ISO 9001 Internal Audit Planning: What Clause 9.2 Actually Requires (and Why Programs Fail)

A practical guide to planning an ISO 9001 internal audit program that satisfies Clause 9.2, survives third-party scrutiny, and actually improves your QMS.

There's a common pattern in ISO 9001 certification audits: the organization has an internal audit procedure, an audit schedule, and completed audit reports. The auditor pulls them out, reads through them, and issues a finding anyway. Not because the paperwork is missing, but because the program is nominal — designed to produce records that check a box rather than an audit program that functions as a genuine control.

Clause 9.2 is one of the top ten clauses for registrar nonconformances across all certified organizations. That's notable because internal audit is one of the few requirements where organizations have complete control over how they run it. The standard doesn't tell you how to audit — it tells you what your program must accomplish and what records you must keep. The failures aren't usually failures to understand the requirement. They're failures to build a program that takes itself seriously.

This guide covers what Clause 9.2 actually requires, how to structure a program that satisfies it, and the specific failure patterns that generate findings in well-intentioned organizations.


What Clause 9.2 Actually Says

Clause 9.2 is split into two sub-clauses in ISO 9001:2015.

9.2.1 establishes the purpose: the organization shall conduct internal audits at planned intervals to provide information on whether the QMS conforms to the organization's own requirements and to the standard's requirements — and whether it is effectively implemented and maintained.

9.2.2 specifies what the organization must do to achieve this. It's worth reading in full:

The organization shall: plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits...

The word "programme" is the operative term. An audit programme is not a single audit or a single checklist. It's the overarching system — the plan that governs which processes get audited, how often, by whom, and what happens with the results. A one-page schedule naming twelve departments is a starting point. A programme is the structure around which auditing actually functions.

9.2.2 also requires that the organization:

  • Define the audit criteria and scope for each audit
  • Select auditors and conduct audits in a way that ensures objectivity and impartiality
  • Ensure audit results are reported to relevant management
  • Take appropriate correction and corrective action without undue delay
  • Retain documented information as evidence of the audit programme implementation and the audit results

These five requirements are where most programs develop gaps. The schedule gets built and followed; the infrastructure around it doesn't.


The Audit Programme vs. Individual Audits

The most useful distinction to make before building your internal audit program is between the audit programme — the overarching planning document that governs your audit schedule and approach — and individual audits, which are the actual events where auditors go into processes and gather evidence.

The audit programme defines:

  • Which processes or areas will be audited and how often
  • The basis for those frequency decisions (risk, importance, prior results)
  • Who is responsible for planning and scheduling audits
  • What methods will be used (process audits, system audits, product audits, document review)
  • What criteria will be applied
  • How results are communicated and followed up

Each individual audit has its own plan, checklist or evidence guide, report, and follow-up trail. The programme is the layer above all of that — the document that explains why those particular audits exist and what they're supposed to accomplish.

Many organizations have one without the other. They have a schedule — twelve departments, one per month — but no documented logic for why those departments, why that frequency, or how the schedule adjusts when something changes. That schedule will satisfy an auditor looking at a single audit report, but it won't satisfy an auditor who pulls the programme document and asks how process importance and previous audit results shaped the plan.


Scope: What the Programme Must Cover

A common point of confusion is whether the internal audit programme needs to cover the entire QMS every cycle. The answer is yes — but cycle length and frequency within the cycle can vary by process.

The audit programme must ensure that all processes, areas, and elements of the QMS are audited over a defined period. Most organizations use a rolling twelve-month window. By the end of each cycle, every process included in the QMS scope has been audited at least once. Higher-risk processes may be audited more frequently than once per cycle.

"All processes" means all processes — not just production. Quality managers often build audit schedules that focus heavily on the shop floor and document-heavy processes while underweighting support functions: human resources (competence and training records), purchasing (supplier controls), maintenance (equipment and infrastructure), and management itself (review inputs, objective-setting, resource decisions). If your QMS procedure covers these areas — and it almost certainly does — they need to appear in your audit programme.

Clause coverage vs. process coverage is another area to address. Some organizations structure their internal audits around processes (order management, production, inspection, shipping). Others structure them around clauses (Clause 6.1 risk management, Clause 7.2 competence, Clause 8.4 supplier controls). Either approach can work. What doesn't work is a programme that audits processes and misses clauses, or one that ticks off clauses without evaluating actual process effectiveness. Your programme documentation should make clear how you're ensuring that both dimensions — all processes and all applicable QMS requirements — are covered.


Frequency: Risk-Based Planning in Practice

ISO 9001:2015 removed the prescriptive frequency requirements of earlier versions. The 2015 standard says audits shall be conducted at "planned intervals" and that the programme shall take into consideration the importance of the processes and the results of previous audits. That's it. You determine the frequency; the standard evaluates whether your rationale is defensible.

This is actually more demanding than a fixed frequency requirement, because it requires documented thinking. A once-per-year audit of every process, applied uniformly, is technically compliant — but it's not risk-based, and an auditor can probe it. "Why do you audit your customer complaint process and your building maintenance process at the same frequency?" is a legitimate question. If the answer is "because that's what we've always done," that's not a risk-based answer.

A practical risk-based approach:

Start by assigning each process in your QMS a relative risk level based on three factors:

  1. Importance to product conformity and customer satisfaction. Processes directly involved in producing and delivering conforming product should be weighted higher than support processes with indirect quality impact.

  2. History of nonconformances. Processes that have generated internal or customer nonconformances, or received findings in prior internal or external audits, should be audited more frequently until performance stabilizes.

  3. Rate of change. Processes that have recently changed — new equipment, new personnel, revised procedures, new customer requirements — carry elevated risk and warrant more frequent audit until the changes are verified as effective.

High-risk processes might be audited twice per cycle or quarterly. Stable, well-controlled processes with clean audit histories might be audited once per cycle. New or recently changed processes might be audited every quarter until they show consistent results.

Document this logic in your audit programme. The programme document should explain, at least at a category level, why different processes have different audit frequencies. When an auditor asks "how did you determine this frequency?", the answer should be in writing — not improvised.

Trigger-based audits should supplement your scheduled programme. When a significant customer complaint is traced to a specific process, that process should be audited before the next scheduled slot. When a regulatory or standard requirement changes in a way that affects your QMS, the affected processes should be audited sooner rather than waiting for the calendar to come around. When a process changes materially, audit it. Document the trigger and the resulting audit as a programme adjustment.


Auditor Independence: The Non-Negotiable

The standard requires that auditors not audit their own work. This is stated plainly in 9.2.2: audits shall ensure objectivity and impartiality of the audit process. The practical implication is that the person responsible for a process cannot audit that process.

This constraint creates logistical challenges in smaller organizations. If you have a quality team of two, and one of them owns the internal audit procedure, who audits the audit program? The most common solutions:

Cross-functional audit assignments. The quality engineer audits manufacturing. The production supervisor audits purchasing. The maintenance lead audits the training records function. People audit processes they don't own. This works reasonably well if the auditors have sufficient training and the cross-functional assignments are genuinely independent.

External or contracted auditors. Some organizations supplement internal audits with contract auditors — particularly for high-risk processes or the quality management function itself. This satisfies independence but adds cost.

Audit team structures. Using two-person audit teams where neither member owns the process being audited addresses independence while also distributing the observation load.

Whatever structure you use, document how independence is ensured in your audit programme. An auditor will look at your audit assignments and ask how you've addressed objectivity. "We assign auditors to areas they don't work in" is an answer. Having it documented is better.

A specific failure mode: quality managers who audit their own quality department, including the management review process, the audit programme itself, and the document control function. These are all processes the quality manager effectively owns. An auditor who finds the QA manager in the "auditor" column next to "document control" and "internal audit procedure" will ask about independence. The answer can be salvageable — but it needs to exist.
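The frequency rationale described under "Frequency: Risk-Based Planning in Practice" and the independence rule in this section can both be checked mechanically against a draft schedule before a registrar does it by hand. The following is an added example, not code from this article or from SheetLckr: the data model, the scoring thresholds in risk_tier, the minimum-audits-per-tier table, and the sample processes, owners and auditor names are all constructed assumptions for illustration.

```python
"""Hypothetical internal audit programme checker (added example, not the
article's or any product's code).

Assumed model: each QMS process has an owner and a risk tier; each scheduled
audit names a process, its auditors and a date. The checks mirror three
Clause 9.2.2 points the article discusses: every in-scope process is audited
within the cycle, audit frequency follows process risk, and no auditor audits
a process they own.
"""
from dataclasses import dataclass
from datetime import date

# Minimum audits per 12-month cycle by tier. Assumption: the article says
# high-risk processes "might be audited twice per cycle or quarterly" and
# stable processes "once per cycle"; twice is used as the high-risk floor.
MIN_AUDITS_PER_CYCLE = {"high": 2, "medium": 1, "low": 1}


@dataclass
class Process:
    name: str
    owner: str
    risk: str  # "high" | "medium" | "low"


@dataclass
class Audit:
    process: str
    auditors: tuple  # names of assigned auditors
    scheduled: date


def risk_tier(importance, nonconformances, recently_changed):
    """Derive a tier from the article's three factors.

    importance: 1 (support, indirect quality impact) .. 3 (directly produces
    conforming product); nonconformances: count raised against the process in
    the last cycle; recently_changed: new equipment, people or procedure.
    The weights and cut-offs are assumptions, not from the standard.
    """
    score = importance + min(nonconformances, 3) + (2 if recently_changed else 0)
    if score >= 5:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def check_programme(processes, audits, cycle_start, cycle_end):
    """Return a list of finding strings for the schedule within one cycle."""
    findings = []
    in_cycle = [a for a in audits if cycle_start <= a.scheduled <= cycle_end]
    by_process = {}
    for a in in_cycle:
        by_process.setdefault(a.process, []).append(a)
    defined = {p.name for p in processes}

    for p in processes:
        planned = by_process.get(p.name, [])
        needed = MIN_AUDITS_PER_CYCLE[p.risk]
        if not planned:
            findings.append(f"COVERAGE: {p.name} is not audited in this cycle")
        elif len(planned) < needed:
            findings.append(
                f"FREQUENCY: {p.name} ({p.risk} risk) has {len(planned)} "
                f"audit(s) scheduled, minimum is {needed}")
        for a in planned:
            if p.owner in a.auditors:
                findings.append(
                    f"INDEPENDENCE: {p.owner} owns {p.name} and is assigned "
                    f"as its auditor on {a.scheduled}")

    # An audit of something not in the process list usually means the
    # programme document and the schedule have drifted apart.
    for name in by_process:
        if name not in defined:
            findings.append(
                f"SCOPE: audit scheduled for '{name}', which is not a defined QMS process")
    return findings


def example_findings():
    """Run the checker over a constructed sample schedule (sample data only)."""
    processes = [
        Process("production control", "R. Lee", risk_tier(3, 3, False)),
        Process("document control", "QA manager", risk_tier(2, 1, False)),
        Process("customer feedback", "S. Park", risk_tier(1, 0, False)),
        Process("facilities maintenance", "M. Diaz", risk_tier(1, 0, False)),
    ]
    audits = [
        Audit("production control", ("QA manager",), date(2025, 6, 10)),
        Audit("document control", ("QA manager",), date(2025, 8, 5)),
        Audit("facilities maintenance", ("R. Lee",), date(2025, 10, 2)),
    ]
    return check_programme(processes, audits, date(2025, 1, 1), date(2025, 12, 31))


if __name__ == "__main__":
    for line in example_findings():
        print(line)
```

On the constructed sample, the checker raises exactly the three findings the article's auditor conversations describe: the high-risk production control process is only scheduled once, the QA manager is auditing the document control process they own, and the customer feedback process has no audit at all. Facilities maintenance passes because it is audited once by someone outside the process. The finding strings are deliberately specific (process, owner, date) so they can be pasted straight into the programme review record.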


What the Audit Programme Document Needs to Include

Most organizations have an audit schedule. Fewer have a programme document that explains the schedule. Here's what a complete programme document should address:

  • Scope of the programme: Which processes, areas, and QMS requirements are covered
  • Audit cycle: The period over which all in-scope processes will be audited (typically 12 months)
  • Frequency rationale: How and why audit frequencies were set, with reference to risk criteria
  • Methods: How audits will be conducted (interviews, document review, observation, process tracing)
  • Audit criteria: Which requirements auditors will evaluate against (standard clauses, internal procedures, customer requirements)
  • Responsibilities: Who owns the programme, who schedules individual audits, who conducts them
  • Independence: How auditor independence is ensured
  • Reporting: How audit results are documented and communicated
  • Follow-up: How corrective actions are tracked to closure
  • Programme review: How and when the programme itself is reviewed and updated

This can be one document or a procedure plus a schedule. The specific format doesn't matter. What matters is that the content exists, is current, and reflects how you actually run the programme — not how you intended to run it two years ago.


Individual Audit Plans and Reports

Each audit in the programme requires its own plan and report.

The audit plan (sometimes called an audit notice or schedule notification) covers:

  • The audit's objective and scope
  • The processes or areas to be audited
  • The criteria (which requirements or procedures will be evaluated)
  • The date, time, and location
  • The auditor(s) assigned
  • Logistics (where to start, who to meet)

The audit plan is typically distributed to the area being audited in advance. Advance notice isn't required by the standard, but it's standard practice and helps auditors observe normal operations rather than scrambling to assemble records.

The audit report covers:

  • Audit date, scope, and auditor
  • Summary of activities and areas audited
  • Evidence reviewed (documents, records, interviews conducted)
  • Nonconformances or observations found
  • Positive findings (not required by the standard, but useful for building credibility)
  • Conclusion on conformity and effectiveness of the audited area
  • Required corrective actions, with reference to the nonconformance records

Audit reports should be specific. "The calibration records were reviewed and found to be satisfactory" is not useful. "Calibration records for all 14 measurement devices in the inspection area were reviewed. One device (hardness tester, ID HT-07) showed a calibration due date of March 2025 — calibration has not been renewed. Nonconformance issued." That's an audit report.


Corrective Action Follow-Up: The Step That Completes the Loop

Many organizations treat the audit report as the end of the audit. It isn't. The audit is complete when nonconformances are closed — not when the report is issued.

9.2.2 requires that appropriate correction and corrective action be taken without undue delay, and that the results are reported to relevant management. "Without undue delay" doesn't mean immediate — it means a timeline appropriate to the risk of the finding. A major nonconformance affecting product safety warrants fast action. An administrative gap in a low-risk process might have a longer resolution timeline. What "undue delay" means in practice is that you have a documented timeline, you're meeting it, and you're not letting findings sit unresolved for months while the clock ticks toward the next certification audit.

The follow-up record should show:

  • What correction was made (immediate fix)
  • What corrective action was taken (addressing root cause)
  • When the action was verified as effective
  • Who verified it and how

Verification of effectiveness is a consistent source of findings. Organizations close corrective actions when the fix is implemented, without confirming that the fix actually worked. "Retraining conducted" closes the action — but if the same issue recurs in the next audit, the corrective action either didn't address root cause or didn't verify that it did. The audit programme should feed back into itself: prior nonconformances should be on the auditor's agenda the next time that process is audited.


Common Audit Conversation Examples

Finding: Audit programme not risk-based

Auditor reviewing the audit schedule: "I see every process is audited once per year on a rotating basis. How did you determine the frequency for each process?"

Quality manager: "We do every area once a year to make sure we cover everything."

Auditor: "Your production control process has had three customer returns traced to it this year. What's the basis for auditing it at the same frequency as your facilities maintenance process?"

Quality manager: "That's just how we've always done the schedule."

The programme isn't wrong because it uses annual frequency — it's wrong because there's no documented rationale, and the frequency clearly doesn't reflect process importance or prior audit results as 9.2.2 requires.


Finding: Auditor independence not maintained

Auditor reviewing audit assignment records: "Your internal audit report for document control is signed by your quality manager. Is the quality manager responsible for document control?"

Quality manager: "Yes, but she also does all of our internal audits."

Auditor: "How are you ensuring objectivity and impartiality when the process owner audits their own process?"

Independence is non-negotiable. If the only trained auditor you have owns every process in the QMS, you have a structural problem that needs a structural solution — not a documentation workaround.


Finding: Corrective actions not closed or verified

Auditor reviewing prior audit reports and corrective action records: "Your audit from November identified a nonconformance in incoming inspection — no documented inspection criteria for material from Supplier B. I see a corrective action was opened. Was it closed?"

Quality manager: "Yes, we created the inspection criteria."

Auditor: "I don't see a closure record. And looking at your March audit of the same area, the inspector couldn't show me the criteria — they looked them up in a shared folder that hadn't been updated."

Quality manager: "The action was marked closed when we created the document."

Creating a document isn't the same as implementing and verifying it. The corrective action wasn't verified as effective. The follow-up audit found the same condition. That's a systemic breakdown in the audit loop.


Finding: Audit programme not covering all QMS processes

Auditor reviewing three years of audit records: "I've looked through your audit schedule and completed reports. I don't see any audit of your customer feedback and satisfaction process — Clause 9.1.2. When was that last audited?"

Quality manager: "We include it in the management review."

Auditor: "Management review isn't an internal audit. The audit programme needs to cover all processes in scope of your QMS."

Including a process in management review doesn't substitute for auditing it. If it's in scope, it needs to be audited.


The Records That Have to Be There

Clause 9.2.2 requires retaining documented information as evidence of the audit programme implementation and the audit results. That phrase — "implementation and results" — means both the planning records and the output records.

At minimum, you need:

  • The audit programme document (current version)
  • The audit schedule for each cycle
  • Individual audit plans for completed audits
  • Completed audit reports with evidence, findings, and conclusions
  • Nonconformance records for any findings raised
  • Corrective action records linked to nonconformances
  • Evidence of corrective action closure and effectiveness verification
  • Records of management review of audit results

For organizations running their QMS on spreadsheets and shared folders, these records typically live in multiple locations that drift apart over time. The audit schedule is in one folder, reports are in another, corrective actions are in a third. When an auditor asks to trace a nonconformance from its source through correction and verification, reassembling those records from disconnected files under audit conditions is stressful at best.

SheetLckr addresses this by keeping audit-related records — schedules, findings, corrective action logs — in a version-controlled, approval-tracked environment where the history of each record is intact and traceable. For quality managers whose internal audit documentation is always the thing that takes the most prep before an external audit, having those records connected and current from the moment they're created is a meaningful structural improvement.


Building a Programme That Takes Itself Seriously

The minimum-viable internal audit programme — the one that satisfies Clause 9.2 and doesn't generate findings — requires: full QMS scope coverage over each audit cycle, documented frequency rationale based on process importance and prior results, genuine auditor independence, specific and evidence-based audit reports, timely corrective action with verified effectiveness, and clean records that connect all of these together.

The better audit programme does all of that and produces something useful. Leadership gets meaningful data about how the QMS is actually performing. Systemic patterns get surfaced before they become customer complaints. Processes that changed in the past six months get checked before a certification auditor gets there first. Auditors ask hard questions — not adversarially, but because hard questions are what makes an audit worth running.

The goal isn't to produce reports that satisfy a certification body. It's to know whether your quality management system is working. When the programme is built to answer that question honestly, the certification audit looks after itself.

Stop patching Excel. Run audits with confidence.

SheetLckr gives quality teams a spreadsheet with built-in audit trails, version locking, approvals, and CAPA tracking — so you're always audit-ready, not scrambling the week before.