# ISO 17025 Internal Audit Program

> Establish and manage an internal audit program per ISO/IEC 17025:2017 Clause 8.8. Produces audit procedure, annual plan with schedule, clause-by-clause checklist, and report template with finding classification. Audit plan validator checks scope coverage and auditor impartiality; finding completeness checker validates report structure and evidence requirements.



Tags: ISO 17025, Internal Audit, Clause 8.8, Audit Program, Quality Audit


## Example Prompts

- Create an internal audit program for our ISO 17025 accredited laboratory
- Build an audit checklist covering all ISO 17025 clause requirements
- Design an audit report template with finding classification for our lab QMS

URL: https://rakenne.app/skills/iso17025-internal-audit/index.md



## Overview

Establish a comprehensive internal audit program per ISO/IEC 17025:2017 Clause 8.8. Internal audits are one of the most critical elements of a laboratory's quality management system — they provide the systematic, independent evaluation that confirms your QMS is effectively implemented and maintained. Accreditation bodies expect to see a mature audit program with evidence of findings, corrective actions, and follow-up.

The skill produces four deliverables: an audit procedure defining scope, frequency, methodology, and follow-up processes; an annual plan with a schedule that ensures every clause area is audited at least once per year; a clause-by-clause checklist organized by ISO 17025 sections 4 through 8 with specific verification criteria; and a standardized report template with finding classification (major nonconformity, minor nonconformity, observation, opportunity for improvement).

A key requirement that many small laboratories struggle with is auditor impartiality — auditors must not audit their own work. For a 12-person lab, this means planning carefully to ensure that the person auditing the metals section isn't someone who performs metals testing. The audit program also needs to define auditor competence requirements, including training in audit techniques and familiarity with ISO 17025.

### What It Covers

- **Audit procedure** — scope, frequency, planning, execution methodology, reporting, and follow-up
- **Annual plan** — schedule covering all clause areas at least annually, with auditor assignments
- **Auditor impartiality** — rules ensuring auditors do not audit their own work area
- **Auditor competence** — training requirements, qualifications, and experience criteria
- **Audit methodology** — document review, interviews, observation of activities, record sampling
- **Clause-by-clause checklist** — verification criteria organized by Clauses 4-8
- **Finding classification** — major NC, minor NC, observation, opportunity for improvement (OFI)
- **Report template** — finding ID, clause reference, type, evidence, auditee response, corrective action, deadline
- **Follow-up and close-out** — verification that corrective actions are implemented and effective

## Example Conversation

> **You:** We need an internal audit program for our lab. LabTech Analytical, environmental testing in Austin. 12 analysts, going for first-time A2LA accreditation. We've never done an internal audit before. Our QM James Park went to a lead auditor course last month so at least we have one trained auditor.
>
> **Agent:** Good that James has the lead auditor training — that's a solid foundation. But there's a complication: as QM, James owns most of the management system processes (document control, CAPA, complaints). He can't audit those areas because he'd be auditing his own work. We need to plan around that. Some questions:
>
> 1. Is anyone else trained or willing to be trained as an internal auditor?
> 2. Would you consider using an external auditor (consultant) for the areas James can't cover?
> 3. What is your target assessment date with A2LA? We need at least one complete audit cycle before then.
>
> **You:** Sarah Chen our lab director could audit the management system stuff since James runs it day to day. She hasn't had formal training though. We're targeting the A2LA assessment in September 2026, so we need to get moving. Could we do the first round of audits in Q2?
>
> **Agent:** Sarah auditing management system areas works for impartiality — she doesn't perform those activities, James does. For auditor competence, she doesn't need full lead auditor certification, but she should complete at least a 1-day internal auditor awareness course. Many are available online.
>
> Here's the annual plan I'm building for 2026:
>
> | Quarter | Clause Area | Auditor | Rationale |
> |---------|------------|---------|-----------|
> | Q2 (Apr) | Clause 8: Management System (QMS, doc control, records, risk, CAPA) | Sarah Chen | James owns these processes, Sarah provides impartiality |
> | Q2 (May) | Clause 6: Resources (personnel, facilities, equipment, traceability) | James Park | James doesn't manage equipment or facilities directly |
> | Q2 (Jun) | Clause 7: Process Requirements (methods, sampling, QC, reporting, complaints, NCW) | James Park | James doesn't perform testing |
> | Q3 (Jul) | Clause 4: General Requirements (impartiality, confidentiality) | James Park | Structural/policy area |
> | Q3 (Jul) | Clause 5: Structural Requirements | James Park | Organizational structure |
>
> This gets the full cycle done before your September assessment.
>
> **You:** That's tight but doable. For the checklist — I don't want it to be just a yes/no checkbox thing. The assessors at our last consulting visit said they want to see we actually looked at objective evidence.
>
> **Agent:** Agreed. I'll design the checklist with three columns per item: the requirement, what objective evidence to examine, and the auditor's finding. For example:
>
> **Clause 6.4 — Equipment:**
> - Requirement: Equipment uniquely identified (6.4.4)
> - Evidence to examine: Check 3 instruments for asset tags matching equipment register
> - Finding: [auditor records what they observed]
>
> This forces the auditor to go beyond "yes they have an equipment list" and actually verify specific items against records.
>
> I've drafted all four documents. Running validation now.
>
> Running `audit_plan_validator`... **PASS**. All clause areas (4-8) covered in scope. Annual frequency confirmed. Schedule with quarterly assignments present. Auditor impartiality addressed — Sarah audits management system, James audits technical/process areas. Auditor competence requirements defined. Methodology includes checklist, interviews, observation, and record review. Follow-up and close-out process linked to CAPA.
>
> Running `finding_completeness_checker`... **PASS**. Report template includes finding IDs, clause references, finding types (major NC, minor NC, observation, OFI), description field, objective evidence field, auditee response, corrective action requirements for NCs, deadlines, responsible persons, audit team/attendees list, and overall conclusion section.

## Sample Output Excerpt

The skill produces an audit procedure, annual plan, clause-by-clause checklist, and report template. Here is an excerpt from the audit checklist showing the verification approach for Clause 7.

---

## Internal Audit Checklist — Clause 7: Process Requirements

**Audit Date:** ___________ | **Auditor:** ___________ | **Auditee(s):** ___________

### 7.2 Selection, Verification and Validation of Methods

| Ref | Requirement | Objective Evidence to Examine | Finding |
|-----|-------------|------------------------------|---------|
| 7.2.1 | Methods appropriate for requested testing activities | Select 2 recent test reports — verify method used matches client request and is within scope | |
| 7.2.1 | Current authorized editions of methods in use | Check 3 SOPs for correct standard edition references; compare against NIST/EPA website | |
| 7.2.2 | Methods validated before introduction | Review validation records for most recently introduced method — verify acceptance criteria met | |

### 7.7 Ensuring the Validity of Results

| Ref | Requirement | Objective Evidence to Examine | Finding |
|-----|-------------|------------------------------|---------|
| 7.7.1 | Monitoring procedure for validity of results | Examine QC SOP — verify acceptance criteria defined for blanks, LCS, CCV, duplicates | |
| 7.7.1 | QC data monitored and evaluated | Pull last month of QC charts for metals — check for trends, outliers, corrective actions taken | |
| 7.7.1 | Predetermined criteria for acceptance | Verify method-specific QC limits documented (e.g., LCS recovery 80-120%, RPD <20%) | |
| 7.7.2 | Proficiency testing participation | Verify PT schedule, examine most recent PT results, confirm corrective actions for any unsatisfactory results | |

### 7.8 Reporting of Results

| Ref | Requirement | Objective Evidence to Examine | Finding |
|-----|-------------|------------------------------|---------|
| 7.8.2 | Reports contain all required information | Review 3 recent test reports against Clause 7.8.2 checklist (date, lab ID, method, results, uncertainty where required) | |
| 7.8.6 | Amendments to reports clearly identified | If any amended reports issued in past year, verify original is marked superseded and amendment reason documented | |

### Finding Classification Guide

| Type | Definition | Action Required |
|------|-----------|-----------------|
| **Major NC** | Absence or complete breakdown of a system to meet a requirement | Corrective action required within 30 days; root cause analysis mandatory |
| **Minor NC** | Single observed lapse or partial implementation of a requirement | Corrective action required within 60 days |
| **Observation** | Situation that could lead to a nonconformity if not addressed | Recommended action; tracked but no formal CAPA required |
| **OFI** | Opportunity for improvement beyond compliance | Optional; documented for management review consideration |


## Extension Tools

### `audit_plan_validator`

Validates the internal audit plan for scope coverage, frequency, and auditor assignment.

| Check | What It Validates |
|-------|-------------------|
| **Clause 4 coverage** | General requirements (impartiality, confidentiality) included in audit scope |
| **Clause 5 coverage** | Structural requirements included in audit scope |
| **Clause 6 coverage** | Resource requirements (personnel, equipment, facilities) included |
| **Clause 7 coverage** | Process requirements (methods, sampling, reporting, etc.) included |
| **Clause 8 coverage** | Management system requirements (QMS, risk, audit, review) included |
| **Frequency** | Each clause area audited at least annually |
| **Schedule** | Audit calendar or quarterly schedule defined |
| **Auditor impartiality** | Auditors do not audit their own work areas |
| **Auditor competence** | Auditor qualification and training requirements defined |
| **Methodology** | Audit techniques specified (checklist, interviews, observation, record review) |
| **Follow-up** | Close-out process and corrective action linkage defined |

### `finding_completeness_checker`

Validates the audit report template for required finding structure and report elements.

| Check | What It Validates |
|-------|-------------------|
| **Finding ID** | Unique identifier field for each finding |
| **Clause reference** | ISO 17025 clause reference linked to each finding |
| **Finding type** | Classification defined (major NC, minor NC, observation, OFI) |
| **Description** | Finding description or detail field present |
| **Objective evidence** | Evidence field requiring auditor to document what was observed |
| **Auditee response** | Field for management or auditee response to findings |
| **Corrective action** | Corrective action requirement specified for nonconformities |
| **Deadline** | Target date or completion deadline for each finding |
| **Responsible person** | Owner or assigned person field present |
| **Conclusion** | Overall audit conclusion or summary section in the report |
| **Audit team** | Attendees or audit team list documented |

## Getting Started

Activate the *ISO 17025 Internal Audit Program* skill and describe your laboratory's current audit experience, team size, and target assessment timeline. The agent will help you design an audit program that fits your organizational structure while meeting all Clause 8.8 requirements.

Have this information ready:
- Who has internal auditor training (or is willing to get trained)
- Your organizational structure — who performs what activities (needed to plan auditor impartiality)
- Target date for your accreditation body assessment (audits must be completed before then)
- Whether you want to conduct all audits at once or spread them across the year
- Any areas of concern where you want deeper audit coverage
- Whether you would consider using an external auditor for areas where internal impartiality is difficult

The internal audit program feeds directly into the management review (Clause 8.9) — audit results are a required input. Audit findings that identify nonconformities trigger the corrective action process (Clause 8.7). Plan to have at least one complete audit cycle finished before your accreditation body assessment so you can demonstrate the full find-fix-verify loop.



