FAQ on ISO Audit – Clear text on ISO 9001

Internal Audits – Introduction

Whether in preparation for the external certification audit or in the day-to-day work of quality management,
questions arise again and again about the correct implementation of internal audits according to ISO 9001.

Do we have to do a system audit every year? Is it enough for us to audit individual processes? What exactly does the standard require?

In our FAQ, we provide practical answers – explained in an understandable way and directly applicable.

1. Do we need to conduct a full system audit every year?

No, not necessarily – but the entire quality management system (QMS) must be audited regularly.

ISO 9001 requires that all requirements of the standard be reviewed at scheduled intervals.
This means that an annual system audit is not mandatory, but it must be ensured
that all relevant standard chapters are covered over time.

2. Is it enough if we only audit individual processes?

Only if these process audits together cover all standard requirements.

An audit of the sales process or product development only sheds light on one sub-area.
However, if topics such as management evaluation, internal communication, risks and opportunities or document control are left out,
not all the audit obligations of the standard are met.

Our practical tip: Planning is everything. With a well-structured audit plan, you can also
systematically check all standard requirements over several process audits.

3. What is the difference between a process audit and a system audit?

| Process audit | System audit |
|---|---|
| Focus on a single process (e.g., quoting, support, development) | Looks at the entire QMS |
| Verifies that the process is efficient, compliant, and effective | Covers all requirements of ISO 9001 |
| Provides concrete optimization potential in day-to-day business | Ensures that the management system works as a whole |

4. How often do we need to conduct internal audits?

ISO 9001 does not set a specific time limit, but it requires audits “at planned intervals”,
taking into account risks, changes and results of previous audits.

In many companies, an annual audit cycle has proven its worth.
In the case of dynamic organizations or new processes, a semi-annual audit can also be useful.

5. What happens if we do not audit all standard requirements?

Then there is an increased risk of deviations during the certification audit, e.g.:

  • “Non-coverage of standard requirements in the internal audit program”
  • “Lack of effectiveness of the internal audit process”

A missing or incomplete audit is not a trivial offence – it is regularly rated as a
Major Nonconformity, resulting in re-audits and additional effort.

6. How long should an internal process audit take?

The duration depends on the complexity and scope of the process.
In practice, an internal process audit in medium-sized companies usually takes between 2 and 4 hours – including preparation and follow-up.

It is important that sufficient time is planned for interviews, document review and debriefing.

7. How long does an internal system audit take?

An internal system audit covers all standard elements of ISO 9001 – i.e. from the management level through all core and support processes.
The effort is correspondingly greater: in smaller companies, a system audit can take 1 to 2 days.
For more complex structures, audits lasting several days are also required.

8. Who should participate in an internal audit?

In addition to the auditor, the following people should also participate:

  • Process owners or participants
  • Representatives of the management level (e.g. division managers)
  • For system audits: QM representative and, if necessary, management

Open communication and a willingness to cooperate are crucial for a successful audit.

9. What qualifications should the internal auditor have?

ISO 9001 does not require formal certification, but the auditor should:

  • have knowledge of ISO 9001:2015,
  • have completed internal auditor training,
  • understand the audited area without being directly responsible (independence),
  • have methodological and communication skills.

External auditors are not absolutely necessary – a well-trained internal auditor is usually sufficient.

Conclusion: What does this mean for us?

For munich enterprise software GmbH, this means:

  • Our audit approach must keep an eye on all standard topics – even the “invisible” ones such as management evaluation or quality policy.
  • Process audits remain central – but specifically supplemented by system audits or cross-checks.
  • With a documented audit program and risk-based planning, we are on the safe side.

Preview: The next questions in the blog

In the second part of this FAQ series, we will answer, among other things:

  • What does a lean audit plan look like that meets both requirements?
  • Which standard points are often forgotten in practice?
  • How can an internal audit be carried out professionally even with few QM resources?