Internal audits are one of the most powerful tools in your Safety Management System. Done properly, they catch problems before an external auditor does. Done poorly — or not at all — they become the problem an external auditor finds.
ISM Code Section 12 requires the Company to carry out internal safety audits on board and ashore at intervals not exceeding 12 months. For superyachts, this means at least one full internal audit per year, covering all elements of your SMS. Yet many yacht operators treat internal audits as a box-ticking exercise, rushing through a checklist the week before the external audit. This guide walks you through how to conduct internal audits that actually add value, keep your SMS healthy, and make external audits straightforward.
Who Needs This?
- Designated Persons Ashore (DPA) responsible for organising and overseeing internal audits
- Captains and senior officers participating in or conducting onboard audits
- Management company staff managing ISM compliance across a fleet
- Owners of yachts operating under ISM Code (500GT and above, or voluntary compliance)
- Anyone preparing for an ISM external audit (initial, annual, or renewal)
What the ISM Code Requires
ISM Code Section 12 — Company Verification, Review and Evaluation — lays out the internal audit requirements:
| Requirement | ISM Code Reference | Detail |
|---|---|---|
| Internal audits | Section 12.1 | Company shall carry out internal safety audits on board and ashore |
| Audit interval | Section 12.1 | At intervals not exceeding 12 months |
| Auditor independence | Section 12.2 | Personnel carrying out audits should be independent of the areas being audited (unless impracticable due to company size) |
| Corrective actions | Section 12.3 | Audit findings shall be brought to the attention of relevant personnel, and management shall take timely corrective action |
| Report to management | Section 12.4 | Results shall be brought to the attention of senior management and the DPA |
| Management review | Section 12.5 | The Company shall evaluate the effectiveness of the SMS at defined intervals |
Planning the Audit
A well-planned audit is an effective audit. Start your planning at least four to six weeks before the scheduled audit date.
Annual Audit Schedule
Your SMS should contain an annual audit schedule. For a single-yacht operation, this typically means:
- One full onboard audit covering all SMS elements — scheduled when the yacht is in a port with suitable access for the DPA or auditor
- One shore-side audit covering the Company’s management responsibilities — conducted at the management office
- Timing — Spread audits across the year rather than conducting both immediately before the external audit. This gives you time to address findings.
Define the Scope
Each audit should have a defined scope. A full annual audit covers all sections of the ISM Code:
| ISM Code Section | Audit Area |
|---|---|
| 1 — General | SMS objectives, policies, company responsibility |
| 2 — Safety and environmental policy | Policy awareness, display, crew understanding |
| 3 — Company responsibilities and authority | DPA role, organisational structure, resource provision |
| 4 — Designated Person(s) | DPA access, authority, monitoring function |
| 5 — Master’s responsibility and authority | Master’s overriding authority, SMS reporting |
| 6 — Resources and personnel | Manning, qualifications, training, familiarisation |
| 7 — Shipboard operations | Key operational procedures, checklists, standing orders |
| 8 — Emergency preparedness | Drills, emergency procedures, contingency plans |
| 9 — Non-conformities, accidents, hazardous occurrences | Reporting, investigation, corrective actions |
| 10 — Maintenance of ship and equipment | PMS, critical equipment, spare parts |
| 11 — Documentation | SMS document control, record retention |
| 12 — Verification, review and evaluation | Previous audit findings, management review |
Prepare the Audit Checklist
Build your checklist from the ISM Code sections above. For each area, include:
- Objective questions — “Is there a documented procedure for X?” (Yes/No)
- Evidence questions — “Can you show me the record of the last fire drill?”
- Competence questions — “What would you do if Y occurred?”
- Observation items — Physical checks of equipment, displays, and conditions
Conducting the Audit
Step 1: Opening Meeting
Begin every audit with a brief opening meeting. Attendees should include the Master (for onboard audits), the DPA, and relevant senior officers.
Cover the following:
- Purpose and scope of the audit
- Audit schedule and timing
- Areas and personnel to be audited
- How findings will be recorded and reported
- Confirm access to documentation and crew availability
Keep it brief — 15 to 20 minutes is sufficient. The opening meeting sets the tone. Be professional, be clear that the audit is about improving the SMS (not blaming individuals), and confirm that the crew can speak openly.
Step 2: Document Review
Review SMS documentation for completeness, currency, and relevance. Check:
- Controlled documents — Are they the current versions? Is the document control register up to date?
- Certificates — Are statutory and class certificates valid and not expired?
- Training records — Are STCW certificates, flag state endorsements, and onboard training records current?
- Drill records — Have required drills been conducted at the required intervals?
- Maintenance records — Is the Planned Maintenance System up to date? Are overdue items documented with planned completion dates?
- Log books — Are official and engine room logs completed correctly?
- Previous audit reports — Have corrective actions from the last audit been implemented and verified?
- Non-conformity register — Are all NCRs closed with evidence of corrective action?
- Management review minutes — Has the annual management review been conducted?
Step 3: Crew Interviews
Crew interviews are the most revealing part of any audit. They tell you whether the SMS is a living system or a shelf document.
Interview crew at all levels — Master, officers, engineers, and junior crew. Ask open-ended questions:
- “What is the safety policy on board?” (Can they describe it in their own words?)
- “What would you do if you discovered a fire in the engine room?”
- “How do you report a near-miss or hazardous occurrence?”
- “When was the last emergency drill and what was practised?”
- “How do you know which version of a procedure is current?”
- “What training have you received since joining this vessel?”
Listen for consistency. If the Master describes one procedure but the crew describe something different, that is a finding. If crew cannot describe basic emergency actions, that is a finding.
Step 4: Physical Observations
Walk the vessel with your checklist and your eyes open. Look at:
- Safety equipment — Are fire extinguishers in date? Life raft servicing current? EPIRB registration valid?
- Signage and placards — Muster lists posted? MARPOL placards displayed? Emergency contact information current?
- Housekeeping — Are escape routes clear? Watertight doors operational? Engine room cleanliness?
- Bridge — Charts corrected and up to date? Navigation equipment functional? Standing orders signed?
- Engine room — Alarm systems tested? Bilge levels normal? Oil Record Book completed?
- Environmental compliance — Garbage management records, sewage treatment plant log, OWS maintenance
Compare what you see against what the SMS says should be happening. Discrepancies between documented procedures and observed practice are the most common and most important findings.
Step 5: Closing Meeting
Hold a closing meeting at the end of the audit. Attendees should match the opening meeting.
Present:
- A summary of areas reviewed
- Positive findings (things done well — this matters for crew morale and engagement)
- Non-conformities identified (major and minor)
- Observations and recommendations
- Agreed timescale for corrective actions
- Date for the formal audit report
Be specific about findings. “Drill records are incomplete” is not useful. “Fire drill on 14 January was not recorded in the drill log, and the drill evaluation form was not completed” is actionable.
Categorising Findings
Use a consistent classification system for audit findings:
| Category | Definition | Action Required |
|---|---|---|
| Major Non-Conformity | A failure that poses a serious risk to safety, environmental protection, or SMS effectiveness. Absence of a required SMS element. | Immediate corrective action. Root cause analysis required. Must be closed before next external audit. |
| Non-Conformity | A departure from a SMS requirement that does not pose an immediate serious risk but degrades the effectiveness of the system. | Corrective action within an agreed timeframe (typically 30-90 days). Root cause analysis recommended. |
| Observation | An area where compliance is met but improvement is possible, or a trend that may lead to a non-conformity if not addressed. | Recommended action. Track for follow-up at next audit. |
Corrective Actions
Every non-conformity must have a documented corrective action. Effective corrective actions follow this pattern:
- Describe the finding. What was observed, where, and when.
- Identify the root cause. Why did this happen? Go beyond the immediate cause. If a drill was not recorded, is it because the form is missing, the responsible person was not assigned, or the crew were not trained on the procedure?
- Define the corrective action. What specific steps will be taken to fix the issue and prevent recurrence.
- Assign responsibility. Who will implement the corrective action.
- Set a deadline. When must the corrective action be completed.
- Verify completion. The DPA (or auditor) must verify that the corrective action was implemented and is effective. This verification must be recorded.
The Audit Report
The formal audit report should be issued within two weeks of the audit. It must include:
- Audit date, location, and scope
- Names of auditor(s) and auditees
- Reference to the audit checklist used
- Summary of findings by category
- Detail of each non-conformity with supporting evidence
- Corrective action requests with deadlines and assigned responsibilities
- Observations and recommendations
- Positive findings
- Sign-off by the lead auditor and the DPA
Distribute the report to the Master, the DPA, and company senior management as required by ISM Code Section 12.4. Retain copies in the SMS records for review during external audits.
Common Findings on Superyachts
Based on years of conducting and reviewing ISM audits on superyachts, these are the findings that come up repeatedly:
- Drill records incomplete or missing evaluation. Drills happen but are not properly documented. The drill record should include date, time, participants, scenario, performance assessment, and lessons learned.
- Familiarisation not recorded. New crew join and start work without completing or documenting the onboard familiarisation process required by ISM Code Section 6.3.
- Planned Maintenance System overdue items. Maintenance tasks slipping past due dates without documented justification or rescheduling.
- Non-conformity register not maintained. NCRs raised but never formally closed, or closed without evidence of corrective action.
- Emergency procedures not updated. Contact numbers, shore-side emergency arrangements, or muster assignments outdated after crew changes.
- Master’s review not conducted. ISM Code Section 12.5 requires the Company to evaluate SMS effectiveness. On yachts, this often takes the form of a Master’s review — and it is frequently missed or undocumented.
- Cyber risk not addressed. As discussed in our cybersecurity compliance article, auditors are increasingly checking for cyber risk in the SMS.
Practical Tips for Better Audits
- Audit throughout the year, not just before the external audit. Spot checks and focused mini-audits on specific areas keep the SMS alive.
- Use findings as training opportunities. When you identify a gap, use it to train the crew rather than simply issuing a corrective action.
- Track trends. If the same finding recurs across multiple audits, the root cause analysis is not going deep enough.
- Keep it proportionate. A 45m yacht with 10 crew does not need the same audit programme as a cruise ship. Focus on what matters for your vessel’s risk profile.
- Involve the crew. An audit that feels collaborative rather than adversarial produces better results. Crew who understand the purpose of audits will flag issues proactively.
How We Can Help
Our SMS Essentials Package includes internal audit checklists, corrective action request forms, audit report templates, and a management review framework — all designed for superyacht operations. For yachts operating under a simplified ISM framework, our Mini ISM package includes proportionate audit tools that match the scale of smaller operations while meeting flag state requirements.
Frequently Asked Questions
Can the Captain conduct the internal audit?
ISM Code Section 12.2 states that auditors should be independent of the areas being audited, unless impracticable due to company size. On a single-yacht operation, complete independence is often impracticable. The typical arrangement is for the DPA to audit onboard operations, and the Captain to audit shore-side management arrangements. If the Captain must audit onboard areas, they should not audit their own direct responsibilities (e.g., bridge operations). Document why full independence was not achievable.
How long does an internal audit take on a superyacht?
For a full annual audit covering all ISM Code sections, allow one to two days on board. This includes the opening meeting, document review, crew interviews, physical walkthrough, and closing meeting. Smaller yachts with simpler SMS may be completed in one day. Larger yachts or vessels with extensive findings from previous audits may need two full days. Shore-side audits typically take half a day to one day depending on the complexity of the management arrangements.
What happens if we find a major non-conformity during an internal audit?
Finding a major non-conformity during your own internal audit is actually a sign that your audit process is working. Address it immediately: implement interim corrective measures to manage the risk, conduct a thorough root cause analysis, define and implement the corrective action, and verify its effectiveness. Document everything. When the external auditor reviews your internal audit records, seeing that you identified and resolved a major NCR demonstrates a mature, functioning SMS — which is exactly what the ISM Code intends.
Related Templates
Mini-ISM Safety Management System
Mini-ISM Safety Management System manual template for superyachts under 500GT. Designed for flag state yacht code SMS requirements. Professional package with SMS manual template, companion guide, implementation checklist, crew brief, and quick reference cards. Survey-proven across Red Ensign Group, Marshall Islands, and Malta.
SMS Essentials Package
Complete Safety Management System documentation for superyachts. A 12-document ISM Code compliant package with manual, companion guide, 13 forms, 6 quick reference cards, and implementation checklist. Survey-proven across Red Ensign Group, Marshall Islands, and Malta flag states.
Related Articles
Yacht SMS Requirements Under 500GT: ISM Code Explained
ISM Code SMS requirements for yachts under 500GT. Mini-ISM vs full ISM, flag state expectations, what your SMS must contain, and practical implementation guidance.
Yacht SMS Requirements: What You Actually Need in 2025
Complete guide to Safety Management System requirements for yachts. Learn what's required for full ISM vs mini-ISM, which flags need what, and how to build an SMS that passes survey.
Risk Assessments and Permits to Work on Superyachts: An ISM Code Guide
A practical guide to risk assessments and permit to work systems on superyachts covering ISM Code Section 7, risk assessment methodology, hot work permits, confined space entry, working at height, and common survey findings.