After two decades of certification work, I can tell you that ISO 14001 internal audits are where the wheels most often come off — not at the external audit, but in the months beforehand, when businesses convince themselves their internal process is working when it plainly isn't.
Here's what separates a useful internal audit from a box-ticking exercise.
It's Not a Document Review
The single most common mistake I see is internal auditors spending the entire audit checking whether procedures exist and whether records are filed correctly. That's not an internal audit — that's a filing cabinet inspection.
A genuine ISO 14001 internal audit has to evaluate conformance and effectiveness. Are your environmental controls actually working? Is your significant environmental aspects register still accurate, or has it drifted out of date as your operations changed? Are people on the shop floor or in the field actually aware of the procedures that apply to them?
Clause 9.2 requires you to audit the entire management system. That includes how well top management is demonstrating leadership under Clause 5 — which most internal auditors politely skip. Don't.
Your Audit Programme Needs to Reflect Risk
A flat schedule that audits every area once a year at equal depth is a missed opportunity. Your audit programme should be risk-based. Areas with significant environmental aspects, previous nonconformances, or operational changes warrant more scrutiny. A low-risk administrative function does not need the same depth as your waste handling or chemical storage operations.
When your external auditor reviews your audit programme — and they will — they want to see that your planning decisions are justified, not just that you ticked every box on a spreadsheet.
Competence of the Internal Auditor Matters
ISO 14001 Clause 9.2.2 requires that auditors are competent. In practice, this is where many SMEs struggle. Appointing someone because they're available, or because they've attended a half-day awareness session, doesn't meet the standard's intent.
Your internal auditor needs to understand the requirements of ISO 14001, your organisation's environmental context, and how to gather objective evidence through interview, observation, and document review. If you haven't invested in proper auditor training, your internal audit findings will lack credibility — and your certification body will notice.
Nonconformances Should Be Uncomfortable
A clean internal audit report is not a badge of honour. It usually means the auditor didn't look hard enough, or felt too awkward to raise issues with colleagues.
Internal audits should surface improvement opportunities and genuine nonconformances. If your system is performing well, you'll still find observations worth raising. If your internal audit has returned zero findings for three consecutive cycles, that's a red flag — not a sign of excellence.
Your external auditor will be sceptical, and rightly so.
Close the Loop on Corrective Actions
Finding a nonconformance and logging it is only half the job. The corrective action process — root cause analysis, action, verification of effectiveness — is where organisations demonstrate they actually learn from what their audits find.
I regularly see corrective actions closed with no evidence of root cause analysis, or with actions that address the symptom rather than the underlying problem. That's a significant finding waiting to happen.
If you want your ISO 14001 audit programme to genuinely strengthen your environmental management system rather than just satisfy a certification requirement, start here.
Ready to talk about your business?
Book a free, no-obligation call. We will tell you exactly what certification would involve for your size, sector, and starting point.