ISO Internal Audit Techniques

Our ISO Auditors will use a variety of audit techniques to obtain the required objective evidence and achieve the objectives of each internal audit session. This blog explains those audit techniques in a little more detail, so you know what to expect.


Using a representative sampling technique is one of the most effective ways to achieve the objectives of an audit.  

This may include sampling of: data generated by a procedure, a product of a process or the occurrence of a policy.

In addition to this, sampling can be approached in two ways:

Judgement-Based Sampling

This is the most common form of sampling that our ISO auditors will undertake.  It uses the knowledge, skills and experience of our team to determine ‘what’ should be sampled and the ‘size’ of a representative sample.

Statistical Sampling

A more technical approach is statistical sampling.  This depends on the characteristics of the data-set, the size of the company, time allocated for the audit, frequency of audits and any other relevant factors which could influence the sample.

Statistical sampling requires more time at the audit planning stage, and will likely require additional input from the client in order to determine an effective statistical model.

Sample Risk

In both cases there is an element of ‘sample risk’, where a defect or non-conformity may not be captured in the representative sample or, alternatively, the sample may capture a higher level of defect than exists in other areas of the system.


Our auditors may observe a work process in action or review a physical characteristic of the premises in order to determine whether a process is effective in achieving your intended outcomes.  

This may be a passive observation while people carry on their work, or a guided walkthrough where the auditor will ask questions to gain a better understanding.


In some cases it may not be possible to sample or observe live data, for example if performing an activity creates unnecessary risk or disrupts the organisation too much.  

For instance, this might apply to some business continuity processes.

In these cases a test of a procedure might be the most effective way to audit without affecting the organisation.


Since ISO’s Annex SL was introduced, demonstrating the commitment of the organisation’s leadership has been a core requirement, and one way to audit this is through interviews.

Our auditors may meet with people from across the organisation to ask them about different aspects of the management system.  This is a good way to test awareness of key policies and procedures.

Data Analytics

Some processes may generate a large amount of data that can be analysed to determine if an intended outcome has been achieved.  

While this is a more technical audit, it can be a useful technique for ISO Management Systems.

Document Review

Although most modern ISO Management System Standards have reduced the amount of mandatory documentation, most organisations will find that they generate some documents in order to operate the system more effectively, and become resilient to key staff leaving the business.

Particularly at the start of an auditor relationship, document reviews can be an unobtrusive way of understanding how you have built your management system.

It is also the method used during stage 1 of the external ISO certification audits.

Onsite vs Offsite

The majority of our audits are conducted Onsite; however, with the emergence of video conferencing and other tools, it is increasingly possible to execute some of the techniques above remotely.

The balance of Onsite and Offsite audits should be carefully considered at the audit programme planning stage, and it should be noted that some audit techniques can only be done Onsite.  

Human Interaction Vs No Human Interaction

We believe that people are the most important asset to an organisation and are therefore the key to really understanding what is going on within a management system.  For that reason, most of our audit time will be spent working with members of your team.

However, as you’ve seen above, there are techniques that can be executed without disrupting your staff.  Again, this should be carefully considered at the audit programme planning stage.

Managing Audit Risks

If not managed properly, audits can introduce risk into the organisation, which of course we want to avoid.

There are times where the audit schedule may need to be adjusted, and our auditors will happily do that providing the audit objectives can still be met.  

We also take the confidentiality of your organisation very seriously, and you can read about our Information Security controls here.

Do you need an ISO Internal Audit? Contact us to start your assurance programme.

Robert Clements