Why Your Checklist Is Either Helping or Hurting You
An internal audit checklist is one of those tools that can either sharpen your audit or quietly undermine it. A well-built checklist keeps you focused, ensures you cover the right ground, and gives you a consistent record of what you examined. A poorly built one turns you into a box-ticker who walks away from the audit having confirmed that documents exist but having no real idea whether the system is working.
If you have ever finished an internal audit and felt like you missed something important, or if your auditees seem to treat the process as a paperwork exercise, the checklist is often where the problem starts. This article walks you through how to build an internal audit checklist that is genuinely useful, whether you are auditing against ISO 9001, ISO 14001, ISO 45001, or any combination of the three.
What a Checklist Is Actually For
Before you build one, you need to be clear on what a checklist is supposed to do. It is not a script. It is not a complete list of everything you must ask. It is a planning tool that helps you prepare your lines of inquiry, organise your time, and record your findings as you go.
A checklist gives you a starting point for each area of the audit. From there, you follow the evidence. If a question on your checklist leads you somewhere unexpected, you pursue it. That is auditing. If you ignore what you find because it is not on the list, you are not auditing. You are just ticking boxes.
This distinction matters because the most valuable findings in an internal audit often come from following a thread that was not on the original checklist. Your checklist should create the conditions for that kind of inquiry, not prevent it. For a deeper look at this balance, see our article on how to use an audit checklist without becoming checklist dependent.
Step One: Start With the Audit Scope and Objectives
Every checklist should be built for a specific audit, not recycled from a generic template without thought. Before you write a single question, you need to know what you are auditing and why.
Define the scope
The scope tells you which processes, departments, sites, or clauses are included in this particular audit. A checklist for an audit of the purchasing process will look very different from one covering the entire quality management system. If you are running a targeted audit of a high-risk process, your checklist should go deeper into that area and leave out what is not relevant.
Clarify the objectives
The objectives tell you what you are trying to find out. Are you checking conformance to a specific clause? Are you following up on a previous nonconformity? Are you assessing whether a recently changed process is working as intended? Your objectives shape the questions you ask. An audit designed to verify corrective action effectiveness needs different questions from one designed to assess system-wide conformance.
If you are not sure how to set clear audit objectives, our article on how to write audit objectives that actually focus your audit covers this in detail.
Step Two: Identify the Audit Criteria
Your audit criteria are the requirements against which you will assess conformance. For an internal audit, this typically includes the relevant clauses of the ISO standard, the organisation's own documented procedures and policies, and any legal or contractual requirements that apply to the scope.
List the specific clauses you intend to cover. For each clause, note what the standard actually requires. Do not rely on memory. Go back to the standard and read the requirements carefully. This is especially important if you are auditing against a standard you do not work with every day, or if a standard has recently been revised.
For ISO 9001, for example, if you are auditing the internal audit process itself, the relevant clause is 9.2. That clause requires the organisation to plan, establish, implement, and maintain an audit programme, to define the criteria and scope of each audit, to select auditors who ensure objectivity and impartiality, and to report results to relevant management. Each of those requirements can become a line of inquiry on your checklist.
Step Three: Structure Your Checklist Around Processes, Not Just Clauses
One of the most common mistakes in checklist design is organising everything by clause number. Clause-based checklists can work, but they tend to produce fragmented audits that jump between topics without following the natural flow of work. A process-based structure is usually more effective.
Instead of working through Clause 7.1, then 7.2, then 7.3, think about the process you are auditing. If you are auditing the production process, structure your checklist around how work actually flows: from receiving an order, through planning and scheduling, into production, quality checks, and final release. As you follow that process, you will naturally encounter the requirements from multiple clauses.
This approach produces richer evidence and a more coherent audit narrative. It also tends to engage auditees more effectively because you are talking about their work, not abstract clause requirements.
Step Four: Write Questions That Prompt Evidence, Not Yes or No Answers
The quality of your checklist questions determines the quality of your audit. Weak questions produce weak evidence. Strong questions open up lines of inquiry that lead you to real findings.
Avoid closed questions as your primary tool
A question like “Do you have a documented procedure for this process?” will get you a yes or no. Even if the answer is yes, you have not learned whether the procedure is current, whether people follow it, or whether it actually reflects how work is done. That question is not worth much on its own.
Build in prompts for evidence
Better checklist entries look like this:
- Ask to see the current version of the procedure and check the review date
- Ask the operator to walk you through how they actually perform the task
- Compare what they describe with what the procedure says
- Check training records for the people performing this activity
- Look for records that show the procedure was followed on recent jobs
These prompts remind you to gather multiple types of evidence: documents, records, interviews, and observation. That triangulation is what makes an audit finding credible.
Include process-specific questions
Generic checklists miss the things that matter most in a specific context. If you are auditing a construction company's quality system, your checklist should include questions about inspection and test plans, hold points, lot records, and subcontractor management. If you are auditing a service business, those questions are irrelevant, but questions about customer communication, complaint handling, and service delivery records are not.
Take time to understand the process before you build the checklist. Talk to the process owner. Review previous audit reports. Look at any nonconformities or complaints that have been raised against this area. That background knowledge is what allows you to ask the right questions.
Step Five: Include a Column for Evidence and Findings
A checklist that only lists questions is half-finished. You also need space to record what you found. At a minimum, your checklist should include columns or fields for:
- The question or line of inquiry
- The evidence examined (document reference, record number, person interviewed)
- The finding: conforming, nonconformity, observation, or opportunity for improvement
- Any notes that will support the audit report
Recording evidence as you go is not just good practice. It is essential for producing a credible audit report and for defending your findings if they are challenged. If you raise a nonconformity and cannot point to specific evidence, the finding will not hold up.
Keep your notes factual and specific. “Procedure WI-04 version 2.1 was observed in use at the workstation, however the current approved version is 3.0 dated 15 March 2025” is useful. “Outdated document in use” is not.
Step Six: Calibrate the Depth of Coverage to the Risk Level
Not every area of the system deserves equal attention on your checklist. Risk-based audit planning means you go deeper into areas where the consequences of failure are higher, where previous audits have found problems, or where recent changes have been made.
A process that has generated multiple customer complaints in the past year warrants more detailed questions than a stable process that has been running without issues for several years. A procedure that was recently rewritten deserves more scrutiny than one that has been unchanged and consistently followed.
Build this risk weighting into your checklist by allocating more questions and more evidence-gathering prompts to higher-risk areas. You do not need to be scientific about it. A practical judgement based on your knowledge of the organisation and its history is enough.
Step Seven: Review and Refine Before the Audit
Once you have drafted your checklist, review it before the audit. Ask yourself:
- Does this checklist cover the full scope and all the relevant audit criteria?
- Are my questions specific enough to generate useful evidence?
- Have I built in enough space to record what I find?
- Is the structure logical and easy to follow during the audit?
- Have I allowed enough time to cover everything without rushing?
If you are working with a co-auditor or an audit team, share the checklist in advance. Make sure everyone understands what they are responsible for and how findings should be recorded consistently.
It is also worth reviewing previous audit reports and any open corrective actions for the areas you are about to audit. This gives you context and helps you identify whether previous findings have been properly addressed.
Common Mistakes to Avoid
Across hundreds of internal and external audits, a few checklist mistakes come up repeatedly.
Copying a template without adapting it
Generic templates are useful as a starting point, but they are not a substitute for thinking. A checklist downloaded from the internet will not reflect your organisation's specific processes, risks, or history. Always adapt any template to the actual scope and context of the audit.
Making the checklist too long
A checklist with 150 questions for a half-day audit is not thorough. It is unrealistic. You will either rush through everything superficially or run out of time before you finish. Be selective. Cover the important areas well rather than covering everything poorly.
Treating the checklist as a script
If you read questions directly from your checklist in sequence without listening to the answers or following up on what you hear, you are not auditing. The checklist is a guide. The audit is a conversation. Let the evidence lead you.
Failing to update checklists after the audit
After each audit, note what worked and what did not. Were there important areas the checklist missed? Were some questions redundant? Did you find anything that should be added for next time? A checklist that improves after each use becomes a genuine organisational asset.
Building Checklists for Integrated Audits
If your organisation is certified to more than one standard, or if you are running an integrated audit covering ISO 9001, ISO 14001, and ISO 45001 together, your checklist needs to reflect that. The High Level Structure shared by all three standards means there is significant overlap in areas like context, leadership, planning, support, and improvement.
For an integrated checklist, structure your questions around the shared elements first, then add standard-specific sections for the areas that differ. For example, questions about competence and training records can be asked once and applied across all three standards. Questions about environmental aspects and impacts, or hazard identification and risk assessment, are specific to ISO 14001 and ISO 45001 respectively.
This approach saves time and reduces audit fatigue for both the auditor and the auditees.
Using Your Checklist After the Audit
Your completed checklist is a working paper. It forms part of the audit record and should be retained in line with your documented information requirements. It provides the evidence trail that supports your audit report and any nonconformity reports you raise.
If a finding is later challenged, your checklist notes are what you refer back to. This is why the quality of your in-audit recording matters as much as the quality of your questions. A checklist that was thorough in planning but poorly completed during the audit is only half as useful as it could be.
For guidance on turning your checklist findings into a clear and useful report, see our article on audit report writing and how to communicate findings clearly.
Getting the Skills to Build Better Checklists
Building an effective internal audit checklist is a skill that develops with practice and proper training. Understanding how to interpret standard requirements, how to design process-based lines of inquiry, and how to record evidence properly are all things that a structured internal auditor course will cover in practical terms.
At Audit Workshop, our internal auditor training courses for ISO 9001, ISO 14001, and ISO 45001 are built around practical auditing skills, including how to plan and prepare for an audit, how to design effective checklists, how to gather and evaluate evidence, and how to report findings clearly. The training is delivered by a practising lead auditor with over 500 external certification audits behind him, so the content reflects what actually happens in audits, not just what the theory says should happen.
If you are serious about building your auditing capability, whether you are new to the role or looking to sharpen existing skills, visit auditworkshop.com to explore available courses.








