Free Audit Checklist Template — ISO 9001, Safety & Internal Audit

Q: What should an audit checklist include?

An audit checklist should include: audit scope and objectives, list of audit criteria referenced to the relevant standard or procedure, compliance status column (Conforming / Minor NC / Major NC / Observation), evidence reviewed, auditor notes and findings, and a summary section showing overall compliance status and required corrective actions.

Q: What is an internal audit checklist?

An internal audit checklist is a structured list of questions or criteria used to assess whether an organization's processes, procedures, and systems comply with its own quality management system requirements (such as ISO 9001) or regulatory requirements. Internal audits are conducted by employees trained as internal auditors, typically on a planned annual schedule.

Q: How do I create an audit checklist for ISO 9001?

To create an ISO 9001 audit checklist: (1) Review the relevant ISO 9001 clauses for the process being audited, (2) Convert each clause requirement into a specific question or criterion, (3) Add columns for conforming/non-conforming status, evidence reviewed, and notes, (4) Include space for the auditor's name, date, and findings summary. ISO 9001:2015 has 10 main clauses covering context, leadership, planning, support, operations, performance evaluation, and improvement.

Q: What is the difference between an internal audit and an external audit?

An internal audit is conducted by employees of the organization (first-party audit) to assess compliance with internal procedures and management system standards. An external audit is conducted by an independent third party — either a certification body performing surveillance audits (third-party) or a customer auditing a supplier (second-party). External audits typically have higher stakes and may result in certification decisions or supplier approval/disqualification.

Q: What is a non-conformance report (NCR) in auditing?

A non-conformance report (NCR) is a formal document recording a failure to meet a specified requirement during an audit. NCRs are graded by severity: minor (isolated lapse with no systemic failure), major (systemic failure or complete absence of a required element), or critical (immediate risk to safety, product integrity, or regulatory compliance). Each NCR must specify the requirement violated, the objective evidence found, and requires a root cause analysis and corrective action plan from the auditee.

Q: How long should corrective actions from an audit be tracked?

Corrective actions from audit non-conformances should be tracked until the root cause has been addressed and the effectiveness of the corrective action has been verified — typically 30 to 90 days for minor non-conformances and up to 6 months for major non-conformances. ISO 9001 requires that corrective action effectiveness be reviewed. Many organizations use a corrective action tracking register and verify closure during the next scheduled audit cycle.

Download free audit checklist templates for internal audits, supplier audits, ISO 9001, ISO 14001, SOX financial audits, IT security audits, and food safety (HACCP/BRC) compliance. Customizable PDF audit checklists for quality managers, compliance teams, and trained internal auditors across every industry.

Create Free Audit Checklist 5S Audit Checklist

Internal vs External Audit Checklists

The structure of an audit checklist depends significantly on whether it is being used for an internal (first-party) audit or an external (second- or third-party) audit. Understanding the difference ensures you build the right checklist for the right purpose.

Internal Audit Checklists

Conducted by trained employees (first-party auditors) to evaluate compliance with the organization’s own quality management system, procedures, and applicable standards such as ISO 9001. Internal audits are planned annually and cover all QMS processes over a defined cycle.

✓ Focus: internal procedure compliance and QMS effectiveness
✓ Auditors: company employees with internal auditor training
✓ Frequency: typically annual audit plan covering all processes
✓ Output: internal NCRs and corrective action requests (CARs)

External Audit Checklists

Conducted by a certification body (third-party) or by a customer auditing a supplier (second-party). External audits carry higher stakes — they may determine certification status or supplier approval. Checklists must align precisely with the standard being assessed.

✓ Focus: conformance to the standard and customer requirements
✓ Auditors: certified lead auditors from an independent body
✓ Frequency: surveillance audits (annual) plus recertification (3-year)
✓ Output: formal audit report with official NC grading

Audit Types Covered

A well-designed audit checklist template adapts to the requirements of each audit standard. Below are the most common audit types and what makes each checklist unique.

ISO 9001 Quality Management Audit

Clause-by-clause checklist covering all 10 sections of ISO 9001:2015 — from context of the organization (Clause 4) through improvement (Clause 10). Questions verify documented procedures, records, process controls, and management review outputs.

ISO 14001 Environmental Management Audit

Assesses environmental aspects, impacts, legal compliance, emergency preparedness, monitoring data, and environmental targets. Checklist maps to ISO 14001:2015 clauses and includes site walk inspection items for spill containment, waste segregation, and emissions monitoring.

SOX Financial Audit Checklist

Sarbanes-Oxley (SOX) Section 404 compliance checklists verify internal controls over financial reporting (ICFR). Items cover segregation of duties, access controls, reconciliation procedures, approval workflows, and audit trail completeness for financial systems.

IT Security Audit Checklist

Evaluates cybersecurity controls against frameworks like ISO 27001, NIST CSF, or SOC 2. Covers access management, patch management, backup and recovery, network segmentation, incident response procedures, and security awareness training records.

Food Safety Audit — HACCP/BRC

HACCP audits verify that all critical control points (CCPs) are identified, monitored, and recorded. BRC (now BRCGS) Food Safety checklists cover prerequisite programs, allergen controls, traceability, foreign body controls, and pest management alongside HACCP verification.

5S Workplace Audit Checklist

Scores each 5S pillar (Sort, Set in Order, Shine, Standardize, Sustain) across work areas using a 0-4 or 1-5 scale. Tracks improvement over time and drives lean manufacturing culture.

View template →

How to Conduct an Effective Audit: 6-Step Guide

Following a structured audit process ensures your findings are defensible, objective, and actionable. Every step in this process corresponds to a section of a well-designed audit checklist template.

Audit Planning

Define the audit scope (which processes, clauses, or departments), the audit criteria (which standard or procedure applies), and the audit objectives. Prepare your audit checklist by mapping each requirement to a specific question. Notify the auditee at least one week in advance and share the audit plan so they can prepare relevant records and have the right personnel available.

Opening Meeting

Begin with a brief formal opening meeting — typically 15 to 30 minutes — with the auditee, their supervisor or manager, and any relevant department heads. Confirm the audit scope, agenda, and methodology. Explain how non-conformances will be classified and documented, and agree on the time for the closing meeting. This meeting sets a professional tone and prevents misunderstandings about the audit process.

Document Review

Before going to the shop floor or office, review relevant documentation: procedures, work instructions, training records, previous audit reports, corrective action logs, and monitoring data. Document review reveals gaps between what is documented and what the standard requires — and helps you frame targeted questions for the field audit. Note any documents that appear outdated, missing, or non-compliant.

Field Audit (On-Site Assessment)

Walk the work area with your checklist. Observe processes being performed, interview operators and supervisors using open-ended questions, and physically verify conditions. For each checklist item, record the objective evidence you found — specific document numbers, observations, and interview quotes. Avoid relying on memory; record everything in real time. Mark each item: Conforming, Minor NC, Major NC, or Observation.

Findings Compilation

After the field audit, compile your findings and write a non-conformance report (NCR) for each non-conformance identified. Each NCR must reference the specific clause or procedure requirement that was not met, state the objective evidence found, and classify the finding as minor, major, or critical. Prepare an audit summary table showing the total count of each finding type. Review your findings for consistency and completeness before the closing meeting.

Closing Meeting

Present all findings to the auditee and their management. Walk through each non-conformance in detail, citing the objective evidence and the requirement violated. Allow the auditee to ask clarifying questions — but keep the scope of findings as documented. Agree on timelines for corrective action responses: typically 30 days for minor NCs and immediate containment plus 30-60 days for major NCs. Obtain signatures from both auditor and auditee on the audit report.

Audit Checklist Template Structure

A professional audit checklist template includes these eight core elements. Each element serves a specific purpose in producing a defensible, actionable audit record.

Audit header

Organization name, audit date, auditor name, department/area being audited, and audit scope.

Criteria reference

Each checklist item references the specific clause, procedure, or regulation being assessed. Auditors must justify every finding.

Compliance rating

Conforming / Minor Non-Conformance / Major Non-Conformance / Observation — with clear definitions for each rating.

Evidence reviewed

Documents reviewed, processes observed, and personnel interviewed. Audit findings must be supported by objective evidence.

Findings and notes

Description of what was found — both conforming evidence and non-conformances. Written to be understood by someone who wasn't present.

Corrective action

Required corrective actions for all non-conformances, with assigned owner and target completion date.

Summary section

Count of conformances, minor NCs, major NCs, and observations. Overall audit conclusion and recommendations.

Sign-off

Auditor and auditee signatures confirming the audit was conducted and findings were communicated.

Non-Conformance Documentation: Writing Effective NCRs

A non-conformance report (NCR) is the formal record of any finding where a requirement has not been met. Writing clear, well-evidenced NCRs is one of the most critical skills in auditing — poorly written NCRs lead to disputes, ineffective corrective actions, and repeat findings.

NCR Grading: Minor, Major, and Critical

Minor NC

An isolated lapse or single instance of non-compliance that does not indicate a systemic failure. The overall system or process is still functioning, but one element has slipped. Example: a single training record missing a date, or one calibration label found to be one week overdue.

Major NC

A systemic failure, the complete absence of a required element, or a finding that is likely to result in the customer receiving non-conforming product or service. Example: no documented calibration procedure exists, or corrective actions from previous audits have not been implemented across the organization.

Critical NC

An immediate risk to health and safety, product integrity, or regulatory compliance. Requires immediate containment action before the audit can continue. Example: a food facility with pest evidence in a production zone, or a financial control that has been deliberately bypassed. Critical NCs may result in immediate suspension of certification or supplier status.

How to Write a Well-Structured NCR

Every NCR should contain three parts: the requirement violated (citing the specific clause or procedure), the objective evidence found (what the auditor saw, read, or was told), and the classification (minor/major/critical). A weak NCR states only a conclusion (“training records are incomplete”) without citing evidence. A strong NCR states: “ISO 9001:2015 Clause 7.2 requires documented evidence of competence for personnel performing work affecting product quality. Training records for three of five production operators (Employee IDs 042, 067, and 091) reviewed on [date] contained no evidence of competence assessment for the CNC milling operation. This is classified as a Major Non-Conformance.”

Use the quality control check sheet format to document objective evidence systematically during the field audit phase, making NCR writing faster and more consistent.

Corrective Action Tracking and Follow-Up

An audit is only as valuable as the corrective actions it generates. Too many organizations treat the closing meeting as the end of the audit process — but effective corrective action follow-up is where the real quality improvement happens.

Root Cause Analysis

The auditee must identify the root cause of each non-conformance — not just fix the symptom. Common root cause tools include the 5 Whys, fishbone (Ishikawa) diagram, and fault tree analysis. The corrective action must address the root cause, or the same non-conformance will recur at the next audit.

Corrective Action Plan (CAP)

For each NCR, the auditee submits a written corrective action plan containing: immediate containment action (what was done right away to prevent further non-conformance), root cause analysis, corrective action to eliminate the root cause, and target completion date. The CAP should be submitted within 30 days for minor NCs and 14 days for major NCs.

Evidence of Completion

Corrective actions must be supported by objective evidence of completion — updated procedures, new training records, revised calibration schedules, photographs of physical changes, or system configuration screenshots. “Training was conducted” is not acceptable without a signed training record showing names, dates, and topics covered.

Effectiveness Verification

After the corrective action has been implemented, the auditor or audit team verifies that it was effective. This may be done via a follow-up desk review of submitted evidence or a targeted follow-up audit of the affected area. Effectiveness verification is a requirement of ISO 9001 Clause 10.2 and should be built into the corrective action tracking register.

Corrective Action Register

Maintain a centralized corrective action tracking register listing every open NCR, the assigned owner, the corrective action plan submission date, the target close date, and the current status. Review the register monthly in management meetings. Overdue corrective actions should be escalated to senior management. Pair your audit checklist with a corrective action register built from the same template system.

For safety-related audits, integrate corrective actions with your safety inspection checklist to ensure findings are tracked alongside routine inspection results.

Generate Audit Checklists Free

Create professional audit checklists for ISO 9001, supplier audits, and compliance reviews — export as PDFs.

Create Free Audit Checklist

Frequently Asked Questions

What should an audit checklist include?

Audit scope and objectives, list of criteria referenced to the relevant standard, compliance status column, evidence reviewed, auditor notes, and a summary showing overall compliance status and required corrective actions.

What is an internal audit checklist?

A structured list of questions used to assess whether processes and systems comply with quality management system requirements (like ISO 9001) or regulatory requirements. Conducted by trained internal auditors on a planned annual schedule.

How do I create an audit checklist for ISO 9001?

Review the relevant ISO 9001 clauses, convert each requirement into a specific question, add columns for compliance status and evidence, include findings summary. ISO 9001:2015 has 10 main clauses covering context, leadership, planning, support, operations, evaluation, and improvement.

What is the difference between an internal audit and an external audit?

Internal audits are conducted by company employees (first-party) to assess internal QMS compliance. External audits are conducted by certification bodies (third-party) or customers (second-party). External audits can determine certification status or supplier approval, so stakes are higher and the checklist must align precisely with the standard.

What is a non-conformance report (NCR) in auditing?

An NCR formally records a failure to meet a specified requirement. NCRs are graded minor (isolated lapse), major (systemic failure or complete absence of a required element), or critical (immediate risk). Each NCR must cite the specific requirement violated and the objective evidence found.

How long should corrective actions from an audit be tracked?

Until the root cause is addressed and the corrective action is verified effective — typically 30-90 days for minor NCs and up to 6 months for major NCs. ISO 9001 requires effectiveness review of all corrective actions, which is typically confirmed at the next audit cycle.