In over 15 years auditing management systems across Latin America, I can affirm that internal audit is the most underestimated process in any ISO system. Many organizations treat it as a certification formality rather than what it truly is: the only tool that lets you see the real state of your system before an external auditor does.
The core problem: internal audits that find nothing
The first indicator that something is wrong is an internal audit reporting zero nonconformities. In practice, this almost never reflects a perfect system. What it reflects is a deficient audit. Based on patterns documented in our assessments of ISO 9001 quality management systems and ISO 27001 information security management systems, 68% of internal audits in the region produce generic findings that add no value to the system.
Why does this happen? Three main reasons: undertrained internal auditors, vague audit criteria, and lack of auditor independence from the audited area.
What ISO 19011 says and why it matters
ISO 19011:2018 is the reference standard for management system audits. It is not certifiable, but it establishes the principles and guidelines every internal audit should follow. The seven principles are: integrity, fair presentation, due professional care, confidentiality, independence, evidence-based approach, and risk-based approach.
The most violated principle in practice is independence. Clause 5.4.2 of ISO 19011 states that auditors should not audit their own work. However, in 43% of organizations we assess, process owners simultaneously act as internal auditors of their own areas.
The 5 most frequent internal audit mistakes
- Undefined audit criteria. The audit team arrives without a clear program. ISO 19011 clause 6.3.2 requires the audit plan to specify criteria, scope, and schedule.
- Insufficient sampling. Two or three records are reviewed and an entire process is deemed conforming. If your organization processes 500 purchase orders monthly and the auditor reviewed 3, the evidence is statistically irrelevant.
- Descriptive rather than evidence-based findings. A finding like "lack of control observed" says nothing actionable. An auditable finding states specific evidence, quantities, and the exact clause breached.
- No follow-up on corrective actions. Nonconformities are raised and actions are defined, but nobody verifies that those actions were effective. Clause 10.1 of ISO 9001 and 10.2 of ISO 27001 require effectiveness verification.
- Audit as checklist instead of investigative process. The best audits ask open questions such as "how?" and "show me the evidence."
How to prepare for an effective internal audit
- Auditor training: Minimum 16-hour course based on ISO 19011 with practical interview, sampling, and finding-writing techniques.
- Annual audit program: Define frequency, scope, and criteria for each cycle. Higher-risk areas should be audited more frequently.
- Evidence ready: Process owners should have the last 12 months of records accessible.
- Guaranteed independence: Structure the audit team so nobody audits their own process.
Internal audit as a strategic tool
Organizations that use internal audit best are those integrating it with their gap management and viewing it as a continual improvement mechanism. If your organization needs to evaluate its internal audit program maturity, an independent assessment against ISO 19011 is the most efficient starting point.