The Question Every Small Business Asks Eventually
You have spent months building your management system. You wrote the procedures, set up the document control, trained the team, and got everything ready for certification. Now your consultant or certification body mentions that you need internal audits. And the obvious question surfaces: can the person who built the whole thing just audit it themselves?
It is a fair question, and one that comes up constantly in small and medium businesses across Australia. The honest answer is: it depends, but there are clear lines you cannot cross. Understanding where those lines sit will save you from a non-conformance, a failed certification audit, and a lot of wasted effort.
This article explains the rules around internal audit impartiality, what ISO actually requires, where small businesses have genuine flexibility, and where they absolutely do not.
What ISO Standards Actually Say About Auditor Impartiality
Most ISO management system standards, including ISO 9001, ISO 14001, and ISO 45001, include a requirement that internal audits are conducted by personnel who are objective and impartial. The exact wording varies slightly between standards, but the intent is consistent.
ISO 9001:2015, for example, states under Clause 9.2 that the organisation shall ensure that auditors do not audit their own work. That phrase, “do not audit their own work,” is the critical piece. It does not say the auditor cannot be an employee. It does not say you need an external consultant. It says the auditor cannot audit work they personally performed or are responsible for.
ISO 19011, which is the guidance standard for auditing management systems, reinforces this by defining impartiality as being free from bias and conflict of interest. It specifically identifies situations where the auditor has a personal stake in the outcome as a threat to impartiality.
So the rule is not about job title or seniority. It is about whether the person auditing a particular area is the same person who designed, implemented, or is operationally responsible for that area.
The Difference Between Building a System and Owning a Process
Here is where many businesses get confused. There is a difference between the person who built the overall management system and the person who owns a specific process within it.
Say you are the quality manager of a 30-person manufacturing business. You led the ISO 9001 implementation. You wrote most of the procedures. You set up the document control system. Does that mean you cannot perform any internal audits at all? No, it does not. What it means is that you cannot audit the specific processes you personally designed and are responsible for managing.
For example, if you wrote and own the document control procedure, you cannot audit document control. But you could audit the production process, the purchasing process, or the customer complaint handling process, provided someone else is responsible for those day-to-day operations.
This is the practical interpretation that most experienced auditors and certification bodies apply. The key test is always: does this person have a personal interest in the outcome of auditing this particular area? If yes, they should not audit it.
Why Impartiality Actually Matters (It Is Not Just a Compliance Tick)
Some businesses treat the impartiality requirement as a bureaucratic hurdle. It is worth understanding why it exists, because once you do, you will apply it more sensibly.
When someone audits their own work, several things tend to happen. They unconsciously overlook issues they already know about but have not fixed. They interpret non-conformances generously in their own favour. They focus on what they know is working well rather than probing the weak spots. And critically, they miss the blind spots that only an outside perspective would catch.
Think about it this way. If you designed a process, you know exactly how it is supposed to work. You will walk through the audit confirming that it works the way you designed it. But an auditor who did not design the process will ask different questions. They will look at what actually happens versus what the procedure says. They will notice the workarounds that have crept in. They will spot the gaps between intent and reality.
That is the real value of an internal audit. Not confirming that your system exists, but finding out whether it is actually working. Running internal audits that actually find problems requires genuine independence from the processes being examined.
Practical Scenarios: What Is and Is Not Acceptable
Scenario 1: The Solo Quality Manager
You are a quality manager in a business of 20 people. You built the entire ISO 9001 system. You own every procedure. Can you do any internal audits?
Technically, if you are personally responsible for every process in scope, then no, you cannot conduct internal audits on your own. This is the genuinely difficult situation that small businesses face. The standard does not give you a pass because you are small.
Your options here are: train another staff member to conduct internal audits on the areas you own, hire an external consultant to conduct internal audits on your behalf, or use a peer audit arrangement with another business if that is practical in your industry.
Scenario 2: The Consultant Who Built the System
An ISO consultant helped you build your management system. Now they are offering to also conduct your internal audits. Is this acceptable?
This is a common arrangement and it can be acceptable, with conditions. If the consultant conducted the implementation work, they have a clear conflict of interest in auditing the areas they designed. A good consultant will either conduct audits only on areas they were not involved in designing, or they will bring in a separate auditor from their firm who had no involvement in the implementation.
This is also why the conflicts of interest between ISO consultants and certification bodies matter so much in practice. The same principle applies within consulting firms. You need genuine separation between the person who builds and the person who audits.
Scenario 3: Cross-Functional Auditing
You have a team of 60 people across three departments. You train one person from each department to conduct internal audits. Each person audits a different department, not their own. Is this acceptable?
Yes, this is a well-established and perfectly valid approach. It is sometimes called cross-functional auditing. The production manager audits the warehouse. The warehouse manager audits the office. The office manager audits production. Each auditor is looking at processes they do not own and did not design. This satisfies the impartiality requirement and has the added benefit of building cross-functional understanding across your team.
Scenario 4: The Owner-Operator
You are a sole trader or a very small business. You are literally the only person who does anything in the business. Can you audit yourself?
This is the hardest case. If you genuinely have no one else who can perform internal audits, you need external support. Some businesses in this situation use a contracted internal auditor, which is a person hired specifically to conduct internal audits without any involvement in building or running the system. This is a legitimate and cost-effective solution for very small operations.
What Certification Body Auditors Look For
When a certification body auditor reviews your internal audit records during a Stage 2 or surveillance audit, they are checking a few specific things related to impartiality.
First, they will look at who conducted each internal audit. They will then cross-reference this against who owns or is responsible for the processes that were audited. If the same person appears in both columns, that is a flag.
Second, they will look at the quality of the audit findings. An internal audit programme that consistently produces zero non-conformances or only minor observations is suspicious. It suggests the audits are not probing deeply enough, which often happens when the auditor is too close to the work.
Third, they will check whether your internal audit procedure addresses impartiality. Most ISO standards require you to document your internal audit process. That documentation should include how you ensure auditors do not audit their own work.
A well-run internal audit programme, with genuine findings and clear evidence of impartiality, tells a certification body auditor that your system is actually working. A programme that looks like a rubber stamp exercise raises serious questions about the integrity of your whole management system. This is closely related to understanding how to check if your ISO management system is actually working.
The Role of ISO 19011 in Guiding Internal Audit Practice
ISO 19011 is the international standard that provides guidance on auditing management systems. While it is not a certification standard itself, it is widely referenced by certification bodies and auditors as the benchmark for good audit practice.
On the topic of impartiality, ISO 19011:2018 Clause 5.2 describes impartiality as a fundamental principle of auditing. It states that audit findings, conclusions, and reports should reflect truthfully and accurately the audit activities. Auditors should be free from bias and not allow commercial, financial, or other pressures to compromise impartiality.
Importantly, ISO 19011 also provides guidance on auditor competence. It is not enough for your internal auditor to simply be independent. They also need to understand the standard they are auditing against, understand the processes they are examining, and have the skills to conduct an effective audit. Independence without competence produces audits that miss things for different reasons.
Training Someone to Be Your Internal Auditor
One of the most practical solutions for small businesses is to train an existing staff member to conduct internal audits. This person does not need to be a quality manager or have any formal qualifications, but they do need structured training.
Internal auditor training courses are widely available in Australia, typically running one to two days. They cover the audit process, how to write audit findings, how to conduct interviews, and how to assess conformance against standard requirements. After completing a course, a staff member can legitimately conduct internal audits on processes they do not own.
The investment is modest, usually a few hundred dollars per person, and it gives your business a genuine internal audit capability. It also tends to improve that staff member's understanding of the management system overall, which has flow-on benefits for day-to-day operations.
When selecting someone for this role, choose a person who is methodical, comfortable asking questions, and not afraid to document what they actually find rather than what they think management wants to hear. Those personal qualities matter as much as formal training.
When External Internal Auditors Make Sense
There is a category of service called contracted internal auditing, where an external consultant or auditor conducts your internal audits on a regular basis without having any involvement in building or running your system. This is different from the consultant who helped you implement the system and then offers to audit it.
Contracted internal auditing makes sense in several situations: very small businesses with no suitable internal resource; businesses where the person most qualified to audit is also responsible for every process; organisations that want a higher level of scrutiny than internal staff can provide; and businesses preparing for a certification audit where they want an experienced external perspective before the formal audit.
The cost is typically lower than people expect. A half-day internal audit by an experienced contractor might cost between $800 and $1,500 in Australia, depending on the size and complexity of your system. That is a reasonable investment compared to the cost of failing a certification audit or receiving major non-conformances that delay your certificate.
Common Mistakes Businesses Make With Internal Audits
Beyond the impartiality issue, there are a few other internal audit mistakes that are worth flagging because they often come up alongside the question of who should be auditing.
The first is auditing only what is easy. Businesses often audit the processes that are running well and avoid the ones that are messy or under-resourced. A good internal audit programme covers the full scope of your management system, including the uncomfortable areas.
The second is treating internal audits as a documentation exercise rather than a genuine investigation. Ticking boxes on a checklist without actually talking to people, reviewing records, or observing processes produces audit reports that look complete but miss real issues.
The third is not acting on findings. Internal audits are only valuable if the non-conformances and observations they produce are fed into your corrective action process and actually resolved. An audit finding that sits unaddressed for months is worse than not finding it at all, because it demonstrates that your management review and corrective action processes are not working.
A Word on Integrated Management Systems
If your business runs an integrated management system covering multiple standards, such as ISO 9001, ISO 14001, and ISO 45001 together, the impartiality requirements apply across all of them. Your internal audit programme needs to cover all standards in scope, and the same rules about auditors not auditing their own work apply regardless of which standard a particular process relates to. Understanding how integrated management systems work from an auditor's perspective is particularly useful here, as the audit planning becomes more complex when multiple standards are involved.
Getting the Right Help
If you are working through the internal audit requirements for the first time, or if you have been doing internal audits in a way that might not satisfy the impartiality requirement, it is worth getting proper advice before your next certification or surveillance audit.
A good ISO consultant can review your internal audit programme, help you establish a compliant approach, and train your team to conduct audits effectively. If you are not sure where to find a consultant you can trust, CertBetter connects Australian businesses with verified ISO consultants who have been assessed for real-world experience. You submit one form, receive up to three competing quotes, and can compare credentials before committing to anyone. It is free for businesses and takes a few minutes.




