The internal ISO audit is performed annually under ISO 19011 to verify system conformity before the external audit.

The internal audit is one of the most powerful tools in any ISO management system, and also one of the most under-used. Too many organizations treat it as a bureaucratic formality run once a year to keep the certification body happy. The reality is that a well-executed internal audit can identify inefficiencies that cost thousands of euros, prevent nonconformities at the external audit and generate tangible improvements in business processes. This guide shows you how to plan and execute internal audits that deliver real value, following the guidance of ISO 19011:2018.


ISO 19011: the reference standard for audits

ISO 19011:2018 provides guidance on auditing management systems. It is not a certifiable standard, but it is the reference used by professional auditors and the framework certification bodies expect your organization to follow for its internal audits.

The seven audit principles defined by ISO 19011 are: integrity (the foundation of professionalism), fair presentation (the obligation to report truthfully), due professional care (diligence and judgement when auditing), confidentiality (information security), independence (the basis of impartiality), evidence-based approach (a rational method) and risk-based approach (focus on what matters most).

When the seven principles are applied consistently, the audit stops being a defensive exercise and becomes a diagnostic tool. Your team understands that the auditor is not there to police: they are there to help the system work better.

Audit types: first, second and third party

Before planning, it helps to be clear about which type of audit you are running. The difference is not semantic: it changes scope, resources and pressure on the team.

| Criterion | 1st party (internal) | 2nd party (supplier/customer) | 3rd party (external) |
| --- | --- | --- | --- |
| Who audits | Own staff or contracted consultant | Your company audits a supplier (or a customer audits you) | Certification body accredited by ENAC |
| Object | Verify compliance and internal improvement | Verify contractual compliance | Issue official certificate |
| Independence | From the audited process, not from the company | Full from the audited party | Full |
| Typical frequency | Full annual plus quarterly partials | Before approval plus periodic reviews | Initial plus annual surveillance plus recertification every 3 years |
| Cost | €800-3,500 per year outsourced | Equivalent to an internal audit | €1,500-8,000 per year depending on standard and size |
| Associated decision | Improvement plan | Approve / keep / drop supplier | Issue / maintain / suspend certificate |

The internal audit covered by this guide is the first-party one. It is the only one you control in intensity, depth and frequency, and that is precisely why it can deliver the most value.

Risk-based annual audit programme

A common mistake is to audit every process with the same intensity. The correct approach is a risk-based programme that concentrates audit resources where they can have the highest impact.

To design the annual programme, assess each process against:

With this assessment, allocate more frequency and depth to higher-risk processes and less to those that run stably. A medium industrial company may end up with a programme that audits production and purchasing twice a year, HR and sales once a year, and maintenance every two years if it has had few historical findings.

Internal auditor competence

The internal auditor must be independent of the audited process, technically competent in management systems, trained in ISO 19011 audit techniques and have soft skills for the interview: active listening, neutral questioning, ability to defuse defensive reactions.

For SMEs (small and medium-sized enterprises), three options exist: train an internal auditor in-house (€500-1,200 for a 40-hour course), outsource to a consultant (€600-2,000 per audit), or cross-audit between departments. Each option has trade-offs in cost, independence and learning curve.

Audit planning by process

Once the annual programme is defined, each specific audit needs its own plan. The plan documents scope, audit criteria, sampled processes, calendar, auditor team and required evidence. A good audit plan is signed off by management one week before fieldwork and shared with the auditees so they can prepare records.

Tip: avoid surprise audits. The objective is to verify how the system works in normal conditions, not to catch people out. The surprise effect produces defensive answers, not useful evidence.

Interview techniques that produce useful evidence

The interview is the auditor's main tool. Open questions (how, why, when, who) produce richer evidence than closed yes/no questions. The "show me" rule is essential: every verbal answer must be backed by a documented record, a system screen or a physical observation. Without evidence there is no finding.

Listen 80% of the time, ask 20%. Take notes in real time. Triangulate sources: cross-check what the operator says with what the manager says and with what the procedure says. Three-way agreement confirms; disagreement is a finding.

Drafting findings: observation, nonconformity, opportunity

The audit ends with a list of findings, classified into three categories: observation, nonconformity and opportunity for improvement.

Each finding is written using the SAR formula: Statement (what was found), Audit criterion (which clause is breached), Reference (evidence number and location). A finding without these three elements cannot be defended.

From findings to corrective actions

The internal audit only delivers value if findings translate into improvement actions that the system actually closes. The process has four steps: root cause analysis (5 whys or Ishikawa), corrective action plan with owner and deadline, implementation, and effectiveness verification at least three months after closure.

An action closed without verification is not a closed action: it is a hidden risk. Plan a sample review of closed actions in the following internal audit.

Management review: the audit's final destination

ISO requires a periodic management review where the consolidated audit results, the status of corrective actions, the indicator trends and the changes in context are tabled to top management. The internal audit feeds that review with structured evidence.

If the internal audit does not end up on the management's agenda, the system has lost its closure loop. Book a 45-minute review and we will look at how your internal audit feeds the management review and whether the cycle is really closed.

Frequently asked questions

How often should an internal ISO audit be performed?
ISO 19011 requires the entire system to be audited at least once a year, but a risk-based approach is preferable: high-risk processes are audited quarterly, medium-risk ones twice a year, and low-risk ones annually.
Can the same person audit and be audited?
No. The auditor must be independent of the audited process. They can work in the same company, but never audit their own activity. In small SMEs this is solved with cross-audits between departments or by hiring an external auditor.
Does an internal auditor need to be certified?
ISO 19011 does not require an official certificate, but a 40-hour internal auditor course and at least one accompanied audit are recommended. Recognised certifications include IRCA, Exemplar Global and AENOR.
What is the difference between observation, nonconformity and opportunity for improvement?
An observation is a deviation that does not yet breach the standard; a nonconformity is a confirmed breach of a requirement; an opportunity for improvement is a suggestion to raise performance even though there is no breach.
Is the same audit valid for ISO 9001, ISO 14001 and ISO 45001?
Yes, provided the integrated programme is properly planned. The High Level Structure (Annex SL) allows the common clauses to be audited jointly and only the specific clauses of each standard to be audited separately.

Frequently asked questions

How does this apply to my SME?

It applies as long as you serve Spanish customers or process Spanish data; the framework is mandatory above thresholds we summarise in the table.

What does it cost in 2026?

Indicative ranges for SMEs of 10-50 employees: 2,500-12,000 EUR for documentation, plus auditor fees, which vary between AENOR, BV, SGS and LRQA.

Which Spanish regulation applies?

Depending on scope, the applicable BOE references are RD 311/2022 (ENS), Regulation (EU) 2016/679 (GDPR), the LOPDGDD, NIS2, DORA and the EU AI Act (Regulation 2024/1689).

How long does the implementation take?

On average, a single ISO standard takes 4-7 months. An integrated management system (SGI) combining 9001, 14001 and 27001 usually takes 8-12 months.

Can I co-finance it with Kit Digital or Kit Consulting?

Yes. Kit Consulting 2026 covers up to 24,000 EUR in advisory hours; Kit Digital covers tools (CRM, ERP, cybersecurity) up to 29,000 EUR.

References: AENOR · BOE · ISO

Brain marketing is more predictable than opinion marketing. — Ángel Ortega Castro