
Every ISO management system standard requires an internal audit programme. Clause 9.2 is effectively identical across ISO 27001, ISO 22301, ISO 27701, ISO 42001, ISO 9001, and the others. The wording is consistent. The execution rarely is.

Internal audits are where management systems either prove they are alive or quietly fail. A genuine, risk-based internal audit programme catches issues months before the external auditor would. A tick-box one provides a false sense of security and lets problems compound.

This article looks at what clause 9.2 actually requires across the management system family, where internal audit programmes commonly struggle, and what good looks like in practice.

Key takeaways

  • The same clause 9.2 wording appears in every ISO management system standard. Internal audit is a universal requirement, not a standard-specific one.
  • The most common failure mode is not absence of audit but absence of independence, depth, or follow-through.
  • Multi-standard organisations often run parallel audit programmes when an integrated approach would be more efficient and more revealing.
  • Independence is the design constraint that shapes every other decision: who audits, what cadence, what scope, and how findings are handled.

What clause 9.2 actually requires

Across ISO management system standards, clause 9.2 asks the organisation to:

  • Conduct internal audits at planned intervals.
  • Determine whether the management system conforms to the standard’s requirements and to the organisation’s own requirements.
  • Determine whether the management system is effectively implemented and maintained.
  • Plan, establish, implement, and maintain an audit programme.
  • Define the audit criteria and scope for each audit.
  • Select auditors and conduct audits to ensure objectivity and impartiality.
  • Ensure results are reported to relevant management.
  • Retain documented information as evidence.

The wording shifts marginally between standards but the substance does not. This is one of the strongest reasons to think about internal audit at the programme level rather than per standard.

Standards where this applies

The same clause 9.2 structure applies across the ISO management system family. Three non-ISO frameworks that organisations commonly hold alongside these certifications are listed for comparison; they have no clause 9.2, but each expects some form of regular internal evaluation of the control set:

Standard | Internal audit reference | Scope
ISO 27001:2022 | Clause 9.2 | Information security management system
ISO 22301:2019 | Clause 9.2 | Business continuity management system
ISO 27701:2019 | Clause 5.7.2, which applies ISO 27001 clause 9.2 to the PIMS | Privacy information management system
ISO 42001:2023 | Clause 9.2 | AI management system
ISO 9001:2015 | Clause 9.2 | Quality management system
SOC 2 (AICPA TSC) | Monitoring activities (CC4 series): ongoing and/or separate evaluations of controls | Trust services criteria
NIS2 | Article 21(2)(f): policies and procedures to assess the effectiveness of cybersecurity risk-management measures | Cybersecurity risk-management measures
DORA | Article 6(6): regular internal audit of the ICT risk management framework | ICT risk management framework

For organisations holding more than one certification, the shared structure across the ISO standards in this table (formally Annex SL of the ISO/IEC Directives, known as the Harmonized Structure since the 2021 edition) makes integrated audit programmes practical and substantially more efficient than running each in parallel.

Where internal audit programmes commonly struggle

Across recent client audit preparation engagements, the same handful of issues recur.

Independence. Clause 9.2 requires the audit process to be objective and impartial. In small or mid-sized organisations, the person with the competence to audit a function is often the person who runs it. The standard does not accept this arrangement, and external auditors quickly notice when the findings from a self-audited area are muted or absent.

Competence. Effective internal auditors need training. ISO 19011 sets out the relevant competencies. Many organisations send their staff through internal auditor courses once and never refresh.

Cadence. A single audit immediately before the external visit does not constitute a programme. Clause 9.2 expects audits at planned intervals, with frequency reflecting risk, importance, and recent change.

Depth. Tick-box audits that verify documents exist add little value. Risk-based audits that test whether controls actually work surface real issues.

Follow-through. Findings that are not closed out, or are closed nominally without addressing the root cause, resurface as repeat nonconformities or opportunities for improvement (OFIs) at the next external audit. This is one of the five recurring themes we see in audit findings.

Multi-standard duplication. Organisations with several management systems often run parallel audit programmes when an integrated approach would be more efficient and reveal more.

The independence design problem

Of these, independence is the design constraint that shapes every other decision. ISO 19011 frames it clearly: the auditor must be objective, impartial, and free from bias and conflict of interest.

In a large organisation, this is solvable through structure. Auditors from one business unit can audit another. The audit function can sit outside line operations. Resources support full-time auditors.

In a smaller organisation, the structural options run out quickly. The person who knows enough about the IT function to audit it credibly is often the person who runs it. The person who could audit HR controls is often the HR business partner. The standard does not relax for organisations of this size.

There are three viable responses:

  1. Cross-functional internal auditing. A small team trained to ISO 19011, with audits assigned so that no auditor reviews their own area. Workable, but requires sustained investment in training and audit time.
  2. External delivery. An independent third party delivers the audits. Solves independence at the root. Adds external cost, but typically less than the loaded cost of training and sustaining internal capability.
  3. Hybrid. A small in-house team with external support for areas where independence is structurally hard to achieve, such as IT and security in tech-led organisations.

The right answer depends on size, sector, and the maturity of the management system. The wrong answer is to accept compromised independence and hope the external auditor does not notice. They notice.

What good looks like

A healthy internal audit programme has a few hallmarks.

  • Documented programme. An audit calendar that covers the management system over a defined cycle (typically annual or biennial), refreshed each year. Not a single audit before the certification visit.
  • Risk-weighted scoping. Higher-risk areas audited more frequently, with rationale captured. Recent change in the organisation reflected in scope decisions.
  • Competence evidenced. Auditors trained, with current evidence of competence. ISO 19011 used as the reference.
  • Independence verifiable. Audit assignments documented in a way that demonstrates each auditor is independent of the area audited.
  • Findings followed through. A tracker that links findings to corrective action, with closure verified rather than asserted. The same tracker that captures audit findings should hold management review actions, pentest findings, and incident actions, for single-source visibility.
  • Inputs into management review. Clause 9.3 management review meetings reference internal audit outputs as a standing input rather than as a year-end bolt-on.
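Several of these hallmarks are checkable from the programme records themselves: whether every auditor is independent of the area assigned, whether competence evidence is current on the audit date, whether each area gets the frequency its risk rating demands, and whether closed findings were verified by someone other than the action owner. The script below is an added illustration of those checks, not code from the article; the record layout, the names, the dates and the per-risk minimums (two audits per cycle for high-risk areas, one otherwise) are all constructed assumptions.

```python
"""Added example (not from the article): a checker for the hallmarks above.
All data below is constructed; the field names and the per-risk minimums
are assumptions for illustration, not taken from any standard."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Area:
    name: str
    owner: str                              # who runs the area
    risk: str                               # "high", "medium" or "low"
    advisers: FrozenSet[str] = frozenset()  # who advised on its controls


@dataclass(frozen=True)
class Audit:
    area: str
    auditor: str
    planned: date


@dataclass(frozen=True)
class Finding:
    ref: str
    action_owner: str
    closed: bool
    verified_by: Optional[str] = None
    verified_on: Optional[date] = None


# Assumed minimum audits per cycle by risk rating (risk-weighted scoping).
MIN_PER_CYCLE = {"high": 2, "medium": 1, "low": 1}


def check_programme(areas, audits, findings, competence_valid_until):
    """Return a list of issues; an empty list means the hallmarks are met."""
    issues: List[str] = []
    by_area = {a.name: a for a in areas}
    # Independence and competence, checked per audit assignment.
    for audit in audits:
        area = by_area.get(audit.area)
        if area is None:
            issues.append(f"{audit.area}: audit planned for an area not in scope")
            continue
        if audit.auditor == area.owner:
            issues.append(f"{area.name}: auditor {audit.auditor} runs the area")
        if audit.auditor in area.advisers:
            issues.append(f"{area.name}: auditor {audit.auditor} advised on the area")
        expiry = competence_valid_until.get(audit.auditor)
        if expiry is None or expiry < audit.planned:
            issues.append(f"{area.name}: no current competence evidence for {audit.auditor}")
    # Coverage and risk weighting, checked per area over the cycle.
    counts: Dict[str, int] = {}
    for audit in audits:
        counts[audit.area] = counts.get(audit.area, 0) + 1
    for area in areas:
        planned, needed = counts.get(area.name, 0), MIN_PER_CYCLE[area.risk]
        if planned < needed:
            issues.append(f"{area.name}: {planned} audit(s) planned, {needed} needed for {area.risk} risk")
    # Follow-through: closure must be verified, and not by the action owner.
    for f in findings:
        if not f.closed:
            continue
        if f.verified_by is None or f.verified_on is None:
            issues.append(f"{f.ref}: closed without verification")
        elif f.verified_by == f.action_owner:
            issues.append(f"{f.ref}: closure verified by the action owner")
    return issues


def sample_issues():
    """Constructed programme with deliberate defects; returns the issues found."""
    areas = [
        Area("IT operations", owner="alice", risk="high", advisers=frozenset({"dan"})),
        Area("HR", owner="bob", risk="medium"),
        Area("Supplier management", owner="carol", risk="low"),
    ]
    audits = [
        Audit("IT operations", auditor="bob", planned=date(2025, 3, 1)),
        Audit("IT operations", auditor="dan", planned=date(2025, 9, 1)),  # adviser auditing own advice
        Audit("HR", auditor="alice", planned=date(2025, 5, 1)),
        Audit("Supplier management", auditor="alice", planned=date(2025, 11, 1)),  # after alice's refresher lapses
    ]
    findings = [
        Finding("F-01", action_owner="alice", closed=True, verified_by="bob", verified_on=date(2025, 4, 2)),
        Finding("F-02", action_owner="carol", closed=True),  # asserted, not verified
        Finding("F-03", action_owner="bob", closed=True, verified_by="bob", verified_on=date(2025, 6, 1)),
    ]
    competence = {"alice": date(2025, 6, 30), "bob": date(2026, 12, 31), "dan": date(2026, 12, 31)}
    return check_programme(areas, audits, findings, competence)


if __name__ == "__main__":
    for issue in sample_issues():
        print(issue)
```

On the constructed data the checker reports four issues: an adviser auditing the area he advised on, an auditor whose competence evidence lapses before the audit date, a finding closed with no verification, and a finding whose closure was verified by its own action owner. Coverage passes because the high-risk area has two audits in the cycle. The same structure extends naturally to the single tracker described above: pentest and incident actions are just further Finding records run through the same closure check.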

Most external auditors will recognise a healthy programme within thirty minutes of looking at it. They will also recognise an unhealthy one in the same time.

Integrated programmes for multi-standard environments

For organisations holding more than one certification, integrated audit programmes are usually a substantial improvement on parallel programmes. The shared structure across ISO standards makes this practical.

The benefits:

  • Less audit fatigue for operational teams interviewed across multiple standards.
  • Cross-system visibility on areas that span standards (supplier management, incident response, training).
  • A single coordinated calendar the management team can plan around.
  • A clearer story for certification bodies, particularly where integrated certifications are also in scope.

The catch is that integrated audits require either auditors competent across all standards in scope, or a coordinated team with documented scope boundaries. ISO 19011 supports both approaches.

Practical questions to ask about your programme

If you are reviewing internal audit ahead of a certification, surveillance, or regulatory cycle, the questions worth asking are:

  • Is the audit calendar documented and current, or does the programme rely on memory?
  • Can you produce evidence of auditor competence for each person who audits?
  • For each audit conducted, can you demonstrate the auditor was independent of the area audited?
  • Are findings tracked through to verified closure, or just to asserted closure?
  • Do internal audit outputs appear in management review minutes as a substantive input?
  • For multi-standard environments, is there a case for integrating the next audit cycle?

If most of these answers are clear, the programme is likely healthy. If several are not, the next audit cycle is the right moment to address it.

If you would like independent support with internal audit delivery, programme design, or an integrated audit cycle across multiple standards, our audits and reviews service covers all of the above, with engagements structured to preserve independence under clause 9.2.

Common questions

Does internal audit have to be done by an employee?
No. The 'internal' in internal audit refers to scope, not to who delivers the work. Clause 9.2 requires the audit to assess your own management system and to be independent of the area being audited. There is no requirement that the auditor be your own employee. Many organisations use external providers specifically because independence is easier to demonstrate, and certification bodies recognise the credibility of an independent delivery model.
How often do internal audits need to happen?
Clause 9.2 requires audits at planned intervals, with frequency reflecting risk, importance, and any change in the management system. In practice, most organisations spread the full management system over an annual or biennial cycle, with higher-risk areas audited more often. A single audit immediately before a certification visit does not meet the requirement.
Can one auditor cover multiple management system standards?
Yes, where the auditor is competent across each standard in scope. Many organisations holding multiple certifications run integrated audit programmes for efficiency. ISO 19011 sets out the relevant competencies. An integrated approach requires either an auditor with cross-standard competence or a coordinated team with clear scope boundaries.
What happens if the audit surfaces issues we did not want to find?
That is the audit doing its job. Internal audit findings are an input to clause 9.3 management review, not a public report. Findings drive corrective action under the nonconformity and corrective action clause (10.2 in ISO 27001:2022 and ISO 9001:2015; the numbering within clause 10 varies between standards) and inform leadership decisions. Catching issues internally is always preferable to catching them at certification.
How do you maintain independence if your internal auditor also advises on the system?
You cannot. ISO 19011 and clause 9.2 both require the auditor to be independent of the area audited. If the same individual advises on and audits the management system, the audit cannot demonstrate impartiality and should not be relied on as clause 9.2 evidence. Where an organisation uses one external provider for both advisory and internal audit, the engagements must be structurally separated, with different consultants and clear scope boundaries documented in the engagement letters.
