The audit fails on retrieval, not on effort

The internal audit is the part of the Safety Management System a yacht runs on itself. Under the ISM Code, the company has to verify that safety and pollution-prevention activities comply with the SMS — and do it at intervals that, in normal practice, mean once a year for each vessel [1]. On most boats the work has been done. The services were carried out, the defects were addressed, the certificates are valid. What goes wrong is narrower and more frustrating: when the auditor points at a line item and says "show me," the record takes twenty minutes to find, lives on someone's phone, or turns out to have been quietly overwritten three rotations ago.

That is the gap a non-conformity is written into. Not "you didn't maintain the generator," but "you cannot demonstrate that you maintained the generator." The two are very different on paper, and only one of them is the auditor's concern.

Not "you didn't do it" — "you can't show you did it."

So the useful way to prepare is not to re-do the work. It is to walk the SMS and ask, line by line, a single question: if the auditor asks for this, what exactly do I hand them, and how long does it take to find? The checklist below is built around that question. Every line names the record it depends on.

What the ISM Code actually requires you to show

It helps to be precise about which clauses an internal audit checks, because the wording tells you what evidence to have ready. Section 10 requires the company to establish procedures to ensure the vessel is maintained and that inspections are held at appropriate intervals, with non-conformities reported and corrective action taken [2]. Section 11 requires documents and data relevant to the SMS to be controlled — valid, available where needed, and obsolete versions removed. Section 9 covers the reporting and analysis of non-conformities, accidents and hazardous occurrences, and the corrective action that follows. Section 12 is the internal audit itself [1].

Read together, these say something simple: the Code asks that records exist, are current, and can be produced. It does not ask that they be searchable, connected to one another, or transferable to the next crew. That is exactly the space where an audit that should pass turns into a scramble — and where most of the avoidable findings sit.

The checklist — by SMS area, each line tied to a record

1 · Maintenance and equipment (ISM s.10)

  • Planned maintenance is up to date and the overdue list is explained. → The work order, with its running-hours or calendar schedule, completion date, and the engineer who closed it.
  • Critical equipment has been identified and tested. → The record showing the test was carried out, by whom, and when — not a recollection that "we do that monthly."
  • Defects are logged, tracked, and closed out. → The fault record and the work order that resolved it, so the auditor can follow one to the other.
  • Spares for critical systems are accounted for. → The part record: stock against minimum, location on board, and the purchase order if it is on its way.

The line that catches yachts out is the second one — proving the test happened. A planned-maintenance system records that a task was marked complete. It rarely holds the surrounding context: that a workaround was used because the original part is discontinued, or which official procedure was followed. A work order that carries its own paperwork — the SOP, the relevant ISM procedure, the class certificate for the equipment — answers the auditor without anyone leaving the page.

A work order in CelesteOS: an emergency valve replacement in progress, its 500-hour schedule and time estimates, and the official documents attached — the SOP, the ISM isolation procedure, the engine-room fire-safety class certificate.

2 · Certificates and surveys (ISM s.10, s.13)

  • Statutory and class certificates are valid, with surveys in window. → The certificate record with its expiry and survey window, and the source PDF attached.
  • Crew certificates of competency and medicals are current. → The per-holder document list, showing current, expiring, and expired at a glance.
  • Nothing expires between now and the next time anyone looks. → A view of what lapses inside the audit window, before the auditor finds it first.

Certificates are not a headline item, but they are the easiest finding to avoid: keep them tracked to expiry, with renewal dates and the source PDF attached, and let alerts surface as expiry approaches. A certificate that is current and findable on inspection day is one line the auditor ticks and moves past.

3 · Non-conformities and corrective action (ISM s.9)

  • Previous findings have been closed with evidence. → The corrective-action record: what was found, what was done, who signed it off, and when.
  • The analysis behind the fix is visible, not just the fix. → The fault record with its corrective-action narrative and the records related to it.
  • Recurrence is addressed. → Prior occurrences of the same fault, surfaced alongside the current one — the history that shows the problem was understood, not just patched.

This is where retrieval matters most. A corrective action that reads "valve replaced, see work order" is weak evidence on its own. Open the fault and what's related surfaces beside it — the work order, the equipment, the warranty claim — so the engineer can follow one thread to every record connected to it. The auditor sees that the finding was closed against the actual work, not against a sentence.

A fault record in CelesteOS: a port fuel isolation valve leak under review, the corrective action written out, and its related entities below — the replacement work order, the valve assembly, a warranty claim.

4 · Drills, familiarisation, and handover (ISM s.6, s.8)

  • Drills were held and recorded. → The dated drill record, with who took part.
  • New crew were familiarised before taking on duties. → The familiarisation record tied to the individual and the date they joined.
  • The last engineering handover is on file and signed. → The handover, reviewed and signed by both the outgoing and incoming engineer, each signature timestamped.

Handover is the quiet one. An auditor asking "how did the current crew learn the state of this vessel?" wants a document, not an assurance. A handover that was captured as the engineer worked — one tap from each closed record into the draft — is reviewed and signed at the rotation, then locked after dual signature. It is evidence that the operational state of the vessel transferred, rather than walking off on a Tuesday flight.

5 · Documentation control (ISM s.11)

  • SMS documents are the valid version, available where needed. → The controlled document on the record it applies to, not a PDF in a folder three crews deep.
  • Obsolete versions are not in circulation. → A trail showing what changed and when, so superseded documents are visibly superseded.
  • Records cannot have been quietly edited. → An append-only history: nothing overwritten, corrections recorded as new entries that reference the original.

Audit prep is retrieval, not assembly

Look back at the checklist and notice what every line has in common: the work isn't the issue, the evidence is. The vessel that passes cleanly is not the one that worked harder in the week before the audit. It is the one that can answer "show me" in plain language and land on the actual record — the fault, the work order, the certificate, the signed handover — with who acted, what they did, when, and which record was affected.

That is the difference between assembling a binder the night before and retrieving a record in the room. When every action — logging a fault, creating a work order, signing a handover — is attributed and timestamped, and the trail is append-only, audit prep stops being a project. It becomes a search.

Records that can be retroactively modified cannot serve as evidence.
The CelesteOS ledger drawer: a day-by-day activity timeline — a work order status change, a note added to a fault, a purchase order created — each entry attributed and time-stamped.

The ledger above is the mechanism: a day-by-day activity record where every change is attributed to a person and a time, nothing is ever overwritten, and deleted rows are struck through rather than purged. The trail is the trail. Open any record and read its full history — which is precisely what an internal audit, and the external one behind it, is asking you to be able to do.
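The append-only behaviour described here and in the documentation-control checklist (nothing overwritten, corrections recorded as new entries that reference the original, deleted rows struck through rather than purged) can be sketched in a few lines. This is an added example, not CelesteOS code: the SHA-256 hash chain used to make in-place edits detectable, the `Ledger` class, and every record name and timestamp are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed anchor value for the first entry's "prev" field

def _digest(body):
    # Canonical JSON so the same entry always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class Ledger:
    """Hypothetical append-only trail: entries are added, never edited or purged."""
    def __init__(self):
        self.entries = []

    def append(self, actor, when, record, action, detail, refers_to=None):
        body = {"seq": len(self.entries), "actor": actor, "when": when,
                "record": record, "action": action, "detail": detail,
                "refers_to": refers_to,
                "prev": self.entries[-1]["hash"] if self.entries else GENESIS}
        self.entries.append({**body, "hash": _digest(body)})
        return body["seq"]

    def correct(self, actor, when, seq, detail):
        # A correction is a new entry pointing at the original, which stays intact.
        return self.append(actor, when, self.entries[seq]["record"],
                           "correction", detail, refers_to=seq)

    def strike(self, actor, when, seq):
        # "Deleted" rows are marked struck by a later entry, not removed.
        return self.append(actor, when, self.entries[seq]["record"],
                           "struck", "", refers_to=seq)

    def history(self, record):
        return [e for e in self.entries if e["record"] == record]

    def first_bad_entry(self):
        """Index of the first entry whose hash or chain link fails, else None."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or e["hash"] != _digest(body):
                return i
            prev = e["hash"]
        return None

def demo():
    lg = Ledger()  # all sample entries below are constructed
    f = lg.append("2nd engineer", "2024-03-01T09:10Z", "FAULT-17", "logged",
                  "port fuel isolation valve leak")
    lg.append("chief engineer", "2024-03-02T14:00Z", "WO-88", "closed", "valve replaced")
    lg.correct("chief engineer", "2024-03-03T08:00Z", f, "leak was at flange")
    intact = lg.first_bad_entry()
    lg.entries[0]["detail"] = "no fault found"  # a quiet in-place overwrite
    return intact, lg.first_bad_entry(), len(lg.history("FAULT-17"))
```

A verifier that holds only the latest hash can detect any earlier overwrite or removal by replaying the chain, which is what lets a third party check the trail without trusting the system that stores it.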

Where this leaves the next audit

None of this replaces the engineer's judgement or the DPA's procedures. The work, the analysis, and the sign-off stay with the people who own them. What changes is whether the by-product of that work stays with the vessel in a form you can produce on demand.

CelesteOS is built for exactly that: records captured as the crew works, connected to one another, searchable in plain language, and attributable when someone asks who did what and when. It runs alongside the existing planned-maintenance system and SMS — nothing to replace, nothing to migrate — and your existing PMS keeps its class society approvals. On the compliance line itself, CelesteOS is aligned with the ISM Code, sections 10 and 11; it is audit evidence, not class approval of the software. Every record it holds is independently verifiable at verifier.celeste7.ai, and you can search the vessel's records and manuals in plain language, the way an auditor's question actually arrives. For the deeper case on how an append-only audit trail stands up under inspection, see the companion piece.

Frequently asked questions

How often does a yacht need an ISM internal audit?

The ISM Code requires the company to carry out internal audits to verify that safety and pollution-prevention activities comply with the SMS, at intervals not exceeding twelve months in normal practice [1]. The point of the interval is continuity of evidence: the audit checks that records have existed and stayed retrievable across the year, not just that a binder was assembled the week before.

What is the most common ISM internal audit finding on yachts?

Documentation and evidence findings — records that exist but cannot be produced, are out of date, or have been overwritten — tend to outnumber findings about the work itself [3]. The maintenance was usually done. What gets written up is the inability to demonstrate it against an attributed, dated record on the day of the audit.

Does the ISM Code say records have to be searchable?

No. Section 11 requires SMS documents and data to be controlled — valid, available where needed, and obsolete versions removed [2]. It requires that records exist and are current; it does not require that they be searchable, connected, or transferable to the next crew. That gap is precisely where a passable audit turns into a scramble, which is why retrieval is worth solving even though the Code does not mandate it.

Can software make an internal audit pass on its own?

No, and any tool claiming so is overselling. The audit tests judgement, procedure, and evidence — the first two stay with the crew and the DPA. What software can do is keep the evidence retrievable: records captured as the engineer closes them, kept connected, attributed by signed-in user and role, timestamped, and append-only. The system holds the record; the people hold the responsibility.

Summary

  • Internal ISM audits usually fail on evidence, not effort — the work was done, but the record can't be produced on demand.
  • The Code (sections 9, 10, 11, 12) asks that records exist, stay current, and can be produced; it does not ask that they be searchable or connected.
  • Run the checklist by SMS area and tie every line to the record you would hand the auditor: work order, fault, certificate, corrective action, signed handover, controlled document.
  • The retrieval test is the one that matters: open any record, read its full history, and see who acted, what they did, and when.
  • An append-only trail turns audit prep from an assembly job into a search — and a record that can be retroactively modified cannot serve as evidence.

CelesteOS keeps a yacht's maintenance and compliance records with the vessel — connected, searchable, attributed, and independently verifiable — so an internal ISM audit becomes retrieval, not assembly. Learn about the pilot.

[1] IMO, International Safety Management (ISM) Code, Part A — sections 9, 11 and 12 (internal audits and management review) — imo.org

[2] IMO / Marine Insight, "ISM Code: maintenance of the ship and documentation (sections 10 and 11)" — marineinsight.com

[3] Lloyd's Register, "ISM Code internal audit guidance and common findings" — lr.org