Internal audits are meant to be your early warning system. They should catch problems before the external auditor does. But in many organizations, the internal audit program itself becomes the problem.
Registrars consistently flag internal audit programs as a source of non-conformances, not because organizations skip them, but because the way they are conducted does not meet the intent of the standard.
Here is what goes wrong and how to build an internal audit program that actually works.
The schedule-driven trap
Most organizations build an annual internal audit schedule and follow it regardless of what is happening in the business. Every department gets audited once a year, every process gets equal time, and the schedule becomes a calendar exercise.
The standards require a risk-based approach to internal auditing. ISO 9001 clause 9.2 says the audit program must consider the importance of the processes, changes affecting the organization, and results of previous audits. IATF 16949 goes further and requires process-based auditing across all shifts.
The fix is to weight your audit schedule toward high-risk areas. Processes that had findings last time should be audited sooner. Processes undergoing significant change should get extra attention. Low-risk, stable processes can be audited less frequently. Document the rationale for your schedule so external auditors can see the risk-based logic.
Auditors who audit their own work
One of the most common findings is auditors who lack independence. The quality manager audits the quality department. The production supervisor audits their own production line. The standard is clear: auditors must be objective and impartial, and they cannot audit their own work.
In smaller organizations this is a genuine challenge because there are only so many qualified people. The solution is cross-functional auditing. Train people from different departments to audit each other. A maintenance technician can be trained to audit document control. A logistics coordinator can audit the calibration process. The key is competence and independence, not job title.
Checklists that check nothing
Many internal audits use generic checklists that ask surface-level questions. "Is there a procedure?" Yes. "Are records maintained?" Yes. The audit is closed with zero findings, and three months later the external auditor finds significant gaps in the same area.
The problem is that the audit checked for the existence of documents rather than the effectiveness of processes. A strong internal audit asks questions like: "Show me how you handled the last customer complaint from start to close. Walk me through the root cause analysis. What changed as a result?"
The fix: train your internal auditors to audit by following the process trail, not by checking boxes on a form. Pick a specific part number, a specific complaint, a specific change order, and follow it through the system. This is exactly what external auditors do, and it is exactly what your internal auditors should practice.
Findings that never close
This is perhaps the most damaging pattern. Internal audits identify findings, corrective actions are assigned, and then nothing happens. The findings remain open for months. When the external auditor reviews the internal audit results, they see a list of unresolved problems, which raises questions about the effectiveness of the entire management system.
The fix is to treat internal audit findings with the same urgency as external findings. Assign owners, set realistic due dates, verify effectiveness, and close them. If a finding cannot be closed in a reasonable timeframe, escalate it to management review.
A well-run internal audit program is the single best investment you can make in audit readiness. It catches problems early, demonstrates system maturity to external auditors, and drives real improvement.
If your internal audit program needs a reset, or if you need help training auditors who can ask the right questions, that is exactly the kind of engagement we specialize in.