FAQ 60

Regarding requirement 8.6.4 of ISO/IEC 17020 (internal audits):

The requirement states that “internal audits must be performed at least annually.” Does this mean that internal audits must be carried out every 12 months, or can we consider it once per calendar year? For example: can an internal audit in March 2023 then a new internal audit in November 2024 be considered compliant with the standard?). It also indicates “The frequency of internal audits can be adjusted according to the effectiveness and demonstrated stability of the management system”. Can we consider that the adjustment is within the period of 12 months/calendar year or beyond this period?

STANDARD: ISO/IEC 17020  ·  CLAUSE: 8.6.4 ·  TOPIC: Performing Internal Audits

Answer:

The ISO/IEC 17020 Standard does not use the word “annually”, rather it uses the phrase “every 12 months”, which is taken literally in this case. If your internal audit was conducted in March 2023, the expectation is that it is conducted again by March 2024.   The same clause also allows you to extend your frequency beyond 12 months, if your QMS is stable. Stable generally means no turnover of key personnel, no ownership changes, no findings in your last few internal and external audits, etc. ILAC P15, clauses 8.6.4 n1/n2 provide examples of when it is or is not appropriate to extend the frequency. It also provides guidance on when the IB should conduct them more frequently. The AB will generally evaluate the frequency vs. the stability during their assessments. If they feel that the frequency is too long (e.g. 5 years) or is not warranted for a variety of reasons, they will identify that and discuss.