
In this article, Jerry Lawrence, CertiKit's Lead ISO27001 Auditor, shares his thoughts on internal auditing and the benefits of an established internal audit programme.

Internal Audits – Are they a necessary evil or a great benefit?

Many years ago, as a freshly trained auditor, I was asked "why do you need to audit the process when we have external auditors coming in every 6 to 12 months doing the same?". In my naivety, I soon learnt not to say "because the standards require it", as this isn't exactly a huge selling point to the Senior Management Team, and it certainly doesn't get their buy-in as to why they should divert time and effort to your audits.

In my defence, though, the various management system standards such as ISO27001, ISO9001 and ISO14001 do require internal audits, but in my eagerness to get out and practise my newly trained skills on the workforce, I hadn't really understood why the standards require them or the benefits they bring.


So why do the standards require internal audits?

There are several reasons why internal audits are a mandatory requirement for various management systems standards.

The first and most obvious one is the fundamental process approach adopted by the ISO standards, namely the Plan-Do-Check-Act (PDCA) cycle, which can be applied to all management system processes.

  • The check part of the cycle is concerned with monitoring and, where applicable, measuring processes and the resulting products and services against policies, objectives and requirements, and reporting the results. Sound familiar? Auditing is a key part of the check phase.
  • The act part of the cycle requires you to take actions to improve performance as necessary. Audits are a way of identifying, while examining the processes, what actions need to be taken.

Maintaining process conformity and continual improvement are essential. You have spent time, effort and financial resources working towards or achieving an ISO certification, and one of the most difficult things is maintaining that certification. Audits are a way of ensuring that the defined processes continue to be implemented as intended, and that they reflect process changes resulting from new technologies, changes in business operations or changes in key staff.

What do we gain from internal audits?

In a recent blog post, "Why ISO management systems fail", CertiKit's Technical Author Ted Spiller highlights a number of key reasons for management system failure, including:

  • Lack of an embedding period – the system hasn't been clearly moulded to the business's processes and gets forgotten
  • Lack of training – staff lack knowledge and awareness, and are unsure of their responsibilities
  • Lack of communication – lines of communication throughout the business are stifled
  • System not being monitored (internal audits) – this allows errors and mistakes to slip through the net and build up over time
  • Lack of desire for improvement – likely due to management priorities and staff not being supported
  • Avoiding responsibility – not all levels of the business are held accountable for their requirements

Imagine running a business where some or all of these reasons are ignored. It is easy to see why the business would quickly fail to deliver quality products and end up with an unmotivated workforce, but most of all, these inefficiencies lead to higher operating costs and lower profitability.

Internal audits are a way of checking the following:

  • The health of your management system and the way it is operating
  • The wealth of the business – is it wasting time, effort and cash on inefficient processes?
  • The strength of the management system – is it coping with and adapting to changes? Are improvements needed to restore its health?


So, to answer the question "are audits a necessary evil or a great benefit?", I would argue they are both! They need to be done as a health, wealth and strength measure of the management system, but more importantly, if they are done in a timely, professional and presentable way and reported to Senior Management, they add huge benefit and insight into how the system operates within the organization.


How can CertiKit help?

CertiKit offer both full pre-certification audits and ongoing internal audits performed by a qualified ISO27001 lead auditor. Whether you're a toolkit customer or not, we'd be happy to assist you with your ISO27001 internal auditing requirements. CertiKit's audits are performed remotely via MS Teams by our consultants in the UK and are most suitable for organizations within +/- 2 hours of the UK time zone. Please note that CertiKit is not a Registered Certification Body and cannot provide you with a formal management system certification.
