Whenever I support a company preparing for ISO 22000 or FSSC 22000 certification, I always start with one question: “How strong is your internal audit?” Over the years, I’ve seen this single requirement make or break audit outcomes. A good internal audit gives you a clear view of your risks, weaknesses, and blind spots long before an external auditor walks in. A weak one does the opposite—it hides issues until they show up in the worst moment.
If you’re here, you’re likely looking for a practical checklist you can download and use immediately. Something that covers the requirements, the PRPs, the HACCP plan, and the operational controls your team needs to evaluate. That’s exactly what this guide gives you.
Now that we’re aligned on the goal, let’s walk through the key sections your internal audit must cover—and how to use the checklist effectively.
Internal Audit Planning Essentials (Scope, Frequency, and Audit Program)
One thing I’ve noticed is that many companies jump straight into the audit without planning. But ISO 22000 expects structure—an audit program, defined responsibilities, and a risk-based schedule.
Here’s what your internal audit setup should include:
A clear audit scope: processes, departments, and boundaries
A yearly audit program based on risk and process importance
Competent internal auditors assigned to each area
A logical sequence that follows your operations
Defined criteria, methods, and reporting expectations
I once worked with a team that only performed an internal audit two weeks before certification. The result? They spent the next two weeks scrambling to fix findings under pressure. A planned, spread-out audit program prevents this.
Pro Tip: Rotate auditors across departments. Fresh eyes catch blind spots.
Common Pitfall: Treating internal audits as a pre-certification exercise instead of an ongoing tool for improvement.
ISO 22000 puts a strong emphasis on leadership and documented information. That means your internal audit needs to confirm more than just the existence of policies—it needs to confirm understanding and implementation.
Audit points include:
Is the Food-Safety Policy communicated and understood?
Are FSMS objectives measurable and monitored?
Are documents approved, version-controlled, and accessible?
Has leadership demonstrated commitment through planning and resource decisions?
I often interview line supervisors during audits. When they can explain the policy in their own words, it tells me leadership has done more than just sign a document.
Pro Tip: Ask staff what the policy means in practice—it reveals both clarity and leadership influence.
Common Pitfall: Beautiful policies posted on walls that no one can explain.
Operational PRPs Checklist (Facility, Hygiene, and GMP Controls)
PRPs are where most internal audits uncover issues, simply because they involve everyday habits and discipline. The internal audit must verify whether hygiene and facility controls match what’s documented.
Check:
Cleaning and sanitation practices
Allergen management
Pest-control implementation
Personnel hygiene compliance
Equipment maintenance
Storage, environmental controls, and layout
Chemical and waste management
I once guided a team through an internal audit where everything looked great on paper—but a quick walkthrough revealed unlabeled buckets, expired cleaning logs, and dusty vents. These small details become big findings during certification.
Pro Tip: Combine a floor walkthrough with a record review. One without the other misses half the story.
Common Pitfall: Assuming PRPs are “simple” and need less attention. They’re often the biggest source of NCs.
Hazard Analysis, CCP/OPRP Verification & HACCP Plan Review
Your HACCP plan is the backbone of your FSMS. And your internal audit must verify not just the paperwork, but the logic behind it.
The audit should check:
Accuracy of hazard identification
Risk ranking consistency
Correct assignment of CCPs and OPRPs
Validation evidence for CCPs/OPRPs
Monitoring frequency and completeness
Operator competence at CCP/OPRP points
Corrective actions taken when limits were exceeded
I once interviewed a CCP operator who explained monitoring perfectly—but his completed logs had missing entries. This mismatch instantly became an audit finding.
Pro Tip: Talk to operators. Their understanding often tells you more than the forms do.
Common Pitfall: A hazard analysis updated on paper, but not reflected in actual operations.
Traceability is one of those areas that looks simple until it’s tested. Your internal audit must confirm that your traceability system works under pressure.
Audit points include:
Forward and backward traceability
Supplier lot tracking
Packaging material traceability
Records matching production dates
Mock recall execution and response time
Emergency response procedures and training
A client once discovered during an internal mock test that they couldn’t trace packaging lots accurately. Fixing the issue before certification saved them from a major NC.
Pro Tip: Perform a mini-traceability test during your internal audit—it keeps your system sharp.
Common Pitfall: Only tracking ingredients but forgetting packaging materials.
A mature FSMS doesn’t avoid problems—it manages them well. Your internal audit needs to evaluate how effectively your organization responds to nonconformities.
Verify:
Are nonconformities clearly documented?
Are root causes analyzed beyond “human error”?
Are corrective actions implemented and verified?
Are trends analyzed (complaints, deviations, rework, downtime)?
Are improvements linked to FSMS objectives?
One organization I supported kept closing CAPAs without verifying effectiveness. After three repeated issues, the certification auditor escalated the finding to a major NC. That’s how important this area is.
Pro Tip: Use simple RCA tools—they’re easier to apply and more consistent.
Common Pitfall: Closing CAPAs too quickly just to check the box.
A strong internal audit depends on competent auditors and thorough reporting.
The audit must review:
Auditor training records
Objectivity and independence
Quality and clarity of audit reports
Evidence supporting findings
Follow-up actions from previous audits
I often see teams write findings like “PRP non-compliance identified.” That’s not enough. A useful report explains the evidence, risk, and root cause direction.
Pro Tip: Use a color-coded tracker for open findings—it keeps everyone aligned.
Common Pitfall: Forgetting to verify whether corrective actions from the last audit were actually closed.
Download Instructions: How to Use the ISO 22000 Internal-Audit Checklist Effectively
Once you download the internal-audit checklist, here’s how to get the most from it:
Start with the audit program Assign dates, auditors, and processes.
Use the checklist during walkthroughs and interviews Combine what you see with the records you review.
Document evidence clearly Notes, photos (if allowed), and direct quotes help.
Rate the findings based on risk This guides corrective-action priorities.
Save each completed checklist Certification auditors appreciate seeing a trail of internal verifications.
Pro Tip: Review the checklist with your team before starting—it sets expectations and roles.
FAQs
How often should we perform internal audits under ISO 22000?
At least once a year for the full FSMS, with more frequent audits for high-risk areas.
Can the internal auditor be from the same department?
Yes, as long as they’re not auditing their own work and remain objective.
Do certification auditors review internal-audit results?
Absolutely. They use your internal audits to evaluate FSMS maturity and leadership commitment.
Conclusion: Your Path to a Stronger, More Confident Internal Audit Program
A strong internal audit isn’t about finding faults—it’s about building a food-safety system that works consistently, every day. When the audit is structured, evidence-based, and led by competent auditors, your organization is always a step ahead of certification requirements.
This checklist is your starting point. Use it to run focused, effective audits and build a culture of continual improvement throughout your FSMS.
If you’d like, I can create:
a downloadable PDF or Excel checklist,
an internal-audit training script, or
a complete internal-audit toolkit package for QSE Academy.
Melissa Lavaro is a seasoned ISO consultant and an enthusiastic advocate for quality management standards. With a rich experience in conducting audits and providing consultancy services, Melissa specializes in helping organizations implement and adapt to ISO standards. Her passion for quality management is evident in her hands-on approach and deep understanding of the regulatory frameworks. Melissa’s expertise and energetic commitment make her a sought-after consultant, dedicated to elevating organizational compliance and performance through practical, insightful guidance.
