Management Systems

Internal audits that create value

How to move internal audit beyond a compliance checklist into a risk-focused, evidence-based practice that improves the business.

High-Performance QMS

Internal audit is one of ISO 9001's most underused tools. Reduced to a checklist, it confirms documents exist and misses what matters. Done well, it examines whether processes achieve their intent, focuses on risk, gathers real evidence, and produces findings that leadership can act on. This guide covers how to make internal audit create value.

Best used when
  • Audits confirm paperwork but miss real issues
  • Findings are minor and rarely lead to improvement
  • Auditors follow a checklist regardless of risk
  • Leadership sees audit as a compliance ritual
Plan

Risk-based audit planning

Focus audit effort where risk and importance are highest, rather than auditing every area at the same depth on a fixed rota.

  • Prioritize processes by risk and performance
  • Vary depth and frequency by importance
  • Set clear objectives for each audit
Conduct

Evidence-based inquiry

Good auditing asks how a process achieves its intent and gathers evidence, rather than ticking off clauses.

  • Follow the process and the evidence, not just documents
  • Ask open questions about outcomes and risks
  • Confirm findings with objective evidence
Report

Constructive, useful findings

Findings should help people improve. Frame them clearly, distinguish severity, and highlight good practice as well as gaps.

  • Separate significant issues from minor observations
  • Explain impact, not just non-conformance
  • Recognize strengths and share good practice
Improve

Connecting audits to decisions

Value comes from what happens after the audit. Feed findings into management review and track actions to closure.

  • Route significant findings into management review
  • Track actions and verify they prevent recurrence
  • Look for patterns across audits over time
Common mistakes
  • Auditing to a checklist regardless of risk
  • Reporting only conformance, never impact
  • Findings that close without preventing recurrence
  • Treating audit as separate from management decisions
How Cogliva helps

From findings to improvement

Cogliva helps you connect audit findings to owned actions, objectives, and review, so audits drive improvement rather than filing reports. Cogliva supports internal audit follow-through; it does not perform audits or replace auditor judgment.

Frequently asked questions

What does ISO 9001 require for internal audits?

ISO 9001 requires planned internal audits at planned intervals to check the QMS conforms to requirements and is effectively implemented and maintained, with results reported to relevant management and non-conformities addressed. It leaves the method to you.

How do we make internal audits more valuable?

Focus on risk and process intent rather than checklists, gather real evidence, write constructive findings that explain impact, and connect results to management review and improvement actions. Value comes from what changes afterward.

Can the same people audit their own work?

Auditors should be objective and, as far as practical, not audit their own work. Small organizations can manage this by cross-auditing between functions or using competent people from other areas.

Audit to improve, not just to confirm

Risk-focused, evidence-based audits connected to decisions make the whole system better.

Back to High-Performance QMS