Quick answer: Internal audit is one of the core disciplines that separates a real management system from a paper system. It helps a business find weaknesses before the certification body does.
Last reviewed: March 2026 by the BlueSafe Technical Team.
At a glance
| Item | Summary |
|---|---|
| Standard | Internal audit across ISO management systems |
| What it covers | Planned internal review of conformity and effectiveness |
| Who needs it | Businesses maintaining or preparing a certifiable system |
| Audit model | Internal, independent, evidence-based review |
| Certificate validity | Internal audit supports surveillance and recertification readiness |
| Approximate cost | Mostly internal time unless external auditors are engaged |
| Tender relevance | Indirectly strong because weak internal audit often undermines certification timing |
What internal audit is
Internal audit is not just "checking paperwork." It is a structured review of whether:
- the system meets the standard
- the system is being followed
- the records support what the business claims
- improvement actions are needed
That makes it one of the most important management-system disciplines.
Internal vs external audit
| Issue | Internal audit | Certification audit |
|---|---|---|
| Conducted by | The business or its delegate | Certification body |
| Main purpose | Learn and improve before external scrutiny | Make certification decisions |
| Flexibility | Higher | Lower |
| Commercial pressure | Lower | Higher |
The best businesses use internal audit to reduce surprises, not to stage-manage appearances.
Planning the audit programme
The page brief emphasises planned intervals, which is the right frame.
An audit programme should consider:
- business risk
- previous findings
- process importance
- certification timing
Annual coverage is common, but frequency should reflect the real system.
The audit process
- Plan the audit.
- Define scope and criteria.
- Prepare questions and evidence checks.
- Conduct interviews, observations, and record review.
- Report findings.
- Follow up on corrective action.
A good audit is not just a checklist exercise. It is a disciplined review of whether the system works.
Competency and independence
The brief is clear that auditors should not simply audit their own work. Independence matters because otherwise the audit loses credibility.
For smaller businesses, that often means:
- cross-auditing between functions
- using someone outside the process
- occasionally using external help
Findings and corrective action
Audit findings are only useful if they flow into:
- documented corrective action
- cause analysis
- follow-up verification
This is where internal audit links directly to the broader improvement system.
State and territory variations
Internal-audit method is not state-specific, but clause content in standards tied to legal compliance still needs to reflect the right jurisdictional environment.
Related guides
- ISO Gap Analysis - How to Assess Your Business Before Certification
- ISO Corrective Action and Nonconformity - How to Fix Problems Properly
- The ISO Certification Process in Australia - Step-by-Step Guide
Frequently asked questions
What is an ISO internal audit?
An internal review of whether the management system meets the standard and works in practice.
Who can conduct an ISO internal audit?
A competent person who is independent of the area being audited.
How often should internal audits be conducted?
At planned intervals based on system needs and certification readiness.
What happens if internal audits find non-conformities?
The issues should move into corrective action and then be checked for effective closure.