Internal Audit Requirements for Quality Control
Internal audit requirements for quality control establish the procedural and documentary obligations that organizations must meet when assessing their own quality management systems against defined standards or regulatory criteria. This page covers the structural requirements for internal audit programs, the regulatory frameworks that mandate or reference them, and the practical decision points that determine audit scope, frequency, and documentation. Understanding these requirements is essential for organizations operating under frameworks such as ISO 9001, FDA Quality System Regulation, or AS9100, where internal audits function as a primary mechanism for demonstrating systemic compliance.
Definition and scope
An internal quality audit is a planned, documented examination of a quality management system (QMS) conducted by personnel within the organization to verify conformance with established criteria and identify systemic weaknesses before external review. The scope extends beyond product inspection to encompass processes, procedures, records, personnel competency, and management oversight functions.
ISO 9001:2015, published by the International Organization for Standardization, requires organizations to "conduct internal audits at planned intervals" to determine whether the QMS conforms to the organization's own requirements and to the standard's requirements (ISO 9001:2015, §9.2). The FDA's Quality System Regulation under 21 CFR Part 820 — now consolidated and updated under the Quality Management System Regulation (QMSR) effective February 2026 — similarly mandates that device manufacturers establish procedures for quality audits and designate a responsible individual to conduct them.
The scope of an internal audit program must explicitly define:
- Which processes, departments, and locations are subject to audit
- The standards or specifications used as audit criteria
- The frequency and scheduling basis (risk-based, calendar-based, or triggered by events)
- The competency requirements for audit personnel
- The documentation format for findings, observations, and objective evidence
Organizations subject to corrective and preventive action (CAPA) requirements must link audit findings directly to their CAPA systems, closing the loop between detection and resolution.
How it works
A conforming internal audit program operates in four discrete phases.
Phase 1 — Planning. The audit schedule is established, typically on an annual basis, with frequency adjusted based on the criticality of the process and the results of prior audits. ISO 9001:2015 §9.2.2 specifies that the program must consider the importance of processes concerned and the results of previous audits. Audit criteria, scope, and method are defined before fieldwork begins.
Phase 2 — Execution. Auditors gather objective evidence through document review, observation of activities, and interviews. Auditors must be independent of the area being audited — a requirement stated explicitly in both ISO 9001:2015 and 21 CFR Part 820.22. Checklists aligned to specific clauses or process requirements structure the fieldwork and create a defensible audit trail.
Phase 3 — Reporting. Findings are classified and documented. A nonconformance requires documented objective evidence that a requirement is not being met. Observations or opportunities for improvement carry different response obligations. The audit report must be reviewed by management with responsibility for the area audited.
Phase 4 — Follow-up. Corrective actions are assigned, tracked, and verified for effectiveness. The document control system must retain audit records for a defined period — FDA-regulated manufacturers are required under 21 CFR Part 820 to retain quality system records for a period equivalent to the design and expected life of the device, but not less than 2 years from the date of release for commercial distribution.
Common scenarios
Manufacturing under ISO 9001. A production facility seeking or maintaining ISO 9001 certification must audit every clause of the standard at least once per certification cycle (typically 3 years), with high-risk or frequently nonconforming processes audited more often. Certification bodies such as those accredited by ANAB will review audit records and CAPA closure rates during surveillance audits.
FDA-regulated medical device manufacturers. Under 21 CFR Part 820, the internal audit function must be documented in written procedures. The FDA investigator's checklist (QSIT methodology — Quality System Inspection Technique) specifically examines whether internal audits cover all elements of the QMS, whether nonconformances were identified and closed, and whether management review incorporates audit results. Failure to maintain adequate audit records has historically constituted a Form 483 observation.
Aerospace and defense under AS9100. AS9100 Rev D, published by the Society of Automotive Engineers (SAE International) in alignment with IAQG requirements, imposes additional audit requirements beyond ISO 9001, including risk management process audits and supplier-related process audits. Organizations in this sector often maintain a tiered schedule with 12-month coverage across all clauses.
Internal versus third-party audits. Internal audits (first-party) differ from supplier audits (second-party) and certification audits (third-party) in both independence requirements and evidentiary weight. Regulators and certification bodies accept first-party audit records as evidence of ongoing compliance monitoring but do not accept them as a substitute for independent verification. Audit readiness for quality control depends directly on the rigor of the internal program.
Decision boundaries
Determining what triggers an internal audit beyond the scheduled cycle requires defined criteria. The following conditions typically establish mandatory unscheduled audit triggers under ISO 9001 §9.2 and FDA QMSR precedent:
- A significant customer complaint or product recall event
- Detection of a systemic nonconformance not previously identified
- Substantial process change or introduction of new equipment
- Post-merger integration of a new facility into the existing QMS
- Regulatory inspection findings that implicate a process or department
The distinction between an audit nonconformance and an audit observation matters operationally: a nonconformance requires a formal CAPA, documented root cause analysis, and closure verification. An observation or opportunity for improvement does not mandate CAPA but must still be reviewed by management. Organizations that treat observations as nonconformances inflate CAPA workload; organizations that downgrade nonconformances to observations create regulatory exposure.
Auditor qualification is a hard boundary in FDA-regulated environments. Under 21 CFR Part 820.22, audits must be conducted by individuals who do not have direct responsibility for the matters being audited. Assigning an auditor to review their own process invalidates the audit record for regulatory purposes.
References
- ISO 9001:2015 – Quality Management Systems Requirements (ISO)
- 21 CFR Part 820 – Quality System Regulation (FDA / eCFR)
- FDA Quality System Inspection Technique (QSIT) Guide
- AS9100 Rev D – Quality Management Systems: Requirements for Aviation, Space, and Defense (SAE International / IAQG)
- ANAB – ANSI National Accreditation Board
- FDA QMSR Final Rule – Alignment with ISO 13485 (Federal Register)