ISO 14001 Internal Audit Requirements and Checklist

Team @ Audit Workshop


Why ISO 14001 Internal Audits Matter More Than Most People Think

An ISO 14001 internal audit is not a box-ticking exercise before your certification body shows up. It is the mechanism your organisation uses to find out whether your Environmental Management System is actually working, not just whether your documents are in order. Done well, it surfaces real problems early. Done poorly, it gives management false confidence and leaves your certification exposed.

ISO 14001 internal audit requirements sit in Clause 9.2 of the standard. But to audit an EMS properly, you need to understand what the standard expects across every clause, from the environmental aspects register in Clause 6.1.2 through to corrective action closure in Clause 10.2. This article walks through the full picture: what the standard requires, how to plan and conduct the audit, and what a practical checklist looks like clause by clause.

If you are preparing for your first ISO 14001 internal audit, or you want to sharpen what you are already doing, this is the guide to work through.

What ISO 14001 Clause 9.2 Actually Requires

Clause 9.2 of ISO 14001:2015 (and the updated ISO 14001:2026) sets out the internal audit requirements in two parts: Clause 9.2.1 covering the general requirements for conducting audits, and Clause 9.2.2 covering the internal audit programme.

Clause 9.2.1: General Internal Audit Requirements

The standard requires your organisation to conduct internal audits at planned intervals to determine whether the EMS conforms to your own requirements and to the requirements of the standard, and whether it is effectively implemented and maintained. That last part is critical. Conformity and effectiveness are two different things. A document can conform to a requirement on paper but still not be working in practice.

The standard also requires that audit results are reported to relevant management, and that documented information is retained as evidence of the audit programme and results.

Clause 9.2.2: The Audit Programme

Your audit programme must consider the environmental significance of processes, changes affecting the organisation, and the results of previous audits. This is where risk-based thinking enters the picture. Processes with significant environmental aspects, areas with recent nonconformities, or activities that have changed since the last audit should receive more attention in your programme.

The programme must define the audit frequency, methods, responsibilities, planning requirements, and reporting. It is not enough to say you will audit everything once a year. You need a structured plan that reflects the actual risk profile of your EMS.

For a deeper look at how the 2026 revision has updated these requirements, see our article on ISO 14001:2026 and what changed.

Auditor Competence and Independence

ISO 14001 requires that internal auditors be competent and that audits are conducted impartially. In practice, this means two things. First, auditors need to understand both the ISO 14001 standard and the processes they are auditing. Second, they cannot audit their own work. A person responsible for maintaining the aspects and impacts register should not be the one auditing it.

Competence does not require a formal qualification, but it does require demonstrated knowledge of the standard, auditing techniques, and relevant environmental processes. For most organisations, sending internal auditors through a formal ISO 14001 internal auditor course is the most practical way to meet this requirement and build genuine capability.

How to Plan an ISO 14001 Internal Audit

Planning is where most internal audit programmes fall short. Many organisations treat planning as a scheduling exercise rather than a risk-based analysis of where audit effort should go. Here is how to approach it properly.

Step 1: Define the Scope and Objectives

Decide what the audit will cover. Will it be the full EMS in one audit, or will you split it across multiple audits over the year? For a medium-to-large organisation, splitting by process or by clause cluster is common. Whatever you choose, the programme must ensure that every element of the EMS is audited over the programme period.

Your audit objectives should focus on conformity with ISO 14001 requirements, conformity with your own EMS procedures and policies, and the effectiveness of environmental controls. Write these down in your audit plan before you start.

Step 2: Review Prior Audit Results and Nonconformities

Pull out the results from your last internal audit and any nonconformities raised by your certification body. Areas that generated findings last time are higher risk and warrant more scrutiny this time. This is not about punishing those areas. It is about allocating audit time where it is most likely to add value.

Step 3: Identify Significant Environmental Aspects

Your aspects and impacts register should drive your audit focus. Processes associated with significant environmental aspects, such as waste disposal, chemical handling, stormwater management, or emissions to air, need more thorough audit coverage than low-risk administrative processes.

Step 4: Prepare Your Checklist

A checklist is a planning tool, not a script. Prepare questions that probe whether requirements are being met in practice, not just whether documents exist. We cover this in detail in the checklist section below.

Step 5: Notify the Auditee and Agree the Schedule

Give the relevant process owners enough notice to have records available and key personnel present. Springing an unannounced audit on a busy team rarely produces useful results. Confirm the audit scope, timing, and what you will need access to.

Conducting the ISO 14001 Internal Audit

The Opening Meeting

Start with a brief opening meeting, even if it is just you and one other person. Confirm the scope, objectives, and schedule. Explain how findings will be recorded and what happens after the audit. This sets the tone and reduces the defensiveness that can derail an audit.

Gathering Evidence

ISO 14001 auditing is evidence-based. You are looking for objective evidence that requirements are being met, which means documents, records, observations, and interviews. A procedure that says the right thing but is not followed in practice is a nonconformity. A verbal assurance from a manager is not evidence.

Use a mix of document review, interviews with workers at the relevant level, and physical observation where applicable. For an EMS audit, walking the site is often where the most valuable evidence emerges. You will see things in a chemical storage area or near a stormwater drain that no document will tell you about.

The Closing Meeting

Summarise your findings before you leave. Present any nonconformities clearly, with the specific requirement they relate to and the evidence you found. Avoid surprises in the written report. What you say in the closing meeting should match what appears in your audit report.

ISO 14001 Internal Audit Checklist by Clause

The following checklist covers the key audit points across the main clauses of ISO 14001. Use it as a starting point and adapt it to your organisation's specific context and significant aspects.

Clause 4: Context of the Organisation

  • Has the organisation identified internal and external issues relevant to its environmental performance and strategic direction?
  • Are interested parties and their relevant needs and expectations identified and documented?
  • Is the EMS scope clearly defined and documented, including any boundaries and exclusions?
  • Does the scope reflect the organisation's actual activities, products, and services?

Clause 5: Leadership

  • Is there evidence that top management takes accountability for the effectiveness of the EMS, not just delegates it?
  • Has an environmental policy been established that includes commitments to protection of the environment, compliance with legal obligations, and continual improvement?
  • Is the environmental policy communicated, available, and understood by workers?
  • Are EMS roles and responsibilities assigned, documented, and communicated?

Clause 6: Planning

  • Has the organisation identified environmental aspects for all activities, products, and services within the EMS scope, including those it can influence?
  • Has a methodology been used to determine which aspects are significant?
  • Does the register reflect the lifecycle perspective, including upstream and downstream considerations?
  • Are compliance obligations identified, including applicable legislation, regulations, licences, and voluntary commitments?
  • Are compliance obligations integrated into the EMS and monitored?
  • Have risks and opportunities been determined in relation to significant aspects and compliance obligations?
  • Are environmental objectives established, measurable, and consistent with the environmental policy?
  • Are plans in place to achieve objectives, including who is responsible, what resources are needed, and when they will be completed?

Clause 7: Support

  • Are the resources needed to establish, implement, maintain, and improve the EMS available and adequate?
  • Are workers competent for their roles that affect environmental performance? Are competence records current?
  • Are workers aware of the environmental policy, significant aspects, their contribution to EMS effectiveness, and the consequences of not conforming?
  • Are internal and external communication processes defined, including what is communicated, to whom, when, and how?
  • Is documented information controlled, including version management, access, and retention?

Clause 8: Operation

  • Are operational controls in place for processes associated with significant environmental aspects?
  • Are controls documented where their absence could lead to deviation from the environmental policy or objectives?
  • Are externally provided processes, products, and services that have significant aspects controlled appropriately?
  • Is there an emergency preparedness and response procedure covering potential environmental incidents?
  • Has the procedure been tested? Are records of drills or exercises available?

Clause 9: Performance Evaluation

  • Are monitoring and measurement processes in place for significant environmental aspects, compliance obligations, and progress toward objectives?
  • Is monitoring equipment calibrated or verified where applicable?
  • Are compliance evaluations conducted at planned intervals? Are records maintained?
  • Does the compliance evaluation cover all applicable legal and other requirements?
  • Is the internal audit programme documented and implemented as planned?
  • Are audit results reported to relevant management?
  • Is management review conducted at planned intervals and does it cover all required inputs?
  • Do management review outputs include decisions on improvement opportunities and any needed changes to the EMS?

Clause 10: Improvement

  • Are nonconformities identified, corrected, and investigated for root cause?
  • Are corrective actions implemented and their effectiveness evaluated?
  • Is there evidence of continual improvement in the EMS, not just correction of problems?

Common ISO 14001 Internal Audit Nonconformities

After hundreds of EMS audits, certain findings come up repeatedly. Being aware of them helps you focus your audit effort where problems are most likely to occur.

Aspects and Impacts Register Not Current

This is probably the most common finding. Organisations update their operations, bring in new chemicals, change waste contractors, or alter their processes, and the aspects register does not keep up. Ask when the register was last reviewed and what triggered the review. If the answer is a scheduled date rather than a change in operations, dig deeper.

Compliance Obligations Not Fully Identified

Many organisations identify the obvious legislation, such as the relevant state Protection of the Environment Operations Act, but miss licence conditions, council approvals, or voluntary commitments made to customers or community groups. Ask to see the compliance obligations register and check whether it has been reviewed recently against current regulatory requirements.

Objectives Without Measurable Targets

Environmental objectives that say things like "reduce waste" without a baseline, a target, and a timeframe do not meet the standard's requirements. Look for objectives that are specific, have someone responsible, and have a plan to achieve them.

Awareness Training Not Reaching the Right People

Contractors, labour hire workers, and new starters are frequently missed in environmental awareness activities. Ask how the organisation ensures that anyone working in areas with significant aspects understands what those aspects are and what they are expected to do.

Emergency Procedures Not Tested

Having a spill response procedure is not enough. The standard requires that emergency preparedness and response is periodically tested. Ask for records of drills or exercises. If the last drill was three years ago, that is a finding.

Documenting and Reporting Audit Findings

Your audit report needs to be clear enough that someone who was not present can understand what was audited, what evidence was reviewed, what was found, and what needs to happen next. Vague findings like "environmental awareness could be improved" are not useful. A well-written nonconformity identifies the requirement, the evidence of the gap, and the process or area where it was found.

For practical guidance on writing findings that actually drive action, our article on what you need to know before starting as an ISO 14001 internal auditor covers the key principles in detail.

After the Audit: Corrective Actions and Follow Up

An internal audit that generates nonconformities but no corrective actions is a waste of everyone's time. Once findings are reported, the process owners responsible for those areas need to investigate root cause, implement corrections, and close out the nonconformities within agreed timeframes.

Your role as the internal auditor does not end with the report. You need to verify that corrective actions have been implemented and that they have addressed the root cause, not just the symptom. If a corrective action says the procedure has been updated but the workers doing the job have not been informed, the root cause has not been addressed.

Track open corrective actions and escalate to management if they are not being closed on time. This is where the internal audit programme connects directly to management review. Clause 9.3 requires management review inputs to include internal audit results, which means your findings need to reach the right people to drive genuine improvement.

Building Your ISO 14001 Internal Audit Capability

Running effective ISO 14001 internal audits requires more than a checklist. It requires understanding how the standard works as a system, how to gather and evaluate evidence, how to write findings that hold up, and how to handle auditees who push back on your findings.

If you are responsible for the EMS and want to conduct internal audits yourself, or if you are building a team of internal auditors, structured training makes a significant difference to the quality of your audits. The difference between an auditor who asks whether a procedure exists and one who tests whether the procedure is actually followed in practice comes down to training and experience.

Audit Workshop offers ISO 14001 internal auditor training for environmental managers, HSE professionals, and quality managers who want practical skills they can apply immediately. Our courses are built around real audit scenarios, not just standard interpretation, and are delivered by auditors with direct experience conducting EMS audits across a range of industries in Australia and internationally. If you are serious about running audits that add value rather than just ticking a compliance box, take a look at what our ISO 14001 internal auditor training covers.

For those looking to build on internal auditor credentials and move toward conducting certification audits, our guide comparing ISO Lead Auditor and Internal Auditor courses explains the difference and helps you decide which path suits your goals.

Frequently Asked Questions

ISO 14001 requires internal audits to be conducted at planned intervals, but it does not specify a minimum frequency. Most organisations audit the full EMS at least once per year, with higher-risk or higher-significance areas audited more frequently. Your audit programme should be based on the environmental significance of processes, the results of previous audits, and any changes to the organisation or its operations. A risk-based approach to scheduling is expected, not a simple annual rotation through all clauses.