When certifying management systems such as ISO 9001, you will be confronted with the terms internal audit and external audit. But what are these actually? Who may carry out an internal audit? When is an external audit necessary? And what do you have to do to carry out internal audits yourself?


Internal and external audits are used to check the extent to which a company meets the requirements of a management system. There are three aspects to this:

The formal aspect: Have the requirements of the standard, for example the ISO standard, actually been implemented? Has the company, for instance, set up structures to increase customer orientation, and has it improved that orientation through continuous improvement?

The strategic aspect: Is the overall system set up so that the company can better achieve its strategic goals? Have strategic goals been defined within the company? Have structural requirements been derived from these goals?

The acceptance aspect: Is the system accepted and used in the company? From this point of view it is examined, for example, to what extent employees have access to the directory of all internal processes and to what extent the effectiveness of these processes is regularly reviewed. What good is it if all processes have been documented but the folder is gathering dust in a cupboard?


During an internal audit, the responsible persons within a company or organization check to what extent the requirements of a management system or standard are fulfilled. In contrast to an external audit, no externally appointed auditors are involved.

Those responsible for carrying out an internal audit must be authorized to do so. They undergo several stages of training and demonstrate their competence by passing final tests. See also the first of the four steps of a DICIS certification: training.

Learn more about the DICIS certification


In an external audit, an independent external body examines the extent to which the management system of a company or organization conforms to the standard. It checks the extent to which the requirements of a specific standard (e.g. ISO 9001:2015, ISO 14001, ISO 27001) or of other management systems are met.

An external audit is significantly more expensive than an internal one. This is one reason why many companies do not have themselves certified according to ISO standards, although doing so would bring them considerable advantages.

DICIS (Digital Institute for Certification of International Norms) offers an alternative: a digitally supported internal audit in which clear and transparent algorithms act as a neutral digital control authority. This makes the classic external audit superfluous.


Management systems like ISO 9001 were developed in an analog world. In that world, internal audits were susceptible to manipulation because documents could be changed or swapped at any time. Nor was it possible to check, for example on the basis of data, how much acceptance a management system actually found within a company. As a result, internal audits did not enjoy the same trust among customers and contract partners as external ones.

Digitalization is changing that.

  • The requirements of the standards are mapped onto digital audit assistants, and those responsible follow clearly defined paths.

  • The requirements for internal audits are transparent and open; manipulation of and deviation from them are not possible.

  • Digitally supported internal audits can be carried out much more frequently and flexibly. Companies that have to adapt quickly to their markets, or that work with customers more often on a project basis, can certify parts of their activities with a digitally supported audit.

In a digitally supported audit, algorithms take over some of the functions of an external audit. More about the procedure and the digital DICIS approach can be found in our article on the four steps of certification.

Learn more about the digital certification by DICIS here