ISO 9001 requires an internal audit programme that evaluates whether the management system conforms to the standard's requirements and operates effectively. Most certified organisations have such a programme. A meaningful share of those programmes produce audits that find little, find the same things every cycle, or find issues that nobody addresses substantively. The standard is satisfied on paper; the management system does not improve. The gap is rarely in the audit programme structure — it is in the audit technique that actually surfaces what management does not yet know.
Two Failure Modes of Internal Audit
The first failure mode is the audit that finds nothing. Auditors visit each process, review the documented procedures, observe a small sample of activity, and report that everything is operating as documented. The reality may match this report or may not — the audit was not designed to find out. The second failure mode is the audit that finds the same things every cycle. Documentation gaps, training records out of date, process changes not formally controlled. The findings recur because the corrective actions address symptoms rather than the underlying process discipline that produces them.
Process Approach, Not Clause-by-Clause
A common technique that produces shallow audits: working through the standard clause-by-clause, asking whether each requirement is met. The structure is comprehensive but produces uninteresting findings. The technique that produces depth is the process approach: pick a process, trace it from input through execution to output, examine the linkages with adjacent processes, and look for where the documented procedure diverges from actual practice or where the actual practice produces outcomes the management system does not address.
Audit Trails: Following the Evidence
A useful technique is the audit trail — starting from an outcome and tracing backward through the process that produced it. Pick a customer complaint and trace it back through nonconformity handling, root cause analysis, corrective action, effectiveness review, and management review. Pick a recent product launch and trace it through design and development, supplier qualification, production qualification, and release. The trail surfaces where the management system carried the work through and where it did not. Findings from audit trails tend to be substantive in a way that procedure-comparison audits rarely are.
A useful diagnostic for an audit programme: when was the last finding that genuinely surprised the management team? If the answer is "not in the past year," the audit programme is probably producing predictable findings that match what management already knows. Predictable findings have value but do not move the management system. Audits that surface the unknown require deliberate technique.
Auditor Independence and Skill
ISO 19011 sets out auditor competence requirements that map directly to internal audit effectiveness. Independence from the area being audited is the first requirement — auditing your own work or your own department produces predictable findings. Technical knowledge of the process being audited is the second — generalist auditors miss process-specific issues. The combination is sometimes hard to achieve in smaller organisations; the workable approach is cross-functional pairing where auditors swap into each other's areas, supplemented by external auditing of areas where internal independence is not possible.
Findings That Lead to Real Corrective Action
A finding that produces corrective action like "retrain the team" or "update the procedure" rarely prevents recurrence. The same training will be given to next year's team; the procedure will drift again. Strong findings are written specifically enough that the corrective action has to address the underlying process discipline — why was the documented procedure not followed, what about the work environment made the deviation more likely, what would have caught it. Audits that produce findings of this depth are what drive management system maturity over years.
How to Build an Audit Programme That Improves Over Time
- Train auditors in process-approach technique, not just clause-by-clause checklists
- Vary auditors across cycles so different perspectives examine each area over time
- Use audit trails to trace from outcomes back through process — they consistently produce depth
- Calibrate finding quality during management review, not just the count of findings
- Track repeat findings as a measure of corrective action effectiveness — high repeat rate signals weak corrective action
- Integrate external audit results back into internal audit planning — external findings inform internal focus areas