Internal Audit Frequency

How often should you perform internal audits?

The standards for ISO 9001, ISO 45001 and ISO 14001 do not specify a frequency. They also do not require all processes be included in a single internal audit. They should, however, cover all processes over time and across multiple audits. Because internal audits are for self-evaluation and Improvement, they are an important part of your Management System. The IATF 16949, however, requires audit frequency covering all processes at a minimum of three years.

Working from the bottom up, review each process and look at these criteria:

  • Risk
  • Complexity
  • Experience
  • Maturity
Maturity – all new processes must be evaluated using Key Performance Indicators. A process that has been around for a while, is stable, and efficient could be audited less frequently.

Experience – use the past to determine the future. Look at past audit outcomes to determine a process’ future audit frequency. A process that has been in conformance for the past 2 years may be audited just as often. One that seems to always be on the NCR should be audited more frequently.

Risk – because you are using a Risk Based Approach, refer to the risk to help assign frequency. If a process is considered high risk, you may want to audit it more frequently. Lower risk processes may only require less frequent assessments.

Complexity – process complexity is a measure of the process difficulties that impede project execution. As complexity increases, the audit frequency should also increase.
After reviewing each process, you may want to create four “audit buckets.” Each bucket has an audit frequency. Designate one for quarterly, one for bi-annual, one for annual and one for every two years. After you review a process against the above criteria, drop them into one of the buckets.

Internal Audit Frequency Buckets