Royaal Project

When Internal Audits Find Typos Instead of Risks: Raising the Quality Bar on ISO Clause 9.2

Roy Zopfi

For many SMEs, the annual internal audit has settled into a comfortable rhythm. A familiar checklist is dusted off, a colleague walks the floor with a clipboard, a short report is filed, and a handful of small findings are closed out before the external auditor arrives. The certificate is renewed. Nobody is uncomfortable.

That comfort is the problem.

ISO 9001 clause 9.2 — and its equivalents in ISO 14001 and ISO 27001 — asks something more demanding than a tidy report. It asks whether your management system is actually working: whether processes deliver the outcomes you intend, whether risks are being controlled, and whether the system is improving. A polite internal audit does not answer those questions. It avoids them.

Why “polite” audits are expensive

A friendly internal audit looks efficient. It closes quickly, costs little, and produces a clean report. But the absence of findings is not the absence of risk. It usually signals one of three things:

  • The audit scope was set to look only where the organisation already performs well.
  • The auditor lacked the authority — or the independence — to challenge senior staff.
  • Findings were softened or reframed so they could be closed before the external audit.

In each case, the internal audit becomes a presentation exercise rather than a diagnostic one. The organisation pays for the audit hours, the certification fee, and the consultant time — without buying any of the protection these are meant to provide.

What ISO actually expects

Clause 9.2 of ISO 9001:2015 requires internal audits to be conducted at planned intervals to determine whether the management system conforms to the organisation’s own requirements, conforms to the ISO standard, and is effectively implemented and maintained. The words that get overlooked are “effectively implemented.” Conformity is a low bar; effectiveness is the standard the clause is pointing at.

The organization shall conduct internal audits at planned intervals to provide information on whether the quality management system is effectively implemented and maintained.

ISO 9001:2015, clause 9.2.1

The same logic appears in ISO 14001 clause 9.2 for environmental management and ISO 27001 clause 9.2 for information security. The standards converge on a simple expectation: the internal audit should generate insight the organisation could not get any other way.

Five patterns of an internal audit that actually pays off

Lifting the quality of an internal audit does not require a larger budget. It usually requires a different set of choices.

1. Rotate the auditor — and protect their independence

Using the same internal auditor year after year is the single most common cause of stale findings. The auditor becomes part of the system they are supposed to evaluate. Rotation does not need to mean hiring externally; it can mean swapping auditors between sites, departments, or peer organisations. What matters is that the auditor is not auditing their own work and is structurally able to challenge senior staff without consequence.

2. Start with the process you suspect, not the one you trust

A risk-based audit programme looks for trouble before it finds the organisation. If management already knows that onboarding is messy, that supplier qualification is uneven, or that incident reporting is undercounted — the audit programme should start there. Auditing where you already perform well produces clean reports and no learning.

3. Score findings by business risk, not by ease of closure

Many internal audit reports rank findings by how quickly they can be fixed. This is the wrong axis. A typo in a procedure is easy to fix and changes nothing. A control that is being routinely bypassed is harder to address and matters enormously. Findings should be classified by their potential business impact — financial, regulatory, reputational, operational — so that management review focuses on what is consequential.

4. Use the audit to test the riskiest assumptions in your strategy

The most useful internal audits go beyond procedural checks. They test whether the assumptions underpinning the organisation’s strategy still hold: whether customer contractual obligations are actually being met, whether supplier dependencies are being monitored, whether emerging regulations such as CSRD, DORA, or the AI Act are being tracked in any structured way. This is where ISO management systems start earning their keep.

5. Close findings with effectiveness in mind, not deadlines

A finding closed before it has actually been resolved at root cause will reappear — often in a more expensive form. Closure should require evidence that the change has held over time. Where the same finding repeats across cycles, the response is not another corrective action; it is a redesign of the underlying process.

What this looks like at management review

A well-run internal audit programme changes the texture of the management review meeting. Rather than reviewing a list of minor findings closed at speed, leadership is presented with a smaller number of substantive observations: where the system is drifting, where the strategy and the controls are out of alignment, and where investment is needed. These are decisions only management can make, and they are decisions the internal audit is uniquely positioned to surface.

Linked through to the broader compliance and quality agenda, the internal audit becomes a feeder into project portfolios, contract reviews, and sustainability reporting — connecting management system improvement to commercial outcomes. For organisations using ISO certifications as a market signal, this is also where investor and customer confidence is built.

A short checklist before your next internal audit

Before the next audit cycle begins, leadership can ask five questions:

  • Who is the auditor, and is their independence protected in practice?
  • Which three processes do we most suspect are underperforming — and are they in scope?
  • How are findings classified by risk, and is that classification understood by management?
  • Are repeat findings being escalated rather than re-closed?
  • Will the output be usable as a strategic input at the next management review?

If the answer to any of these is unclear, the audit programme is worth revisiting before the cycle starts — not after.

How Royaal Project supports SMEs

Royaal Project works with SMEs and corporates to design internal audit programmes that produce decision-useful findings rather than decorative reports. This typically combines an independent audit review, a refresh of the risk-based audit plan, and coaching for internal auditors so they can hold difficult conversations with senior staff. The work integrates with the wider compliance and ISO management system services, with contract management where findings touch supplier and customer obligations, and with the compliance advisory practice where regulatory exposure is involved.

To discuss your internal audit programme, visit royaalproject.com or book an introductory conversation.

This article describes observed practice patterns and best practices. It is not legal advice.