Lesson 9 of 12
What Internal Audit Is and How It Runs
4 min
In the previous lesson you closed out a full corrective action: you found the oil leak, fixed its root cause, and verified it worked. But ask yourself an uncomfortable question: how many other gaps exist in your facility right now that nobody has reported?
Corrective action deals with what has already surfaced. What hasn't surfaced yet — the log that quietly stopped being filled in, the training everyone forgot, the procedure that's only half-followed — will never reach you while you sit in your office. You need a mechanism that goes looking for the gaps instead of waiting for them to turn into incidents.
Take a plastics factory in Amman: three production lines, a raw-materials warehouse, and a maintenance workshop. Its safety manager felt confident — corrective actions closed on schedule, training sessions ran as planned. Then the external audit arrived and found that lifting-equipment inspections in the warehouse had been stalled for five months: an entire section had slipped out of oversight and nobody had noticed. What that manager was missing was internal audit.
A self-examination the standard requires
Internal audit is a periodic self-examination a facility conducts on itself, and ISO 45001 requires it explicitly (clause 9.2) at planned intervals. Its job is to answer two questions, not one: does your system conform to the standard's requirements? And is it actually being followed the way you documented it? You're comparing reality against the documentation, and the documentation against the standard — and a lot of gaps live in the space between the two.
Its non-negotiable condition is independence (of the auditor): whoever audits an activity must be independent of it. The maintenance supervisor doesn't audit maintenance — he might audit the warehouse instead, while someone else audits his workshop. This isn't a judgment on anyone's integrity; anyone grading their own work tends to see what they want to see. In small facilities this is solved by rotating roles between departments, or by borrowing an auditor from another branch.
Don't reduce it to a mere "dress rehearsal" for the external audit — it's first and foremost management's own eye on its system. And yes, catching a gap internally is immeasurably cheaper: you fix it on your own schedule and by your own decisions, whereas catching it during the certification audit can delay the certificate itself.
From plan to closure: a full cycle at the Amman factory
Here's how the Amman factory built its internal audit program after that wake-up call:
- The annual program: the year was split into quarters so that audits would cover every department and every clause over the course of the year. The third-quarter round was dedicated to the warehouse and the maintenance workshop, covering clauses 6.1 (risk assessment), 8.1 (operational control), and 9.1 (monitoring and measurement). Departments that had shown problems before get visited more often than others — the program follows risk, not fairness.
- The checklist: the auditor built it from the clause text and the factory's own documents — eighteen questions such as: Does the risk register cover the new lifting equipment? Are forklift inspections happening at the frequency the procedure specifies? Does the warehouse keeper know his role in the emergency plan?
- Execution (half a day): a field walkthrough, short interviews, and record sampling: training files for five randomly chosen workers, the last ten forklift inspections, incident reports from the past six months. The golden rule: compare what you're told against what's written against what your own eyes see — that three-way match is what real conformity looks like.
- Recording findings: the round produced two nonconformities — lifting-equipment inspections stalled for five months in violation of the monthly inspection procedure, and two new workshop workers who hadn't received induction training — plus one observation about an outdated emergency board. Every finding was written with its three elements: the evidence, the requirement violated, and a precise description — with no names of "culprits."
- Follow-up: every nonconformity opened a corrective action with an owner and a due date. The audit isn't considered finished when the report is delivered — it's finished when its actions are closed and their effectiveness verified, by someone who didn't carry them out.
Notice where the whole cycle's value concentrates: in that last line. A report that turns into actions that get tracked through to closure.
Common mistakes
- Auditing yourself: a department head audits his own department, so the report comes out clean every time. An audit without independence is just a certificate of good conduct someone writes for themselves.
- Turning the audit into a trial: when workers feel the round is hunting for someone to blame, they hide problems, and the audit loses the one thing it's worth having — the truth. An audit examines the system, not intentions, and its findings are written without names.
- Findings with no follow-up: a report documents ten gaps and then sits in a drawer, so the next audit finds the exact same gaps. A finding that never turns into a corrective action is ink wasted.
In goiso
The Inspections board is your tool for running the internal audit program: create a card for each round with its scope and clauses, and move it across the columns from planning through to closure — see How do I use the Inspections board. When you find a gap, log it as a nonconformity item right on the same card so its corrective-action trail is generated automatically — see What do I do with a nonconformity item found during inspection. And the separation of roles is built into the platform structurally, not just as a habit: the internal auditor role (internal_auditor) is the only one that can verify the effectiveness of corrective actions — whoever carried it out doesn't get to verify it.
Summary
- Internal audit is a periodic self-examination the standard requires: it compares reality against the documentation, and the documentation against the standard.
- Independence is non-negotiable: nobody audits work they own.
- The full cycle: annual program → checklist → sampled execution → documented findings → actions closed and verified.
- The value of an audit lies in its follow-up, not its report.
Your audit results — along with your indicators and the status of your actions — now roll up to senior leadership's table. Next: What is management review.