SGRII Insights  ·  ISO 9001:2015  ·  2026

Internal Audit & Management Review — The Two Mechanisms That Determine Whether Your System Is Alive or Archived

An internal audit programme that audits clauses instead of processes finds compliance, not performance. A management review that ticks input boxes instead of making decisions changes nothing.

SGRII Performance & Digital Solutions

QMS Practice  ·  April 2026  ·  10 min read

SGRII Pillar Lens

Systems

Clauses 9.2 and 9.3 are the system’s self-correction mechanisms — the internal audit identifies where the system deviates from its design, and the management review determines what leadership will do about it. When both operate as administrative exercises, the system loses its ability to learn from its own operation.

Clause 9.2 — The Process Audit vs. The Clause Audit

The single most impactful change an organisation can make to its internal audit programme is to stop auditing clauses and start auditing processes. A clause-based audit schedule — “Audit Clause 4 in January, Clause 5 in February, Clause 6 in March” — fragments the system into administrative components that are reviewed in isolation. A process-based audit — “Audit the purchasing process, tracing Clause 8.4, 7.1.5, 6.1, and 9.1 requirements through a single process thread” — reveals how the system performs in practice.

ISO 19011:2018 — the guidance standard for auditing management systems — explicitly promotes the process approach to auditing. The auditor selects a process, follows it from input to output, and tests whether the applicable requirements from multiple clauses are met within that process flow. This approach mirrors how certification body auditors work during Stage 2 — and it produces findings that are operationally meaningful rather than administratively correct.

The SGRII Audit Pack is built on this model. Audit checklists are process-oriented, not clause-oriented. Each audit trail follows a process thread through the relevant clause requirements, with finding classification aligned to ISO 19011: Major NC, Minor NC, or Observation. This classification is essential — organisations using non-standard severity scales (High / Medium / Low, Critical / Major / Minor) create confusion when certification body auditors arrive with the ISO 19011 framework.

Auditor Competence — The Unaddressed Prerequisite

Clause 9.2.2 requires the organisation to select auditors who ensure objectivity and impartiality. In SMEs, the internal audit function is often assigned to the quality manager — who is also the process owner for most QMS processes. This creates an independence conflict: the person who designed the system is auditing the system they designed.

The standard doesn’t require external auditors. It requires objectivity. Practical solutions include cross-functional auditing (the production manager audits the purchasing process, the purchasing officer audits the warehouse process), peer auditing programmes, or engaging external support for specific audit cycles. The key is that the auditor does not audit their own work — and that auditor competence (understanding of the standard, auditing technique, and sector knowledge) is demonstrable.

An internal audit that consistently finds zero nonconformities is not evidence of a perfect system. It’s evidence of an audit programme that lacks the capability or willingness to identify system weaknesses. If the certification body consistently finds issues that internal audits missed, the internal audit programme has a credibility problem — and Clause 9.2 is not effectively implemented.

Clause 9.3 — Management Review: Decisions, Not Data Presentations

Clause 9.3.2 specifies nine categories of input that management review must consider: status of actions from previous reviews, changes in external and internal issues, QMS performance and effectiveness (including customer satisfaction, quality objectives, process performance, nonconformities and corrective actions, audit results, and external provider performance), adequacy of resources, effectiveness of risk and opportunity actions, and opportunities for improvement.

Most management reviews address these inputs as a data presentation. The quality manager prepares slides covering each category, leadership reviews the slides, and minutes are recorded noting that the inputs were “discussed.” But Clause 9.3.3 requires specific outputs: decisions and actions related to opportunities for improvement, any need for changes to the QMS, and resource needs. If the management review minutes don’t contain decisions with assigned owners and deadlines, the review hasn’t met its purpose.

The test is direct: can the organisation demonstrate that management review outputs led to tangible changes in the QMS? If the same issues appear in successive management reviews without resolution, the review is a reporting exercise, not a governance mechanism. Management review should be the point where system performance data is translated into leadership action — the governance function that ensures the system adapts, improves, and delivers.

Frequency and Format — Challenging the Annual Review

The standard does not specify the frequency of management review — only that it shall be conducted “at planned intervals.” Many organisations default to an annual review, which creates a twelve-month gap between system evaluation events. For an SME operating in a dynamic environment, this is too infrequent to be effective.

The SGRII approach recommends distributing management review inputs across regular leadership meetings — quarterly as a minimum — rather than concentrating all nine input categories into a single annual session. This produces a management review that is continuous rather than episodic, integrated into normal business governance rather than conducted as a separate quality event. The standard requires planned intervals and documented outputs — it doesn’t require a single annual meeting with a forty-page pack.

Cross-Standard Review Architecture

For organisations operating integrated management systems, Clause 9.3 should function as a unified governance mechanism. ISO 14001 adds environmental performance to management review inputs. ISO 45001 adds OH&S performance, consultation results, and incident trends. ISO 37001 uniquely adds Clause 9.4 — Governing Body Review — a separate, higher-level review function that exists in no other management system standard. ISO 27001 adds information security risk treatment status and incident analysis.

Running separate management reviews for each standard multiplies administrative overhead and prevents cross-system pattern recognition. An integrated review framework — with standard-specific inputs feeding into a unified decision-making process — produces better governance outcomes and demonstrates the integration that certification bodies increasingly expect during multi-standard audits.

Join the Conversation

Does your internal audit programme consistently find nonconformities that your certification body would also find? And does your management review produce decisions with owners and deadlines — or data presentations that get filed?

Practitioner perspectives that challenge or extend this analysis are particularly welcome. Leave your comment below — the SGRII team responds to every substantive contribution.
