Auditing | April 14, 2026 | 11 min read

Internal audit checklist for ISO 9001: the 47 questions that actually matter

Forget the 200-line checklist nobody reads. These 47 questions, mapped to the clauses, surface the issues real auditors find — and the ones your certification body will too.

Most internal audit checklists are bloated. They restate every sub-clause as a yes/no question, generate hundreds of lines, and get filled in by an auditor who is mostly trying to get through the day. The output is a stack of ticks, a couple of obvious findings, and very little insight.

A good internal audit asks fewer, sharper questions — the ones that consistently expose weakness across organizations regardless of size or sector. Below are 47 of them, grouped by clause, drawn from the patterns external auditors actually look for. Use this as your spine; add sector-specific questions on top.

Clause 4 — Context and interested parties (5 questions)

  • When was the context analysis last updated, and what changed in the QMS as a result?
  • Which interested parties have been added or removed in the last 12 months, and why?
  • Can leadership explain how external issues (regulation, supply chain, climate, AI) are reflected in objectives?
  • Is the scope statement still accurate given new sites, products, or outsourced processes?
  • How does the organization decide which interested-party requirements become QMS requirements?

Clause 5 — Leadership (5 questions)

  • Can top management describe the quality policy in their own words and link it to a business outcome?
  • How is the customer focus visible in operational decisions, not just slides?
  • Are quality responsibilities and authorities documented for the roles that actually carry them — or only for the quality team?
  • What recent decision did leadership make because of QMS data?
  • How is leadership held accountable when QMS performance slips?

Clause 6 — Planning (5 questions)

  • Are risks and opportunities reviewed at a defined cadence, or only when something goes wrong?
  • Can each quality objective be traced back to a specific risk, opportunity, or strategic priority?
  • Are the actions taken to address risks proportionate — or is everything rated medium and ignored?
  • When the QMS changes, is the change planned, communicated, and verified — or just announced?
  • Are objectives measurable in a way that allows a clear pass/fail at year-end?

Clause 7 — Support (7 questions)

  • Are competence requirements defined per role, and is current competence evidenced (not just attendance)?
  • Is calibration status traceable to the device used on the day of the measurement?
  • Are external documents (standards, customer specs, regulatory) controlled at the version actually in use?
  • How does the organization ensure obsolete documents are not in circulation in shared drives or printouts?
  • Is the awareness of the quality policy genuine, or rehearsed only before audits?
  • How are the resources for the QMS — people, infrastructure, environment, monitoring — reviewed against demand?
  • If the organization uses AI tools in operations, is there documented control over inputs, outputs, and decisions made?

Clause 8 — Operation (10 questions)

  • Are operational acceptance criteria defined and applied at every handover, or only at final inspection?
  • How are customer requirements captured, reviewed, and confirmed before commitment?
  • Are design and development controls applied consistently — or only on flagship projects?
  • How is the performance of external providers monitored beyond on-time delivery?
  • Are critical-to-quality characteristics identified and protected through the process, not just inspected at the end?
  • How is traceability maintained when product or service flows across multiple sites or systems?
  • Is customer property — including data and IP — controlled with the same rigor as physical property?
  • When changes happen mid-production or mid-delivery, is there a documented control process or improvisation?
  • How are nonconforming outputs prevented from being released, and who has authority to override?
  • Is post-delivery activity (warranty, support, recall) governed by the QMS or treated as separate?

Clause 9 — Performance evaluation (8 questions)

  • Are the right things being measured, or only the easy things?
  • Is customer satisfaction measured through more than one channel (survey, complaint rate, retention)?
  • Is the internal audit programme risk-based, or does every process get audited identically every year?
  • Are auditors competent and independent of the area they audit?
  • Do management reviews produce decisions, or just minutes?
  • Are all required inputs (9.3.2) and outputs (9.3.3) actually present in the review record?
  • Is the data presented in management review trended over time, or just a snapshot?
  • When KPIs miss target, is there a documented response — or does it quietly disappear?

Clause 10 — Improvement (7 questions)

  • Is the difference between correction, corrective action, and improvement understood by the people doing the work?
  • Are root causes documented, or are 'cause' fields filled in with restatements of the problem?
  • Are similar nonconformities recurring across different areas — and is anyone looking horizontally?
  • Is the effectiveness of corrective action verified after a defined period, not just closed?
  • Are improvement opportunities captured outside of nonconformities — from staff suggestions, customer signals, audit observations?
  • Does continual improvement show up in measurable outcomes, or only in the number of actions raised?
  • How does the organization decide which improvements to fund and which to defer?

How to use the 47

Don't read these as yes/no questions. Each one is a prompt for evidence. The auditor's job is to ask the question, ask for the proof, and follow the proof until either it holds up or it doesn't. If a question can be answered with 'yes' and no follow-up, the audit is too shallow.

Build your audit programme so that across the year every clause is touched, but no single audit tries to cover everything. A focused two-hour audit on six well-chosen questions will surface more than a four-hour walk-through of a 200-line checklist.

The best internal audits leave the auditee with one or two things they genuinely want to fix — not a list of trivia.