Internal Audit ISO 14001: Key Requirements Explained

Share with

Contents

An internal audit ISO 14001 is not just a box to tick before your certification visit. It is one of the most practical tools your organisation has to check whether your Environmental Management System is actually working - not just documented.

Clause 9.2 of ISO 14001:2015 makes internal audits a mandatory requirement. The standard expects you to plan, conduct, and follow up on audits at defined intervals, covering all areas of your EMS. Done well, the internal audit process helps you find gaps before an external auditor does, build evidence of continuous improvement, and stay on top of your environmental compliance obligations.

This page walks through what ISO 14001 internal audits involve, how to structure them, what auditors look for, and how to handle findings in a way that strengthens your system over time.

What ISO 14001 Says About Internal Audits

Clause 9.2 of ISO 14001:2015 sets out two specific requirements:

9.2.1 - General: The organisation must conduct internal audits at planned intervals to determine whether the EMS conforms to the organisation's own requirements and to ISO 14001, and whether it has been effectively implemented and maintained.

9.2.2 - Internal Audit Programme: You need a documented audit programme that defines the frequency, methods, responsibilities, and reporting requirements. The programme should take into account the environmental significance of the processes being audited, changes affecting the organisation, and results of previous audits.

This means a one-size-fits-all schedule does not meet the intent of the standard. High-risk areas or processes with significant environmental aspects should be audited more frequently than low-risk administrative functions.

Planning Your ISO 14001 Internal Audit Programme

Setting Audit Frequency and Scope

Your audit programme should be risk-based. Processes that relate to significant environmental aspects - such as waste management, air emissions, or chemical handling - need closer attention than, say, document filing processes.

At minimum, every element of your EMS should be covered within each audit cycle - typically one year. You can split this across multiple audits rather than one large annual event.

Planning Your ISO 14001 Internal Audit Programme

Scope your audits clearly. Each audit should define:

Which processes or departments are covered
Which clauses of ISO 14001 apply
The audit criteria (the standard, your procedures, your objectives)
The time period and location

Selecting and Training Internal Auditors

ISO 14001 requires that auditors be objective and impartial. This means you should not audit your own work. Beyond that, auditors need to be competent - understanding both the standard and the processes they are reviewing.

Internal auditors do not need to be external consultants. Many organisations train their own staff. What matters is that they can gather evidence, ask the right questions, and judge conformance without being influenced by the process owner. Pairing auditors from different departments is a practical way to maintain independence in smaller teams.

How to Conduct an ISO 14001 Internal Audit

Opening Meeting

Start with a brief meeting with the auditee. Explain the scope, the criteria, how evidence will be gathered, and how findings will be reported. This sets a professional tone and helps avoid misunderstandings later.

Evidence Gathering and Observation

Auditors collect evidence through three main methods: interviews, document review, and observation of actual activities. Do not rely on documentation alone - what is written and what happens on the ground can differ significantly.

When reviewing against ISO 14001 clauses, check:

Are environmental objectives set and being tracked?
Are operational controls in place and followed?
Are staff aware of the environmental policy and their own role in it?
Are monitoring results recorded and reviewed?
Are emergency preparedness procedures tested and current?

Using an ISO 14001 audit checklist helps auditors stay consistent and ensures no clause is overlooked.

Recording Findings

Findings fall into three categories:

Nonconformity (Major): A complete failure to meet a requirement - for example, no documented audit programme at all.
Nonconformity (Minor): An isolated lapse or gap - for example, one procedure not updated after a process change.
Observation / Opportunity for Improvement: Not a nonconformity, but an area worth attention before it becomes one.

Document findings clearly, with objective evidence. Vague findings like "communication could be better" are not useful. Specific findings like "operators in Section B could not describe the environmental aspects relevant to their role" are actionable.

Common Nonconformances Found in ISO 14001 Internal Audits

Internal environmental audits repeatedly surface similar issues across organisations. Knowing these in advance helps you audit smarter and fix problems before external certification.

Common Nonconformances Found in ISO 14001 Internal Audits

The most common ones include:

Environmental objectives set but never tracked or reviewed
Significant aspects identified but not linked to operational controls
Legal register not updated when regulations change - see the ISO 14001 legal compliance requirements for context
Monitoring and measurement records incomplete or not reviewed
Staff unable to explain their environmental responsibilities
Corrective actions from previous audits not closed out

Avoiding the most common ISO 14001 nonconformances is a good starting point when building your audit checklist. Reviewing how to avoid the 3 most common ISO 14001 nonconformances gives practical guidance on each one.

Handling Audit Findings and Corrective Actions

An internal audit is only useful if findings are acted on. ISO 14001 requires that nonconformities be addressed through a defined corrective action process - not just acknowledged.

For each nonconformity, the responsible team should:

Contain the immediate issue
Identify the root cause
Define and implement a corrective action
Verify the action was effective

Timelines matter here. Leaving findings open for months signals that your EMS is not functioning as intended. Your internal audit programme should include a mechanism for tracking open actions and escalating overdue ones.

Results of internal audits must also feed into your management review - this is where leadership evaluates overall EMS performance and makes decisions about resources and direction.

Internal Audit Frequency for ISO 14001

ISO 14001 does not specify how often audits must happen - only that they occur "at planned intervals." In practice, most organisations conduct a full cycle annually, with some high-risk processes audited twice a year or more.

Your internal audit frequency should be documented in your audit programme and reviewed regularly. If your organisation undergoes significant operational changes - new facilities, new processes, new legal requirements - your audit schedule may need to be updated to reflect that.

Audit frequency is not just a compliance question. It is a risk management one. Organisations that audit too infrequently tend to find larger problems during certification visits.

Using Software to Manage ISO 14001 Internal Audits

Managing an audit programme through spreadsheets and email threads works - until it does not. Scheduling conflicts, missed findings, overdue corrective actions, and gaps in audit trail all become harder to manage as your organisation grows.

Effivity's EMS software includes dedicated modules for planning and executing internal audits, tracking findings, and managing corrective actions through to closure. Everything is logged, time-stamped, and linked back to the relevant EMS element - making it straightforward to demonstrate compliance during external audits.

If you are comparing manual versus digital approaches, Effivity's built-in audit workflow removes the administrative burden so your auditors can focus on the audit itself.

Get a Free Personalized Demo to see how audit management works in practice.

Free Demo →

Frequently Asked Questions

An internal audit in ISO 14001 is a systematic review conducted by the organisation to check whether its Environmental Management System meets the requirements of the standard and its own procedures. It is required under Clause 9.2 of ISO 14001:2015.

ISO 14001 does not specify an exact frequency, but audits must happen at planned intervals. Most organisations complete a full audit cycle annually, with higher-risk processes audited more often.

Internal auditors must be competent and impartial - they should not audit their own work. Staff trained in ISO 14001 and audit techniques can conduct internal audits, provided they are independent from the area being audited.

The organisation must investigate the root cause, implement a corrective action, and verify the action was effective. Open nonconformities must be tracked and reported in management reviews.

The standard does not mandate a checklist, but using one helps ensure consistency and coverage. A structured checklist aligned to ISO 14001 clauses reduces the risk of missing critical areas during the audit.

An internal audit is conducted by the organisation itself to check its own system. A certification audit is conducted by an accredited external body to determine whether the organisation meets ISO 14001 requirements for certification.

Share with