Back to Articles

ISO 14001 Internal Audit: What Auditors Actually Look For (And What They Let Slide)

ISO 14001

By Trenton Steadman

12 min read|
ISO 14001 Internal Audit: What Auditors Actually Look For (And What They Let Slide)

What to expect from your ISO 14001 Internal Audit - how findings are classified, what auditors sample, timing, preparation, and how Kaizen Audit structures the process for clear, actionable results.

The Internal Audit is one of the last boxes to check before you go for ISO 14001 Certification - and it's the one that causes the most unnecessary anxiety. Companies that have spent months building their Environmental Management System suddenly freeze up when it's time to audit their own work, worried they'll find something catastrophic.

Here's the thing: the Internal Audit is supposed to find gaps. That's the entire point. It's your rehearsal before the external auditor shows up. If you come out of it with zero findings, you either didn't look hard enough or your EMS is more mature than most first-timers - and I've rarely seen the latter.

What matters isn't whether you find problems. It's what you do about them.

The Purpose Most People Get Wrong

When I bring up the Internal Audit during consulting sessions, clients often treat it as a pass/fail exercise. They think the goal is to prove their EMS works perfectly. It's not.

The purpose of the Internal Audit is to verify that what you documented is actually what's happening on the floor, identify gaps between your system and the ISO 14001 requirements, and give you time to fix issues before the Certification Body arrives. Think of it as a diagnostic, not a test.

One manufacturer I worked with had six real entries in their Environmental Incident and Improvement Log - nonconformities, near misses, and opportunities for improvement that their team had identified once the log was set up. The EHS Manager's reaction was telling: "As soon as I made the log, all of a sudden people start pointing stuff out." That's exactly what a healthy system looks like. The Internal Audit does the same thing at a system level - it surfaces what needs attention so you can address it with time on your side.

What Gets Audited

An ISO 14001 Internal Audit should cover the full scope of your Environmental Management System. In practice, that means looking at:

  • Environmental Aspects and Impacts - Is the Aspect Log current? Does the significance determination hold up? Has anything changed in your operations that should trigger a reassessment?
  • Compliance Obligations - Are you tracking your legal and regulatory requirements? Is your compliance status current? Are monitoring and evaluation activities happening at the defined frequency?
  • Emergency Preparedness - Do you have procedures? Are you testing them? When was the last drill? Can you show records?
  • Environmental Objectives - Are they documented? Are they measurable (or at least monitored)? Is there evidence of progress?
  • Competency and Training - Is there evidence that relevant personnel understand the EMS, the Environmental Policy, and their role in it?
  • Operational Controls - Are the controls you identified for significant aspects actually in place? Are they working?
  • Document Control - Is documentation current, properly versioned, and accessible? Are obsolete versions archived?
  • Management Review - Has it been conducted? Did it cover the required inputs? Were decisions and actions recorded?
  • Nonconformity and Corrective Action - Is the Improvement Log being used? Are Corrective Actions proportionate, tracked, and closed out with evidence of effectiveness?

That's a lot to cover, and a common question is whether you need to audit everything in one go. You don't. The standard requires that Internal Audits are conducted at planned intervals and that the program covers the full scope over time. If you want to split it into focused sessions - compliance obligations this month, operational controls next month - that's perfectly acceptable. What matters is that nothing gets permanently overlooked.

Remote vs. In-Person: Making the Call

For multi-site operations, one of the first practical decisions is whether the Internal Audit happens remotely, in person, or some combination.

I was working with a services company operating across 16 locations in multiple states. Their central office is in the Southeast, but their operations span the country. The question came up: does the Internal Audit need to cover all sites? The answer is no - you're sampling, not inspecting every location. But the sample needs to be representative.

For that engagement, we did the document review and system-level audit remotely using Kaizen Audit, our custom-built audit software - policies, objectives, the Compliance Tracker, the Improvement Log, training records. All of that can be evaluated without being on-site, and the tool structures the process so findings, evidence, and observations are captured consistently rather than scribbled on a clipboard. The in-person portion focused on the headquarters and would have included facility walkthroughs, conversations with personnel, and verification that operational controls are actually in place.

A material handling manufacturer with three plants wanted the Internal Audit in person specifically because they saw it as a measuring stick: "Use it as a measuring stick and tell us if we're on track or not." That's the right attitude. The in-person component lets you physically verify things that look good on paper - the spill kit is actually stocked, the secondary containment is actually intact, the labeling is actually current.

What Auditors Sample (and What They Skip)

Here's something that surprises first-timers: auditors don't check everything. They can't - there isn't enough time. Both Internal Auditors and external Certification Body auditors work by sampling. They select items from your records, follow the audit trail, and draw conclusions about the broader system based on what they find in the sample.

Understanding this changes how you prepare. You don't need every single record to be perfect. You need your system to be consistently maintained so that any sample an auditor pulls looks representative of how you actually operate.

When an external auditor opens your Improvement Log, they might pick two or three entries and trace them end to end. Did you identify the issue? Did you determine the Root Cause? Did you implement Corrective Action? Did you verify it was effective? If those two or three entries tell a coherent story, the auditor moves on. If one of them has a blank Root Cause field and no evidence of follow-up, that's a finding - and it raises questions about whether the rest of the log is similarly incomplete.

The same applies across the system. An auditor might sample three compliance obligations from your tracker and verify you're monitoring them. They might ask to see evidence of your last emergency drill. They might interview a site manager to check whether they're aware of the Environmental Policy and know how to report an environmental incident.

The output from a Kaizen Audit engagement gives the client a clear, organized record of what was evaluated, what was found, and what needs attention - which is exactly what the Certification Body auditor wants to see when they ask about your Internal Audit. One client asked me directly: "Any objective that we list is fair game during the audit, correct?" Yes. If it's in your system, it's auditable. If you documented it, an auditor can ask about it. That's not a reason to document less - it's a reason to document accurately. Don't write down that you inspect fire extinguishers monthly if you actually do it quarterly. The auditor will find the gap, and it'll be a self-inflicted finding.

What Findings Look Like in an Internal Audit

For Internal Audits, I don't use the Major/Minor classification that Certification Bodies apply during external audits. Those distinctions matter at certification time, but for an internal audit, they can overcomplicate things. Instead, I classify findings into three categories that give the client a clear picture of where they stand:

Nonconformity - A requirement isn't being met. Your Compliance Tracker exists but three obligations haven't been evaluated in over a year. Your Improvement Log has entries with no Root Cause or Corrective Action recorded. Your emergency procedures haven't been tested. These need action - they're the gaps that a Certification Body auditor would flag, and they need to be addressed before the external audit.

Observation - Something the auditor notices that isn't a clear nonconformity but warrants attention. Your Aspect Log is current but hasn't been formally reviewed since the initial assessment. Your training records are complete but the format makes it hard to verify who was trained on what. These are signals - not failures, but areas where a small improvement now prevents a real finding later.

Opportunity for Improvement (OFI) - The system is working, but there's a better way to do it. Your drill records exist but could include more detail on what was evaluated and what was learned. Your compliance evaluation process works but could be more efficient. These are free advice - things I notice during the audit that could strengthen the system beyond what the standard requires.

The fourth outcome, of course, is conformity - the requirement is met and the evidence supports it. That's the majority of what you'll see in a well-implemented system.

The key insight from any Internal Audit is the pattern, not the individual instance. One incomplete entry in the Improvement Log is a straightforward fix. Five incomplete entries across different months suggests the process itself isn't working - and that's where the real value of the audit lies.

Timing: When to Schedule the Internal Audit

The Internal Audit needs to happen before the Certification Audit, but how far before matters.

I typically recommend completing the Internal Audit at least four to six weeks before the external Stage 1 audit. That gives you time to address any findings - implement Corrective Actions, close gaps, and generate evidence that the fixes are working. If you squeeze the Internal Audit in the week before the external audit, you've lost that buffer.

Some clients prefer to complete the Internal Audit before Stage 1 so they go in with a clean slate. Others are comfortable with the Internal Audit happening between Stage 1 and Stage 2. If you take the latter approach, the Stage 1 auditor will record a finding for not having completed the Internal Audit - but it won't impact Certification as long as you complete it before Stage 2.

There's no wrong choice, but I prefer having it done up front. As one client's operations lead put it: "I would prefer to just knock them out before Stage 1. Just use it as a measuring stick." That approach means you walk into the Certification Audit knowing where you stand.

Preparing Without Overthinking It

The best preparation for an Internal Audit isn't creating a binder of perfect records. It's making sure the records you have are real, current, and tell a consistent story.

Walk your facility. Before the auditor shows up (internal or external), walk the floor yourself. Are the spill kits stocked? Are chemicals properly labeled? Are the emergency procedures posted? Are waste containers properly identified? These are the things an auditor will notice on a walkthrough, and they're easy to fix if you catch them first.

Verify your key documents are current. Environmental Policy signed and dated? Aspect Log reviewed within the last 12 months? Compliance Tracker up to date? Emergency drill conducted? Objectives documented with evidence of progress? If any of these are stale, update them before the audit - not to fake currency, but because they should be current regardless.

Brief your team. The auditor may interview personnel. They don't need to be experts on ISO 14001, but they should be able to answer basic questions: Do you know there's an Environmental Management System? Have you seen the Environmental Policy? How do you report an environmental incident? Who do you talk to if something goes wrong? A five-minute conversation with site leads or key personnel before the audit prevents the "I have no idea what you're talking about" moment that creates unnecessary findings.

Review your Improvement Log. Make sure entries are complete - Root Cause documented, Corrective Actions recorded, results noted, closures signed off. If you have open items, that's fine - just make sure they have target dates and responsible parties. An auditor would rather see five complete entries and two in progress than seven entries with no follow-through.

What the External Auditor Adds

If your Internal Audit is the rehearsal, the Certification Audit is the performance - but it's a collaborative one, not adversarial. External auditors are evaluating whether your system conforms to the standard and whether it's effectively implemented. They're not trying to catch you out.

Stage 1 is typically a document review and readiness assessment. The auditor looks at your EMS documentation, verifies your scope, reviews your Compliance Tracker and Aspect Log, and determines whether you're ready for the full Stage 2 audit. This can often be done remotely.

Stage 2 is the implementation audit. The auditor verifies that what's documented is actually happening. This includes interviews with personnel, facility walkthroughs, and sampling of records across the system. This is where your preparation pays off.

Between Stage 1 and Stage 2, you have time to address any issues identified. If Stage 1 reveals gaps, that's exactly the information you need - and closing those gaps before Stage 2 is expected.

Practical Takeaways

  • The Internal Audit is a diagnostic tool, not a pass/fail test. Findings are expected and healthy.
  • Audit by sampling - you don't need to check everything, but what you check should be representative.
  • Schedule the Internal Audit four to six weeks before the Certification Audit for adequate fix-it time.
  • Walk the facility before any audit. Physical conditions are the easiest things to fix and the easiest things for an auditor to spot.
  • Brief your team on the basics: Environmental Policy awareness, incident reporting, who to contact.
  • Keep your Improvement Log current with complete entries. Open items are fine; abandoned items are not.
  • One isolated miss is a straightforward fix. A pattern of misses suggests a systemic problem worth investigating.
  • Don't document things you don't actually do. The auditor will follow the audit trail.

Getting Started

If you're approaching your first ISO 14001 Internal Audit and want help planning the scope, developing the Audit Schedule, or just understanding what to expect, we perform Internal Audits and Gap Analyses for clients using Kaizen Audit - purpose-built software that produces clear, actionable outputs rather than generic checklist reports. We offer a free initial consultation to help you get there with confidence rather than anxiety.

Share this article:

LinkedInX-AppFacebook

Related Articles

iso-img
Emergency Preparedness Under ISO 14001: More Than Just a Fire Drill

ISO 14001 emergency preparedness goes beyond fire drills - environmental spill response, drill records, testing frequency, and what auditors actually ask about during certification....

iso-img
The ISO 14001 Climate Change Amendment: What It Actually Means for Manufacturers

The 2024 ISO 14001 climate change amendment explained for manufacturers - what it requires, what it doesn't, how to address it practically, and what auditors will ask....

iso-img
Setting Environmental Objectives That Won't Backfire

How to set ISO 14001 Environmental Objectives you can actually measure, control, and defend in an audit. Real examples of objectives that worked and one that got killed on the spot....

Contact

Free initial consultation.

Phone

+1 833 I-GET-ISO+1 833 443 8476

Business Hours

Monday - Friday: 9:00 AM - 6:00 PM
Saturday: 10:00 AM - 2:00 PM
Sunday: Closed
(Central Time, UTC-6)