Yes, as long as internal auditors keep their independence by not auditing their own work, and as long as they comply with company requirements for competent internal auditors.
2) Does an internal auditor have to be certified? We would use our staff.
An internal auditor must be competent to perform internal audits. Companies have the authority to determine what should be their requirements for competency. Normally, they are about knowing the standard and about knowing good audit practices and some previous experience.
3) Is a surveillance audit required for years 1 and 2?
Yes, certification body will perform a surveillance audit for years 1 and 2.
> Are the surveillance audits a new requirement of the ISO 9001:2015 standard?
> What happens if we don’t do the surveillance audits and just do the renewal on year 3?
Surveillance audits are not a requirement of ISO 9001:2015. Surveillance audits are a requirement from your contract with the certification body. Certification is not an ISO 9001:2015 requirement. Certification is a management decision. Many organizations use ISO 9001 as help to implement a management system without performing the extra step of certification.
ISO 9001 only mentions internal audits.
Certification bodies cannot propose a contract that does not include surveillance audits because that would go against their accreditation procedures.