Overview
Establish a comprehensive internal audit program per ISO/IEC 17025:2017 Clause 8.8. Internal audits are one of the most critical elements of a laboratory’s quality management system — they provide the systematic, independent evaluation that confirms your QMS is effectively implemented and maintained. Accreditation bodies expect to see a mature audit program with evidence of findings, corrective actions, and follow-up.
The skill produces four deliverables: an audit procedure defining scope, frequency, methodology, and follow-up processes; an annual plan with a schedule that ensures every clause area is audited at least once per year; a clause-by-clause checklist organized by ISO 17025 sections 4 through 8 with specific verification criteria; and a standardized report template with finding classification (major nonconformity, minor nonconformity, observation, opportunity for improvement).
A key requirement that many small laboratories struggle with is auditor impartiality — auditors must not audit their own work. For a 12-person lab, this means planning carefully to ensure that the person auditing the metals section isn’t someone who performs metals testing. The audit program also needs to define auditor competence requirements, including training in audit techniques and familiarity with ISO 17025.
What It Covers
- Audit procedure — scope, frequency, planning, execution methodology, reporting, and follow-up
- Annual plan — schedule covering all clause areas at least annually, with auditor assignments
- Auditor impartiality — rules ensuring auditors do not audit their own work area
- Auditor competence — training requirements, qualifications, and experience criteria
- Audit methodology — document review, interviews, observation of activities, record sampling
- Clause-by-clause checklist — verification criteria organized by Clauses 4-8
- Finding classification — major NC, minor NC, observation, opportunity for improvement (OFI)
- Report template — finding ID, clause reference, type, evidence, auditee response, corrective action, deadline
- Follow-up and close-out — verification that corrective actions are implemented and effective
Example Conversation
You: We need an internal audit program for our lab. LabTech Analytical, environmental testing in Austin. 12 analysts, going for first-time A2LA accreditation. We’ve never done an internal audit before. Our QM James Park went to a lead auditor course last month so at least we have one trained auditor.
Agent: Good that James has the lead auditor training — that’s a solid foundation. But there’s a complication: as QM, James owns most of the management system processes (document control, CAPA, complaints). He can’t audit those areas because he’d be auditing his own work. We need to plan around that. Some questions:
- Is anyone else trained or willing to be trained as an internal auditor?
- Would you consider using an external auditor (consultant) for the areas James can’t cover?
- What is your target assessment date with A2LA? We need at least one complete audit cycle before then.
You: Sarah Chen our lab director could audit the management system stuff since James runs it day to day. She hasn’t had formal training though. We’re targeting the A2LA assessment in September 2026, so we need to get moving. Could we do the first round of audits in Q2?
Agent: Sarah auditing management system areas works for impartiality — she doesn’t perform those activities, James does. For auditor competence, she doesn’t need full lead auditor certification, but she should complete at least a 1-day internal auditor awareness course. Many are available online.
Here’s the annual plan I’m building for 2026:
| Quarter | Clause Area | Auditor | Rationale |
|---|---|---|---|
| Q2 (Apr) | Clause 8: Management System (QMS, doc control, records, risk, CAPA) | Sarah Chen | James owns these processes, Sarah provides impartiality |
| Q2 (May) | Clause 6: Resources (personnel, facilities, equipment, traceability) | James Park | James doesn’t manage equipment or facilities directly |
| Q2 (Jun) | Clause 7: Process Requirements (methods, sampling, QC, reporting, complaints, NCW) | James Park | James doesn’t perform testing |
| Q3 (Jul) | Clause 4: General Requirements (impartiality, confidentiality) | James Park | Structural/policy area |
| Q3 (Jul) | Clause 5: Structural Requirements | James Park | Organizational structure |

This gets the full cycle done before your September assessment.
You: That’s tight but doable. For the checklist — I don’t want it to be just a yes/no checkbox thing. The assessors at our last consulting visit said they want to see we actually looked at objective evidence.
Agent: Agreed. I’ll design the checklist with three columns per item: the requirement, what objective evidence to examine, and the auditor’s finding. For example:
Clause 6.4 — Equipment:
- Requirement: Equipment uniquely identified (6.4.4)
- Evidence to examine: Check 3 instruments for asset tags matching equipment register
- Finding: [auditor records what they observed]
This forces the auditor to go beyond “yes they have an equipment list” and actually verify specific items against records.
I’ve drafted all four documents. Running validation now.
Running audit_plan_validator… PASS. All clause areas (4-8) covered in scope. Annual frequency confirmed. Schedule with quarterly assignments present. Auditor impartiality addressed — Sarah audits management system, James audits technical/process areas. Auditor competence requirements defined. Methodology includes checklist, interviews, observation, and record review. Follow-up and close-out process linked to CAPA.
Running finding_completeness_checker… PASS. Report template includes finding IDs, clause references, finding types (major NC, minor NC, observation, OFI), description field, objective evidence field, auditee response, corrective action requirements for NCs, deadlines, responsible persons, audit team/attendees list, and overall conclusion section.
Sample Output Excerpt
The skill produces an audit procedure, annual plan, clause-by-clause checklist, and report template. Here is an excerpt from the audit checklist showing the verification approach for Clause 7.
Internal Audit Checklist — Clause 7: Process Requirements
Audit Date: ___________ | Auditor: ___________ | Auditee(s): ___________
7.2 Selection, Verification and Validation of Methods
| Ref | Requirement | Objective Evidence to Examine | Finding |
|---|---|---|---|
| 7.2.1 | Methods appropriate for requested testing activities | Select 2 recent test reports — verify method used matches client request and is within scope | |
| 7.2.1 | Current authorized editions of methods in use | Check 3 SOPs for correct standard edition references; compare against NIST/EPA website | |
| 7.2.2 | Methods validated before introduction | Review validation records for most recently introduced method — verify acceptance criteria met | |
7.7 Ensuring the Validity of Results
| Ref | Requirement | Objective Evidence to Examine | Finding |
|---|---|---|---|
| 7.7.1 | Monitoring procedure for validity of results | Examine QC SOP — verify acceptance criteria defined for blanks, LCS, CCV, duplicates | |
| 7.7.1 | QC data monitored and evaluated | Pull last month of QC charts for metals — check for trends, outliers, corrective actions taken | |
| 7.7.1 | Predetermined criteria for acceptance | Verify method-specific QC limits documented (e.g., LCS recovery 80-120%, RPD <20%) | |
| 7.7.2 | Proficiency testing participation | Verify PT schedule, examine most recent PT results, confirm corrective actions for any unsatisfactory results | |
7.8 Reporting of Results
| Ref | Requirement | Objective Evidence to Examine | Finding |
|---|---|---|---|
| 7.8.2 | Reports contain all required information | Review 3 recent test reports against Clause 7.8.2 checklist (date, lab ID, method, results, uncertainty where required) | |
| 7.8.6 | Amendments to reports clearly identified | If any amended reports issued in past year, verify original is marked superseded and amendment reason documented | |
Finding Classification Guide
| Type | Definition | Action Required |
|---|---|---|
| Major NC | Absence or complete breakdown of a system to meet a requirement | Corrective action required within 30 days; root cause analysis mandatory |
| Minor NC | Single observed lapse or partial implementation of a requirement | Corrective action required within 60 days |
| Observation | Situation that could lead to a nonconformity if not addressed | Recommended action; tracked but no formal CAPA required |
| OFI | Opportunity for improvement beyond compliance | Optional; documented for management review consideration |
Extension Tools
audit_plan_validator
Validates the internal audit plan for scope coverage, frequency, and auditor assignment.
| Check | What It Validates |
|---|---|
| Clause 4 coverage | General requirements (impartiality, confidentiality) included in audit scope |
| Clause 5 coverage | Structural requirements included in audit scope |
| Clause 6 coverage | Resource requirements (personnel, equipment, facilities) included |
| Clause 7 coverage | Process requirements (methods, sampling, reporting, etc.) included |
| Clause 8 coverage | Management system requirements (QMS, risk, audit, review) included |
| Frequency | Each clause area audited at least annually |
| Schedule | Audit calendar or quarterly schedule defined |
| Auditor impartiality | Auditors do not audit their own work areas |
| Auditor competence | Auditor qualification and training requirements defined |
| Methodology | Audit techniques specified (checklist, interviews, observation, record review) |
| Follow-up | Close-out process and corrective action linkage defined |
finding_completeness_checker
Validates the audit report template for required finding structure and report elements.
| Check | What It Validates |
|---|---|
| Finding ID | Unique identifier field for each finding |
| Clause reference | ISO 17025 clause reference linked to each finding |
| Finding type | Classification defined (major NC, minor NC, observation, OFI) |
| Description | Finding description or detail field present |
| Objective evidence | Evidence field requiring auditor to document what was observed |
| Auditee response | Field for management or auditee response to findings |
| Corrective action | Corrective action requirement specified for nonconformities |
| Deadline | Target date or completion deadline for each finding |
| Responsible person | Owner or assigned person field present |
| Conclusion | Overall audit conclusion or summary section in the report |
| Audit team | Attendees or audit team list documented |
Getting Started
Activate the ISO 17025 Internal Audit Program skill and describe your laboratory’s current audit experience, team size, and target assessment timeline. The agent will help you design an audit program that fits your organizational structure while meeting all Clause 8.8 requirements.
Have this information ready:
- Who has internal auditor training (or is willing to get trained)
- Your organizational structure — who performs what activities (needed to plan auditor impartiality)
- Target date for your accreditation body assessment (audits must be completed before then)
- Whether you want to conduct all audits at once or spread them across the year
- Any areas of concern where you want deeper audit coverage
- Whether you would consider using an external auditor for areas where internal impartiality is difficult
The internal audit program feeds directly into the management review (Clause 8.9) — audit results are a required input. Audit findings that identify nonconformities trigger the corrective action process (Clause 8.7). Plan to have at least one complete audit cycle finished before your accreditation body assessment so you can demonstrate the full find-fix-verify loop.