, we will need to review the process, as defined within the management systems, from start to finish. This is done by finding a random customer order and following the process from start to finish. By following a specific order, we would be taking an evidence-based approach within our internal audit.

Clause 9

Performance evaluation is critical for any management system that is designed in a way that allows for decisions to be made based on data (rather than hunches). Here, the auditor will look for evidence that the company periodically collects data about its key and supporting processes, and that a system is in place to ensure that the necessary action is taken to reach the goals that were defined in Clause 5, as explained above.

One of the most important elements to consider is the collection and evaluation of customer feedback as a source through which ideas for continual improvement are captured.

Clause 10

No matter how hard we try, given that we are all humans, we are bound to make mistakes. And the standard acknowledges this fact. Here, the standard requires a way in which we will capture mishaps within the organisation, including complaints (internal, customer or supplier).


We honestly hope that this article has helped you to understand how to do an ISO 9001 Internal audit for SMEs in Malta. Should you need any further information, please feel free to get in touch. We’d love to help.
