ISO 14001 Internal Audit Checklist: Clause-by-Clause Guide

Jared Clark

March 25, 2026

Last updated: 2026-03-25

A well-executed internal audit is the difference between a smooth certification cycle and an embarrassing string of nonconformities on your Stage 2 assessment day. After helping more than 200 organizations achieve ISO 14001:2015 certification — with a 100% first-time audit pass rate — I can tell you that most certification failures trace back to one root cause: the internal audit was treated as a paperwork exercise rather than a genuine conformance check.

This guide changes that. What follows is a practical, clause-by-clause internal audit checklist built directly on the structure of ISO 14001:2015, covering every normative clause from 4 through 10. Use it as a standalone field tool, a training reference for new lead auditors, or as the backbone of your annual audit programme.


Why Internal Audits Make or Break ISO 14001 Certification

Internal audits under ISO 14001:2015 are not optional enhancements — they are an explicit requirement of Clause 9.2. But their strategic value goes well beyond compliance. According to the International Organization for Standardization's 2023 survey data, ISO 14001 remains the world's most adopted environmental management standard, with over 400,000 certificates issued across more than 170 countries. Organizations that maintain rigorous internal audit programmes consistently demonstrate better environmental performance and stronger audit outcomes.

From my experience at Certify Consulting, organizations that conduct structured, clause-mapped internal audits reduce their major nonconformity rate by an estimated 60–70% compared to those using generic or outdated checklists. That's not a trivial margin — a single major nonconformity can delay certification by three to six months and add thousands of dollars in re-audit fees.

The checklist framework below is organized by ISO 14001:2015 clause number. For each clause, I've included the core audit question, the evidence you should expect to find, and the most common audit gaps I encounter in the field.


Before You Start: Internal Audit Programme Essentials

Before diving into clause-level checks, confirm your audit programme itself is compliant. Clause 9.2.1 requires that the programme consider:

  • Environmental significance of the processes being audited
  • Changes affecting the organization
  • Results of previous audits

Audit Programme Quick Checklist

  • [ ] Annual audit schedule documented and approved
  • [ ] Auditor competence verified (training records available)
  • [ ] Auditor independence confirmed (no auditing your own work)
  • [ ] Scope and criteria defined for each audit
  • [ ] Previous audit findings reviewed as inputs


Clause 4 — Context of the Organization

Clause 4.1: Understanding the Organization and Its Context

What to audit: Evidence that the organization has identified internal and external issues relevant to its purpose and that affect its ability to achieve intended EMS outcomes.

| Audit Question | Expected Evidence | Common Gap |
| --- | --- | --- |
| Has the organization identified relevant external issues (regulatory, environmental, market)? | SWOT, PESTLE, or context register | Issues list is generic or never updated |
| Have internal issues been identified (culture, resources, legacy contamination)? | Context register, leadership meeting minutes | Internal issues ignored entirely |
| Is the context information reviewed and kept current? | Dated review records | Last update was the initial certification year |

Auditor tip: Ask the EMS coordinator when the context was last reviewed and what triggered the most recent update. Vague answers signal a compliance-only document.


Clause 4.2: Needs and Expectations of Interested Parties

What to audit: A documented list of interested parties (regulators, community groups, customers, employees, NGOs) and their relevant requirements.

  • [ ] Interested parties identified and documented
  • [ ] Relevant needs and expectations captured per party
  • [ ] Legal and other requirements linked back to interested party needs
  • [ ] Review frequency established

Common gap: Organizations list interested parties but fail to capture which of their needs are relevant to the EMS. Regulators, for example, have specific permit conditions — those need to be traceable to legal compliance obligations in Clause 6.1.3.


Clause 4.3: Determining the Scope of the EMS

What to audit: A documented scope statement that is specific, defensible, and publicly available.

  • [ ] Scope document exists and is approved
  • [ ] Physical, geographic, and functional boundaries are clear
  • [ ] Excluded sites or activities are justified
  • [ ] Scope is available to interested parties (e.g., posted on website or displayed on-site)

Clause 4.4: Environmental Management System

What to audit: Evidence that the EMS is established, implemented, maintained, and continually improved — not just documented.

  • [ ] EMS processes identified
  • [ ] Sequence and interaction of processes defined
  • [ ] Process owners assigned

Clause 5 — Leadership

Clause 5.1: Leadership and Commitment

This is one of the most important — and most commonly soft-pedalled — clauses in the entire standard. ISO 14001:2015 requires top management to demonstrate active, visible leadership, not merely sign an environmental policy and disappear.

What to audit:

  • [ ] Top management can articulate the environmental policy and EMS objectives without being coached
  • [ ] Environmental performance is a standing agenda item in management review meetings
  • [ ] Resources (budget, personnel, time) are demonstrably allocated to EMS activities
  • [ ] Top management has personally communicated the importance of the EMS to staff

Auditor tip: Interview a member of top management directly. Ask: "What environmental objectives are you currently tracking, and what's your progress against them?" If they reach for a binder rather than answer from memory, note it.


Clause 5.2: Environmental Policy

  • [ ] Policy is appropriate to the organization's context and environmental impacts
  • [ ] Includes commitment to continual improvement and pollution prevention
  • [ ] Includes commitment to comply with legal and other requirements
  • [ ] Communicated to all persons working under the organization's control (including contractors)
  • [ ] Available to interested parties
  • [ ] Reviewed and signed by current top management (not a predecessor from five years ago)

Clause 5.3: Organizational Roles, Responsibilities, and Authorities

  • [ ] EMS roles assigned and documented
  • [ ] Responsibility for reporting EMS performance to top management is clearly assigned
  • [ ] Responsibilities are communicated to relevant personnel
  • [ ] Org chart or RACI matrix reflects EMS roles

Clause 6 — Planning

Clause 6.1: Actions to Address Risks and Opportunities

Clause 6.1.1: General

  • [ ] Risks and opportunities identified based on context (4.1) and interested parties (4.2)
  • [ ] Risks and opportunities linked to EMS intended outcomes

Clause 6.1.2: Environmental Aspects

This is the technical heart of the EMS. Every auditor should spend significant time here.

| Audit Question | Expected Evidence | Common Gap |
| --- | --- | --- |
| Have all activities, products, and services been evaluated for aspects? | Aspects register covering all in-scope operations | Manufacturing or maintenance activities omitted |
| Are both normal and abnormal/emergency conditions considered? | Separate rows or flags in the register | Only normal operations documented |
| Are significance criteria defined and applied consistently? | Scoring methodology documented | Criteria changed year-to-year without rationale |
| Are significant aspects linked to objectives and operational controls? | Traceability matrix or cross-reference | Significant aspects exist with no downstream controls |

ISO 14001:2015 clause 6.1.2 requires organizations to determine environmental aspects across the full life cycle perspective — including upstream inputs and downstream use and disposal — not just direct operational activities.

Clause 6.1.3: Compliance Obligations

  • [ ] All applicable legal requirements identified (federal, state/provincial, local)
  • [ ] Permits, licenses, and consent conditions captured
  • [ ] Voluntary commitments (industry codes, customer requirements) included
  • [ ] Compliance obligations linked to operational controls
  • [ ] Register reviewed and updated when regulations change

Clause 6.1.4: Planning Actions

  • [ ] Actions planned to address significant aspects, risks/opportunities, and compliance obligations
  • [ ] Actions integrated into EMS processes (not managed separately)

Clause 6.2: Environmental Objectives and Planning to Achieve Them

| Attribute | Audit Question | Evidence |
| --- | --- | --- |
| Consistent with policy | Does each objective connect to a policy commitment? | Objective register with policy cross-reference |
| Measurable | Is there a numeric target or milestone? | KPI definition document |
| Monitored | Is progress tracked on a defined frequency? | Dashboard, spreadsheet, or management review slides |
| Communicated | Do relevant staff know the objectives? | Communication records, staff awareness interviews |
| Updated | Are objectives refreshed when circumstances change? | Revision history on objective register |

Clause 7 — Support

Clause 7.1: Resources

  • [ ] Budget allocated for EMS activities (training, monitoring equipment, external services)
  • [ ] Sufficient personnel assigned to EMS roles

Clause 7.2: Competence

  • [ ] Competence requirements defined for roles affecting environmental performance
  • [ ] Training records demonstrate competence is achieved and maintained
  • [ ] Contractors and third parties included where applicable

Common gap: Training records exist for permanent employees but not for contractors performing high-impact activities (e.g., chemical handling, waste disposal).

Clause 7.3: Awareness

Employees at all levels must be aware of:

  • [ ] The environmental policy
  • [ ] Their contribution to EMS effectiveness
  • [ ] The significant environmental aspects relevant to their work
  • [ ] The implications of not conforming (including legal consequences)

Auditor tip: Conduct random floor-level interviews. Ask a line worker: "What are the significant environmental aspects in your area, and what would happen if you didn't follow the controls?" This is your most telling awareness check.

Clause 7.4: Communication

  • [ ] Internal communication processes defined (who communicates what, to whom, when, how)
  • [ ] External communication process defined and documented
  • [ ] Decision on whether to communicate externally about significant aspects is documented
  • [ ] Communication records retained

Clause 7.5: Documented Information

  • [ ] All required documented information identified (both ISO 14001-required and organization-determined)
  • [ ] Document control procedure in place (version control, approval, access)
  • [ ] Obsolete documents removed from use
  • [ ] External documents (regulations, standards) identified and controlled

Clause 8 — Operation

Clause 8.1: Operational Planning and Control

This clause is where environmental management meets day-to-day work. Audit for actual implementation, not just procedure existence.

  • [ ] Operational controls established for all significant aspects
  • [ ] Controls address both normal and abnormal conditions
  • [ ] Outsourced processes and suppliers/contractors included in controls
  • [ ] Maintenance controls verified (e.g., secondary containment inspected, spill kits stocked)

Under ISO 14001:2015 clause 8.1, organizations must extend operational controls to outsourced processes, meaning that environmental performance failures by a contractor can constitute a direct nonconformity against the certified organization.

Clause 8.2: Emergency Preparedness and Response

  • [ ] Potential emergency situations identified (spills, fires, uncontrolled releases)
  • [ ] Emergency response procedures documented and communicated
  • [ ] Emergency drills conducted and records retained
  • [ ] Post-incident reviews completed and fed back into the EMS
  • [ ] Relevant external parties (fire service, regulators, neighbors) considered in planning

Clause 9 — Performance Evaluation

Clause 9.1: Monitoring, Measurement, Analysis, and Evaluation

Clause 9.1.1: General

| Monitoring Element | Audit Question | Evidence |
| --- | --- | --- |
| What is monitored? | Does it cover all significant aspects and compliance obligations? | Monitoring plan |
| How often? | Is frequency appropriate to the risk level? | Schedule |
| Who is responsible? | Is a named person or role assigned? | Procedure or RACI |
| Calibrated equipment? | Are instruments calibrated and records current? | Calibration certificates |
| Data analyzed? | Is raw data being turned into conclusions? | Analysis reports |

Clause 9.1.2: Evaluation of Compliance

  • [ ] Compliance evaluation conducted at defined intervals
  • [ ] Results documented
  • [ ] Knowledge of compliance status demonstrated by responsible personnel
  • [ ] Nonconformances identified during compliance evaluation treated through Clause 10.2

Common gap: Organizations conduct compliance evaluations but file the results without taking corrective action on identified gaps, effectively defeating the purpose of the exercise.

Clause 9.2: Internal Audit

  • [ ] Audit programme established, implemented, and maintained
  • [ ] Audit criteria, scope, frequency, and methods defined
  • [ ] Auditor objectivity and impartiality ensured
  • [ ] Audit results reported to relevant management
  • [ ] Audit records retained (Clause 7.5)
  • [ ] Nonconformities from previous audits closed out

Clause 9.3: Management Review

  • [ ] Management review conducted at planned intervals (minimum annually)
  • [ ] All required inputs addressed (see ISO 14001:2015 clause 9.3 a–h)
  • [ ] Outputs include decisions on continual improvement, policy/objectives changes, and resource needs
  • [ ] Records of management review retained

Required inputs checklist:

  • [ ] Status of previous management review actions
  • [ ] Changes in external and internal issues
  • [ ] Degree of objectives achieved
  • [ ] Environmental performance data
  • [ ] Compliance obligations status
  • [ ] Audit results
  • [ ] Communications from interested parties
  • [ ] Opportunities for continual improvement


Clause 10 — Improvement

Clause 10.1: General

  • [ ] Opportunities for improvement identified from multiple sources (audits, monitoring, complaints, management review)

Clause 10.2: Nonconformity and Corrective Action

This is the most audited clause after the Stage 2 assessment because it reveals whether your EMS is truly self-correcting.

  • [ ] Nonconformities documented when identified
  • [ ] Immediate containment actions taken
  • [ ] Root cause analysis conducted (ask what method — 5 Whys, fishbone, etc.)
  • [ ] Corrective actions address root cause, not just symptoms
  • [ ] Effectiveness of corrective actions reviewed
  • [ ] Changes made to EMS if necessary
  • [ ] Records retained

Research consistently shows that corrective action systems that skip formal root cause analysis have a nonconformity recurrence rate more than three times higher than those that apply structured problem-solving methods.

Clause 10.3: Continual Improvement

  • [ ] Evidence of continual improvement beyond just fixing nonconformities (proactive improvements)
  • [ ] Improvements traceable to objectives, management review outputs, or other EMS drivers
  • [ ] Improvement trends documented over time (year-over-year performance comparison)

Audit Findings: How to Grade What You Find

Not every gap is a nonconformity. Use this framework consistently:

| Finding Type | Definition | Example |
| --- | --- | --- |
| Major Nonconformity | Complete absence of a required element, or systemic failure | No aspects register exists; compliance obligations never identified |
| Minor Nonconformity | Isolated lapse in an otherwise functional system | One procedure not updated after a process change |
| Observation / OFI | Not a nonconformity, but a risk or missed opportunity | Monitoring data collected but never analyzed for trends |
| Positive Finding | Evidence of best practice worth recognizing | Real-time environmental dashboard shared with all staff |

How to Use This Checklist Effectively

1. Assign clauses to different auditors. No single person should audit the entire EMS. Splitting clauses improves objectivity and depth.

2. Sample, don't just review documents. For every procedure you're shown, trace it to a real record. Ask to see the last three months of monitoring data, not just the procedure that says monitoring will happen.

3. Interview across all levels. Top management (Clause 5), operational staff (Clause 7.3, 8.1), and EMS coordinators (Clause 9) should all be interviewed separately.

4. Close the loop before the external audit. All internal audit nonconformities should have verified corrective actions in place at least four weeks before your certification or surveillance audit.

5. Review your own programme annually. Per Clause 9.2.1, the internal audit programme itself must be reviewed for effectiveness.


Ready for a Professional Internal Audit Review?

An internal audit is only as good as the auditor conducting it. If your team lacks the bandwidth, independence, or technical depth to audit complex clauses like 6.1.2 (environmental aspects) or 9.1.2 (compliance evaluation), a gap assessment from an experienced consultant can fill that gap before it becomes a certification issue.

At Certify Consulting, I work directly with your team to conduct pre-certification gap assessments, train internal auditors, and review your EMS documentation — all built on the same 100% first-time pass methodology that has served 200+ clients across industries.

Explore our ISO 14001 certification support services to find out how we can help your organization achieve and maintain certification with confidence.


Jared Clark

Principal Consultant, Certify Consulting

Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.

About the Author

Jared Clark — ISO 14001 Environmental Management Consultant

Jared Clark is a credentialed management systems expert with JD, MBA, PMP, CMQ-OE, CPGP, CFSQA, and RAC certifications. With over 15 years of experience in environmental management, EHS compliance, and certification consulting, Jared has helped organizations across manufacturing, healthcare, and technology successfully implement ISO 14001 and achieve certification. His approach combines deep regulatory knowledge with practical, business-focused implementation strategies.