Definition · Plain-language
Internal audit
An internal audit is a systematic, independent first-party audit that checks a management system against requirements and confirms it is working effectively.
First, second and third-party audits
Audits are classified by who performs them. A first-party audit, the internal audit, is conducted by or on behalf of the organisation on its own management system. A second-party audit is performed by an interested party such as a customer auditing a supplier. A third-party audit is carried out by an independent external body, including certification bodies whose audits can lead to certification. Internal audits are the organisation’s own assurance mechanism: they let it find and fix problems before external auditors or customers do, and they generate evidence for management review.
How an internal audit is run
ISO 19011, the guidance standard for auditing management systems, frames internal audits as systematic and evidence-based. The organisation plans an audit programme covering all parts of the system over time, prioritising by risk and importance. Each audit has a defined scope and criteria; the auditor gathers objective evidence through document review, interviews and observation, then compares it against the criteria. Crucially, auditors must be independent of the activity audited so they can be impartial. Findings — conformities, nonconformities and opportunities for improvement — are recorded and reported, and nonconformities are followed through to corrective action.
Why standards require internal audits
Management-system standards such as ISO 9001, ISO 14001, ISO/IEC 27001 and ISO 13485 require internal audits at planned intervals as a core element of keeping the system effective. They provide independent, internal confirmation that the system both conforms to requirements and is actually implemented and maintained, not merely documented. Internal audits feed management review with reliable information, drive corrective action and continual improvement, and prepare the organisation for external certification audits. A weak internal-audit programme is itself a common finding, because without it management lacks objective evidence about how the system is performing.
Key facts
At a glance
- Definition: a systematic, independent first-party audit of a management system
- Conducted by: the organisation’s own trained, independent auditors
- Checks: conformity to requirements and effective implementation
- Guidance standard: ISO 19011
- Required by: ISO 9001, ISO 14001, ISO/IEC 27001, ISO 13485 and others
- Contrast: external (third-party) audits can lead to certification
Common misconceptions
What people often get wrong
Often heard: An internal audit is the same as the certification audit.
Actually: They are different. Internal audits are first-party — the organisation auditing itself for assurance and improvement. Certification audits are third-party, performed by an independent certification body and capable of granting certification. Internal audits help prepare for, but do not replace, certification audits.
Often heard: Auditors can audit their own work as long as they are honest.
Actually: Standards require auditor independence: auditors must not audit their own activity or area, because impartiality cannot be assured otherwise. Independence from the audited area is a defining feature of a credible internal audit.
Often heard: An internal audit just checks whether documents exist.
Actually: A proper internal audit gathers objective evidence that the system is implemented and effective in practice, through interviews, observation and records — not merely that procedures are written down. Documentation without implementation is itself a nonconformity.