ISO 9001 Internal Audit Checklist: 62 Questions Organized by Clause

An Internal Audit checklist is only as good as the questions on it. We've reviewed dozens of ISO 9001 audit checklists - some downloaded from the internet, some built by consultants, some inherited from a previous quality manager who left the company years ago. The common thread in the ones that don't work is that they ask whether something exists rather than whether it works. "Is there a Quality Policy?" checks a box. "Can the machine operator on second shift tell you what the Quality Policy means for their work?" tells you something useful.

This checklist is organized by clause and written around what auditors actually probe during Certification Audits and Surveillance Audits. Use it for Internal Audits, pre-certification preparation, or as a framework for building your own audit program. Not every question applies to every organization - tailor it to your scope and operations.

How to Use This Checklist

Don't try to cover every question in a single audit session. ISO 9001 allows you to break your Internal Audit program across multiple sessions throughout the year, covering different clauses or processes in each one. A focused two-hour audit of Clause 8 (operations) will find more real issues than a rushed full-day audit trying to cover everything.

For each question, you're looking for objective evidence - not just a "yes" from the person you're interviewing. Ask to see records, watch a process, or walk the floor. The best audit findings come from comparing what the procedure says against what actually happens.

Clause 4: Context of the Organization

1. Has the organization identified internal and external issues relevant to its purpose and strategic direction?

2. Are these documented and reviewed?

3. Are interested parties identified with their relevant requirements?

4. Does the organization monitor changes in interested party expectations?

5. Is the QMS scope defined and documented?

6. Are any exclusions justified?

7. Does the scope reflect the actual products, services, and sites covered?

8. Are the processes needed for the QMS identified, with their sequence and interaction defined?

9. Can anyone in the organization explain how their process connects to the overall system?

Clause 5: Leadership

10. Can Top Management demonstrate active involvement in the QMS - not just signing policies but participating in reviews, allocating resources, and removing obstacles?

11. When was the last time leadership discussed quality performance in a meeting that wasn't the annual Management Review?

12. Is the Quality Policy appropriate to the organization's purpose?

13. Is it communicated, understood, and available?

Ask three people at different levels what the policy means for their work - if nobody can paraphrase it, the communication isn't working.

14. Are roles, responsibilities, and authorities defined and communicated?

15. In a small shop, can people tell you who is responsible for Document Control, Nonconformity management, and customer communication - even if one person covers multiple roles?

16. Does the organization ensure a customer focus throughout its operations?

17. Is there evidence that customer requirements are determined and met, risks to conformity are addressed, and customer satisfaction is monitored?

Clause 6: Planning

18. Has the organization determined risks and opportunities that need to be addressed?

This doesn't require a formal risk register - but there should be evidence that risks have been identified and actions planned. Check Management Review minutes for risk discussions.

19. Are Quality Objectives established at relevant functions, levels, and processes?

20. Are they measurable, monitored, and updated?

Ask to see the current objectives and the data showing progress. If the objectives haven't changed in three years and nobody tracks them between reviews, that's a finding.

21. When changes to the QMS are planned, does the organization consider the purpose of the change, potential consequences, resource needs, and responsibility assignments?

Look for recent examples - a new product, a process change, a supplier switch - and ask how the change was managed.

Clause 7: Support

22. Are adequate resources provided for the QMS - people, infrastructure, work environment, monitoring equipment?

23. Is monitoring and measuring equipment calibrated or verified at specified intervals?

Pull the Calibration Log and check whether calibrations are current and whether out-of-tolerance conditions triggered a review of affected products.

24. Is organizational knowledge determined, maintained, and made available?

25. For small manufacturers, this often means: what happens when your most experienced employee retires?

26. Is critical process knowledge documented or trapped in one person's head?

27. Are competence requirements defined for positions affecting quality?

28. Is there evidence of competence evaluation beyond just training records?

29. If someone completed CNC training six months ago but scrap rates for their parts are elevated, how does the organization address the gap?

30. Is the Quality Policy communicated and understood (awareness)?

31. Are internal and external communication processes defined?

32. Is documented information controlled - created, updated, version-managed, and retained appropriately?

Clause 8: Operation

33. Are operational processes planned and controlled?

34. Are criteria established for processes and product acceptance?

35. Look at work instructions, job travelers, and inspection plans - do they match the actual processes being performed?

36. Are customer requirements determined and reviewed before commitment?

37. Check a sample of recent orders: was the print reviewed, were tolerances confirmed, were material requirements verified, and is there a record of that review?

Contract review is the most commonly missed documentation step in small manufacturing.

38. If design and development is in scope: are design inputs, outputs, reviews, verification, validation, and change controls documented?

39. If excluded: is the exclusion justified, and is the organization truly not performing any design activities?

Modifying a customer's design, selecting materials, or developing custom tooling fixtures may constitute design.

40. Are external providers (suppliers) evaluated, selected, and monitored?

41. Is there an Approved Supplier List?

42. When was it last updated?

Pull a recent purchase order and trace it from the supplier evaluation through receiving inspection to production use.

43. Are production and service processes conducted under controlled conditions?

44. Is product identification and traceability maintained?

45. Can you pick a finished part and trace it back to its raw material, the machine it was made on, the operator, and the inspection results?

If the answer is no, there's a traceability gap.

46. Are Nonconforming outputs identified and controlled?

47. What happens when a part fails inspection?

48. Is there a documented process for disposition - rework, scrap, customer concession?

Check the Nonconformance Log and verify that recent entries were dispositioned and closed.

Clause 9: Performance Evaluation

49. What is the organization monitoring and measuring?

50. How is customer satisfaction tracked?

51. Look beyond surveys - delivery performance trends, complaint data, return rates, and repeat business patterns all count. Is the data being analyzed and used to drive decisions?

52. Is the Internal Audit program planned, covering the full QMS scope?

53. Are auditors objective and impartial (not auditing their own work)?

Review the audit schedule, recent audit reports, and Corrective Actions from findings. If every audit report says "no findings," that's a red flag - it usually means the audit wasn't thorough enough, not that the system is perfect.

54. Has a Management Review been conducted with all required inputs?

55. Are the outputs documented with decisions and action items?

Check whether action items from the previous Management Review were actually completed - this is one of the most common Surveillance Audit findings.

Clause 10: Improvement

56. Is there evidence of Continual Improvement activities?

This can come from Corrective Action trends, process improvements, objective achievements, or Management Review outputs. The standard wants to see an active improvement cycle, not just a wish list.

57. When Nonconformities occur, is there a documented Corrective Action process?

58. Pull recent Corrective Actions and check: was the Root Cause identified (not just the symptom)?

59. Was the action taken appropriate to the cause?

60. Was effectiveness verified?

61. Are similar Nonconformities recurring - which would indicate the Root Cause wasn't actually addressed?

62. Are Corrective Actions closed in a timely manner?

Open Corrective Actions older than 90 days without documented progress are a common audit finding.

Red Flags That Signal Deeper Issues

Every Internal Audit produces individual findings, but patterns across findings often reveal systemic issues worth investigating:

The same Corrective Action keeps getting raised at consecutive audits with different wording but the same underlying problem. The Root Cause analysis isn't going deep enough.

Training records exist for everyone but nobody can explain what they actually learned. Training is a compliance exercise, not a competence-building tool.

The Quality Manual was last revised three years ago but the organization has added new product lines, changed suppliers, and restructured departments since then. The system documentation has drifted from reality.

Management Review minutes show the same objectives being "continued" year after year with no progress discussion. Leadership engagement is superficial.

Calibration records are current but nobody has evaluated what happens to products measured with out-of-tolerance equipment. The process is followed without understanding the purpose.

Making the Checklist Work for You

Customize this to your operation. Add questions specific to your industry, your processes, and your known risk areas. Remove questions that don't apply to your scope. The best Internal Audit programs evolve over time - each audit cycle should refine the questions based on what you found (or didn't find) the last time around.

If your team doesn't have a trained Internal Auditor, you have two options: bring in an external auditor who knows your standard, or invest in Internal Auditor Training to build the capability in-house. We provide both - Internal Audit services for organizations that need an experienced outside perspective, and Internal Auditor Training for teams ready to build the skill themselves.

If you're preparing for a Certification Audit or want to improve your Internal Audit program, we offer a free initial consultation. You can also use our free ISO 9001 Gap Analysis tool for a quick self-assessment to help you figure out where you stand.