How to become an ISO Certified Internal Auditor


QEHS Consultant

Let's begin with a question: What is an ISO Internal Auditor?

When the expression Internal  Auditor is used, it refers to an auditor who participates, perhaps leads, an ISO management system audit of his/her own organization's management system.

Are Internal Audits Necessary? 

Internal audits are a mandatory and necessary part of an organization's obligation to demonstrate ongoing compliance with the requirements of the ISO Management System Standard(s) to which the organization subscribes. 

At a practical level, internal audits help ensure that when external auditors come to check compliance - either a Certification Body auditing as the basis of continuing certification of compliance or Supplier Audits as the basis of placing business with the organization - there will be few if any non-compliances to be discovered. 

Additionally, internal audit programmes are a great occasion to identify opportunities for improvement. After all, it is during internal audits that auditors are talking with the very people most familiar with the day-to-day workings of the organization.

The Internal Audit Process

ISO Internal Auditing then is not a boring box-ticking exercise but instead an engrossing set of activities involving:

  1. the interviewing of people doing the work that makes your organization a success,
  2. observing the workplace in action,
  3. checking workplace activities and processes, as well as
  4. scrutinizing documents and records, 

Advantage of Being  Certified Internal Auditor

As experienced internal auditors have knowledge of the processes and activities at many levels and functions within the organization, they are frequently chosen for promotion ahead of their colleagues.

Internal Audits: Business Applications

The finance profession tends to use terms like internal auditor and lead auditor as if they only apply to the finance sectors. 

ISO Management System Standards apply to any sector - quality, environment, energy, medical device manufacture, food safety, occupational health and safety, information security, etc. 

It's best to refer to ISO Internal Auditors and ISO Lead Auditors in regards to these standards.

Where do the different ISO Standards fit in?

An auditor trained in the requirements of ISO 9001, the quality system standard, is not equipped to audit against the requirements of, say, ISO 14001, the environmental management system standard. This is for the simple reason that the two standards have very different objectives and significantly different detailed requirements. 

So, an ISO 9001 Internal Auditor would need additional training (an ISO 14001 Extension Course) before they were capable of conducting an ISO 14001 audit.

How then does one become an Internal Auditor?

It’s not about getting a Certificate

Once upon a time it was 'certification equals competency' and organizations like IRCA built a recognized Register of Auditors. 

As ‘the only game in town,’ Lead Auditor training was taken not only by Certification Body Lead Auditors but also by Consultants and QHSE Managers (especially in their role as Audit Programme Managers) wishing to develop their skills and expertise.

Since 2011, a Lead Auditor Certificate alone is no longer acceptable as proof of competency. ISO 19011, the Guidelines for auditing management systems, made this clear by defining competence as the ‘ability to apply knowledge and skills to achieve intended results’.

ISO Internal Auditor options









Registers of Lead Auditors are redundant.  And a register of internal auditors was 'never a thing'.

And what then is the relationship between internal auditor certification and competency?

Required Competencies for Internal Auditors

ISO 19011 sets out 4 headings in determining auditor competence. They apply equally to internal auditors and to lead auditors. namely,

  • General: organizational knowledge, skills and experience; working experience is essential.
  • Knowledge and skills: to successfully complete an audit, generic competence (including auditing skills) and a level of discipline and sector-specific knowledge and skills (i.e. of the applicable ISO Standard and of the economic sector being audited) are required.

So, what are the steps involved in becoming a competent ISO Internal Auditor?

Internal Auditor Certification in ISO 9001, ISO 14001, ISO 13485, ISO 27001, ISO 45001

5-steps to ISO Internal Auditor Competency

Here are the steps you need to take …

  1. Satisfy yourself that you have the temperament and personal attributes needed to be a successful Internal Auditor.
  2. Check that you have the technical experience, subject expertise, supervisory and managerial experience needed to conduct an audit.
  3. Complete an ISO Internal Auditor Certification Course – either a 2-day conventional course or 12-hour online course.
  4. Undertake internal audits as often as possible – 3 times-a-year is considered the minimum needed to maintain auditing skills. 
  5. Finally, have yourself evaluated as a competent internal auditor.  Typically this is done by a QHSE Manager, or equivalent and recorded in your personal training/competency record.


‘Horses for Courses’

Of course, internal auditing of a single ISO Standard (usually ISO 9001) may not be the limit of your ambition. 

You can extend range and type of audit you conduct by adding another standard to the scope of your auditor certification (e.g. take an ISO 14001 Internal Auditor Extension Course - 8 hours) or raise your game by taking a Lead Auditor Course (those responsible for Supplier Audits often do this to ensue the depth of knowledge necessary to adequately carry out such an audit).

More Information

For more in-depth information we recommend you read ISO 19011:2018, especially: 

  • Part 7: Competence and evaluation of auditors, and
  • Annex A: Additional guidance for auditors planning and conducting audits.


Choose an Internal Auditor Course

Written by Dr John FitzGerald

Director and founder of deGRANDSON Global. After 15 years in the manufacturing industry, John has spent the past 25 years training, consulting and auditing ISO 9001 and other management systems.

Subscribe to Email Updates


Recent Posts

Posts by Topic