Miriam Boudreaux


Gap Analysis vs. Internal Audit vs. Pre-Assessment

What’s the difference?

Published: Thursday, September 2, 2010 - 06:00

If you have ever wondered what the difference was between a gap analysis, an internal audit, or a pre-assessment, you might not be alone. When trying to figure out whether your company meets the requirements of a standard, such as one from the International Organization for Standardization (ISO), chances are you are trying to decide which one of these activities is best for you. Let me explain the difference and give you a clear idea of the goal for each one.

Gap analysis

A gap analysis is mainly a determination of the degree of conformance of your organization to the requirements of a specification or standard. A gap analysis is mainly a document review or a “show me the evidence” activity, evidence which usually will come in the form of a record or document. During a gap analysis, only very minor auditing is done; rather, key process owners or project stakeholders provide evidence that they have met the requirements set forth in the specification or standard.

Gap analysis is often conducted at the beginning of an organization’s journey seeking compliance to a chosen specification or standard. However, it may also be conducted after some development of processes for achieving compliance has taken place. The main reason why gap analysis is conducted at the beginning of the development phase or after some development has occurred is because the organization wants to know where it stands in regard to meeting the standard, and it wants to know specifically what it must do to close the gaps. Basically the organization wants to know where the holes are—whether few or many—and what it needs to do to close those holes and get closer to fully meeting the requirements.

This leads us into the reporting aspect of gap analysis. A good gap analysis report usually presents a clear summary of where the major gaps exist between the company’s documentation and the chosen requirements. It should also show a detailed account of each requirement and the degree of compliance, with corresponding actions that should be taken to close these gaps. Here lies a major difference between an audit report, for example, and a gap analysis report: The gap analysis report has some inherent advice to it, which makes it suitable to be accomplished by consultants or experts in the chosen specification or standards. A gap analysis will seldom be performed by a registrar or company providing certification because they are not allowed to provide the advice, due to an inherent conflict of interest.  

Internal audit

An internal audit is an activity that also seeks to determine the degree to which your organization conforms to the requirements of a specification or standard or to your own organizational requirements. This audit is performed in more than one dimension, through review of documentation evidence and also by questioning employees.

An internal audit is usually conducted after development of processes (e.g., a quality management system) has been completed and some implementation has occurred. The reason is that internal auditors will be questioning individuals to assess their knowledge of the system. If implementation is not underway, it may be hard to prove that employees are actually using the system and are knowledgeable of their roles in meeting the specification or standard or of the organization’s own requirements.

Internal audit reports usually present the lead internal auditor’s summary on the overall impression of the organization’s degree of conformance and a list of findings. Good reports include not just nonconformities, but also observations, noteworthy efforts, and even opportunities for improvement. I always like to point out at least one noteworthy effort to my clients because it gives the report a positive note. I also believe that if there are no specific efforts to praise, the organization should at least be lauded for committing the resources and time to meet the requirements of the specification or standard. There is not much advice in an internal audit report; however, “opportunities for improvement” and observations, when presented correctly, should give the organization enough fuel for action and follow up.

The last issue about internal audits is who conducts them. As the word “internal” says, internal audits should be conducted by internal employees, although this is easier said than done. In large organizations the task is easier because there are departments whose sole function is to perform audits throughout the business units and locations. However, in small organizations, this is a real problem. First, we are dealing with the issue of independence. If you have one auditor who audits the whole facility, who audits his area?  If the same auditor also audits his area, then you will not be able to prove that the audit is unbiased.

The other big question is how effective are your audits? Internal auditors who only perform audits once or twice a year do not truly have a chance to polish their auditing skills, and therefore you may not be getting good value from your audits. That’s when hiring an independent consultant sometimes works in your favor: They are independent, bring a lot of expertise from other organizations, and have excellent up-to-date auditing skills. However, if you decide to have your employees perform your audits, make sure you keep them current in auditing techniques by providing continuing education on auditing at least once a year.


Pre-assessment

A pre-assessment is usually the ante to an external, registrar, or certification audit. If you want a pre-assessment of your organization, chances are your system has been conforming to the chosen specification or standard for at least three months, you have conducted a full internal audit of your organization, and all the findings reported in the internal audit report have been remedied and are closed. You are basically ready but want to have a last look before you bring the big boys in.

A pre-assessment is therefore a rehearsal of an external audit, and consequently there is plenty of document review as well as actual questioning of employees. As with the internal audit, the pre-assessment’s objective is to seek the degree of conformance of your system to the chosen specification or standard. It can also be your green light to go for the certification audit, or maybe a yellow light if some fine tuning is necessary. The pre-assessment report will not give advice but should show if there are any nonconformities and allow the organization to close those out prior to the certification audit. The better you are prepared for a certification audit, the more you increase your chances of obtaining certification or being recommended for certification on the day of your external audit. 

Pre-assessments can be conducted by consultants, registrars, or competent individuals who are experts in the certifications or standards chosen by your organization.

So which one do you really need?

Hopefully by now you are more clear on the difference between these three important activities in your continual improvement journey. Depending on the size of your company, you may need all three, although I usually recommend a gap analysis to define the starting point and a thorough internal audit because that’s a “must do” anyway. Your organization may not need a pre-assessment or benefit from one. Most registrars or certification bodies have implemented a Stage 1 and Stage 2 audit, which seeks to give organizations an opportunity to determine their readiness. But this is a topic for another article.

Remember that the quality of these compliance activities is only as good as the quality of people performing the activities. Whether you choose all three or just the internal audit, make sure they are performed by highly competent individuals. Only with expertise on hand and excellent reports will you get closer to world-class quality.


About The Author

Miriam Boudreaux

Miriam Boudreaux is the CEO and founder of Mireaux Management Solutions, a technology and consulting firm headquartered in Houston, Texas. Mireaux’s products and services encompass international standards ISO and API consulting, training, auditing, document control and implementation of Web QMS software platform. Mireaux’s 6,500 square foot headquarters, located in the northwest area of Houston, houses their main offices as well as their state-of-the-art training center. Mireaux itself is certified to ISO 9001:2015 and ISO 27001:2013. To get in touch with Miriam Boudreaux, please contact her at info@mireauxms.com.


Thank you Miriam! Such a timely comparative analysis; it's helped me greatly. I was wondering exactly what my best approach should be for our transition to AS9100:2009 and, after reading your article, I now understand our first step should definitely be a gap analysis - even though my manager thinks an internal audit is all we need. But, you've helped me understand the gap analysis will make us aware of the processes that need to be developed to meet the new AS9100:2009 requirements and then audit after those processes are implemented. Thanks again! You might think about posting your article on LinkedIn.