Done badly, an internal audit is a box-ticking ritual that everyone dreads and nobody learns from. Done well, it's one of the most useful improvement tools a management system has. ISO 19011 is the international guidance for auditing management systems, and its logic applies whether you're auditing quality, environment, safety, or security.
Program vs. individual audit
Two levels matter. The audit program is the planned schedule of audits across the year, prioritized by risk: processes that are critical, have changed recently, or have a history of findings get audited sooner and in more depth than stable, low-impact ones. An individual audit is one engagement within that program. Most failures start at the program level, by auditing the easy areas instead of the risky ones.
The principles that make audits trustworthy
ISO 19011 rests on principles of integrity, fair presentation, due professional care, confidentiality, independence, an evidence-based approach, and (since the 2018 edition) a risk-based approach. The evidence-based approach is the heart of it: audit conclusions must rest on verifiable evidence, not opinion or politics.
Running the audit, step by step
- Plan — scope, criteria (the standard/procedures you're auditing against), and what you'll sample.
- Opening meeting — confirm scope and logistics, set a collaborative tone.
- Gather evidence — three sources: interview people, observe work as it happens, and examine records. Triangulate; don't rely on one.
- Evaluate findings — conformity, nonconformity, or opportunity for improvement. A nonconformity should state the requirement (the clause or procedure), the objective evidence seen, and the gap between the two, so that anyone reading it can check it.
- Closing meeting — present findings clearly, no surprises.
- Report and follow up — document, agree corrective actions, and verify they actually worked.
An auditor's job isn't to catch people out. It's to find out whether the system is actually working — and to surface, with evidence, where it isn't.
Auditor competence
ISO 19011 puts real weight on the auditor's competence: knowledge of the standard, of auditing technique, and crucially of behaviour — being observant, diplomatic, tenacious, and able to reach evidence-based conclusions without bias. A technically sharp auditor with poor people skills gathers worse evidence, because people clam up.
The tell of a good internal audit
You can judge an audit function by one question: does it produce findings that lead to real improvement, or just a clean file for the external auditor? The first builds the business. The second wastes everyone's time.
Become a confident auditor
My ISO 19011 course covers the whole discipline — program planning, evidence gathering, writing findings, and the auditor behaviours that separate useful audits from box-ticking.
View the auditing course →
Questions
What's the difference between internal and external audits?
Internal (first-party) audits are run by or for the organization on itself. External audits are second-party (by a customer or on a supplier) or third-party (by a certification body). ISO 19011 is written as guidance for first- and second-party auditing; the requirements on certification bodies performing third-party audits sit in ISO/IEC 17021-1.
Can someone audit their own work?
No. The independence principle means auditors should not audit their own work or an area they are responsible for. Small organizations cross-audit between functions, or bring in an outside auditor, to preserve objectivity.