How to Conduct an Internal Audit: Step-by-Step Guide

Written by Smart Audit Team | March 2026

Most internal audits fail even before the auditor opens the door. It's not because the auditor doesn't have the knowledge. It's not even because the checklists are inaccurate. They fail because the whole process of events leading up to audit day—planning, scheduling, defining the scope, and getting ready—is either hurried, informal, or totally left out. If you've ever left an audit feeling like you missed something important, or received findings from an external auditor that your own internal audit completely overlooked, you've experienced this firsthand.

This guide will walk you through exactly how to conduct an internal audit step by step, from defining your scope before you start to closing out non-conformances after you finish. Whether you're auditing for ISO 9001, ISO 22000, HACCP compliance, or your own internal quality standards, these steps apply across industries and audit types.

What Is an Internal Audit (and Why Does It Actually Matter)?

An internal audit is a structured, independent review of your organization's processes, systems, or activities to assess whether they meet defined standards, regulations, or internal policies.

The word "independent" is key. An internal audit isn't a walk-through by the department manager. It's a formal evaluation conducted by someone—whether internal staff or a trained colleague from another department—who has no direct stake in the outcome of the area being audited.

Done well, internal audits do three things that external audits can't:

  • They catch problems early before a regulator or certification body does.
  • They give you time to fix issues under controlled conditions.
  • They create a documented culture of continuous improvement that compounds over time.

Why Internal Audits Outperform Reactive Quality Control

Organizations that run regular, well-structured internal audit programs consistently perform better in third-party and certification audits. That's not a coincidence; it's the direct result of the feedback loop that internal auditing creates. Finding a non-conformance in your own audit costs you time. Finding it in a certification audit can cost you your certificate.

How to Conduct an Internal Audit Step by Step

Internal audit workflow process diagram showing audit planning, execution, reporting, and corrective action steps

Here is the complete internal audit process, laid out in the order you should follow it. Each step builds on the previous one; skipping steps is the most common reason internal audits produce weak results.

01 Define the Audit Scope and Objectives

Before anything else, you need to answer two questions: What are we auditing? and Why are we auditing it?

The scope defines the boundaries: which processes, departments, sites, products, or time periods are included. The objective defines what you're trying to determine. Are you verifying compliance with ISO 9001 Clause 8? Checking adherence to your HACCP plan? Reviewing your supplier qualification records?

Also decide at this stage who will conduct the audit. The auditor should be competent in the subject area but must not audit their own work. This independence requirement is a fundamental principle under ISO 19011, the international guideline for auditing management systems.

02 Prepare and Distribute the Audit Plan

An audit plan is a short document that communicates the what, when, where, and who of the upcoming audit. Distribute it to all relevant parties (auditees, department heads, and any observers) at least one to two weeks before the audit date.

Your audit plan should include:

  • Audit date and duration: how long you'll be on-site or conducting interviews
  • Departments and processes in scope: be specific about what's included
  • Standard or criteria being audited against: e.g., ISO 9001:2015, internal SOP-14
  • Names of auditors and auditee contacts: confirm availability in advance
  • Logistics: where opening and closing meetings will be held, what system access is needed

Giving advance notice isn't cheating. A well-prepared auditee makes for a more efficient audit and more accurate findings. The goal of an internal audit isn't to catch people off guard; it's to assess whether processes actually work.

03 Develop or Review Your Audit Checklist

The audit checklist is your roadmap. It translates the requirements of your standard or policy into specific questions, observations, and evidence points that the auditor will work through during the audit.

You can build a checklist from scratch, pull from a template library, clone a previous audit and update it, or, if you're using audit management software like Smart Audit, generate one using the AI checklist builder based on your standard and scope.

Either way, a solid internal audit checklist should:

  • Cover every clause or requirement within scope, with no gaps
  • Include open-ended questions, not just yes/no tick boxes
  • Have space for objective evidence: document numbers, records reviewed, direct observations
  • Include a scoring or rating mechanism if your system uses one
  • Allow for conditional logic: if one answer triggers deeper questioning, that should be captured

04 Conduct the Opening Meeting

Every formal internal audit begins with an opening meeting. This isn't an optional formality; it's how you align expectations, confirm scope, and set a professional tone for everything that follows.

Keep the opening meeting short (15–30 minutes) but cover these points clearly:

  1. Introduce the audit team and confirm auditee representatives are present.
  2. Confirm the scope, objectives, and criteria of the audit.
  3. Explain how findings will be classified: observation, minor non-conformance, major non-conformance.
  4. Outline the day's schedule and logistics: breaks, lunch, closing meeting time.
  5. Confirm that this is a process review, not a personal performance evaluation.

The opening meeting reduces anxiety on both sides and eliminates confusion about what the audit is and isn't. Auditees who understand the process engage more openly, which leads directly to better and more honest findings.

05 Perform the Audit: Gather Evidence and Document Findings

This is where the actual audit work happens: interviews, document reviews, process walkthroughs, and evidence collection. This step is what most people think of when they hear "internal audit", but it's only possible to do well if steps 1–4 were done first.

Effective auditors use the SALAMI method as a practical fieldwork framework:

Letter | What It Means
S | Sampling: don't review everything; select a representative sample across dates, shifts, or batches
A | Asking questions: open-ended questions reveal more than yes/no prompts
L | Listening: let the auditee finish; what they don't say is sometimes as important as what they do
A | Analyzing evidence: cross-reference what you're told against what the records show
M | Making notes: record findings in real time, not from memory at the end of the day
I | Interpreting findings: distinguish between what you observed and what it means for compliance

Key field techniques to apply during the audit:

  • Follow the process: walk the actual workflow from start to finish rather than reviewing documents in a meeting room
  • Sample strategically: select records from different time periods, operators, or batches to expose inconsistencies
  • Ask "show me": when an auditee says something is done, ask to see the evidence; verbal assurances are not objective evidence
  • Capture positives too: note what's working well; effective audit reports recognize strong practices, not just gaps

Going Paperless: A Practical Advantage

If you're using mobile audit software like Smart Audit, you can record findings directly on a tablet or phone during the audit, including attaching photos as objective evidence, without needing an internet connection. This eliminates the common bottleneck of transcribing handwritten notes after the fact and dramatically reduces the time between audit day and report issue.

06 Classify and Document Your Findings

Not every finding carries the same weight. Before the closing meeting, classify each finding consistently using your organization's defined rating system. Here is the standard classification framework used across ISO management systems:

Finding Type | Definition
Major Non-Conformance | A systematic failure or complete absence of a required process or control. Poses significant risk to product safety, regulatory compliance, or certification status. Requires immediate corrective action.
Minor Non-Conformance | An isolated or infrequent lapse in an otherwise functioning process. Lower risk than a major NC but still requires formal corrective action with a defined timeline.
Observation / OFI | Not a non-conformance, but an area that could be strengthened or improved. No corrective action is required, but an improvement plan is recommended. Often becomes a future NC if not addressed.
Positive Finding | Evidence of particularly good practice that exceeds the standard or expectation. Worth recognizing formally and potentially replicating in other areas or sites.

Document every finding with three elements: (1) the specific requirement or clause it relates to, (2) the objective evidence you reviewed, and (3) a clear, factual description of what was found. Do not record your interpretation of the cause in the finding; that comes during the corrective action process.

07 Conduct the Closing Meeting

The closing meeting mirrors the opening meeting in format, and it matters just as much. Present your findings to the auditee and relevant managers, explain the classification of each one, and confirm next steps before anyone leaves the room.

Key principles for an effective closing meeting:

  • Read findings verbatim from your report: don't improvise or soften language in the moment; consistency matters
  • Allow the auditee to respond: factual corrections are valid and should be recorded; disagreements about interpretation should be noted but not debated
  • Confirm due dates and owners: every non-conformance should leave the closing meeting with a named owner and an agreed target date for corrective action
  • Thank the auditee team: acknowledge their time and cooperation; tone in the closing meeting shapes willingness to engage in future audits

08 Issue the Formal Audit Report

The audit report is the official record of everything that happened during the audit. It should be issued promptly, ideally within five business days, while details are still fresh for both the auditor and the auditee.

A complete internal audit report must include:

  • Audit scope, objectives, and criteria
  • Date, location, and names of auditors and auditees
  • Summary of the audit: areas reviewed, sample sizes, methodology
  • All findings with classifications, evidence references, and requirement citations
  • Any observations or positive findings
  • Confirmation of corrective action due dates and owners
  • Signature of the lead auditor and acknowledgment from the auditee

Common Mistake: The Report That Never Gets Read

One of the most common failures in internal audit programs is issuing a comprehensive report that then sits in a shared drive untouched. The audit report is only useful if it drives action. Consider a brief management summary on page one that highlights the most critical findings; this is what busy managers will actually read and act on.

09 Manage Non-Conformances and Track Corrective Actions

Issuing the report isn't the end of the audit process; it's the beginning of the improvement cycle. Each non-conformance must go through a formal corrective action workflow:

  1. Root cause analysis: use structured methods like 5-Why or fishbone diagrams to identify the real cause, not just the visible symptom. Fixing symptoms without addressing root causes means the same non-conformance will reappear.
  2. Corrective action plan: specific, measurable actions that will eliminate the root cause, with assigned owners and target dates.
  3. Implementation: execute the agreed actions within the defined timeframe.
  4. Evidence of completion: collect and attach objective evidence that the actions were carried out.
  5. Effectiveness verification: confirm that the actions actually resolved the non-conformance. This step is routinely skipped and is the primary reason NCs recur.

Tracking this process manually across email threads and spreadsheets is where most internal audit programs break down. Non-conformance management software, or the NC module within audit platforms like Smart Audit, keeps the entire corrective action lifecycle in one place, with automated reminders, escalation workflows, and a complete audit trail.

10 Review Audit Trends and Close the Compliance Loop

The final step, and the most consistently underused, is trend analysis. Individual audits produce findings. Multiple audits over time produce patterns, and patterns tell you something far more important than any single finding can.

Your audit program should include a periodic management review where results across all audits are analyzed together. Look for:

  • The same process or department generating findings repeatedly
  • The same ISO clause or requirement consistently not being met
  • Seasonal patterns: findings that cluster around specific periods
  • Processes with low finding rates that may indicate auditors are being too lenient
  • Trends in finding severity: are NCs increasing or decreasing over time?

This analysis is what transforms a collection of individual audit events into a genuine continuous improvement engine. It's also the evidence that senior management needs to justify investment in process improvement, training, or system upgrades.

Best Practices for a More Effective Internal Audit Program

Following the ten steps above will give you a structurally sound audit. These additional practices separate good audit programs from great ones:

  • Rotate auditors: different auditors bring different perspectives and prevent the blind spots that develop when the same person audits the same area year after year
  • Apply risk-based scheduling: not every process needs the same audit frequency; audit more often where the stakes are highest
  • Brief and buddy new auditors: shadow new team members on their first two or three audits before letting them lead independently
  • Use digital audit tools: paper forms make tracking, trend analysis, and report generation significantly harder than they need to be; the ROI on audit software typically shows up within the first audit cycle
  • Don't wait for problems to audit: the best time to run an internal audit is before you have a reason to
  • Separate the auditor from the CAPA owner: the person who finds a non-conformance should not be the person responsible for fixing it; this creates accountability on both sides

Conclusion

Knowing how to conduct an internal audit step by step is one thing; building a disciplined, consistent audit program that actually improves your organization over time is the real challenge.

The framework above gives you everything you need: define your scope precisely, plan carefully, build a targeted checklist, gather objective evidence on the day, document findings clearly and consistently, follow through rigorously on corrective actions, and use trend data to drive genuine continuous improvement.

The organizations that get the most value from internal audits are not the ones that treat them as annual compliance checkboxes. They're the ones that use every audit as a genuine opportunity to understand what's really happening in their processes, before an external auditor, a regulator, or a customer complaint gives them a much less comfortable way to find out.

Start with step one. Define your scope. Book your first audit. The process gets faster and more effective every time you run it.

ISO 9001 and ISO 22000 require that internal audits are conducted at planned intervals, but neither standard specifies a fixed minimum frequency. Most organizations audit all processes at least once per year, with higher-risk or higher-frequency processes audited quarterly or monthly. The frequency should be determined by the importance of the process, the results of previous audits, and whether the process has recently changed. A risk-based audit schedule is considered best practice under ISO 19011.

Internal audits must be conducted by someone who is competent in auditing techniques and knowledgeable about the standard or requirements being audited against. Most critically, auditors must not audit their own work; this independence requirement is a core principle in ISO 19011. In practice, most organizations build a small internal audit team drawn from different departments who cross-audit each other's areas, supported by periodic refresher training on auditing methodology.

An internal audit is conducted by or on behalf of the organization itself, typically to assess compliance with its own procedures, management system standards, or regulatory requirements. It is a self-assessment and improvement tool. An external audit is conducted by an independent outside party: either a customer or certification body conducting a second-party audit, or an accredited certification body conducting a third-party audit for ISO certification. Internal audits prepare you for external audits; they are not a substitute for them.

A well-built internal audit checklist should include the specific requirements or standard clauses being audited, open-ended questions designed to prompt evidence collection rather than yes/no responses, space to record objective evidence such as document reference numbers and records reviewed, a classification system for findings, and space for auditor notes and observations. Checklists should be tailored to the specific process and scope in each audit; using a single generic template across all audits year after year is one of the most common reasons internal audits stop finding meaningful issues.

Each non-conformance must be formally closed through a documented corrective action process. This involves: (1) performing a root cause analysis using a structured method such as 5-Why or fishbone diagrams; (2) developing a corrective action plan with specific actions, assigned owners, and target completion dates; (3) implementing the agreed actions; (4) collecting objective evidence that the actions were completed; and (5) verifying that the actions were effective in eliminating the root cause. Only after effectiveness verification should the non-conformance be formally closed in your audit management system.

Audit Management Software

Have a consistent, working internal audit strategy that continuously brings about compliance in the middle of regulatory updates with Smart Audit’s audit management features.