Audit evidence is the information an auditor collects and evaluates to decide whether an Environmental Management System meets ISO 14001 requirements, the organisation’s own EMS requirements, and any other audit criteria. In plain English, it is the proof behind the audit finding.
Audit evidence is the information gathered during an audit and used to support audit conclusions.
It may come from:
Audit evidence should be relevant, reliable and sufficient for the auditor to make a fair judgement. The aim is not to collect everything. The aim is to collect enough suitable evidence to evaluate whether the audit criteria are being met.
These three terms work together.
Audit criteria are the requirements the auditor is auditing against.
In an ISO 14001 audit, criteria may include:
Audit evidence is what the auditor collects to compare against the criteria.
Audit findings are the conclusions reached after comparing evidence with the criteria.
If the audit criterion says spill kits are checked monthly, the auditor may review the inspection record, look at the spill kit, and interview the person responsible. The evidence then supports a finding of conformity, nonconformity or an observation for improvement.
Audit evidence matters because audit findings should be based on facts, not feelings.
Without good evidence, audits become weak, inconsistent and easy to challenge.
Good audit evidence helps the auditor:
A good audit finding should be traceable back to evidence. If an auditor cannot explain what evidence supports the finding, the finding is probably wobblier than a camping chair in a gale.
ISO 14001 audits normally use several types of evidence.
This includes procedures, records, registers, forms, reports, plans and electronic system records.
Examples include:
Interviews help the auditor understand what people know, what they do, and whether the EMS works in practice.
Interview evidence may come from:
Observation evidence comes from what the auditor sees.
Examples include:
Data helps the auditor evaluate environmental performance and whether the EMS is producing useful results.
Examples include:
Relevant evidence is evidence that relates directly to the audit criteria and audit scope.
For example, if the auditor is checking emergency preparedness and response, relevant evidence may include:
An impressive spreadsheet about something unrelated is still unrelated. Audit evidence needs to answer the audit question being asked.
Reliable evidence is evidence the auditor can reasonably trust.
Reliability may be affected by:
One person saying “I think we do that” may be a useful lead. It is not always enough by itself to support a strong audit conclusion.
Sufficient evidence means enough evidence to support the audit conclusion.
The auditor rarely checks everything. Instead, they sample.
The size and depth of the sample should depend on factors such as:
A single record may be enough for a low-risk check. A repeated issue, high-risk process or compliance obligation may need a deeper sample.
Auditors use sampling because it is normally impossible to check every record, interview every person or observe every activity.
Sampling may involve selecting:
Sampling should be sensible and defensible. If the auditor finds a problem in one sample, they may need to widen the sample to understand whether it is isolated or systemic.
An audit trail is the path the auditor follows through evidence.
A strong audit trail often links several clauses together.
The auditor starts with the aspect register and sees chemical storage identified as significant. They then check operational controls, storage inspections, spill response arrangements, competence records, emergency drill evidence, and management review discussion of incidents or improvements.
Good audit trails help students and auditors avoid treating ISO 14001 as disconnected clauses. The EMS should work as a system.
Different clauses call for different types of evidence. The table below gives practical examples.
| Clause area | What the auditor may check | Possible audit evidence |
|---|---|---|
| Clause 4 — Context | Whether context, interested parties, scope and EMS processes are understood | Context review, interested party review, scope statement, EMS process map, management review records |
| Clause 5 — Leadership | Leadership commitment, policy, roles and responsibilities | Policy, objectives, resource decisions, role descriptions, interviews with top management and process owners |
| Clause 6 — Planning | Aspects, obligations, risks, opportunities, objectives and planned changes | Aspect register, compliance obligations, risk/opportunity records, objective plans, change records |
| Clause 7 — Support | Resources, competence, awareness, communication and documented information | Training records, competence evidence, communication records, controlled documents, interviews, system access records |
| Clause 8 — Operation | Operational controls, externally provided processes, lifecycle controls and emergency response | Site observations, procedures, inspection records, contractor inductions, procurement requirements, emergency drill records |
| Clause 9 — Performance evaluation | Monitoring, compliance evaluation, internal audit and management review | Monitoring data, evaluation records, audit programme, audit reports, management review inputs and results |
| Clause 10 — Improvement | Continual improvement, nonconformity and corrective action | Improvement actions, nonconformity records, cause analysis, corrective action evidence, effectiveness review records |
Documented information is one of the most common forms of audit evidence, but it should not be the only form.
Useful documented evidence may include:
The auditor should check whether documented information is controlled, available where needed, suitable for use, and protected from unintended changes or loss.
Read the SQMC guide to documented information.
Interviews are essential because they show whether people understand and apply the EMS.
Good interview questions are usually open and evidence-seeking.
For example:
Interview evidence is stronger when it is supported by observation or records. If three people describe the same process clearly, and the records and site conditions match, the evidence is much stronger than a lone “aye, probably”.
Observation is often where EMS audits come alive.
The auditor may look at:
Observation helps verify whether procedures are actually being followed. A beautifully controlled document can say anything it likes; the yard tends to tell the truth.
Evidence can support a finding that requirements are being met.
For example, conformity evidence might include:
Good audits should recognise conformity as well as nonconformity. Conformity evidence helps the organisation understand what is working and where controls are effective.
Evidence can also support a finding that a requirement is not being met.
A nonconformity should normally include:
Requirement: waste transfer records must be checked and retained. Evidence: three sampled records from March were missing required carrier information and had not been reviewed. Finding: the waste record review process was not implemented effectively.
A nonconformity should be written clearly and fairly. It should not be a personal attack, a vague complaint or an auditor’s pet preference wearing a fake moustache.
Read the SQMC guide to nonconformity and corrective action.
Audit findings should not overstate what the evidence proves.
For example, if the auditor checks one missing record, they should be careful about claiming that the whole system has failed unless wider evidence supports that conclusion.
More careful wording might be:
The evidence should be specific enough that the auditee can understand the issue and the organisation can investigate the cause.
Weak evidence can make audit findings unclear or unfair.
Common weak evidence includes:
Stronger evidence is specific, relevant and traceable.
“The April spill-kit inspection record for the loading bay was not completed. The spill kit was checked during the site tour and absorbent pads were missing. The loading bay supervisor confirmed that responsibility for the check had not been reassigned after a staff change.”
“The audit sampled five waste transfer records from January to March. Three did not include complete carrier information. The waste procedure requires records to be checked before filing. No evidence of review was available for the sampled records.”
“The EMS objective to reduce electricity consumption by 8% was reviewed. Monthly electricity data was available, but no analysis had been carried out since June and no action had been taken after consumption increased for four consecutive months.”
Auditors should evaluate evidence objectively.
This means:
Objectivity does not mean being cold or robotic. It means being fair, evidence-based and professional.
ISO 14001 expects certain documented information to be available in different parts of the EMS. It also allows organisations to decide what additional documented information they need for EMS effectiveness.
Auditors should avoid assuming that every process needs a detailed procedure. Instead, they should ask whether enough documented information exists to support effective control and provide confidence that important processes are being carried out as planned.
In practice, the strongest audits do not ask only “is there a document?” They ask:
Management review is another important source of audit evidence.
Evidence may include:
Auditors should check whether management review is more than a meeting record. Good evidence shows what was reviewed, what was concluded, what decisions were made and what happened afterwards.
Read the SQMC guide to management review.
Corrective action evidence should show more than “done”.
Useful evidence may include:
Corrective action evidence is especially important where the organisation claims the issue has been fixed. The auditor should check whether the fix actually addressed the problem.
When collecting audit evidence, auditors should ask:
“The waste process is not effective.”
This is weak because it does not identify the requirement, the evidence, the sample, the location, the date, or why the process is considered ineffective.
“The waste procedure requires completed waste transfer records to be checked before filing. The audit sampled five records from March and April. Three records were missing required carrier details, and no evidence of review was available. This indicates the waste record review process has not been implemented effectively.”
This is stronger because it links the finding to a requirement, a sample and specific evidence.
An auditor wants to check whether emergency preparedness arrangements are effective.
Useful evidence may include:
This gives a rounded view: records, observation, interviews and follow-up.
An auditor wants to check whether compliance obligations are being evaluated.
Useful evidence may include:
A legal register alone is not enough. The auditor needs evidence that the organisation evaluates whether obligations are being fulfilled.
An auditor wants to check whether people doing work under the organisation’s control are competent.
Useful evidence may include:
A training certificate may be useful evidence, but it is not always enough by itself. Competence should be demonstrated in the way work is actually performed.
This page is part of SQMC’s ISO 14001:2026 guidance library for auditors, managers and QHSE professionals.
SQMC’s ISO 14001 Internal Auditor course helps you move from understanding the Standard to auditing it with confidence. Over two practical days, you’ll learn how to plan EMS audits, gather evidence, ask better questions, write nonconformities and report findings clearly.
Learn from anywhere in our Virtual Classroom, attend one of our training centres, or arrange private in-company training for your team.
Find out more and get qualified!