This page is dedicated to helping you learn the art & science of internal auditing. It is by no means a comprehensive list but it gives you the basis of ISO 9001:2015 – Internal Audit Criteria with examples.

ISO 9001:2015 – Internal Audit Criteria with examples

Section one of five ISO 9001:2015 – Internal Audit Criteria with examples contains five questions worth two marks each.

The difference between objectivity and impartiality in this context.

Objectivity: Objectivity is sticking to the facts, being guided by the evidence and considering that an account of an event is closer to the truth the more supporting evidence it has. This is important when gathering evidence during the audit.

Impartiality: Impartiality is not taking sides, refraining from value judgments and treating different versions of an event as equivalent, believing the truth is in the middle.

The difference between being argumentative and being assertive, in the context of an audit.

Argumentative: going into an argument with clients – being disagreeable. This is an emotional reaction. Often aggressive.  

Assertive: being respectful of the client who is disagreeing with you, while standing behind the point that you are making (which is backed up by a specific clause from the standard). This is without emotion, just stating facts.

Customer Satisfaction

Two methods in which an organisation can monitor customer satisfaction:

  • Customer surveys
  • Market-share analysis

Verification Activities

Clause 8.3.4 of ISO 9001:2015 requires design and development verification to be carried out. List two verification activities that may be used by the design function of an organization.

  • Modelling/simulation
  • Experiments/tests

Note: 8.3.4 has 3 requirements:

  • Review: planning on how things happen
  • Verification: internally checking that product developed meets the desired output
  • Validation: customer confirms that outputs meet customer requirements

Two ways in which an auditor can verify that agreed corrective actions have been effectively implemented.

After noting a corrective action as documented information an auditor can:

  • Check whether changes are made to the management systems and talk with the people involved to ensure that they know/implement the change
  • Update risks and opportunities during planning, and ensure that the right actions are taken and implemented to mitigate risks and seize opportunities for effective risk-based management as per ISO 9001:2015
  • Go on site to confirm that the changes have been implemented.

ISO 9001:2015 – Internal Audit Criteria examples: Leadership + Auditor

7 Quality Management Principles

ISO 9000:2015 identifies ‘evidence-based decision-making’ as one of the 7 Quality Management Principles that facilitate the achievement of Quality Objectives.

a) As per ISO 9001:2015 – Internal Audit Criteria, explain your understanding of what is meant by ‘evidence-based decision-making’. (2 marks)

This means that decisions are taken based on facts, on objective analysis of data and information, rather than hunches. Data is collected and effectively analysed to come up with factual information regarding a situation, and evidence-based decision-making can then be done.

Eight ISO 9001:2015 clauses that support ‘evidence-based decision making’

The following are examples of ISO 9001:2015 – Internal Audit Criteria for evidence-based decision making.

Evaluation of Leadership

ISO 9001:2015 requires Top Management to demonstrate leadership and commitment with respect to the QMS. Here are some methods for evaluating leadership in ISO 9001:2015 – Internal Audit Criteria with examples.

a) Describe briefly a method you could use to evaluate Top Management leadership and commitment.

  • By interviewing the top management, I would ensure that they are committed to the quality policy, in a way that the quality objectives are defined to support the quality policy, and that the quality objectives are compatible with the context and strategic direction of the organization. Moreover, I would confirm that the data relating to these objectives is being collected, effectively analysed, and discussed during management review meetings, and that appropriate decisions are taken by top management to reach the quality objectives.

b) Give three examples of audit evidence you would gather as part of your evaluation of Top Management leadership and commitment. (3 marks)

  • 5.2 – quality policy is available as documented information, communicated and understood throughout the organization, and available to relevant interested parties
  • 5.3 – organizational roles and responsibilities are assigned, communicated and understood within the organization.
  • 9.3.3 – the outputs from the management review meeting consider all items mentioned in 9.3.2 and that decisions and actions related to opportunities for improvement, changes to the QMS and any resources needed are discussed and actioned (with the allocation of the right budgets – time and money).

Demonstrating Leadership & Commitment

Top management shall demonstrate leadership and commitment with respect to the quality management system by:

  1. taking accountability for the effectiveness of the quality management system;
  2. ensuring that the quality policy and quality objectives are established for the quality management system and are compatible with the context and strategic direction of the organization;
  3. ensuring the integration of the quality management system requirements into the organization’s business processes;
  4. promoting the use of the process approach and risk-based thinking;
  5. ensuring that the resources needed for the quality management system are available;
  6. communicating the importance of effective quality management and of conforming to the quality management system requirements;
  7. ensuring that the quality management system achieves its intended results;
  8. engaging, directing and supporting persons to contribute to the effectiveness of the quality management system;
  9. promoting improvement;
  10. supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.

Traits of an auditor

2.3 A positive auditor professional behavior is to be diplomatic.

a) State the meaning of ‘diplomatic’ and give an example to demonstrate how an auditor could be diplomatic. (3 marks)

  • Diplomatic is when we convey the message that we’d like to communicate to the client in a respectful way that would be understood by the client. For example, when the auditee is disagreeing with the auditor that a particular piece of evidence (or lack of it) should be considered as an NC, a diplomatic auditor would cordially disagree with the auditee and read the relevant clause in a way that is perceived as friendly, respectful and professional.

b) Describe briefly the effect that not being diplomatic could have on an audit. (2 marks)

  • Sever the relationship with the client by arguing
  • If, on the other hand, the auditor is agreeable, to avoid being assertive, the downside could be that we do not achieve the intended outcome of the audit, which is to ensure that the company is complying with the requirements set by the standard.

Case Study

2.4 At the opening meeting of an external audit, you are informed that a recent internal audit has found many nonconformities relating to the in-house purchasing department. Corrective action has already been planned. It is therefore suggested that to audit this department again would add no value, and you are asked if you could delete this department from the audit plan and spend more time in the production area.

Outline five issues you would include in the response you would give to this request. (5 marks)

  1. The external audit has to cover all the processes that have been defined within the audit programme  
  2. The results of the internal audit could be used as inputs for the improvement of the QMS and therefore cannot be excluded
  3. Since many non-conformities were already found, it would be wise to audit the process again, as the external auditor might also provide additional insight on how the improvement should be tackled – further improving the corrective action that has already been planned
  4. By having the external auditor reviewing the current purchasing process, employees will further understand the importance of their role within the company – internal and external auditors are reviewing their work to ensure that it is done in a way that benefits all relevant stakeholders
  5. The duration of the audit on the production area is adequate to the needs of the company, and no additional person-hours are required

ISO 9001:2015 – Internal Audit Criteria examples: Case-Studies

Audit Trail 1

3.1 During a routine surveillance visit, the organisation you are auditing informs you that they no longer carry out any design and development work. This activity is now outsourced to an external provider (supplier/contractor).

Give four examples of audit trails/audit evidence you would look for to determine the conformance of the current system with ISO 9001:2015, given the information you have just received.


For each of your examples, identify the clause(s) of ISO 9001:2015 that relate to this situation. (10 marks)

| Audit Trail | Evidence sought | Purpose |
|---|---|---|
| How did the company approve the supplier to work with, and what monitoring is in place to evaluate the performance of the supplier? | Interview with purchasing; Documented information | 8.4.1 |
| Which controls did the company put in place to ensure that the supplier achieves the desired output? | Interview R&D | 8.4.2b |
| How does the company manage verification and validation to confirm that the product achieves the desired output? | Interview R&D | 8.4.2d |
| How does the company communicate the needs with the external provider? | Interview R&D; Interview with purchasing | 8.4.3 |

ISO 9001:2015 – Internal Audit Criteria Example: Supplier Management

Audit Trail 2

Taking into account the requirements of clause 10.2 of ISO 9001:2015, describe in terms of a sequence or illustrate using a diagram the corrective action process starting from a non-conformance being raised by an auditor through to close out of the finding. Identify who is responsible for each element of the process and identify where in the corrective action process decisions need to be taken. (10 marks)

  1. Non-conformity found – Auditor
  2. NC report created (description of NC, objective evidence and ISO 9001:2015 clause and requirement) – Auditor
  3. NC discussed during closing meeting – Auditor
  4. Signature to confirm acceptance of NC – Auditee
  5. Proposed action plan sent to auditor – Auditee
  6. CA relating to the NC is evaluated to determine whether root cause of problem would be solved – Auditor
  7. Change is planned – Auditee
  8. Change is implemented – Auditee
  9. NC is discussed during next external audit – Auditor
  10. Audit trail completed to ensure proper closure of NC – Auditor
  11. Close NC – Auditor

ISO 9001:2015 – Internal Audit Criteria Example: Corrective Action

Another approach that can be taken is as follows:

  1. NC raised – Auditor
  2. Root cause analysis – Auditee
  3. CA proposal – Auditee
  4. Implement CA – Auditor
  5. Effectiveness of CA – Auditor/auditee
  6. Identify risks/opportunities with CA – Auditee
  7. Integrate with QMS – Auditee
  8. Retained documented information of CA for NC – Auditee
  9. Follow-up for CA to ensure closure – Auditor

ISO 9001:2015 – Internal Audit Criteria Example: Corrective Action

Audit Trail 3

3.3 You are conducting an ISO 9001:2015 audit in an injection moulding company (a process by which plastic components are manufactured). The next activity on your audit plan is the organisation’s final product testing laboratory. Outline in a checklist how you will perform this audit by developing a series of ten audit checkpoints. For each checkpoint, identify examples of the audit evidence you would want to gather and give the appropriate ISO 9001:2015 reference.

Note: 1 mark will be awarded per audit checkpoint, with 0.5 mark for the supporting evidence and 0.5 mark for the appropriate ISO 9001:2015 reference. (10 marks)

| Audit Trail | Evidence sought | Purpose |
|---|---|---|
| How were the checking characteristics defined? | Interview with QA | 8.5.1a1 |
| How are the testing samples being processed? Is there a quarantine area? | Is there a procedure on this? | 8.5.2 |
| How is it being ensured that the preservation of output is being done effectively? | Tour of lab and holding areas/stores | 8.5.4 |
| How was this process included within the QMS? | Interview with QA | 4.4.1 |
| What documented information exists to ensure that the processes are being carried out as planned? | Documented information | 4.4.2b |
| How was it ensured that people involved in this process are competent to carry out the said tasks? | Documented information | 7.2 |
| Are the relevant people aware of how their job affects the QMS? | Interview with people doing the work | 7.3 |
| Which monitoring and measuring equipment is being used? | Interview with QA | 7.1.3 |
| How are you making sure that the equipment being used is suitable and maintained? | Documented information | 7.1.5.2 |
| Which documents are being made available for this process? | Documented information | 7.5.3 |
| Who is making sure that the release of products to the customer does not proceed until all requirements are met? | Interview with QA | 8.6 |
| In case of an NC found within the process, how is this handled? | Interview with QA | 10.2 |
| Given the importance of final product testing, have the appropriate risks and opportunities been included within the QMS? | Interview with QA | 6.1.1 |

ISO 9001:2015 – Internal Audit Criteria Example: Quality Control

Another approach that can be taken is as follows:

| Audit Trail | Evidence sought | Purpose |
|---|---|---|
| Evidence of conformity with acceptance criteria | Inspection sheet | 8.6a |
| Traceability to the person authorizing the release | Inspection sheet and final release document | 8.6b |
| Control of nonconforming outputs | Segregated quarantine areas | 8.7.1b |
| Describe non-conformity | Documented information | 8.7.2a |
| Quality objectives | Documented information | 6.2.1d |
| Customer satisfaction | Surveys, warranties | 9.1.2 |
| Physical environment or lab | Temperature, humidity measurement and related data | 7.1.4 |
| Identification of traceability | Batch number | 8.5.2 |
| Determining requirements of products | Parameters agreed with customer | 8.5.1 |
| Measurement traceability for equipment to be calibrated or verified | Calibration plan | 7.1.4.2a |

ISO 9001:2015 – Internal Audit Criteria Example: Quality Control

ISO 9001:2015 – Internal Audit Criteria examples: Incidents

Questions in this section are designed to test your ability to analyse audit situations, evaluate audit evidence and apply knowledge of the audit criteria correctly.

Delegates are required to either:

· Complete the nonconformity report template.

  Marking scheme for a nonconformity:

  · For correctly identifying the scenario as a nonconformity (2 marks)
  · For a clear description of the nonconformity (3 marks)
  · For correctly quoting relevant evidence (3 marks)
  · For correctly identifying the relevant ISO 9001 requirement (1 mark)
  · Overall clarity of the nonconformity report (1 mark)

  Note: if you raise a nonconformity report when there is no nonconformity, 0 (zero) marks will be awarded.

· Or complete the audit investigation template, clearly stating:

  · Your reason(s) for thinking there is not yet sufficient evidence to report your findings as a nonconformity (2 marks)
  · How you would investigate to determine conformity or nonconformity, including audit trails you would follow and specific examples of audit evidence you would seek and for what purpose. (8 marks)

  Note: If you complete the audit investigation template for a situation where there is evidence that a nonconformity exists, a maximum of 7 marks may be awarded as follows:

  · Providing a valid reason why there is insufficient evidence for a nonconformity. (2 marks)
  · Providing relevant audit trails as above. (5 marks)

Audit situation one:

In the final inspection and despatch area you are examining the inspection and despatch records for order number 1234. This relates to product XYZ that is due to be sent out to a customer.

You note that in the final inspection section of the records the word ‘OK’ is written with the initials JW alongside it. The Despatch Supervisor tells you that JW is one of the junior inspectors. You ask the supervisor: ‘Who has authorised the release of the product?’ The supervisor replies that authorisation is not necessary for this type of routine product and it is clear from the records that the inspection was satisfactory. He says: ‘If there has been any problem we get a signature from David Manvers, the Chief Inspector, but only if they had to do some rework to the product.’

You check the organisation’s documented information for the product release process and find it states that the Chief Inspector is responsible for authorising the final release of all products.

If you think there is sufficient evidence to report your findings as a nonconformity:

· Complete the nonconformity report on the following page.

Description of the nonconformity: The organization does not implement planned arrangements, at appropriate stages, to verify that the product and service requirements have been met.

Objective evidence:

  • The supervisor stated that authorisation is not necessary for this type of routine product and it is clear from the records that the inspection was satisfactory.
  • Documented information for the product release process states that the Chief Inspector is responsible for authorising the final release of all products.
  • The release of the product is not being done according to the company’s procedures.

ISO 9001:2015 clause and requirement: Clause 8.6

Non-conformity report based on ISO 9001:2015 Internal Audit Criteria

Audit situation two:

You are auditing the design and development process in an organisation that designs and manufactures industrial equipment. They are currently dealing with a serious customer complaint relating to faulty safety mechanisms. They have sent engineers to this customer to repair some equipment they designed, manufactured and supplied two years earlier for contract number A123.

You find a recent note on file that states that the engineers are currently having difficulty in repairing the equipment. They have been issued with the latest drawings for the equipment (serial number X134, revision 3). The drawings do not contain a modification to the safety mechanism that was made prior to delivery and installation of the equipment.

You confirm with the Design Manager that revision 3 is the current version of the drawings and that revision 3 does not include the change to the safety mechanism. You ask the Design Manager why the modification to safety mechanism was not made to the drawing and he replies that the change was reviewed and considered to be minor with no impact on the equipment and it didn’t affect the customer’s contract specification.

If you think there is sufficient evidence to report your findings as a nonconformity:

· Complete the nonconformity report on the following page.

This should have been an NC against:

  • 8.3.6 a – design and development changes
  • 8.3.6 d – the fault related to safety mechanism and there could be implications


· Complete the audit investigation template.

Audit investigation template:

Given that the customer and applicable statutory and regulatory requirements are determined, understood and consistently met, this is not a non-conformity. Moreover, the planned changes in the customer equipment could have been noted on different documented information, rather than the drawing (like instructions for engineers when going on-site). But it could still pose a threat to the QMS and therefore needs to be analyzed further.

| Audit Trail | Evidence Sought | Purpose |
|---|---|---|
| The questions that the auditor will ask | Interview/document | Clause Number |
| Design and development changes as per the ‘review of the change’ that was implemented | Documented information | 8.3.6a |
| Risks relating to the on-site repair process | Documented information | 6.1 |
| Competence of engineers to fix problem | Interview; Documented info – competence | 7.2 |
| Competence of design manager to ensure no impact on the equipment and it didn’t affect the customer’s contract specification | Interview; Documented info – competence; Documented info – customer contract | 7.2 |
| Non-conformities from repairs process to evaluate whether lack of updated drawing was root cause to other NCs | Documented info | 10.2 |
| Customer satisfaction relating to the effectiveness in which repairs are completed | Documented info | 9.1.2 |
| Non-conformities relating to product category “safety mechanism” to evaluate the frequency of a similar repair required at the client (and to evaluate the quality of the original design) | Documented info | 10.2 |

Audit investigation template based on ISO 9001:2015 Internal Audit Criteria

Audit situation three:

During an audit of an insurance company, you ask the Training Manager to show you the training records for three people who work in the Claims Department. You see from the training records that each has attended a course on customer care.

You ask the Training Manager how they evaluated the training and are told “We ask every person who attends a training course to complete a questionnaire on whether they enjoyed the course, how useful they found the training and how good the tutor was. This information helps us decide whether to send other staff on the course”.

You examine the questionnaires completed by the three people who attended the customer care course. All three awarded high marks on how enjoyable they found the course and the usefulness of the course. All three also awarded a satisfactory score for the tutor.

If you think there is sufficient evidence to report your findings as a nonconformity:

· Complete the nonconformity report on the following page.


· Complete the audit investigation template

Audit investigation template:

It is unclear how critical the course relating to customer care is to ensure that the employees are competent to do their job.

| Audit Trail | Evidence Sought | Purpose |
|---|---|---|
| The questions that the auditor will ask | Interview/document | Clause Number |
| Risks relating to customer care within claims department | Interview top management; Documented information | 6.1.1 |
| How has the organisation determined the necessary competence of persons working in the claims department | Documented info | 7.2a |
| How was the training provider approved? | Documented info | 8.4.1 |
| Is the supplier rating approved following all attendees to the training? | Documented info | 8.4.1 |
| Evaluate customer satisfaction to ensure that clients are happy with claims department | Documented info | 9.1.2 |
| Is the practice of ensuring competence determined using this methodology for all other skills of employees within the company? | Documented info | 7.2b |

Auditing Investigation Template based on ISO 9001:2015 Internal Audit Criteria

Conclusion: ISO 9001:2015 – Internal Audit Criteria with examples

We sincerely hope you have enjoyed this post about ISO 9001:2015 – Internal Audit Criteria with examples. We have shared this information with a deep commitment to help you grow your ISO 9001 Certification knowledge. The more companies get ISO 9001 Certified, the better the value-chain will be across the board.
