For organizations beginning their journey toward ISO certification, audits often seem daunting. Terms like “internal audit,” “external audit,” “certification audit,” and “surveillance audit” are thrown around, leaving many teams confused about what’s required and when.

At QMII, we frequently encounter this uncertainty from clients across industries—from maritime to manufacturing to services. The truth is, both internal and external audits are essential components of a robust management system, but they serve different purposes and require different levels of preparation.

In this article, we’ll unpack the differences between internal audit vs external audit, explain when and why each occurs, and provide a practical side-by-side comparison to help you build confidence in your audit process.

Key Differences Between Internal and External Audits

While both types of audits assess the conformance and effectiveness of a management system, the intent and outcome of each are distinct.

  • Internal audits are conducted by or on behalf of the organization itself.
  • External audits are performed by independent bodies such as certification bodies, regulatory bodies or customers.

Both help verify that processes are working as intended, but only external audits (by certification bodies) determine whether an organization earns or retains ISO certification.

What is an Internal Audit?

An internal audit is a systematic, independent, and documented process carried out by the organization to assess its own conformity to the ISO standard and its own internal procedures.

Purpose:

  • Verify that the management system is effectively implemented and maintained
  • Identify opportunities for improvement before external auditors arrive
  • Ensure continued compliance with ISO requirements
  • Facilitate risk-based thinking and systemic improvements

Frequency:

ISO 9001 does not mandate how often internal audits must occur, but they should be planned based on:

  • Process importance
  • Past non-conformities
  • Changes to operations
  • Risk levels

Most organizations opt for a full internal audit cycle annually, with higher-risk areas audited more frequently. QMII recommends more frequent audits, perhaps a few processes every quarter. It helps to drive away the fear of audits! Internal audits are a powerful management tool when used proactively—not just as a checkbox exercise.

What is an External Audit?

An external audit is performed by an outside party, typically a certification body or a customer, to verify compliance with ISO standards or contractual obligations.

  1. Certification Audit: Conducted by a registrar to determine if your management system meets ISO requirements for initial certification.
  2. Surveillance Audit: Performed annually (typically in years 2 and 3 of a 3-year certification cycle) to ensure the system continues to conform and improve.
  3. Recertification Audit: Conducted every three years to renew the ISO certificate.
  4. Second-Party Audit: Conducted by customers to assess suppliers or partners for quality or compliance.
  5. Regulatory Audit: Conducted by regulatory bodies to assess compliance with regulatory requirements.

Unlike internal audits, external audits can result in major or minor non-conformities that affect certification status. They tend to be more formal, and findings are often published in audit reports reviewed by certifying bodies.

Internal vs External: Side-by-Side Comparison

Internal audits are conducted by an organization’s own team or consultants to assess compliance with internal procedures and ISO requirements. They are less formal, cost-effective, and scheduled based on risk or process importance—often annually. Internal audits focus on continual improvement and help identify issues before external audits occur. QMII auditors bring an outside-in look at your system with objectivity, impartiality, and years of experience.

External audits are performed by independent certification bodies or customers to verify conformance with ISO standards. These audits are formal, occur on a fixed schedule (certification, surveillance, or recertification), and result in official findings that can impact certification status. They typically involve higher costs and stricter documentation requirements.

While internal audits are used to refine and strengthen systems, external audits validate that those systems meet recognized standards. Both are essential, but serve distinct and complementary roles in maintaining an effective management system.

Which One Should You Focus On?

The simple answer is: both, but your focus depends on where you are in the ISO journey.

Before Certification

If you’re preparing for your initial certification audit, internal audits are your first line of defense. They help you:

  • Identify gaps before external auditors do
  • Test-run your system, including documentation and records
  • Build team confidence in the audit process

At this stage, investing in internal auditor training and conducting mock audits can make a huge difference.

Post-Certification Maintenance

Once certified, internal audits continue to serve as early warning systems, ensuring sustained conformity, compliance and continual improvement. They can uncover issues long before surveillance audits do.

Additionally, internal audits support:

  • Management reviews
  • Strategic decision-making
  • Risk mitigation

Organizations that treat internal audits as strategic tools – not just obligations – tend to have fewer issues during external audits and stronger, more agile systems.

Audit Readiness Tips for Both

Whether facing an internal or external audit, preparation is key. Here’s a checklist to help you be audit-ready year-round:

Audit Readiness Checklist:

  • Keep documented information (procedures, policies, records) current and accessible
  • Conduct regular management reviews and document outcomes
  • Ensure employees are aware of the QMS and can describe their roles
  • Track and close non-conformities, corrective actions, and risks
  • Maintain calibration and maintenance records
  • Review previous audit findings and verify actions taken
  • Keep competence (e.g. training) records updated
  • Align objectives with performance data
  • Audit against requirements—not just for conformity but also effectiveness

Conclusion

Understanding the distinction between internal audit vs external audit helps organizations better prepare, allocate resources, and improve their management systems. While internal audits are about self-improvement and risk management, external audits serve as an objective validation of conformity.

At QMII, we empower teams to master both sides of the audit process. Whether you need internal auditor training, mock audit support, or help interpreting findings from a registrar, our experts are here to guide you. Don’t wait for the next audit to get ready—build a culture of readiness year-round. Explore our internal auditor training programs and tools at www.qmii.com and turn every audit into an opportunity for growth.
