What Is the Difference Between an Internal Audit and a Certification Audit Under ISO Standards?

Under ISO management system standards such as ISO 9001 (Quality), ISO 14001 (Environmental) and ISO 45001 (Occupational Health & Safety), organisations are required to conduct internal audits to evaluate their systems.

Certification audits, on the other hand, are conducted by an external certification body to determine whether the organisation meets the requirements for ISO certification.

While both types of audits examine the same management system, their purpose, authority, and outcomes are different.


Purpose of Internal Audits

Internal audits are conducted by the organisation itself to evaluate whether its management system is functioning as intended.

The objective is to determine whether processes:

  • Conform to ISO requirements

  • Conform to the organisation’s own procedures

  • Are implemented effectively

  • Are maintained and continuously improved

Internal audits act as a management tool. They help organisations detect issues early, correct weaknesses and strengthen system performance before external audits occur.

ISO standards require internal audits to be conducted at planned intervals.

For example:

  • ISO 9001 clause 9.2 requires organisations to conduct internal audits to determine whether the quality management system conforms to both ISO requirements and the organisation’s own requirements.

  • ISO 14001 clause 9.2 requires similar verification for environmental management systems.

  • ISO 45001 clause 9.2 requires internal auditing of occupational health and safety systems.

In practice, internal audits help organisations understand whether their systems actually work in day-to-day operations.


Purpose of Certification Audits

Certification audits are conducted by an independent certification body accredited by a national accreditation authority.

In Australia, certification bodies are typically accredited by JAS-ANZ (Joint Accreditation System of Australia and New Zealand).

The purpose of a certification audit is to determine whether an organisation’s management system meets the requirements of the ISO standard and, on that basis, whether the organisation can obtain an ISO certificate or retain the one it already holds. Internal audits inform management; certification audits decide certification status.

Certification audits also verify that the management system is:

  • Implemented across the organisation

  • Effectively maintained

  • Capable of consistently achieving intended results

If conformity is demonstrated, the certification body issues the ISO certificate.


Who Conducts the Audit

One of the most important differences between the two audits is who performs them.

Internal Audit

Internal audits are performed by:

  • Internal employees trained as auditors

  • Internal cross-functional auditors

  • Independent internal audit teams

  • Sometimes external consultants acting on behalf of the organisation

Whoever performs them, internal auditors must be objective and impartial: they must not audit their own work or work they are responsible for.

For example, a safety manager should not audit the safety program they manage; another trained auditor should cover that area.


Certification Audit

Certification audits are conducted by auditors employed or contracted by an accredited certification body.

These auditors must:

  • Be independent of the organisation

  • Be qualified in the relevant ISO standard

  • Follow formal audit protocols

  • Report findings to the certification body

The certification body then makes the certification decision.


Audit Authority and Outcomes

The authority and consequences of each audit differ significantly.

Internal Audit Outcomes

Internal audits typically result in:

  • Nonconformities

  • Observations

  • Opportunities for improvement

  • Recommendations

Internal audit findings are used internally by management to improve processes and address system weaknesses.

They do not affect certification status directly.

However, unresolved issues discovered during internal audits may later become findings during certification audits.


Certification Audit Outcomes

Certification audits may result in:

  • Major nonconformities

  • Minor nonconformities

  • Observations

  • Positive practices

If major nonconformities are identified, the organisation must correct them, and the certification body must verify the correction and corrective action, before certification can be granted or maintained. Minor nonconformities generally require a corrective action plan that the certification body accepts and follows up at the next audit.

Certification auditors do not provide consultancy advice. Their role is strictly to assess conformity against the ISO standard.


Frequency of Audits

Internal audits and certification audits occur at different intervals.

Internal Audits

Internal audits must be conducted according to an audit programme developed by the organisation.

The frequency depends on:

  • Process risk

  • Previous audit results

  • Operational complexity

  • Regulatory exposure

Many organisations audit all processes at least once per year, although high-risk areas may be audited more frequently.


Certification Audits

Certification audits follow a formal certification cycle.

This typically includes:

Stage 1 Audit

A readiness review where auditors evaluate whether the organisation is prepared for the full audit, including whether the documented system, internal audits and management review are in place.

Stage 2 Audit

The full certification audit assessing implementation of the management system.

If successful, certification is granted.


Surveillance and Recertification Audits

After certification, organisations undergo periodic external audits to ensure the system continues to operate effectively.

These include:

Surveillance Audits

Conducted by the certification body, typically once a year, to verify that the system continues to conform to the standard.

Recertification Audits

Conducted at the end of each three-year certification cycle, before the certificate expires, to renew certification.

Internal audits continue throughout this cycle and remain the organisation’s primary self-monitoring mechanism.


Scope and Depth of Audits

Another key difference is the level of organisational coverage.

Internal Audits

Internal audits can be flexible and targeted.

Organisations may audit:

  • Specific processes

  • Departments

  • Operational risks

  • Regulatory obligations

  • Management system clauses

Internal audits are often used to investigate areas where performance issues have occurred.


Certification Audits

Certification audits follow a structured sampling approach determined by the certification body.

Auditors will review:

  • Management commitment

  • System documentation

  • Process implementation

  • Operational controls

  • Performance monitoring

  • Corrective action systems

The scope must align with the certification scope defined in the organisation’s management system.


Role of Internal Audits in Certification Success

Although certification audits determine whether an organisation receives ISO certification, internal audits play a critical role in maintaining system effectiveness.

Internal audits allow organisations to:

  • Identify gaps early

  • Test system performance

  • Strengthen process control

  • Prepare for external audits

In practice, strong internal auditing programmes often lead to smoother certification audits and fewer external findings.


Key Differences at a Glance

  • Who conducts it: internal audit, the organisation’s own trained auditors (or consultants acting on its behalf); certification audit, auditors from an accredited certification body.

  • Purpose: internal audit, to check that the system works and to improve it; certification audit, to verify conformity with the standard and decide certification.

  • Authority: internal audit findings are used by management; certification audit findings determine whether a certificate is granted or retained.

  • Outcomes: internal audit, nonconformities, observations, opportunities for improvement and recommendations; certification audit, major and minor nonconformities, observations and positive practices.

  • Frequency: internal audit, according to the organisation’s own audit programme, commonly at least once a year; certification audit, Stage 1 and Stage 2, then surveillance audits and a recertification audit every three years.

  • Scope: internal audit, flexible and targeted to processes, departments or risks; certification audit, a sampling approach set by the certification body against the defined certification scope.

Final Perspective

Internal audits and certification audits serve complementary roles within ISO management systems.

Internal audits help organisations understand how well their management systems operate in practice and identify opportunities for improvement.

Certification audits provide independent verification that the management system meets the requirements of the relevant ISO standard.

Together, they create a structured framework for maintaining system integrity, supporting regulatory compliance, and ensuring that organisational processes continue to perform as intended.
