top of page

Clause 9 Performance Evaluation

9.2 Internal audit

Clause Criteria

There are 2 sub-clauses:
Clause 9.2.1 General
The organization shall conduct internal audits at planned intervals to provide information on whether the management system:
a) conforms to:
the organization’s own requirements for its management system;
the requirements of this document;
b) is effectively implemented and maintained.
Clause 9.3.2 Internal audit programme
The organization shall plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting.
When establishing the internal audit programme, the organization which shall consider take into consideration the importance of the processes concerned and the results of previous audits.
The organization shall:
a) define the audit criteria and scope for each audit;
b) select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;
c) ensure that the results of audits are reported to relevant managers;
d) retain documented information as evidence of the implementation of the audit programme(s) and the audit results.


The intent of the clause on Internal audit is to specify the requirements for planning, implementing and maintaining an internal audit programme for purposes of checking that the organization’s management system conforms to both the Management Systems Standard requirements and any additional management system related requirements the organization self-imposes, and that the management system is being effectively implemented and maintained as planned.

An internal audit programme requires that;
internal audits be planned and scheduled based on the importance of the processes audited and the results of previous audits,
a methodology for planning and conducting internal audits be established,
roles and responsibilities within the audit programme be assigned taking into account the integrity and independence of the internal audit process,
the audit criteria (i.e., policies, procedures or requirements used as a reference against which relevant and verifiable records, statements of fact or other information will be compared) and audit scope (i.e., description of the physical locations, organizational units, activities and processes, as well as the time period covered) for each audit planned.
The internal audit programme is planned and implemented and maintained by internal personnel, or can be managed by external persons acting on the organization’s behalf. In either case the selection of internal audit programme personnel needs to meet Competence (Clause 7.2) requirements.
The results of internal audits are reported to the management responsible for the functions/unit audited, and any other individuals deemed appropriate in accordance with the requirements of the Communication clause (7.4).
Documentation providing evidence of internal audit programme implementation and audit results is created and controlled in accordance with the requirements of Documented information (7.5).
Information, including trends, on internal audit results is reviewed in accordance with the requirements of Management review (9.3).

Chief Explainer:

Phil Byrne

bottom of page