Clause 9.2.2 then specifies what the audit programme must account for. Four inputs are mandatory:<\/p>\n\n\n\n
Clause 9.2.2(a) requires the programme to be planned, established, implemented, and maintained \u2014 with “maintained” implying documented programme management against performance inputs, not annual date renewal.<\/p>\n\n\n\n
Clause 9.2.2(b) requires the programme to consider “the importance of the processes concerned.” This is the risk-calibration requirement. A programme that audits document control and production at the same frequency, regardless of nonconformity history or product risk, does not satisfy it. The CB question this clause generates is direct: why is this process audited at this interval? The answer must reference process-specific data.<\/p>\n\n\n\n
Clause 9.2.2(d) requires the programme to consider “the results of previous audits.” This creates a mandatory feedback loop. If a process produced three minor nonconformities in the previous cycle, the current programme should show increased frequency or scope focus for that process. If it doesn’t, the feedback loop the clause requires does not exist.<\/p>\n\n\n\n
These requirements are not new. They have been in ISO 9001 since the 2015 edition. The gap is not in the standard \u2014 it’s in enforcement.<\/p>\n\n\n\n
Clause references reflect mapped standard requirements confirmed via certification body guidance. Verify against the current edition before audit use.<\/em><\/p>\n\n\n\n The structural failure has three root causes.<\/p>\n\n\n\n First, path dependency from initial certification. The audit programme designed for Stage 1 and Stage 2 \u2014 typically a uniform annual rotation covering all processes \u2014 becomes the permanent programme. It worked for certification. Nobody revisits it. The schedule is copied forward year after year with updated dates and no other changes.<\/p>\n\n\n\n Second, certification body acceptance patterns. No IAF mandatory document, CB guidance publication, or ISO Auditing Practices Group document defines what evidence constitutes a valid risk-based frequency determination under Clause 9.2.2(b). IAF MD 11:2023 governs CB audit duration calculations \u2014 it does not address internal audit<\/a> programme frequency logic. ISO 19011:2018 Clause 5.4 requires a risk-based approach to audit programme management but provides no minimum evidence threshold for frequency adequacy. Without a prescriptive benchmark, CBs accept a written procedure that cites Clause 9.2.2(b) as conformity evidence. The procedure exists. Whether the logic was applied is not verified.<\/p>\n\n\n\n This is not a CB failure \u2014 it’s a structural gap in the normative framework. Auditors assess against requirements. Where the requirement says “take into account the importance of the processes” but no guidance defines what taking it into account looks like in evidence terms, a documented procedure is a defensible conformity finding.<\/p>\n\n\n\n Third, the absence of programme review culture. Clause 9.2.2(a) requires the programme to be maintained. Most organisations interpret “maintained” as “dates updated.” A genuine programme review would cross-reference the next cycle’s schedule against corrective action volumes by process, customer complaint trends, supplier nonconformity data, management review outputs, and any changes to the organisation’s risk profile. That review almost never happens. The data exists in the management system. The connection to the audit programme does not.<\/p>\n\n\n\n The audit pattern is consistent across sources, though no IAF or CB statistical report quantifying nonconformity frequency at Clause 9.2.2 was identified during research.<\/p>\n\n\n\n Programmes show identical audit scope year-on-year with no documented frequency rationale. Audit scheduling runs independently of process KPI data, corrective action volumes, or customer complaint trends. Audit reports restate clause text rather than presenting process performance evidence \u2014 “the organisation has a procedure for X” rather than “the procedure for X was effective at preventing Y in the assessed period.” Corrective action records and internal audit planning operate in separate systems with no cross-reference.<\/p>\n\n\n\n The most telling indicator is the absence of per-audit objectives. Audit programmes define scope and criteria \u2014 which process, against which clause \u2014 but not what the audit is designed to determine. Without an objective, the audit cannot produce a directed finding. It confirms clause presence. It does not evaluate process effectiveness. The audit function becomes a compliance event, not a performance intelligence tool.<\/p>\n\n\n\n Ideagen’s 2025 analysis of internal audit programme failures identifies inconsistent data collection across sites and reactive compliance-checking \u2014 rather than proactive quality intelligence \u2014 as the dominant failure pattern in pre-transition programmes.<\/p>\n\n\n\n The draft international standard, published August 2025, adds an explicit requirement at Clause 9.2.2 for defined objectives per audit. Under the current 2015 edition, the programme must define scope and criteria. Under the DIS, it must also define what each audit is specifically designed to determine.<\/p>\n\n\n\n T\u00dcV Austria Hellas confirmed in November 2025 that internal audit quality is a key change driver in the DIS, identifying the need for organisations to confirm audit objectives and review criteria to meet the new requirements. Quality Austria flagged the defined-objectives addition immediately upon DIS publication in August 2025.<\/p>\n\n\n\n None of this is conceptually new. ISO 19011:2018 Clause 5.4 already describes audit programme objectives as a foundational element. What the DIS does is convert a guideline-level expectation into a normative requirement within ISO 9001 itself \u2014 creating an evidence test that CB auditors must assess during transition audits.<\/p>\n\n\n\n The practical consequence is significant. An organisation running a fixed-rotation programme where every audit carries the same implicit objective \u2014 “verify conformance to Clause X” \u2014 now has a documentable gap. Identical objectives across all audits are evidence that the programme is not differentiated by process risk. The defined-objectives requirement becomes a probe for frequency logic adequacy: if objectives don’t vary, the programme wasn’t built from process performance data.<\/p>\n\n\n\n ISO DIS 9001:2025 content reflects the draft international standard published August 2025. Requirements may change before final publication.<\/em><\/p>\n\n\n\n The persistence of fixed-rotation programmes is not primarily an organisational failure. It’s a normative framework gap.<\/p>\n\n\n\n ISO 9001:2015 Clause 9.2.2(b) requires frequency to reflect process importance. It does not define how. ISO 19011:2018 Clause 5.4 provides a risk-based programme management framework. It does not define what evidence threshold separates a defensible frequency from a default one. No IAF mandatory document addresses internal audit programme frequency methodology. No major CB \u2014 BSI, LRQA, SGS, T\u00dcV, Bureau Veritas \u2014 has published guidance defining what data inputs, scoring methodology, or evidence standard constitute an adequate risk-based frequency determination.<\/p>\n\n\n\n The result is a structural enforcement vacuum. A quality manager presenting a procedure that references Clause 9.2.2(b) satisfies most CB audit teams. No risk score, frequency matrix, or performance data record is required. The clause is technically assessed. The intent behind it \u2014 that high-risk processes receive more audit attention than low-risk ones \u2014 is not verified.<\/p>\n\n\n\n ISO DIS 9001:2025’s defined-objectives requirement partially addresses this gap by creating a per-audit evidence test. But the underlying methodology gap remains: even after the revision, no normative document will define what a risk-based internal audit programme must contain. Organisations that want a defensible programme will need to build the methodology themselves.<\/p>\n\n\n\n The conversion is not a documentation exercise. It requires rebuilding the frequency logic from process performance data.<\/p>\n\n\n\n Map every process in the audit programme against three data streams: corrective action volume and severity over the previous two cycles, process KPI trends (scrap rates, customer complaints, delivery failures, incident rates \u2014 whatever the process measures), and changes to the process since the last audit (new equipment, personnel changes, scope expansion, supplier changes). Score each process on a simple scale \u2014 high, medium, low. The scoring methodology matters less than the fact that it exists and is documented.<\/p>\n\n\n\n High-risk processes get audited more frequently \u2014 twice per year or quarterly, depending on severity. Medium-risk processes maintain annual frequency. Low-risk processes extend to 18-month or two-year intervals, provided no triggers (nonconformities, complaints, changes) activate an earlier audit. Document the frequency rationale per process. The rationale is the evidence Clause 9.2.2(b) requires.<\/p>\n\n\n\n For each scheduled audit, document a specific objective beyond “verify conformance.” Objectives should be performance questions: “Determine whether the revised supplier evaluation process has reduced incoming inspection reject rates since Q2 implementation.” “Evaluate whether corrective actions from the March audit have prevented recurrence of the packaging nonconformity pattern.” “Assess whether the new production line’s process controls are producing output within specification at the volumes planned.” The point is that someone reading the objective knows exactly what the auditor was sent to evaluate. Each objective is unique to the process context and the current risk profile. Identical objectives across audits are a programme design failure.<\/p>\n\n\n\n After each audit cycle, cross-reference results against the risk profile. Processes where audits identified nonconformities or where objectives were not met escalate in frequency or scope for the next cycle. Processes with clean results and stable KPIs may reduce frequency. Document the programme review decision \u2014 this is the evidence trail for Clause 9.2.2(d) and the “maintained” requirement in Clause 9.2.2(a). Present the programme review output at management review under Clause 9.3.<\/p>\n\n\n\n Before the transition audit, review the programme against the ISO DIS 9001:2025 defined-objectives requirement. Can each scheduled audit in the current cycle show a documented, differentiated objective? Does the objective connect to process performance data or risk profile? If the answer is no for any audit, the programme has a gap<\/a> the transition auditor will find.<\/p>\n\n\n\n The final edition of the revised standard is expected in 2026. The transition period will follow IAF standard practice \u2014 typically three years from publication, though the exact timeline will be confirmed by IAF resolution after final publication. Organisations preparing for the ISO 9001 Clause 4 transition<\/a> should recognise that Clause 9.2 carries comparable transition exposure.<\/p>\n\n\n\n There is no reason to wait. The current 2015 edition already requires risk-based frequency and feedback-loop integration at Clause 9.2.2. Rebuilding the programme now satisfies the existing requirement more defensibly and eliminates the structural gap before the transition auditor arrives.<\/p>\n\n\n\n The risk is not that the revision introduces something organisations haven’t seen. The risk is that it creates an evidence test for something they’ve been failing to do since 2015 \u2014 and their current programme structure cannot produce the evidence the test requires.<\/p>\n\n\n\n A fixed-rotation internal audit programme with no per-audit objectives is not a risk-based programme under ISO 9001:2015 Clause 9.2.2 \u2014 it’s a scheduling exercise that CBs have accepted in the absence of an enforcement benchmark. ISO DIS 9001:2025 supplies that benchmark by requiring defined objectives per audit. Organisations that rebuild frequency logic from process performance data and document differentiated objectives now will satisfy both the 2015 requirement as intended and the incoming revision. Those that add an “objectives” field to an unchanged annual template will find the transition auditor asking the question their programme was never designed to answer. What was this audit trying to determine \u2014 and why was this process audited at this frequency?<\/p>\n\n\n\n Clause mapping reflects common audit practice. Verify with your certification body for specific expectations.<\/em><\/p>\n\n\n\n AEC International provides ISO certification, training, and consultancy services at the intersection of quality management, audit programme design, and management system performance. We support organisations across industries in achieving and maintaining ISO certification \u2014 from gap analysis and implementation through audit preparation and continual improvement.<\/p>\n\n\n\n![\"ISO](\"https:\/\/aec.llc\/blog\/wp-content\/uploads\/2026\/04\/ChatGPT-Image-Apr-3-2026-02_31_34-PM-1024x683.png\")
<\/figure>\n\n\n\nWhy Fixed-Rotation Schedules Persist<\/h2>\n\n\n\n
![\"Process](\"https:\/\/aec.llc\/blog\/wp-content\/uploads\/2026\/04\/ChatGPT-Image-Apr-3-2026-02_31_32-PM-1024x683.png\")
<\/figure>\n\n\n\nWhat Auditors Actually Find<\/h2>\n\n\n\n
What ISO DIS 9001:2025 Changes<\/h2>\n\n\n\n
![\"Fixed-rotation](\"https:\/\/aec.llc\/blog\/wp-content\/uploads\/2026\/04\/ChatGPT-Image-Apr-3-2026-02_31_29-PM-1024x683.png\")
<\/figure>\n\n\n\nThe Coverage Gap That Created This Problem<\/h2>\n\n\n\n
Converting a Fixed-Rotation Audit Programme to Risk-Based Design<\/h2>\n\n\n\n
Build the Process Risk Profile<\/h3>\n\n\n\n
Calibrate Frequency to Risk<\/h3>\n\n\n\n
Define Per-Audit Objectives<\/h3>\n\n\n\n
Build the Feedback Loop<\/h3>\n\n\n\n
Test Against the DIS Requirement<\/h3>\n\n\n\n
![\"risk-based](\"https:\/\/aec.llc\/blog\/wp-content\/uploads\/2026\/04\/ChatGPT-Image-Apr-3-2026-02_31_23-PM-1024x683.png\")
<\/figure>\n\n\n\nWhat This Means for the Transition<\/h2>\n\n\n\n
Key Takeaway<\/h2>\n\n\n\n
\n\n\n\nAbout AEC International<\/h2>\n\n\n\n