ISO 14001:2026 for Auditors > Clause 9.2

Explained: Internal Audit

Clause 9.2 of ISO 14001 asks an organisation to carry out internal audits at planned intervals. In plain English, this means the organisation must check whether its Environmental Management System conforms to requirements, is properly implemented, and is being maintained effectively.

What is ISO 14001 Clause 9.2 trying to achieve?

Clause 9.2 is about using internal audit to test the EMS honestly and constructively.

Internal audits should provide information on whether the EMS:

• conforms to the organisation’s own EMS requirements;
• conforms to the requirements of ISO 14001;
• is effectively implemented;
• is properly maintained;
• supports environmental performance, compliance and improvement.

The purpose is not to “catch people out”. The purpose is to provide useful, evidence-based information so the organisation can understand whether the EMS is working.

Why internal audit matters in an EMS

Internal audit is one of the EMS’s strongest checking tools.

It helps the organisation identify:

• where requirements are being met;
• where controls are working well;
• where procedures do not match practice;
• where compliance risks may exist;
• where people need support, competence or awareness;
• where records are missing or weak;
• where corrective action or improvement is needed;
• where top management needs better information.

A good internal audit programme helps the organisation find issues before customers, regulators or certification auditors do. Much cheaper. Much less sweaty.

What does ISO 14001 expect?

ISO 14001 expects the organisation to conduct internal audits at planned intervals.

The organisation should establish, implement and maintain an internal audit programme that includes:

• audit frequency;
• audit methods;
• audit responsibilities;
• audit planning requirements;
• audit reporting arrangements;
• audit criteria;
• audit scope;
• selection of auditors;
• objectivity and impartiality;
• reporting of results to relevant management;
• retention of documented information as evidence.

The programme should consider the environmental importance of the processes concerned, changes affecting the organisation, and results of previous audits.

Clause 9.2.1 — General internal audit requirements

Clause 9.2.1 sets out the basic purpose of internal audit.

It asks whether the EMS conforms to:

• the organisation’s own requirements for its EMS;
• the requirements of ISO 14001.

It also asks whether the EMS is effectively implemented and maintained.

This means internal audit should not only check documents. It should test actual practice. Auditors should look for objective evidence that the EMS is working in real operations.

Clause 9.2.2 — Internal audit programme

Clause 9.2.2 asks the organisation to establish, implement and maintain an internal audit programme.

An audit programme is the overall arrangement for internal audits over a period of time. It is not the same as an individual audit plan or checklist.

A good EMS audit programme should consider:

• which processes or areas will be audited;
• how often audits will take place;
• which audit methods will be used;
• who will conduct the audits;
• what criteria will be used;
• what scope each audit will cover;
• how results will be reported;
• how actions will be followed up.

The programme should also consider environmental importance, changes affecting the organisation and previous audit results.

Audit programme, audit plan and audit checklist

These terms are often confused, so it helps to separate them.

An audit programme is the overall schedule or system for audits over time.

An audit plan is the plan for a specific audit, including scope, criteria, timings, people and areas to visit.

An audit checklist is a working tool used during the audit to help gather evidence and structure questions.

Internal audit should be risk-based and useful

A weak audit programme simply audits every clause once per year in the same order.

That may provide coverage, but it may not focus attention where the EMS needs it most.

A stronger audit programme considers:

• significant environmental aspects;
• compliance obligations;
• previous audit findings;
• environmental incidents or complaints;
• changes to processes, suppliers, people or legal requirements;
• contractor or outsourced process risks;
• progress against environmental objectives;
• areas of poor performance or uncertainty;
• management priorities and improvement needs.

Internal audit should help the organisation learn something useful. If the same checklist produces the same sleepy answers every year, the programme probably needs a strong coffee.

Audit criteria and audit scope

Each audit should have defined criteria and scope.

Audit criteria are the requirements the audit is checking against.

Criteria may include:

• ISO 14001 requirements;
• the organisation’s EMS procedures;
• environmental policy commitments;
• legal and other compliance obligations;
• operational control requirements;
• customer or contract requirements;
• internal objectives, targets or standards.

Audit scope defines the boundaries of the audit.

Scope may include:

• sites or locations;
• departments or functions;
• processes or activities;
• ISO 14001 clauses;
• environmental aspects;
• specific compliance obligations;
• time period or records to be sampled.

Clear criteria and scope help prevent vague audits with vague findings.

Audit methods

Internal audits should use suitable methods to gather objective evidence.

Audit methods may include:

• interviews;
• site walkarounds;
• observation of activities;
• document and record review;
• sampling of evidence;
• process tracing;
• following an aspect from planning to control to monitoring;
• checking records against observed practice;
• remote interviews or digital evidence review where suitable.

The method should suit the audit objective. For operational control, a site walkaround may be essential. For document control, a records review may be more appropriate. For competence and awareness, interviews can be invaluable.

Objectivity and impartiality

ISO 14001 expects auditors to be selected and audits conducted in a way that ensures objectivity and impartiality.

In simple terms, auditors should not audit their own work where that would compromise independence.

Objectivity may be supported by:

• using auditors from another department;
• using trained internal auditors who are not responsible for the area being audited;
• using external auditors for sensitive or specialist audits;
• peer audits between sites;
• review of audit findings by someone independent;
• clear audit criteria and evidence-based reporting.

Small organisations may have limited people available, so the approach should be practical. The key is to avoid marking your own homework and awarding yourself a gold star.

Internal auditor competence

Internal auditors should be competent for the audits they carry out.

EMS internal auditors should understand:

• the purpose and structure of ISO 14001;
• environmental aspects and impacts;
• compliance obligations;
• EMS processes and operational controls;
• audit principles and evidence gathering;
• interviewing and observation techniques;
• how to identify conformity and nonconformity;
• how to write clear audit findings;
• how to report results constructively.

Competence may be based on training, experience, supervised audits, mentoring, professional background or periodic review of audit performance.

Audit evidence

Internal audit findings should be based on objective evidence.

Evidence may include:

• records;
• documents;
• observations;
• interview responses;
• monitoring data;
• inspection results;
• training records;
• photographs where permitted;
• system screenshots;
• samples of completed forms;
• physical conditions observed during a site visit.

Good auditors do not rely on opinion alone. They link findings to evidence and criteria.

Audit findings and nonconformities

Audit findings should clearly explain what was found and why it matters.

A strong nonconformity statement usually includes:

• the requirement or audit criteria;
• the evidence found;
• the gap between the requirement and the evidence;
• enough detail for the organisation to understand and correct the issue.

Findings should be factual, clear and proportionate. The aim is to support correction and improvement, not to write dramatic prose.

Reporting audit results

Internal audit results should be reported to relevant management.

Audit reports may include:

• audit objective;
• audit scope;
• audit criteria;
• audit date;
• auditor names;
• areas or processes audited;
• people interviewed;
• evidence sampled;
• conformities;
• nonconformities;
• observations or opportunities for improvement;
• conclusions on EMS effectiveness;
• required actions and responsibilities.

The report should be useful to the people who need to act on the findings.

Follow-up and corrective action

Internal audit does not end when the report is issued.

Where nonconformities or significant weaknesses are identified, the organisation should take appropriate action.

Follow-up may include:

• correction of the immediate issue;
• root cause analysis;
• corrective action planning;
• assigning responsibility and timescales;
• checking whether actions are completed;
• reviewing whether actions were effective;
• updating the audit programme based on results.

Repeated findings are a useful warning sign. They may suggest that corrective action is treating symptoms rather than causes.

Documented information for internal audit

The organisation should retain documented information as evidence of the audit programme and audit results.

Evidence may include:

• internal audit programme;
• audit schedule;
• audit plans;
• audit criteria and scope;
• audit checklists or working notes;
• audit reports;
• evidence sampled;
• nonconformity records;
• corrective action records;
• auditor competence records;
• management reporting records;
• evidence of follow-up and closure.

Records should be clear enough to show that audits were planned, conducted, reported and followed up.

Practical implementation guidance

A practical internal audit process should answer:

• What will be audited?
• How often will audits be carried out?
• What risks, aspects, obligations and previous results affect the programme?
• Who will audit?
• How will auditor competence and objectivity be ensured?
• What criteria and scope apply to each audit?
• How will evidence be gathered?
• How will findings be reported?
• Who needs to receive audit results?
• How will actions be tracked and verified?
• How will audit results feed into management review and improvement?

Internal audit should be planned enough to be reliable, but flexible enough to follow evidence when something interesting appears.

What auditors typically look for

Auditors look for evidence that internal audits are planned, risk-based, objective, competent, reported and followed up.

Evidence may include:

• internal audit procedure or process;
• audit programme;
• audit plans;
• records showing environmental importance was considered;
• records showing previous audit results were considered;
• audit reports;
• audit findings and evidence;
• corrective action records;
• auditor competence records;
• management review records;
• interviews with auditors and auditees.

Common weaknesses in Clause 9.2

• audit programme does not consider environmental importance;
• audit programme ignores previous audit results;
• same checklist used every year with little thought;
• audit criteria and scope are unclear;
• auditors audit their own work without suitable objectivity;
• auditor competence is not demonstrated;
• audit findings are vague or unsupported by evidence;
• nonconformities are not reported to relevant management;
• corrective actions are overdue or ineffective;
• audit records are missing or incomplete;
• audits focus on paperwork but ignore operational reality.

Weak example

Better example

Real-world example: warehouse and distribution company

A warehouse and distribution company identifies fuel use, waste segregation, packaging waste, chemical storage and contractor activity as important EMS issues.

Its internal audit programme may include:

• quarterly site audits of waste and loading bay controls;
• annual audit of compliance obligations and waste documentation;
• audit of contractor controls before peak maintenance periods;
• audit of fuel monitoring and route planning linked to environmental objectives;
• follow-up audits where previous nonconformities were raised.

An auditor could test whether the programme reflects environmental importance and whether audit results have led to real improvements.

Real-world example: office-based organisation

An office-based organisation may have a simpler audit programme, but Clause 9.2 still applies.

Its internal audits may cover:

• energy and travel data;
• environmental objectives;
• waste and recycling arrangements;
• IT equipment disposal;
• supplier environmental checks;
• competence and awareness;
• management review and corrective action.

The programme should still consider significance, previous findings and changes, even where the EMS is relatively low-risk.

Auditor questions for ISO 14001 Clause 9.2

• How does the organisation plan its internal audit programme?
• How are audit frequency, methods, responsibilities and reporting arrangements defined?
• How does the programme consider environmental importance?
• How does the programme consider changes affecting the organisation?
• How are previous audit results considered?
• How are audit criteria and scope defined?
• How are auditors selected?
• How is auditor objectivity and impartiality ensured?
• How is auditor competence demonstrated?
• How are audit results reported to relevant management?
• How are nonconformities and corrective actions followed up?
• What documented information is retained as evidence?

Related ISO 14001 clauses

• Clause 5.3 — Roles, responsibilities and authorities
• Clause 6.1.2 — Environmental aspects
• Clause 6.1.3 — Compliance obligations
• Clause 7.2 — Competence
• Clause 7.5 — Documented information
• Clause 8.1 — Operational planning and control
• Clause 8.2 — Emergency preparedness and response
• Clause 9.1 — Monitoring, measurement, analysis and evaluation
• Clause 9.1.2 — Evaluation of compliance
• Clause 9.3 — Management review
• Clause 10.2 — Nonconformity and corrective action

Continue learning

This page is part of SQMC’s ISO 14001:2026 guidance library for auditors, managers and QHSE professionals.

• Return to ISO 14001:2026 for Auditors
• Clause 9 — Performance evaluation
• Monitoring, measurement, analysis and evaluation explained
• Evaluation of compliance explained
• ISO 14001 audit programme template
• Management review explained

Ready to put ISO 14001 into practice?

SQMC’s ISO 14001 Internal Auditor course helps you move from understanding the Standard to auditing it with confidence. Over two practical days, you’ll learn how to plan EMS audits, gather evidence, ask better questions, write nonconformities and report findings clearly.

Learn from anywhere in our Virtual Classroom, attend one of our training centres, or arrange private in-company training for your team.

Find out more and get qualified!