Quality Assurance: Internal Audit Requirements

Internal audit requirements form a core compliance obligation within formal quality management systems, establishing the mechanisms by which organizations verify that their own processes conform to documented standards, regulatory mandates, and operational objectives. These requirements are defined by standards bodies including the International Organization for Standardization (ISO) and the American Society for Quality (ASQ), as well as sector-specific regulators such as the U.S. Food and Drug Administration (FDA) and the Department of Defense (DoD). Understanding the structural boundaries of internal audit obligations — what triggers them, who conducts them, and what records they must produce — is essential for quality professionals operating in regulated environments.


Definition and scope

An internal audit, within the context of quality assurance, is a systematic, documented, and independent examination of an organization's quality management system (QMS) conducted by personnel within or commissioned by that organization. The purpose is to determine whether the QMS conforms to planned arrangements, to the requirements of the applicable standard, and to the requirements established by the organization itself.

ISO 9001:2015, Clause 9.2, establishes the foundational international requirement for internal audits. The clause mandates that organizations conduct internal audits at planned intervals and that audit results be reported to relevant management. ISO 9001 applies across industries; sector-specific extensions include AS9100 for aerospace and IATF 16949 for automotive manufacturing, each layering additional audit frequency and documentation obligations onto the base ISO 9001 framework.

In regulated U.S. industries, internal audit requirements carry statutory weight. FDA regulations under 21 CFR Part 820 (Quality System Regulation for medical devices) require that quality audits be conducted at sufficient intervals to ensure the quality system is effective. The FDA's Quality System Regulation has been updated through alignment with ISO 13485:2016 under the Quality Management System Regulation (QMSR) finalized in 2024. Similarly, 21 CFR Part 211 governs pharmaceutical GMP compliance, with internal self-inspections serving as the functional equivalent of internal audits.

The scope of internal audit requirements extends across four primary dimensions: process conformance, product conformance, system effectiveness, and regulatory adherence. Audit scope must be defined in an audit plan, and the plan must be accessible to auditors and auditees before the audit begins.

For a foundational reference on how these requirements fit into the broader compliance landscape, see the Quality Assurance Regulatory Framework reference.


How it works

Internal audit execution follows a structured lifecycle, typically organized into five discrete phases:

  1. Planning — The audit program manager defines the audit schedule, scope, criteria, and methods. ISO 9001:2015 Clause 9.2.2(a) requires that the program take into account the importance of the processes concerned and the results of previous audits.
  2. Auditor assignment — Auditors must be selected to ensure objectivity and impartiality. ISO 19011:2018, the guidelines for auditing management systems published by ISO, specifies that auditors must not audit their own work. This independence requirement is structural, not discretionary.
  3. Document review — Auditors review the quality manual, procedures, work instructions, and records relevant to the audit scope before conducting on-site or remote activities.
  4. On-site audit execution — Auditors gather evidence through interviews, observation of activities, and inspection of records. Evidence is documented using objective, verifiable language.
  5. Reporting and follow-up — Findings are classified as conformances, observations, or nonconformances. Nonconformances require documented corrective action, and the audit record must be retained as evidence of QMS operation (Quality Assurance Documentation Requirements).

The audit program itself must be reviewed periodically to assess its effectiveness. ISO 19011:2018 identifies six competence criteria for auditors: ethical conduct, open-mindedness, diplomacy, observational skill, perceptiveness, and versatility — each evaluated through defined performance metrics during auditor qualification.


Common scenarios

Internal audit requirements activate across a range of operational circumstances. The scenarios most commonly encountered in regulated industries are:

Scheduled surveillance audits — Organizations certified to ISO 9001, AS9100, or IATF 16949 must conduct internal audits on a planned cycle, typically annual, to maintain certification. Certification bodies such as those accredited by the ANSI National Accreditation Board (ANAB) verify internal audit records during external surveillance and recertification audits.

Pre-certification audits — Before submitting to a third-party certification audit, organizations conduct internal audits to identify gaps. This scenario is particularly common in organizations pursuing initial ISO 9001 certification, where the internal audit serves as a readiness gate.

Regulatory inspection preparation — In FDA-regulated industries, internal audits are conducted before FDA inspections to identify potential Form 483 observations (inspection observations). The FDA's Investigations Operations Manual references quality system audits as an indicator of management commitment during inspections.

Post-incident audits — Following a product recall, customer complaint cluster, or process failure, organizations may conduct focused internal audits scoped to the affected process area. These are often linked to corrective and preventive action (CAPA) requirements under 21 CFR Part 820.


Decision boundaries

Internal audit requirements create distinct classification decisions that quality professionals must navigate correctly.

Internal audit vs. third-party audit — Internal audits are first-party activities conducted by or on behalf of the organization itself. Third-party audits, conducted by independent certification or regulatory bodies, operate under separate procedural and evidentiary standards. The two cannot substitute for each other under ISO 9001 or FDA QSR frameworks.

Auditor independence threshold — ISO 19011:2018 prohibits auditors from auditing processes they directly manage or operate. An organization with fewer than 10 employees may use external consultants or cross-departmental personnel to satisfy this independence requirement. The threshold is functional, not numerical: the test is whether the auditor has a direct stake in the audit outcome.

Finding classification — Nonconformances require documented corrective action with root cause analysis and effectiveness verification. Observations (sometimes called opportunities for improvement) do not mandate corrective action under ISO 9001 but must still be documented in the audit report. Misclassifying a nonconformance as an observation is itself a finding during external surveillance audits.

Audit frequency determination — ISO 9001:2015 does not specify a minimum number of internal audits per year. The program must be risk-based: processes with a history of nonconformances, higher regulatory risk, or direct product impact require more frequent audit intervals than administrative processes.
