Free resource · Auditor checklist

ISO internal audit checklist

A reusable, auditor-led checklist for running an ISO internal audit that stands up to external scrutiny — from planning the programme to closing out corrective actions. Works across ISO 9001, 14001, 45001 and 27001. Written by an IRCA Registered Principal Auditor.

See how PICMS runs ISO audits Try PICMS Free

1 · Plan

Set the programme up so the audit is defensible

A good internal audit is decided before anyone walks the floor. ISO 9001/14001/45001/27001 all require a planned, risk-based programme — not an annual scramble.

An audit programme covering every process/clause over a defined cycle (risk- and importance-based frequency)
Defined scope, criteria (the standard + your own procedures) and objectives for this audit
Auditor independence — auditors do not audit their own work
A schedule agreed with the area being audited, with enough time to sample properly

2 · Prepare

Do the desk work before the opening meeting

Most weak audits are under-prepared audits. Walk in already knowing what "good" looks like for this area.

Review the relevant procedures, previous audit findings, and any open corrective actions
Build an audit checklist from the clauses/criteria so coverage is evidenced
Identify the records and metrics you will sample, and the people you need to speak to

3 · Conduct

Gather objective evidence — sample, ask, observe

Findings must rest on evidence you saw, not on what someone told you should happen. Three sources beat one.

Hold a brief opening meeting to confirm scope, criteria and logistics
Sample records rather than reviewing everything; note exactly what you examined (IDs, dates)
Triangulate: interview the person, review the record, observe the activity
Record conformities as well as nonconformities — and capture opportunities for improvement

4 · Findings & report

Classify findings consistently and report promptly

Inconsistent grading is the single biggest credibility problem in internal audit. Define the bands and apply them the same way every time.

Major NC — a clause not addressed, or a breakdown that puts conformity/certification at risk
Minor NC — an isolated lapse against a requirement that is otherwise met
Observation / OFI — not a nonconformity, but a risk or improvement worth raising
Issue a clear audit report (scope, criteria, evidence, findings) within an agreed timescale, distributed to the process owner

5 · Follow-up & closure

Close the loop and feed the management review

An audit that ends at the report has done half the job. ISO wants the correction, the root-cause action, and verification.

Process owner provides correction + corrective action with root cause and a due date
Verify the action was effective before closing the finding
Track open actions to closure; trend recurring findings
Feed audit results and trends into the management review (a mandatory input)

Watch-outs

Common internal-audit mistakes auditors see

Avoid these and your internal audit will stand up to external scrutiny.

Auditing to a checklist of opinions instead of the standard + your procedures
No evidence of what was sampled — findings that cannot be retraced
Grading everything as an "observation" to avoid raising nonconformities
Corrective actions that fix the symptom, never the root cause — so the finding returns next year
Reports that never reach the management review

PICMS runs the whole internal-audit cycle — programme, checklists, findings, corrective actions and management-review inputs — in one auditable place.

See the PICMS platform Start a free trial