
This guide gives internal auditors a clause-mapped checklist framework covering three core audit domains: Prerequisite Programs, HACCP plan implementation, and ISO 22000:2018 management system clauses 4–10. It also covers how to plan, conduct, and close out findings in a way that actually strengthens your FSMS.
TL;DR
- ISO 22000 Clause 9.2 requires internal audits at planned intervals — frequency must be risk-justified, not arbitrary
- Your checklist must cover PRPs, HACCP/OPRPs, and all management system clauses 4–10
- Objective evidence includes records, observations, and interviews, not policy documents alone
- The most common nonconformities are gaps between documented procedures and actual floor-level practice
- Verify corrective actions are effective — marking them closed is not the same as confirming they worked
What Is an ISO 22000 Internal Audit?
ISO 22000:2018 Clause 9.2 requires organizations to conduct internal audits at planned intervals to confirm the FSMS conforms to both the standard's requirements and the organization's own requirements — and that it is effectively implemented and maintained.
This is a first-party activity. Under ISO 19011:2018, internal audits are classified as first-party audits, meaning they are conducted by or on behalf of the organization itself. That makes them fundamentally different from the certification audit your registrar conducts.
Scope and Auditor Independence
The audit scope must cover the full FSMS — not just the production floor or your HACCP documentation folder. This includes:
- All processes that affect food safety
- Outsourced functions within the certification boundary
- Every physical site included in the scope
- Support processes including purchasing, maintenance, and HR
Auditor independence from the area being audited is a hard requirement under Clause 9.2.2. An auditor cannot audit their own work.
Why the Quality of Audit Evidence Matters
Internal audit findings feed directly into:
- Corrective action (Clause 10.1 and 10.2)
- Management review inputs (Clause 9.3)
- The next audit program cycle (Clause 9.2)
Weak evidence collection leads to findings that miss root causes — and corrective actions that fail to prevent recurrence. External auditors look for exactly this gap when they review your internal audit records.
What Must Your ISO 22000 Audit Checklist Cover?
Prerequisite Programs (PRPs)
PRPs are the foundational conditions your facility must maintain before hazard control measures can function. ISO 22000 Clause 8.2 defines the categories your checklist must address:
- Construction and layout of buildings and utilities
- Air, water, energy, and other utility supplies
- Waste and sewage disposal
- Equipment suitability and maintenance accessibility
- Supplier approval and assurance
- Cross-contamination prevention
- Cleaning and sanitizing procedures
- Pest control
- Personnel hygiene practices
Your checklist must verify that PRPs are implemented, monitored, and verified as effective — not just documented. Pull maintenance logs, post-clean swab records, and pest control visit reports as objective evidence. A policy binder proves nothing on its own.
Hazard Analysis and the HACCP Plan
HACCP audit questions must go beyond confirming a plan exists. Key verification points:
- Has a complete hazard analysis covered biological, chemical, physical, and allergenic hazards?
- Are CCPs and OPRPs correctly identified and scientifically justified?
- Are critical limits validated, not just estimated or assumed?
- Do monitoring records match the frequency specified in the HACCP plan?
- Are calibration records current for all CCP monitoring equipment?
- When deviations occurred, did they trigger the defined corrective action procedures?
- Do verification activities confirm the HACCP system is working as designed?
Each item on that list carries a different evidentiary weight depending on whether you're auditing a CCP or an OPRP. ISO 22000 Clause 8.5 requires measurable critical limits for CCPs and measurable or observable action criteria for OPRPs, so the audit questions and evidence you collect for each should reflect that distinction.
Management System Clauses 4–10
Map your checklist across the ISO High Level Structure:
| Clause | Key Audit Checkpoints |
|---|---|
| 4 | FSMS scope defined; organizational context documented |
| 5 | Food safety policy communicated; food safety team appointed and competent; top management demonstrably engaged |
| 6 | Risks and opportunities identified; FSMS planning addresses them |
| 7 | Resources adequate; competence records current; communication channels functioning; documented information controlled |
| 8 | Traceability systems operational; withdrawal/recall procedures tested; hazard control plan implemented |
| 9 | Monitoring and measurement results analyzed; internal audit programme followed; management review conducted |
| 10 | Nonconformities root-cause analyzed; corrective actions verified as effective — not simply marked closed |

Clause 8 carries the heaviest food-safety-specific load, but don't let it overshadow Clause 5.3. That clause requires top management to formally assign responsibility and authority for the food safety team leader. It's an ISO 22000-specific leadership requirement, not a generic management placeholder, and registrars check it.
How to Plan Your ISO 22000 Internal Audit Programme
Building a Risk-Based Annual Schedule
Clause 9.2.2 requires your audit program to consider process importance, FSMS changes, and results from prior monitoring, measurement, and audits. In practice, this means:
- Higher frequency: CCPs, OPRPs, high-risk PRPs, processes affected by recent changes, areas with prior nonconformities
- Lower frequency: Low-risk support processes with stable performance history
- Full cycle coverage: Every FSMS clause and every physical area within the certification boundary must be covered within each certification period
The program must be formally documented and approved by top management to satisfy Clause 9.2.
Triggers for Unscheduled Audits
Reactive auditing is a sign of a mature FSMS, not a failure. Trigger additional audits when:
- Significant process changes occur or new equipment is introduced
- A supplier changes or is added
- A food safety incident, near-miss, or product withdrawal occurs
- A new product category is launched
- Previous corrective actions were not fully closed or verified
Getting Outside Help to Build the Program
Organizations building their ISO 22000 internal audit program for the first time often spend considerable time creating checklist frameworks and audit procedures from scratch — time that could be directed toward actually improving food safety controls.
Synergistic Systems implements ISO 22000 as an add-on module within an Integrated Management System built on the ISO 9001 foundation. The 10-step engagement includes internal auditor training and a system-wide internal audit, supported by a cloud-based intranet that hosts controlled documents, audit records, corrective actions, and management reviews. For food and beverage manufacturers in the Dallas Metroplex, Gulf Coast, and Northwest Arkansas regions, this gives internal audit teams a proven starting structure instead of a blank page.

How to Conduct an ISO 22000 Internal Audit: Step by Step
Step 1 — Pre-audit preparation
Confirm auditor independence and competence. Before entering the facility, gather and review:
- Food safety policy and HACCP plan
- PRP procedures and CCP monitoring records
- Previous audit reports and corrective action logs
Customize the checklist to the specific scope, processes, and product categories being audited.
Step 2 — Opening meeting
Brief all area owners on audit scope, objectives, evidence collection methods, and timeline. Frame the purpose clearly: system improvement, not fault-finding. Auditor credibility and auditee cooperation both depend on getting this right.
Step 3 — On-site execution
Collect objective evidence through three methods:
- Document and record review
- Direct observation of operations and conditions
- Structured interviews with process owners
On the floor, inspect CCPs, PRP areas, storage conditions, and hygiene practices. Take photos and record document reference numbers — these details strengthen the evidence trail and support defensible findings.

Step 4 — Documenting findings
Classify each finding as:
- Nonconformity: A requirement is not met
- Observation: A potential weakness that is not yet a nonconformity
- Opportunity for improvement: A positive suggestion
Precise findings drive action. Compare these two versions:
- ❌ "CCP monitoring records are incomplete"
- ✅ "CCP monitoring log for Pasteurizer 2 shows no entries for three consecutive production shifts on [dates X, Y, Z]"
Vague findings generate disputes. Specific findings with clause references generate corrective actions.
Step 5 — Closing meeting and report
Present findings to the food safety team leader and management before leaving. Issue a written audit report within an agreed timeframe — ISO 19011:2018 does not prescribe a fixed number of days, but most organizations target 5–10 working days.
The report must include audit scope, criteria, evidence reviewed, all findings with clause references, and required corrective action timelines.
Most Common ISO 22000 Internal Audit Nonconformities
HACCP Plan Failures
The most frequently cited cluster involves HACCP plan documentation gaps:
- Critical limits that are assumed rather than scientifically validated
- CCP monitoring records with unexplained gaps or incomplete entries
- Corrective action procedures that exist on paper but have never been tested in practice or covered in team training
- HACCP plans not updated after process changes or new product introductions
FDA warning letters illustrate how these gaps appear in enforcement practice. A 2025 FDA warning letter to Chaohu Daxin Foodstuffs cited the firm's failure to list required critical limits in their HACCP plan. A 2024 warning letter to Procesadora Vikingo cited HACCP plan monitoring and corrective action deficiencies.
PRP Implementation Gaps
PRP audits regularly surface the same three failure patterns:
- Cleaning and sanitizing procedures documented but never verified as effective (no post-clean swab records or scheduled verification activity)
- Pest control programs where the contractor's visit logs are held by the contractor and never reviewed internally
- Supplier approval records that are out of date or missing for currently active suppliers
Management System Clause Failures
The three most frequent clause-level findings:
- Traceability exercises that have never been run — organizations assume their traceability system works but have no timed exercise records to prove it
- Competence records that show training was delivered but not evaluated — attendance signatures do not demonstrate competence
- Corrective actions closed with a statement of intent ("procedure will be updated") rather than verified evidence of implementation

All three of these findings share the same root: the documented FSMS describes a system that doesn't match what happens on the floor. Finding that gap is the internal auditor's primary job. Reviewing procedures won't surface it — observation and interviews are required evidence collection methods, not optional ones.
Frequently Asked Questions
How often should ISO 22000 internal audits be conducted?
ISO 22000:2018 Clause 9.2 requires audits at "planned intervals" without mandating a fixed frequency. Most certified organizations complete a full-cycle annual audit programme, with higher frequency for CCPs, OPRPs, and high-risk areas. Additional audits are triggered by process changes, incidents, or prior findings.
What is the difference between an ISO 22000 internal audit and a certification audit?
An internal audit is a first-party evaluation conducted by or on behalf of the organization to verify FSMS effectiveness. A certification audit is conducted by an accredited third-party registrar to issue or maintain the ISO 22000 certificate. Internal audits feed corrective action before the registrar arrives.
Who is qualified to conduct an ISO 22000 internal audit?
Auditors must be competent in food safety principles, HACCP methodology, and ISO 22000:2018 requirements, and must be independent of the area being audited. Both competence and independence are mandatory requirements under Clause 9.2.2 and ISO 19011 Clause 7 — formal ISO 22000 Internal Auditor training plus practical FSMS experience satisfy the competence standard.
What documents and records should an auditor review?
Key categories include: the FSMS manual and food safety policy, HACCP plan and hazard analysis, PRP procedures and monitoring logs, CCP monitoring records and corrective action logs, training and competence records, supplier approval documentation, traceability records, and findings from previous audits.
Can an ISO 22000 internal audit checklist also prepare for FSSC 22000 certification?
An ISO 22000 checklist covers the foundational layer of FSSC 22000 but must be supplemented with sector-specific PRP requirements (the ISO/TS 22002 series) and FSSC Version 6 additional requirements to be fully applicable for FSSC 22000 gap analysis. Those additional requirements include food safety culture, food defense, food fraud mitigation, allergen management, and environmental monitoring.
What happens after the audit is completed?
The audit report is issued, nonconformities are assigned to owners with root-cause analysis and corrective action timelines, and actions are implemented and verified as effective. Findings then feed into the next management review, which informs planning for the following audit programme period.


