
Carlos Pereira da Cruz


Writing a good QMS internal audit report

Advisera Mark Hammar

In ISO 9001, the process for internal audits is one of the most important ways for you to ensure that your quality management system (QMS) is functioning properly and efficiently, but what is the role of the audit report in this process? Many people who are not well versed in audits or the overall quality management system may not fully understand how important an audit report can be. Here is the information you need to know.

What is the importance of an audit report?

An audit report is the official record of an audit – the only official record. All of the notes taken by the auditors, all of the comments made by employees during the audit, all of the information taken by the process owners during the audit, and all of the statements made at the closing meeting really don’t amount to anything official. If something is not recorded in the audit report, it doesn’t really count. Remember that it will not only be the people who were audited or were at the closing meeting who will read the audit report; audit reports are also used in management review by people who were not part of the audit.

This is why the audit report from, e.g., a third-party certification body is so detailed; the report needs to record all the information necessary to detail any corrective actions needed and justify why your company is compliant with the ISO 9001 standard. The audit report needs to be the complete recorded evidence of all aspects of the audit. In many ways, an audit without a good report is not really an audit.

What should be in an audit report?

So, this brings up the question of what makes a good audit report. What needs to be included, and what should be eliminated? When looking at this, it is important to remember again that the audit report is the one official report of the audit, and therefore must stand on its own. The best practice for audit report content is included in ISO 19011, guidelines for quality and/or environmental management systems auditing. This may be overkill for a small company, and can be reduced if required, but it is a good start when considering what you want to include in your audit reports.

Here is a list from ISO 19011 of the seven items that should be included in an audit report:

Additionally, ISO 19011 includes some optional items; the following could be applicable to an internal audit if deemed to be useful:

For more on using ISO 19011 to improve your internal audit process, see ISO 9001 internal audit in 13 steps using ISO 19011.

An audit report should not include surprises

One final thing to note is that nothing in the report should come as a surprise to the auditees who read it. If information was not presented at the closing meeting, it should not find its way into the audit report. Use your audit report to document what happened in the audit, make it easy to understand, and you will find that your audit information will benefit your efforts to improve your QMS.


How to write an internal audit report for ISO 27001


As part of the management system requirements, Clause 9.2 details what must be done regarding internal audits. This includes a requirement for retaining documented evidence of the audit results, and this is done by way of an audit report.

What is an ISO 27001 internal audit?

An ISO 27001 internal audit involves a competent and objective auditor reviewing the ISMS or elements of it and testing that:

In addition to the overall compliance and effectiveness of the ISMS, as ISO 27001 is designed to enable an organisation to manage its information security risks to a tolerable level, it will be necessary to check that the implemented controls do indeed reduce risk to a point where the risk owner(s) are happy to tolerate the residual risk.

Internal Audit For ISO 27001 Requirement 9.2

Clause 9.2 Internal audit mandates:

“The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system:

a) conforms to

b) is effectively implemented and maintained.

The organization shall:

c) plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits;

d) define the audit criteria and scope for each audit;

e) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;

f) ensure that the results of the audits are reported to relevant management; and

g) retain documented information as evidence of the audit programme(s) and the audit results.”


How do ISO 27001 internal audits work?

Internal audits for ISO 27001 work by following an audit programme that identifies the audits to be carried out before certification and during each certification period.

They require the selection of a competent and objective auditor to undertake each internal audit verifying compliance with the requirements of the standard, the organisation’s own information requirements and objectives for the ISMS, and that the policies, processes, and other controls are effective and efficient.

Activities included within an internal audit:

Documentation review

How often do I need to conduct an audit?

Whilst it is not clear within ISO 27001 itself how often you must perform internal audits, it is expected that the audit programme follows the same requirements as those placed upon the certification bodies for conducting their audits following ISO/IEC 27006:2015 – Requirements for bodies providing audit and certification of ISMSs.

ISO 27006, requirement e, states that the audit programme “covers representative samples of the scope of the ISMS certification within the three year period.”

Therefore, you need to conduct internal audits covering the entire standard, at minimum, over the certification period (3 years for UKAS accredited certificates).

You could do this as a single audit, but it is more commonly broken down into smaller audits over the 3-year period.

It is also important to audit some areas more frequently if the risk levels are high or the area is subject to frequent changes.

It’s recommended that you audit the management system requirements (Clauses 4-10) annually. This can be tied into your ISMS management review, which also has to be conducted annually.

Within ISMS.online, we provide a pre-built Audit Programme work area which includes:


Why do I need to create a report for an internal audit?

The standard requires you to document the audit results – Clause 9.2 of ISO 27001 includes the requirement to “retain documented information as evidence of the ……… audit results”.

This is done within an Audit Report.

What needs to be done when preparing the report?

Obviously, before you can document the audit report, you have to plan and carry out the audit. You can then document the findings in the report.

Get started with your ISO 27001 audit plan

For each audit, you will need to plan:

Every audit will require the review of relevant documentation, including policies, procedures, standards, and guidance relevant to the area(s) of the standard being audited. It is good practice to advise those being audited of the areas to be covered to ensure easy and timely access to the relevant documentation.

In ISMS.online, this is made easy by either having the documentation within the system or linking it within the standard’s relevant section.

Evidential sampling & interviews

Most audits will require the sampling of evidence to a lesser or greater degree. This may include interviewing relevant key staff, end users, and sometimes even temporary staff and contractors.

Sources for sampling may include, for example:


Once the data gathering for the audit has been done, it will be necessary for the auditor to assess and analyse the findings to determine any nonconformities or opportunities for improvement.

Findings are normally categorised as one of the following:

Some certification bodies also use:

Having analysed the findings, the audit report can now be prepared and presented to the person or team responsible for the ISMS for review and follow-up.

How is an internal audit report prepared?

The audit report must be prepared as documented information, but this doesn’t mean it has to be a separate Word or PDF document. Within the ISMS.online platform, we try to encourage the avoidance of creating such documents but instead provide a work area in which the report can be directly documented. This area offers additional functionality including the ability to easily link to other work areas, policies, controls, risks, corrective action and improvement “tickets”, and more.

Create an executive summary

The executive summary is useful so that senior management can quickly and easily see an overview of the findings, including any possible critical issues, trends, and opportunities for improvement. This can then be easily linked to the ISMS management review following Clause 9.3.

This will usually include:

Introduce terminology used

To ensure a common understanding of the report’s findings, it is necessary to include the definitions of some terminology used that is either specific to the organisation, the audit process, or the standard. Remember, not all who may need to read, assess and understand the report, will necessarily understand all of the terminology used.

Describe the Audit Plan

This will include:

Describe facts found

For each section of the audit, you should document the findings, including notes of any evidential samples taken.*

It is good practice to record compliance and positive points and document any nonconformities or opportunities for improvement.

The findings should record the facts found relevant to the ISMS and the standard and should not include opinion or conjecture beyond reasonable extrapolation.

*Note – if evidential samples contain personally identifiable information, it is usual practice to pseudonymise or anonymise the data in line with privacy legislation requirements such as GDPR.

Document nonconformities and opportunities for improvement

Where nonconformities and opportunities for improvement are identified, these must be clearly documented so that corrective actions and improvement items can be recorded and managed through the organisation’s recognised processes as documented in accordance with Clause 10.1 Nonconformity and corrective action; and 10.2 Continual improvements.

Describe recommendations

As this is an internal audit report, it is allowable for an auditor to make recommendations about how an organisation might address findings. Ultimately the decisions relating to corrective actions and improvements must be made by the relevant individuals or teams responsible for the ISMS and information security.


How ISMS.online makes reporting easy

The ISMS.online platform dispenses with the need for creating Word documents, PDFs and spreadsheets by providing an all-in-one-place solution for easily documenting and linking all aspects of the ISMS, including the documentation of audit reports.

ISMS.online includes a pre-built audit programme project that covers both internal and external audits.

The pre-built audit programme includes:

Each internal audit activity contains a template for a combined audit plan and report.

Prior to conducting the audit, the template acts as the audit plan – including which areas are to be audited and providing prompts for recording when the audit will be conducted and by whom.

During or after conducting the audit, the auditor can write notes directly into the templated audit activity.

As well as simply providing the audit activity templates, ISMS.online provides the ability to quickly link to other work areas within the platform which means that linking audit findings to controls, corrective actions and improvements, and even to risks is made easy and accessible. This will enable you to easily demonstrate to your external auditor the joined-up management of identified findings.


How to Write an Internal Audit Report for ISO 27001

Internal audits are essential for maintaining ISO 27001 compliance. The requirements for writing an internal audit report are outlined in Clause 9.2 of the Standard.

But how do ISO 27001 audits work, and why do you need to document the results? We explain everything you need to know in this blog, including our top tips for writing an ISO 27001 internal audit report.

What is an ISO 27001 internal audit?

An ISO 27001 internal audit is a thorough examination of an organisation’s ISMS (information security management system) to ensure that:

An internal audit is one of two assessments that organisations must complete to achieve ISO 27001 compliance – the other being the certification audit.

Each type of audit is conducted in a different manner and for a different purpose. The certification audit is carried out by a third party, who assesses the ISMS to determine whether the organisation should be certified.

By contrast, the internal audit is conducted by an organisation’s staff, who use the results to inform future decisions regarding the ISMS.

The internal audit report is therefore a crucial part of the process. It helps the organisation identify weaknesses that could jeopardise the organisation’s compliance status and the security of its data.

The organisation should use the results of the audit to make improvements before the certification audit.

Internal audits should be repeated at regular intervals to ensure that the ISMS remains compliant and effective.

Why do I need to create a report for an internal audit?

Organisations are required to document their ISO 27001 internal audits so that they can:

Preparing your ISO 27001 internal audit report

An ISO 27001 internal audit report is typically split into four sections.

1. Executive summary

The executive summary gives decision makers an overview of the organisation’s compliance status and any nonconformities that must be addressed. It might also contain:

2. Describe the audit

The audit report should contain relevant information about how the audit was conducted. This should include the audit criteria, but might also specify details of the audit’s scope, such as areas that were covered, locations and relevant staff, as well as the key findings of the assessment.

Findings shouldn’t be limited to areas of non-compliance; you should also describe areas of strength and other positive notes.

This can be listed either as its own section or as an addition to the executive summary.

3. Document nonconformities and opportunities for improvement

One of the main objectives of the internal audit is to identify areas where the organisation’s practices fail to meet the requirements of the Standard or the organisation’s needs.

These should be documented in the audit report so that corrective actions and improvements can be recorded and managed.

4. Define corrective actions

Because the internal audit is intended to bolster the organisation’s compliance posture, the internal auditor must conclude with a list of corrective actions.

These actions will follow on from the identified nonconformities, stating the steps that the organisation must take to close compliance gaps.

Simplify your internal audit reporting with IT Governance


With IT Governance’s ISO 27001 Toolkit, you’ll receive the support you need to complete an internal audit process quickly and efficiently.

Developed by the experts who led the world’s first ISO 27001 certification project, this toolkit contains customisable templates to complete the internal audit process, along with more than 140 documents to manage ISO 27001 compliance.

It’s directly aligned to the clauses and controls of ISO 27001, ensuring complete coverage of the Standard.

About The Author

Luke Irwin is a writer for IT Governance. He has a master’s degree in Critical Theory and Cultural Studies, specialising in aesthetics and technology.

How to Write a Good Audit Report: 4 Key Resources to Follow


Want to learn how to write a good audit report that is digestible and effective at motivating stakeholder action? Elevate your next audit report with our reporting resources package, with proven tactics to boost clarity and business impact.

What Is Considered a Good Audit Report? 

A good internal audit report is one that clearly communicates the objectives, scope, and findings of an audit engagement, and in doing so, motivates its readers to take internal audit’s recommended actions. 


What Should Be in an Audit Report? 

Content matters when learning how to write a good audit report. Our understanding of audit report contents is based on The IIA Standard 2410 - Criteria for Communications. In the internal auditing standards, we are told what the report must and should contain. Since we are all working from the same auditing standards, audit reports have a basic structure that most internal auditors follow. The audit report generally includes the following elements:

The report typically starts with a description of the scope and objectives. This section of the report establishes what the audit was about, why the audit risk areas mattered to management, and what the team included in the audit. 

Next, the report details the issues that were found in the results section. For most audit departments, the issues, recommendations, and action plans are combined for each of the issues noted. 

The conclusions section of the report allows the audit team a chance to make comments that extend beyond the individual issues in the results section. The conclusion section is also where most reports include the internal auditor’s opinion. The end of the report is a good opportunity to include a positive note acknowledging areas where management did well.

How Do You Write a Good Audit Report? 

A good internal audit report conveys a clear message to the reader. Looking back at The IIA Standard 2410, the guidance is written about communication, not reporting. If we are writing a report as a communication tool, then the report should be free of judgment, written in a tone that appeals to the reader instead of making accusations. Audit reports should be brief and to the point. Norman Marks once said, “The length of the audit report, if one is even needed, should be just enough to tell the consumers of the report what they need to know – and no more.” The report should also steer clear of any jargon since the report may go to external parties. As long as the focus remains on communicating with management about the risks and control environment in the area that was audited, you will write a good report.

We’ve collected four of our top resources on how to write a good audit report from our Audit Management Playbook, including Tips for Writing an Effective Executive Summary, 10 Best Practices for Writing a Digestible Audit Report, and the Audit Reporting Checklist — and you can download the full Audit Management Playbook below.

4 Tips for Writing an Effective Executive Summary

The first step to writing a great audit report is ensuring its contributors understand the desired outcome of the report. For an audit report to make an impact on the business, it must motivate leadership to act upon internal audit’s recommendations.


1. Know Your Readers

Understand who will receive the report. The executive summary should give an overview of the detailed report that resonates with every executive officer who reads it, so it is important to understand your organization’s culture. Some organizations may be more cross-functionally collaborative, while others will be more compliance-oriented. Not every stakeholder will be a technical subject matter expert. For example, if your report is going to the CFO and you have IT audit findings, make sure that you don’t have to be an IT expert to understand what the issue is.

2. Cut the Fluff

The executive summary should be 1-2 pages. Aim for brevity as much as possible. Consider the best way to summarize each point, as there will be more takeaways in the detailed report. Wherever possible, use numbers and percentages to help drive points home. Eliminate any unnecessary descriptive adjectives and adverbs.

3. Explain It to the Company

Whether the audit report is presented to members from operations or IT, the executive summary should be written so that every individual can easily understand the terminology and sophistication level of the writing. A good rule of thumb is to try to explain every point in a way that all levels of experience and expertise at your company would understand.

4. Make It Digestible

For any key point, whether it is a big, scary finding or a positive one, bring the reader’s attention to the information as concisely as possible. Decide on your most important takeaways or messages, then leverage visual formatting to draw your audience’s eyes to each message.

Writing the Detailed Report

Depending on the audit, the expectations set during the opening meeting, and the findings, the contents of the detailed report may vary. If there were more findings and complexity in the audit than anticipated, you might need to include more detail.


The contents of the detailed report are as follows:

10 Best Practices for Writing a Digestible Audit Report


1. Reference Everything. 

Avoid unverifiable claims and make sure to bridge any gaps of information by referencing where you obtained key facts and figures.

2. Include a Reference Section. 

Using indices, appendices, and tables in this section is very helpful.

3. Use Figures, Visuals, and Text Stylization. 

If you can put a number behind a fact or use a percentage to describe it, do so. Circle or highlight the key points you want to convey, as well as bold, underline, italicize, or use color to draw attention to key facts and figures. Use tables or graphs to summarize and draw attention to key trends or important data, wherever possible.

4. Note Key Statistics about the Entity Audited. 

Noting key statistics about the entity audited in the Background/ Overview, if applicable, puts things in perspective and gives context and relevance to your audit findings. 

5. Make a “Findings Sandwich.” 

Layer a positive finding, followed by an issue, followed by a positive, and so on. Try to end the Findings Summary on a positive note.

6. Ensure Every Issue Includes the 5 C’s of Observations. 

Criteria, Condition, Cause, Consequence, and Corrective Action Plans/ Recommendations.

7. Include Detailed Observations. 

Detailed Observations are also a good place to include any additional facts and figures.

8. Always Perform a Quality Assurance Check. 

Seek someone who does not have a direct connection to the audit so they can provide fresh eyes. If possible, ask someone from the department or function audited to review the report as well.

9. Avoid Blame – State the Facts.

Aim to preserve the relationship with audit clients by being as objective as possible and avoiding blame. Simply state issues and recommended actions.

10. Be as Direct as Possible.

Avoid soft statements when making recommendations (such as “Management should consider…”) and opt for solid recommendations and calls to action instead.

Audit Reporting Checklist

To elevate your next audit report, follow our audit checklist on how to write a good audit report to ensure that it clearly communicates the objectives, scope, and findings of an audit engagement, and in doing so, motivates its readers to take internal audit’s recommended actions.


How to Write an Audit Report

Last Updated: March 6, 2023

This article was co-authored by Michael R. Lewis. Michael R. Lewis is a retired corporate executive, entrepreneur, and investment advisor in Texas. He has over 40 years of experience in business and finance, including as a Vice President for Blue Cross Blue Shield of Texas. He has a BBA in Industrial Management from the University of Texas at Austin. There are 9 references cited in this article, which can be found at the bottom of the page. wikiHow marks an article as reader-approved once it receives enough positive feedback. This article has 25 testimonials from our readers, earning it our reader-approved status. This article has been viewed 432,682 times.

An audit report is the formal opinion of audit findings. The audit report is the end result of an audit and can be used by the recipient person or organization as a tool for financial reporting, investing, altering operations, enforcing accountability, or making decisions. An effective audit report is essential to making sure the results of your audit are presented in a way that is useful to the party receiving the audit.

Preparing to Write an Audit Report


Tip: Make sure to define all the terms and abbreviations you use, as the standard forms of communication have potential to change.


Beginning Your Report


Writing Your Results and Recommendations


About This Article

Michael R. Lewis

To begin an audit report, write an "Introduction" that gives background information. Then, add a "Purpose and Scope Methodology" section that outlines your goals and explains what you included and excluded from your report. After this section, add your disclaimer, the "Statement on Auditing Standards," and end with your "Executive Summary." This summary should explain your findings, ratings, and any action that will be taken. Throughout the report, use concise language and bullet points.


QMS Internal Audit Report Word Template | ISO 9001


An Internal Audit Report is a document generated by an organization's internal auditors that details the findings of an audit. It provides information about how well the company's systems and processes are working and what needs improvement, and it is used internally within organizations or departments.


The purpose of a QMS internal audit is to assess the effectiveness of a company's systems and processes. QMS Internal audits can be conducted on any aspect of a business, from financial systems to quality management systems (QMS). Internal auditing is a critical process for ensuring compliance and effectiveness when it comes to quality management systems. Internal auditing is a process by which an organization evaluates and improves its quality management system.

It involves reviewing records, interviewing employees, and performing other tests to identify areas of improvement. In addition, internal auditing aims to ensure that the quality management system is effective and compliant with all applicable standards and regulations. 

QMS Internal Audit Reports are an essential part of any business. They help ensure that all aspects of the business are functioning correctly and that employees follow company policies. In addition, there are some key objectives that Internal Audit Reports should achieve, including identifying areas where improvements can be made, ensuring compliance with regulations, and preventing or detecting fraud. One of the key objectives of Internal Audit Report Word Template is to identify areas where improvements can be made. This may include finding ways to improve efficiency or reduce costs. It may also involve identifying areas where the company is not compliant with regulations. By pinpointing these areas, the company can correct them and avoid any potential penalties.

The Seven Processes of an Internal Audit Report:

An Internal Audit Report Template is a comprehensive report that documents the findings of an internal audit. The report outlines the seven processes followed during an internal audit: planning and scoping, risk assessment, data collection and analysis, findings and recommendations, management response and action plan, reporting, and follow-up. We will discuss each of these processes in detail.


Benefits of Internal Audit Report Template:

Internal Audit Reports can provide several benefits for businesses, including:


ISO Internal Audit Explained [with Procedures & Checklists]

What is an ISO Internal Audit?

The purpose of an ISO internal audit is to assess the effectiveness of your organization’s quality management system and your organization's overall performance. Your internal audits demonstrate compliance with your ‘planned arrangements’, e.g. the Quality Management System (QMS) and how its processes are implemented and maintained.


Why Perform Internal Audits?

Your organization will likely conduct internal audits for one or more of the following reasons:

Principles of Internal Auditing

Auditing relies on a number of principles whose intent is to make the audit an effective and reliable tool that supports your company’s management policies whilst providing suitable objective information that your company can act upon to continually improve its performance.

Adherence to the following principles is considered to be a prerequisite for ensuring that the conclusions derived from the audit are accurate, objective and sufficient. It also allows auditors working independently from one another to reach similar conclusions when auditing in similar circumstances.

The following principles relate to auditors:


Selection of Auditors

Competence level may be measured by training, participation in previous audits and experience in conducting audits. Auditors may be external or internal personnel; however, they should be in a position to be impartial and objective.

When internal personnel are selected to perform an audit, a mechanism needs to be established to ensure objectivity, for instance, a representative from another department may be selected to do the audit.

Audits are demanding and require various forms of expertise. The size of the audit team will vary depending on the size of the organization, the size and type of operations and the scope of the audit.


Preparing for the Audit

Before the audit, prepare thoroughly! Spending time in preparation will make you much more effective during the audit - you will become a better auditor. Auditors should not skip this step as it provides much needed value to the audit. Taking the time to prepare and organize actually saves time during the audit.


You should have an up-to-date audit schedule and a well defined audit plan for each process. Be sure to communicate the audit schedule to all parties involved as well as to Top Management as this will help reinforce your mandate.

Gather together all the relevant documented information that relates to the process you will be auditing. Look at process metrics, work instructions, turtle diagrams, process maps and flowcharts, etc. If applicable, collect and review any control plans and failure mode effects analysis work sheets too. Review these thoroughly and highlight the aspects that you plan to audit. Using the documented information in this way ensures they become audit records.

Your organization’s documented information may not cover all of the requirements that may be relevant to the process. If certain information is not available, it may become your first audit finding, not bad for the pre-audit review!

Certain information and linkages should be audited. Some are required and some are simply good audit practice. Putting these sections into a worksheet format gives auditors a guide to follow, to ensure the relevant links are audited.

The Human Aspect of Auditing

Good auditors realize very early on that they are dealing with personalities as much as processes and systems. Whilst the intent of the audit is a serious one, often light humor, politeness and diplomacy are the best ways to build rapport. It is vital every effort is made to reassure those being audited that the audit’s primary function is to drive improvement, not to name and shame.

If you are new to auditing, acknowledge this fact, be open and honest. It is also important to explain to the auditees that they are free to express their views during the audit. Remember that you, the auditor, are also there to learn.

Always discuss the issues you have identified with the auditees and always provide guidance on what is expected in terms of rectifying any non-conformances or closing out observations you raised. Let the auditees know they are welcome to read your notes and findings; the audit is not a secret.

Try not to be drawn into arguments concerning your observations. It is never appropriate to directly name people in the audit report as this may lead to defensiveness, which is ultimately counterproductive.

Definition of Internal Auditing

"Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes."

Source: International Professional Practices Framework (IPPF), The Institute of Internal Auditors Research Foundation. Florida, USA, January 2011

Types of ISO Internal Audit

Internal audits are commonly referred to as ‘first-party audits’ and are conducted by an organization to determine compliance to a set of requirements which might arise from standards like ISO 9001:2015, as well as customer or regulatory requirements.

There are common methods of internal auditing that may be used to determine compliance:

System audits, process audits and product audits.

The system audits are best undertaken using the internal audit checklist. This type of audit focuses on the organization’s quality management system as a whole, and compares the planning activities and broad system requirements to ensure that each clause or requirement has been implemented.

The process audit is an in-depth analysis which verifies that the processes comprising the management system are performing and producing in accordance with desired outcomes. The process audit also identifies any opportunities for improvement and possible corrective actions. Process audits are used to concentrate on any special, vulnerable, new or high-risk processes.

The product audit may be a series of audits, at appropriate stages of design, production and delivery to verify conformity to any specified product requirements, such as dimensions, functionality, packaging and labeling, at a defined frequency.


So, how is an audit conducted?

Use an Internal Audit Checklist

An internal audit checklist will help you to determine the extent to which your organization’s quality management system conforms to the requirements by determining whether those requirements have been effectively implemented and maintained.

The internal audit tool will help you to assess the status of your existing management system and identify process weakness to allow a targeted approach to prioritizing corrective action to drive improvement.


The internal audit checklist stands as a reference point before, during and after the audit process and if developed for a specific audit and used correctly will provide the following benefits:

The internal audit checklist comprises tables of the certifiable (‘shall’) requirements, from Section 4.0 to Section 10.0 of ISO 9001:2015; each requirement is phrased as a question.

Do We Need An Internal Audit Procedure?

Yes, we recommend you document an Internal Audit Procedure - this addresses two of the ISO 9001 clauses - Performance Evaluation and Improvement. It will greatly help you with the process of auditing and internal audit management.


Control of Internal Audits Procedure

The purpose of this procedure is to define your organization’s process for undertaking QMS audits, process audits, and supplier and legislation audits in order to assess the effectiveness of the application of the quality management system and its compliance to ISO 9001:2015.

This procedure also defines the responsibilities for planning and conducting audits, reporting results and retaining associated records.


A Gap Analysis

The gap analysis will likely be your first ISO 9001:2015 internal audit. The gap analysis checklist highlights the new requirements contained in ISO 9001:2015 but it is not intended to cover all of the requirements from ISO 9001:2015 comprehensively.

The unique knowledge obtained about the status of your existing quality management system will be a key driver of the subsequent implementation approach. Armed with this knowledge, you can establish accurate budgets, timelines and expectations which are proportional to the state of your current management system when directly compared to the requirements of the standards.

Your organization may already have in place an ISO 9001:2008 compliant quality management system or you might be running an uncertified system. If this is the case, you will want to determine how closely your system conforms to the requirements of ISO 9001:2015.

The results of a gap analysis exercise will help to determine the differences, or gaps, between your existing management system and the new requirements. Not only will the analysis template help you to identify the gaps, it will also allow you to recommend how those gaps should be filled.

The gap analysis output also provides a valuable baseline for the implementation process as a whole and for measuring progress. Try to understand each business process in the context of each of the requirements by comparing different activities and processes with what the standard requires. At the end of this activity you will have a list of activities and processes that comply and ones that do not comply. The latter list now becomes the target of your implementation plan.


Preparing the Audit Report

A good summary report is the output which is the value of the audit. It deserves an appropriate amount of attention and effort. As you moved through the audit, you should have noted the issues and improvements you saw. These should have been marked clearly so you are now able to quickly review and capture them as you write the report.

These findings and conclusions should be formally documented as part of the summary report. Too often, the audit report only recites back facts and data the managers already know. The value is in identifying issues and opportunities they do not know! This summary should be reviewed first with the lead auditor, then the Process Owner and Management Team. Make final revisions and file the audit report and all supporting audit materials and notes.

Gather the whole audit package together, in an organized manner. The rest of the work instructions, flowcharts, notes and relevant papers should be gathered into the audit package as supporting records. All findings should also be documented on your corrective action forms. The audit summary and the corrective action forms should be attached to the audit package, which now becomes the audit record. Only the summary report and corrective actions need be given to the process owner.

Elementary Audit Questions

These basic audit questions will help guide the audit in the right direction since the answers they provide often unlock the doors to information the auditor requires in order to accurately assess the particulars of a process.

Consider these common audit questions:

Getting the Most from the Audit Schedule

The audit schedule is divided up to reflect each section of ISO 9001. You should determine which of these sections are of greatest relevance to your business; in other words, which processes, should there be problems, will affect your customers the most. These are the processes that your company must make certain remain stable and consistent. You might wish to schedule these key processes for additional audits, perhaps two or even three times per year.

The audit schedule provides the following benefits:

Other types of Audit


Is a certified auditor "required" to do an ISO audit or can the company do the ISO audit themselves?

You do not need a 'Certified Auditor' to undertake internal quality audits of your management system and its processes.

Certified Auditors normally work for external, third-party accreditation bodies such as DNV, UKAS, LRQA, who will perform the Certification Audit, that is, assess your organization's management system against the requirements of ISO 9001 and provide your certificate of compliance. They will also conduct Surveillance Audits to ensure that your certification is maintained. They would not be involved in day-to-day internal auditing operations.


Internal Auditors can be people from within your organization who possess the necessary competence and impartiality to undertake internal audits in order to ensure effective operation of your organization's processes. The Internal Auditors often report to the Quality Manager.


Updated: 14th May 2022 Author: Richard Keen


Richard is our Compliance Director, responsible for content & product development. But most importantly he is ISO's biggest fanboy and a true evangelist of the standards.



