ISO 9001 Internal Audit Checklists and Process Audits


Involved - Posts
Internal Auditors Checklists - Needed -

Oh, and HELLO to eveyone!!!

I start my new Quality Managers position wih my new company next week and I know I am going to have a ton of questions!
You all seem very bright and creative and I am sure i will be hanging out here a lot :)

Anyway the company I am going to is certified to the new standard but there are some noncons I have to deal with right off the bat, and they are due resolved in about 70 days.

One of them is training. The first thing I want to do it re-train all the auditors and set them loose.
Anyone have any good checklists, generic I guess.
Is so that would be great, you can e-mail them to me or post them.

Thanks a lot.

Hullo G, and welcome to the Cove :bigwave:. Personally, I don't have any generic checklists, but you may find some in the Free Files directory.

I also suggest a visit to the Auditing Forum

Bring the questions. We'll try to help (And learn a bit ourselves in the process).

Over to the Cove dwellers...



Welcome Gman, from another newbie.

At my company we do have element specific checklists, but I have never liked them - the questions on them never seem to be the ones I would ask.

Here is MY checklist for internal audits - well, actually my process. It is as generic as can be.

1. What am I auditing? What are the "shalls" that must be met? What is the intent behind the requirements, and how does it apply to our situation? What other elements of the standard are pertinent - records, training, resourcing, document control, etc. These questions are answered entirely from the standard.

2. Is our system conforming? What processes and procedures in our Quality System pertain to this requirement? How are they documented? Do they address all of the requirements of the standard for documented procedures and records? How do they relate to one another, and is the system internally consistent (i.e. are there conflicting requirements between different procedures, etc.)? Does it make sense? What are the good audit points? By audit points I mean observables within our processes - things that I should be able to see and verify. These questions are answered entirely from the documentation that exists within our quality system.

3. Are we following our system? This is where I start going out on the floor, talking to managers and front line workers, digging through records, etc. to see if the system that I audited in question 2 is the system that exists on the floor. I start with the audit points that I pre-determined, but rarely do I stop with them. There are always additional items and questions that come up, and you need to be flexible enough to adjust course as the situation dictates.

Anyway, that's the system I use - I'd like to hear from other folks who audit if they do it differently.

As far as training for auditors - They all need to have a consistent understanding of the standard - that may take a day or two. You can explain the auditing process to them in 5 minutes, but they need to practice it for a day or two in simulations - especially steps 1 and 2, which are often overlooked or under-appreciated. And they should definitely have some communications skills training - asking open-ended questions, LISTENING, and business writing - a good NC is useless if no one can understand it because it is poorly written.

Ed Gibbs


Yes! Welcome fellow Michigander. :bigwave: If you are in the Detroit area, there is a group of us that are planning on meeting on a monthly basis for lunch. You are more than welcome to buy, I mean join us :vfunny: (the buy part was a joke - you'll catch on to our unusuall sense of humor eventually)

Now, about the checklist. Are you looking for checklist the standard, or one that you would use as part of determining auditor competence? For the first, I would recommend, as part of the auditor training develop checklists for your processes and procedures. Most generic checklists are marginal for internal auditing. Mostly, you will be auditing against your own documentation and practices, so your checklists should be the same. Let me know if you want a generic standard (other than ISO/TS 16949). I am attaching a generic checklist.


  • Checklist- Complete ISO 9K2K Rev B.doc
    267.5 KB · Views: 2,171
Great post Ed, :agree:

I suppose most of us follow similar guidelines, but I for one have not put it in writng son nicely. Good job.

I would like to make one addition, however:

4. Is there a better ( cheaper, safer, faster, less complicated or whatever) way to do this? We also want to use the audit to search for improvement potential, right?



As far as Audits go, Ed has a good baseline above... You would of course add in your process so the questions are targeted at your requirements.

I think that with a process approach to auditing, the first step is to define the scope of the audit you plan to conduct (what is the process you are planning to audit?) and what are you auditing that against? are you auditing it against a particular standard? or against your own quality manual? or against several standards? or some other requirements?

Once you have the scope and the process to be audited, then it gets much easier to complete the checklist... focus on the Inputs and Outputs of that process and on the internal checks and balances within the process. Also keep in mind that problems can and do arrise in any process, that is why I added # 5 to Ed's list (including Claes # 4 above)...

5) How do you know when there is a problem? Have you experienced any problems recently? and what steps do/did you take to try and resolve them?

Oh yeah, we also like to ask people on the shop floor if they know what our Quality Policy is and how their work contributes to the overall success of our company. E

PS: I also think it helps to involve your auditees in the development of a checklist. If you are going to conduct an audit with 7 requirements on your checklist, give the auditee an opportunity to add one or two more items to your checlkist. This lets you audit against your requirements and gives the auditee an opportunity to focus part of the audit on one or two areas they are concerned with...
Last edited by a moderator:


Good additions folks, thanks.

I guess as far as checklists go I really have at least 2 sets, and I develop them as I go.

Checklist 1 is developed in Step 1, and lists the auditable requirements of the standard for our Quality System. That is the checklist I use as I go through the QS in Step 2 and audit the SYSTEM for compliance to the standard. If I write a NC at this point it will be against our QS, and it will reference the clause in the ISO standard that the QS doesn't meet. So I might write a NC that says "There is no evidence of a documented procedure for... as required by ISO-9001:2000 clause..."

Checklist 2 is developed in Step 2, and lists the audit points I find in our QS for use in Step 3. I use this checklist during the floor audit, and if I write a NC from this checklist it will be against actual practice and reference our QS. So it might say "Records of calibration of test equipment are not being maintained in blue boxes as required by company procedure... in the production area." I would not normally write a NC referencing the ISO standard in step 3 because the people on the floor are not working to ISO, they are working to our procedures, which I have already determined to be/not be compliant to the ISO requirements in step 2.

What about steps 4 and 5? How are the checklists for those steps developed, and how would you write a NC in those parts of the audit? What if someone says in Step 5 "I had a problem last week, but my boss told me to ignore it." Is that a NC? If so, is it a NC to the ISO standard or to the internal procedures?

Ed Gibbs
Last edited by a moderator:


Re: Internal Auditors Checklists - Needed -

edward.gibbs said:
What about steps 4 and 5? How are the checklists for those steps developed, and how would you write a NC in those parts of the audit? What if someone says in Step 5 "I had a problem last week, but my boss told me to ignore it." Is that a NC? If so, is it a NC to the ISO standard or to the internal procedures?
Ed Gibbs
I will comment on #5 and trust Claes to do the same for #4...

I usually look to include a few questions targeted at problem identification and resolution. This can lead you in many directions... what are the control parameters? What equipment requires calibration? what happens if equipment calibration has expired? Who controls the process? have they been trained in how to control the process? what evidence shows that they are competent to perform that task? who has the authority to make a decision regarding that process? how are problems identified? who makes a decision on when actions need to be taken to resolve a problem? is that authority defined? if so, where is it defined? etc...

It would depend on your system as to whether your above statement would be a nonconformance... At the least, I would want to ask more questions regarding that statement and maybe have the opportunity to question their boss. Perhaps it's ok for the boss to give the authorization to run outside a control parameter? perhaps that boss is aware of other issues which caused him to make such a statement? perhaps you exceeded your in-process control parameters but steps were already underway to bring the process back in control? or while you may have exceeded the in-process control parameters, the final product attributes will not be adversely affected?


Shaun Daly

What do the Auditors need retraining in?

If its basic Audit Skills the web presentation available here (the link is at the top of the page) is quite usefull.

If they need converting to ISO9000:2000 then get a training body in and do them all on a 2 day Internal course.

Process Auditing itself is a skill on its own - maybe another training course?
Re: Internal Auditors Checklists - Needed -

edward.gibbs said:
What about steps 4 and 5? How are the checklists for those steps developed, and how would you write a NC in those parts of the audit?

Well... Step 4 may not be a separate step as such...

I just keep thinking that way through the entire audit, and do not issue a NC for improvement potential found, unless I can pin it to the std or our system. We don't call them NC's btw. (We call them improvement issues) I make very certain however, that I mention the potential in the audit report text.

Top Bottom