Internal Audit & Management Review: The Overlooked Duty
Every management system requires internal audit and management review. What each delivers, why the certification body checks them first, and how they drive improvement.
In short
Internal audit and management review are mandatory in every modern management system standard. In the internal audit, the organization checks itself against its own audit program. In the management review, top management looks at the whole system and makes decisions. The certification body asks for both first, because without self-assessment there is no living management system.
Two requirements appear in every modern management system standard, and they are the ones most often underestimated by small and mid-sized organizations: the internal audit and the management review. They are not a tiresome formality. They are the built-in engine of improvement.
The internal audit
In an internal audit, the organization checks itself, in a planned way, against its own audit program. Independence is essential: no one should audit their own work. In small operations you solve this through peer audits, contracted internal auditors, or a clear separation of roles.
- An audit program defines what is audited, when, and in what depth.
- The findings feed into corrective actions and into the management review.
- The goal is not to tick a box, but to get an honest picture before the external audit.
The management review
In the management review, top management looks at the entire system at planned intervals: Is it working? Is it meeting its objectives? Where does it need to be adjusted? This is the moment when leadership visibly takes ownership.
Typical inputs are audit results, performance indicators, risks and opportunities, feedback from interested parties, changes, and the status of open actions. Typical outputs are decisions on improvements, resources, and objectives.
The internal audit supplies the facts; the management review makes the decisions. Together they keep the PDCA (Plan-Do-Check-Act) cycle turning.
Why the certification body looks here first
In a certification audit, the internal audit and the management review are among the first records requested, often already in Stage 1. The reason is simple: an organization that does not assess and review itself cannot have a living management system. If they are missing, the audit fails before it has really begun.
The most common mistakes
- Running the internal audit pro forma just before the external audit.
- Treating the management review as a minute-taking exercise with no real decisions.
- Documenting findings, but never verifying that the corrective actions were effective.
Frequently asked questions
Do I really have to perform an internal audit and a management review?
Yes. Both are a mandatory part of every common management system standard and must be evidenced in the external audit.
Am I allowed to audit my own team?
Only independently: no one should audit their own work. In small organizations, peer audits or contracted internal auditors help maintain that independence.
Author & expert review: Lars Zimmermann · ISO/IEC 42001 Senior Lead Auditor & ISO/IEC 27001 Lead Auditor (PECB)
Last updated: 26 May 2026. Researched and reviewed to the best of our knowledge; not a substitute for individual legal advice.