How to Run ISO Internal Audits That Actually Find Problems

CertBetter

Team CertBetter


Most businesses treat internal audits as something to get through. A date goes in the calendar, someone walks around with a checklist, a few records get reviewed, and a report lands on someone’s desk with no major findings. The audit is done. The box is ticked.

The problem is that this kind of audit achieves almost nothing. It does not improve the management system. It does not reduce risk. It does not prepare the business for what an external auditor will actually look for. And in many cases, it actively hides problems that will surface later at the worst possible time.

Internal auditing is one of the most powerful tools available under any ISO management system. When it is done properly, it catches issues early, drives real improvement, and gives leadership an honest picture of how the business is actually performing. When it is done poorly, it creates a false sense of security that can be more damaging than not auditing at all.

Why Internal Audits Exist in the First Place

Clause 9.2 of ISO 9001, ISO 14001, ISO 45001, and most other ISO management system standards requires organisations to conduct internal audits at planned intervals. This is not optional. If you hold certification, you are required to audit your own system.

The purpose is straightforward. The organisation needs to determine whether its management system conforms to both the requirements of the standard and its own internal requirements, and whether the system is effectively implemented and maintained.

That second part is where most internal audits fall short. Checking whether a procedure exists is easy. Checking whether it is actually being followed on the floor, whether it is effective, and whether it is producing the intended results is much harder. It requires auditors who know what to look for and are willing to ask uncomfortable questions.

The Common Problems With Internal Audits

Treating it as a document review

The most common failure mode is an audit that never leaves the desk. The auditor reviews procedures, checks that documents are up to date, confirms that records exist, and writes a report. At no point does anyone observe the actual process being carried out, talk to the people doing the work, or verify that what is documented matches what is happening in practice.

This is not an audit. It is a filing check. A management system can have perfect controlled documentation and still be fundamentally broken if nobody is following it.

Auditors who are not independent

ISO 19011, the international standard that provides guidance on auditing management systems, is clear that auditors must be impartial and objective. They should not audit their own work. In practice, many organisations assign internal audits to the person who manages the process being audited, or to someone who reports directly to them.

This makes it almost impossible to raise meaningful findings. Nobody wants to document problems in their own area. Nobody wants to create work for their direct manager. The result is a clean audit report that tells leadership everything is fine when it may not be.

Checklists that ask the wrong questions

A checklist full of yes/no questions will produce a superficial audit every time. Questions like “Is there a documented procedure for this process?” or “Are records maintained?” can be answered without actually understanding whether the process works.

Effective audit questions are open-ended. They ask how something is done, what happens when it goes wrong, how the organisation knows whether a process is achieving its objectives, and what evidence exists to support that conclusion. These questions force the auditor and the auditee to engage with the substance of the system rather than its paperwork.

No follow-up on findings

Raising a finding is only useful if something happens as a result. In too many organisations, internal audit findings get recorded, a corrective action gets written, and then nothing changes. The same finding appears again the following year. Sometimes for several years in a row.

This is a systemic failure, not an administrative one. It means the organisation is not using its own audit process to drive improvement. External auditors notice this pattern quickly, and it raises serious questions about management commitment and the effectiveness of the corrective action process.

What a Good Internal Audit Programme Looks Like

Plan based on risk, not convenience

The audit programme should be planned based on the importance and risk of the processes being audited, not on what is easiest to schedule. High-risk processes, areas with a history of problems, and processes that have recently changed should be audited more frequently.

A common approach is to audit every process at least once per year, with higher-risk areas audited more often. The programme should also take into account the results of previous audits. If an area had significant findings last time, it makes sense to follow up sooner rather than later.

Select the right auditors

Internal auditors need two things: competence in auditing techniques and enough knowledge of the process being audited to ask intelligent questions. They do not need to be experts in the area, but they need to understand it well enough to recognise when something does not make sense.

Training matters. Sending people on a one-day internal auditor course is a reasonable starting point, but it is not enough on its own. Auditors improve with practice, and pairing less experienced auditors with more experienced ones is an effective way to build capability over time.

Independence also matters. The auditor should not have direct responsibility for the area being audited. In small organisations where this is difficult, consider using auditors from a different department, or bringing in an external resource for critical areas.

Go beyond the paperwork

A good internal audit involves talking to people. Not just the process owner or the manager, but the people who actually do the work. Ask them how the process works. Ask them what they do when something goes wrong. Ask them whether they have seen the procedure and whether it reflects what they actually do.

The gap between what is documented and what actually happens is where the most valuable audit findings live. This gap is invisible if the auditor only reviews documents.

Observe processes in action where possible. If you are auditing a warehouse operation, go to the warehouse. If you are auditing customer complaint handling, look at actual complaints and how they were resolved. If you are auditing purchasing, review actual purchase orders and supplier evaluations, not just the procedure that describes how they should be done.

Write findings that mean something

An audit finding should clearly describe what was observed, what requirement it relates to, and why it matters. Vague findings like “documentation could be improved” or “more training is recommended” are not useful. They do not give the organisation enough information to take effective corrective action.

A well-written finding identifies a specific gap between what the system requires and what is actually happening. It includes objective evidence — what was seen, what records were reviewed, what was said during interviews. It references the specific clause of the standard or internal procedure that is not being met. If you have ever wondered why audit reports take so long, this level of detail is a big part of the reason.

Findings do not need to be limited to non-conformances. Observations and opportunities for improvement are equally valuable. An audit that only looks for failures misses the chance to identify areas where the system is working but could be working better.

Close the loop on corrective actions

Every finding should result in a corrective action that addresses not just the immediate issue but the root cause. If a procedure is not being followed, the corrective action should not simply be “retrain staff.” It should investigate why the procedure is not being followed. Is it unclear? Is it impractical? Do people not know it exists? Is there a resource constraint that makes it impossible to follow?

Corrective actions need deadlines and owners. They need to be verified — not just checked off as complete, but confirmed as effective. Did the action actually solve the problem? Is the non-conformance still occurring? This verification step is where most corrective action processes break down.

The results of corrective action verification should feed back into the audit programme. If a corrective action was not effective, the issue needs to be reopened and addressed again.

How Internal Audits Should Feed Into the Bigger Picture

Internal audit results should be a standing input to the management review process. Leadership should see a summary of what was audited, what was found, what corrective actions were taken, and whether those actions were effective.

This gives management an honest view of system performance. If internal audits consistently find nothing, that should be questioned — not celebrated. No management system is perfect, and an audit programme that never identifies issues is almost certainly not looking hard enough.

The audit programme itself should also be reviewed periodically. Are the right processes being audited at the right frequency? Are the auditors competent and independent? Are the findings meaningful? Is the programme actually contributing to improvement, or is it just generating paperwork?

The Relationship Between Internal and External Audits

A strong internal audit programme makes external certification audits significantly easier. When an organisation has already identified and addressed its own weaknesses, there are fewer surprises during the external audit. The certification body auditor can see that the organisation takes its own system seriously and is actively working to improve it.

Conversely, an organisation that relies entirely on the external auditor to find problems is taking a risk. External audits are limited in scope and time. They sample processes rather than reviewing everything. If the internal audit programme is not catching issues, the external audit may not catch them either — until they become serious enough to result in a major non-conformance or a customer complaint.

There is also a credibility issue. When an external auditor finds a significant problem that the organisation’s own internal audit programme missed, it raises questions about the integrity of the entire system. It suggests that internal audits are being conducted as a formality rather than a genuine assessment. This is one of the reasons businesses are reconsidering their certification body relationships — when neither the internal nor external audit process is producing value, something is fundamentally broken.

Certification bodies themselves are audited by accreditation bodies such as JASANZ in Australia and New Zealand, which oversee auditor competence and process integrity. Understanding this chain of oversight helps explain why a strong internal audit programme matters — it is part of a broader system of accountability that only works when every level takes its role seriously.

Common Mistakes to Avoid

Scheduling all internal audits in the weeks before the external audit. This turns the internal audit into exam preparation rather than an ongoing improvement tool. Internal audits should be spread throughout the year.

Using the same auditor for the same process every year. While continuity has some value, rotating auditors brings fresh perspectives and reduces the risk of complacency.

Auditing only against the ISO standard and ignoring internal requirements. The standard requires the organisation to audit against its own requirements as well. If the business has set specific quality objectives, defined KPIs, or established internal procedures that go beyond the standard, these should be included in the audit scope.

Failing to audit the audit programme itself. The effectiveness of the internal audit process should be evaluated as part of the management review. If audits are not finding issues, or if corrective actions are not being closed, the programme needs attention.

Making Internal Audits Worth the Time

Internal audits consume time and resources. If they are done properly, the return on that investment is significant — fewer external audit findings, better process performance, earlier identification of risks, and a management system that genuinely supports the business rather than sitting in a folder.

If they are done as a tick-box exercise, they waste everyone’s time and create a false sense of compliance. The difference comes down to how seriously the organisation treats the process, how well the auditors are trained and supported, and whether leadership actually uses the results.

CertBetter connects Australian businesses with accredited certification bodies and verified ISO consultants. If your internal audit programme needs strengthening or you are looking for external support, you can submit a free request and receive competing quotes from vetted providers.

An internal audit that finds nothing is not a success. It is a warning sign. The organisations that get the most value from ISO certification are the ones that use their internal audit programme to hold themselves accountable — honestly, consistently, and without shortcuts.


Dilawar Laghari

Hi! I am Dilawar Laghari, founder of CertBetter.

I created CertBetter to help anyone compare ISO certification providers for free.
