GN-IS-02

Internal Audit & Non-Conformance

Version 1.0 — April 2026 | Review: April 2027 | Applies to: RICS-regulated QS firms (England & Wales)

Purpose

Internal auditing is the mechanism by which a QS firm verifies that its Quality Management System (QMS) is functioning as designed and producing the intended outcomes. Under ISO 9001:2015 Clause 9.2, regulated firms must conduct planned internal audits at defined intervals covering all QMS processes. Internal audits are not inspections by external bodies — they are systematic, evidence-based reviews conducted by the firm itself to identify gaps, nonconformities, and opportunities for improvement before a client or regulatory body identifies them.

Non-conformance management (ISO 9001:2015 Clause 10.2) is the process by which the firm responds when a QMS process fails, an error occurs in a deliverable, or a procedure is not followed. It requires: immediate corrective action to deal with the problem; root-cause analysis to understand why it occurred; preventive action to stop recurrence; and documentation throughout. The strength of a firm's nonconformance process is one of the primary indicators of the maturity and effectiveness of its QMS.

For a newly established QS firm, even without formal ISO 9001 certification, implementing a basic internal audit programme and a nonconformance register from day one establishes good discipline, creates an auditable quality trail, and directly supports RICS Rule 3 (good-quality and diligent service). It also positions the firm well for future ISO 9001 certification if sought.

Key Principles

  • Internal Audit Requirements — ISO 9001:2015 Clause 9.2 — Firms must: (a) plan, establish, implement, and maintain an audit programme — covering frequency, methods, responsibilities, and reporting; (b) define the criteria and scope for each audit; (c) select auditors and conduct audits to ensure objectivity and impartiality — the person responsible for an area must not audit their own area; (d) report results to relevant management; (e) take corrective action on any nonconformities; and (f) retain the audit programme and audit reports as documented evidence. (ISO 9001:2015, Clause 9.2)
  • Audit Frequency and Coverage — ISO 9001:2015 does not prescribe a minimum number of audits per year but requires 'planned intervals'. In practice, for a small QS firm, an annual programme covering all QMS processes over a 12-month rolling cycle is the accepted baseline. Higher-risk or problem areas — document control, commission review, or any area where previous nonconformities were found — should be audited more frequently. The audit programme must cover all clauses of the standard over the cycle. (ISO 9001:2015, Clause 9.2.1)
  • Auditor Impartiality — A core requirement of Clause 9.2 is that auditors must be objective and impartial — they cannot audit their own work or their own area of responsibility. In a small firm, this may require: (a) cross-auditing between partners/senior staff; (b) engaging a qualified external auditor or consultant for at least part of the audit programme; or (c) using a peer from within a professional network. The requirement cannot be waived on grounds of firm size. (ISO 9001:2015, Clause 9.2.2b)
  • Nonconformity Defined — A nonconformity under ISO 9001:2015 Clause 10.2 is any failure to meet a requirement — either a requirement of the standard itself or a requirement of the firm's own documented QMS procedures. This includes: a cost plan issued without the required peer review; a template used that is not the current version; a commission accepted without completing the commission review procedure; or a supplier used who is not on the approved subconsultant register. It is not limited to errors that reach the client or cause complaints. (ISO 9001:2015, Clause 10.2)
  • Root Cause Analysis — ISO 9001:2015 Clause 10.2.1(c) explicitly requires determination of the causes of nonconformity — not just corrective action on the symptoms. Common root-cause analysis techniques include: 5 Whys (ask 'why?' five times to trace back to the root); fishbone/Ishikawa diagram (categorise causes under people, process, equipment, environment, management, measurement). Without genuine root-cause analysis, corrective actions address symptoms only and the nonconformity typically recurs — a finding that auditors flag as a systemic weakness. (ISO 9001:2015, Clause 10.2.1c)
  • Distinction Between Correction and Corrective Action — A critical distinction in Clause 10.2 that is frequently misunderstood: a correction is the immediate fix applied to the specific nonconformity (e.g., updating a cost plan that used the wrong template version). A corrective action is the action taken to prevent recurrence by eliminating the root cause (e.g., updating the document register, removing the old template from the shared drive, adding a pre-issue checklist step). Both are required. The NCR is not closed until the corrective action has been taken and its effectiveness verified. (ISO 9001:2015, Clause 10.2.1a–f)

Practical Application

Step 1
Prepare the Annual Audit Programme: At the start of each calendar year: (a) list all QMS processes to be audited (document control, commission review, competence/training, client satisfaction, subconsultant management, nonconformance, management review — and all ISO 9001 clauses); (b) assign an auditor to each process — someone with no direct responsibility for that area; (c) schedule provisional audit dates across the year; (d) record the programme as a controlled document. The programme is a mandatory record and must be retained.
Step 2
Conduct Each Internal Audit: For each scheduled audit: (a) inform the auditee of the audit date and scope in advance; (b) prepare an audit checklist aligned to the ISO 9001 clause and the firm's documented procedure for that process; (c) conduct the audit by reviewing records, interviewing staff, and observing practice — not just reading documents; (d) record findings — distinguishing between conformances, observations/improvement opportunities, and nonconformities; (e) agree a factual audit report with the auditee before finalising.
Step 3
Issue and Action the Audit Report: Following each audit: (a) issue the written audit report to the Responsible Principal; (b) for any nonconformities identified, raise a Non-Conformance Report (NCR) and assign it to a named responsible person with a target date; (c) for observations or improvement opportunities, log them in the continuous improvement register; (d) retain the audit report as a mandatory record. The RP must be kept informed of all audit findings.
Step 4
Raise and Manage Non-Conformance Reports (NCRs): When a nonconformity is identified (whether from an internal audit, a client complaint, identification by a member of staff, or management review): (a) raise an NCR using the standard template — record: date, identifier, description, area, evidence, immediate correction applied; (b) conduct root cause analysis — use 5 Whys or fishbone; (c) define the corrective action — what will be done, by whom, by when; (d) implement the corrective action; (e) verify effectiveness after a defined period; (f) close the NCR only when effectiveness is confirmed; (g) log it in the Nonconformance Register.
Step 5
Maintain the Nonconformance Register: Keep a running Nonconformance Register recording all NCRs raised, their status (open/closed), and outcomes. The register provides: a trend analysis tool — recurring nonconformities in the same area indicate a systemic problem; management review data — NCR statistics are a mandatory input to the Annual Management Review; and evidence for certification body auditors or RICS monitoring. Review the register quarterly and present it to the RP.
Step 6
Verify Effectiveness and Close NCRs: Corrective actions must be verified as effective before an NCR is closed. Verification methods include: re-auditing the process after the corrective action has been implemented; reviewing project files to confirm the changed procedure is being applied; checking that the root cause has been eliminated rather than merely addressed in one instance. Document the verification evidence in the NCR record. If a corrective action proves ineffective, a new NCR or escalated action is required.

Common Mistakes to Avoid

  • Conducting 'paper audits' only — reviewing documents without interviewing staff or observing practice. ISO 9001:2015 requires audits to verify that the QMS is 'effectively implemented and maintained' (Clause 9.2.1). Checking that a procedure document exists is necessary but not sufficient — the auditor must verify that it is genuinely followed. This requires sampling actual project files, questioning staff on what they do in practice, and observing the process where possible.
  • Allowing the person responsible for an area to audit their own work. ISO 9001:2015 Clause 9.2.2(b) is explicit that auditors must ensure objectivity and impartiality. Self-audit does not meet this requirement. In a two-person firm, one partner should audit the other's processes, and an external consultant should audit the Responsible Principal's areas. Impartiality is non-negotiable regardless of firm size.
  • Closing NCRs without verifying that corrective actions have been effective. An NCR that is closed simply because the corrective action was taken — without checking whether the root cause has been eliminated and the nonconformity has not recurred — does not comply with Clause 10.2.1(f). Certification body auditors specifically look for evidence of effectiveness verification in closed NCRs and will raise a major nonconformity if it is absent.
  • Recording all negative findings as 'observations' rather than 'nonconformities' to avoid raising NCRs. Some auditors soften findings to reduce administrative burden or avoid difficult conversations with colleagues. However, a genuine failure to follow a documented requirement is a nonconformity under Clause 10.2 and must be recorded as such. Failure to do so undermines the integrity of the QMS and can result in a major finding when the suppressed issues become evident to an external auditor.
  • Treating the annual audit programme as a one-off exercise rather than a continuous process. The programme must be reviewed and updated based on results — if a particular process generates repeated nonconformities, it should be audited more frequently in the following year. The audit programme is a living document, not a box-ticking annual schedule.

APC Competency & Quick Reference

This topic is relevant to the following APC competencies:

  • Conduct Rules, Ethics and Professional Practice (Level 3)
  • Quality Management
  • Business/Practice Management

What does ISO 9001:2015 Clause 9.2 require of a QS firm's internal audit programme, and how should impartiality be achieved in a small practice?

Clause 9.2 requires the firm to plan, establish, implement, and maintain an audit programme — covering audit frequency, methods, responsibilities, and reporting. Audits must cover all QMS processes over the audit cycle. The key impartiality requirement (Clause 9.2.2b) means auditors cannot audit their own area of responsibility. In a small QS practice, impartiality is typically achieved through: cross-auditing between principals (each auditing the other's areas); using a suitably qualified external auditor or consultant for higher-risk or sensitive areas; or engaging a peer from a professional network. The audit programme and all individual audit reports must be retained as documented evidence.

What is the difference between a 'correction' and a 'corrective action' under ISO 9001:2015, and why does this distinction matter?

A correction (Clause 10.2.1a) is the immediate action taken to deal with the specific nonconformity — for example, re-issuing a cost plan that used the wrong template. A corrective action (Clause 10.2.1d) is the action taken to eliminate the root cause and prevent recurrence — for example, updating the document register, removing the outdated template from the shared drive, and adding a pre-issue template-version check to the QA procedure. Both are required under Clause 10.2 — correction alone is insufficient. Without corrective action addressing the root cause, the same nonconformity will typically recur, and a pattern of recurring nonconformities indicates a systemic QMS failure.

How should a QS firm conduct root-cause analysis when raising a Non-Conformance Report, and what technique is most commonly used in professional services firms?

The most widely used technique in professional services firms is the '5 Whys' method — asking 'Why did this happen?' repeatedly (typically five times) until the root cause is reached rather than stopping at the symptom. For example: a cost plan was issued without peer review. Why? → The reviewer was away. Why was there no cover? → The review procedure doesn't address cover arrangements. Why? → The procedure was written for a team but never updated for the current two-person firm. Why? → The procedure review is not in the audit programme. Root cause: procedure review is not scheduled. The corrective action then addresses the scheduling gap — not just the individual incident. The fishbone/Ishikawa diagram is used where causes are multi-factorial or where the category of cause (people, process, environment, management) needs to be explored.

Internal Audit & Non-Conformance Checklist

Annual audit programme prepared — all QMS processes and ISO clauses covered
Auditor assigned for each process — no self-auditing
Audit checklists prepared for each scheduled audit
Audit conducted — records, interviews, and observations reviewed
Written audit report produced for each audit
Audit report issued to Responsible Principal
NCR raised for every nonconformity identified
Immediate correction applied for each NCR
Root-cause analysis completed (5 Whys or fishbone)
Corrective action defined, assigned, and implemented
Effectiveness of corrective action verified before NCR closure
Nonconformance Register maintained and reviewed quarterly
NCR and audit data presented at Annual Management Review

CPD Learning Outcomes

  • Plan and implement an annual internal audit programme for a QS firm's QMS that satisfies ISO 9001:2015 Clause 9.2 requirements, including process coverage, auditor impartiality, and documented evidence retention.
  • Conduct a non-conformance investigation applying root-cause analysis (5 Whys), distinguishing between the correction and the corrective action, and documenting the process in a Non-Conformance Report.
  • Evaluate the effectiveness of corrective actions following implementation, and use Non-Conformance Register trend data to identify systemic QMS weaknesses for improvement.

Further Reading

  • BS EN ISO 9001:2015 — Quality Management Systems: Requirements, Clauses 9.2 and 10.2 — BSI Group: https://www.bsigroup.com/en-GB/standards/bs-en-iso-9001/
  • QIA — ISO 9001 Internal Audit Requirements Explained: https://www.qi-a.com/learning-center/iso-9001-internal-audit-requirements-explained/
  • QMS UK — 5 Steps to Finding and Resolving ISO 9001 Non-Conformities: https://www.qmsuk.com/news/5-steps-to-finding-and-resolving-iso-9001-non-conformities
  • GloCert — Common ISO 9001 Audit Findings in Professional Services: https://www.glocertinternational.com/resources/articles/common-iso-9001-audit-findings/
  • RICS Rules of Conduct 2021 — Rule 3 (Good-Quality and Diligent Service): https://www.rics.org/content/dam/ricsglobal/documents/standards/2021_roc_en.pdf