FAQ

How often should we perform internal audits under ISO 9001?

ISO 9001 does not specify an exact frequency (for example, quarterly or annually) for internal audits. Instead, it requires you to establish an internal audit program with planned intervals that are appropriate for your organization and its risks.

What ISO 9001 actually requires

ISO 9001:2015 clause 9.2 requires organizations to:

  • Conduct internal audits at planned intervals.
  • Plan the audit program by considering the importance of the processes, changes affecting the organization, and the results of previous audits.
  • Define the criteria, scope, frequency, and methods in the audit program.

In practice, this means there is no universal “correct” number of audits per year. The program must be justified by your context, risk, and performance, and it must cover all QMS processes over time.

Typical patterns in regulated manufacturing environments

In aerospace and other regulated, high-liability sectors, common approaches include:

  • Full QMS coverage at least annually: All core processes are audited at least once per year, often more frequently for high-risk areas.
  • Risk-based frequency:
    • High-risk processes (e.g., special processes, final inspection, configuration management, contract review) audited every 3 to 6 months.
    • Moderate-risk processes (e.g., document control, training, calibration) audited every 6 to 12 months.
    • Lower-risk or stable support processes audited annually, sometimes on a multi-year rotation if well controlled and justified.
  • Event-driven audits: Additional focused audits when issues arise, such as significant nonconformances, customer complaints, major process changes, supplier failures, or after corrective actions.

External customers, primes, or regulators may effectively drive expectations above the ISO 9001 baseline, even though they cannot change the standard itself. Those expectations should be reflected in your internal audit program where applicable.

Factors that should drive your audit frequency

When defining how often to audit, consider:

  • Risk to product quality and safety: Processes directly affecting conformity, airworthiness, or patient safety typically need more frequent audits.
  • Process performance and stability: High scrap, rework, escapes, or repeat nonconformances justify tighter audit cycles until performance stabilizes.
  • Regulatory and customer requirements: Contractual or sector-specific rules (e.g., aerospace quality requirements) can influence expectations for audit depth and cadence.
  • Organizational change: New product introductions, system migrations (MES/ERP/QMS), layout changes, or supplier changes often require temporary increases in audit frequency.
  • Past audit results: Processes with major or repeat findings should be audited more frequently until effectiveness of corrective actions is demonstrated.
  • Resource constraints: Limited qualified auditors, limited downtime, and complex brownfield environments require pragmatic scheduling, but not at the expense of known high-risk areas.

Balancing thoroughness with plant reality

Many regulated plants operate with legacy MES/ERP/QMS systems, manual travelers, and constrained downtime. In these contexts:

  • A single annual internal audit “blitz” is usually risky, because it concentrates disruption and often misses issues that arise mid-year.
  • A quarterly or monthly rolling schedule by process or area often works better, spreading load while maintaining coverage.
  • Audit scope can be narrow but deep for high-risk processes, focusing on traceability, configuration control, and evidence trails across multiple systems.

Trying to redesign the entire audit approach around new tools or full system replacement is rarely justified in high-regulation, long-lifecycle environments because of the validation, qualification, and change control burden. It is usually more practical to improve audit planning and evidence capture around existing systems.

Pragmatic baseline for many ISO 9001 plants

While you must define your own program, a commonly defensible starting point is:

  • Audit all QMS processes at least once every 12 months, documented in an audit schedule.
  • Audit high-risk production and support processes every 3 to 6 months until performance is stable.
  • Trigger additional focused audits for significant nonconformances, major changes, or systemic CAPAs.
  • Review and adjust your audit program at least annually based on data and management review.

This approach aligns with ISO 9001 expectations while respecting the realities of complex industrial operations.

Evidence and justification

Regardless of your chosen frequency, external auditors will look for:

  • A documented audit program showing scope, criteria, frequency, and methods.
  • Risk-based rationale for why some areas are audited more or less often.
  • Completed audit reports, records of findings, and follow-up actions.
  • Evidence of effectiveness: nonconformances being addressed, recurrence reduced, and management review considering audit results.

If you can demonstrate that your audit frequency is intentional, risk-based, and adjusted based on performance, it is usually acceptable under ISO 9001, even if it differs from neighboring plants.
