Guide · Audit
Internal audit & mock audit: getting certification-ready
The internal audit is where most small businesses discover — too late — that their management system looks good on paper but falls over under questioning. Here is how to run a proper internal audit for ISO 9001, 14001 or 45001, and how a mock audit finds the gaps before the auditor who matters does.
Why internal audit matters
All three standards require internal audits at planned intervals (clause 9.2). It is not box-ticking: the internal audit is your own check that the system you built is actually being used, is effective, and meets the standard. A certification body will expect to see at least one completed internal audit — and a management review that responds to it — before your Stage 2 certification audit. Skipping it, or running a token one, is one of the most common reasons a first certification attempt stumbles.
What an internal audit involves
- An audit programme — what will be audited, when, and by whom, across the year.
- Clause-mapped checklists — so every requirement of the standard is covered, not just the easy ones.
- Objective evidence — records, documents and interviews that show the system works, not just that it exists.
- Findings — nonconformities and observations, each with enough detail to act on.
- Corrective actions — findings feed into your CAPA process and are tracked to closure.
What auditors actually look for
Auditors probe the seams between "documented" and "done". The recurring weak spots:
- Documents that exist but staff can't access or don't follow.
- A training matrix that doesn't match who's actually on site, with expired tickets.
- Risks and legal obligations listed once and never reviewed.
- Corrective actions raised but never verified as effective.
- Management review that misses required inputs.
Run an AI mock audit first
A mock audit is a dress rehearsal. BigTick's AI auditor reviews your live documents, registers, actions, objectives, audits and reviews, then hands back the findings a real certification auditor would raise — with a readiness score and the exact gaps to close. You fix them on your own timeline, before the audit that counts.
A simple internal-audit sequence
- Plan the programme so every clause and process is covered over the cycle.
- Prepare a checklist mapped to the standard and to your own procedures.
- Gather evidence — sample records, walk the site, talk to the people doing the work.
- Record findings clearly, referencing the clause and the evidence.
- Raise corrective actions and track root cause, action and effectiveness.
- Feed the results into management review and close the loop.
See your readiness score before the auditor does
BigTick builds your whole ISO system, runs the internal audit programme with clause-mapped checklists, and lets you run an AI mock audit any time — so you walk into certification knowing exactly where you stand.
Start a free trialFrequently asked questions
Do I need an internal audit before ISO certification?
Yes. ISO 9001, 14001 and 45001 all require internal audits at planned intervals (clause 9.2). A certification body will expect to see at least one full internal audit, and a management review, before your Stage 2 audit.
What is a mock audit?
A practice run of your certification audit. It reviews your management system the way an external auditor would, raising the findings a real auditor would raise so you can close them before the audit that counts.
Can I audit my own management system?
You can run internal audits yourself, as long as auditors stay objective and don't audit their own work. The external certification audit itself must be done by an accredited certification body.
Related guides
General information about ISO management-system requirements, not audit or legal advice. Certification is issued by accredited certification bodies.