R2 Internal Audit Checklist: Clause-by-Clause Review Guide

Jared Clark

April 9, 2026

Your internal audit is not a formality. It is the last line of defense before an external auditor walks through your facility and writes findings that can delay or cost you your R2v3 certificate. Done right, it surfaces every material gap with enough time to close them. Done wrong — or skipped — it hands your certifying body a list of nonconformances your team had the ability to find first.

R2v3 imposes three distinct internal audit obligations: an annual audit of the entire EHSMS and all R2 requirements under Core 3(b), a periodic audit of your legal compliance plan under Core 4(d)(3), and an annual independent audit of data security and sanitization processes under Core 7(c)(3). Each has its own scope, its own independence requirement, and its own documentation trail. Collapsing them into a single checklist walk-through is itself a nonconformance.

This R2 internal audit checklist is organized clause by clause across all ten Core Requirements. For each core, you will find the purpose of the requirement, the specific checkpoints your auditor should verify, the documentation that must be producible on demand, and the one or two findings that surface most often in SERI-tracked audits. Use this guide to structure your preparation, assign auditor responsibilities, and close findings before they cost you anything.


How to Use This Checklist

Before you begin, establish three things: auditor assignments, audit scope, and the audit schedule. Auditors cannot audit their own work — that independence requirement is not advisory, it is mandatory. If your data security manager also runs the Core 7 audit, you have a nonconformance before the audit starts. Map each Core to an auditor who does not have operational responsibility for that area. For smaller facilities, this typically means bringing in an external party for at minimum the data security audit.

Plan to complete the full internal audit 6 to 8 weeks before your Stage 2 certification audit or annual surveillance. That window gives you time to issue corrective actions, verify their effectiveness, and update documentation before the external auditor arrives. An internal audit completed the week before your certification audit is effectively useless — you will have findings with no time to remediate them.

For each Core below, the audit should produce: a completed checklist, auditor interview notes, a findings log that distinguishes observations, minor nonconformances, and major nonconformances, corrective action requests (CARs) for each finding, and evidence of remediation. An auditor who asks to see your internal audit records and receives a handful of checked boxes is going to have follow-up questions.


Core 1 — Scope of Certification

Purpose: Your scope statement must accurately reflect every process your facility performs. Auditors will triangulate what the scope says against what they observe on the floor, what your inbound and outbound transaction records show, and what employees describe during interviews. Any gap between the scope on paper and the activity in the building is a finding.

Audit Checkpoints

  • Does your scope statement list every activity performed at the facility, including collection, renewal, repair, remarketing, disintegration, asset recovery, brokering, and recycling?
  • Does the language align with the terminology in R2v3 Code of Practices Section 11.0?
  • Are all active processes included? A single hard drive wipe means Appendix B applies and must be in scope.
  • Are there activities in the scope that are not yet operational? Future capabilities cannot be included.
  • Have any scope changes since the last audit been formally documented and reviewed?

Documentation Required

  • Current scope statement as it appears on the certificate
  • Any scope change notifications submitted to the certifying body
  • Evidence linking scope language to actual facility operations (transaction records, process maps)

Critical Findings to Watch For

Scope gap: Auditors routinely find activities observed on the floor that are not included in the scope statement. Walk every area of your facility before finalizing your internal audit. If something is happening there, it needs to be in scope or formally excluded with documented justification.

Aspirational scope: Including capabilities you plan to add but have not yet operationalized will generate a nonconformance. Your scope must reflect current reality, not business development targets.


Core 2 — Hierarchy of Responsible Management Strategies

Purpose: R2v3 requires your facility to prioritize reuse over materials recovery, materials recovery over other recovery, and other recovery over disposal. This hierarchy must be documented as policy, communicated to staff, and reflected in your actual routing decisions. The policy and the practice must match.

Audit Checkpoints

  • Is there a written policy that explicitly states the reuse-first hierarchy?
  • Does the policy prohibit landfilling and incineration without energy recovery for Focus Materials?
  • Can employees articulate the hierarchy when interviewed? A sign-in sheet showing they attended a training session is not the same as demonstrated knowledge.
  • Do routing decisions in your transaction records align with the stated hierarchy? Sample at least 10 outbound records and verify the routing rationale.
  • Are exceptions to the hierarchy documented with written justification?

Documentation Required

  • Written Hierarchy of Responsible Management Strategies policy
  • Training records showing policy communication, with competency verification
  • Outbound transaction records demonstrating hierarchy-consistent routing
  • Documentation of any exceptions and the business or technical rationale

Critical Findings to Watch For

Policy not communicated: Posting a policy in a binder that no one reads does not satisfy Core 2. Your internal audit should include employee interviews at the floor level to verify the hierarchy is understood by the people making routing decisions daily.

Routing inconsistent with hierarchy: If your records show reusable equipment being sent directly for shredding without documented justification, auditors will find it. Pull samples across material categories, not just the ones you are confident about.


Core 3 — EH&S Management System

Purpose: Core 3 requires your facility to maintain an EHSMS certified to ISO 14001 and ISO 45001 (or the RIOS:2016 alternative). It also requires process-specific risk assessments, worker exposure monitoring for mercury, lead, beryllium, and cadmium, and the annual internal audit of the EHSMS and all R2 requirements under Core 3(b).

Audit Checkpoints

  • Is ISO 14001 certification current, with no lapsed status?
  • Is ISO 45001 certification current, with no lapsed status?
  • Are risk assessments process-specific? Generic templates that are not tailored to your facility's actual work operations are a nonconformance.
  • Has worker exposure monitoring been conducted for mercury, lead, beryllium, and cadmium for each work operation where exposure is possible?
  • Does the annual internal audit scope cover both the EHSMS and all R2 requirements — not just one or the other?
  • Are internal auditors competent across EH&S, R2, and data security domains?
  • Is auditor independence documented? Who audited what, and what is their relationship to those processes?

Documentation Required

  • Current ISO 14001 and ISO 45001 certificates (verify expiration dates)
  • Process-specific risk assessments for each work operation
  • Worker exposure monitoring records, by substance and work operation
  • Internal audit plan, schedule, and completed audit reports
  • Auditor qualifications and independence documentation
  • Corrective actions from prior internal audit cycles

Critical Findings to Watch For

Generic risk assessment templates: This is a top-five nonconformance across SERI-tracked audits. Your risk assessments must be written for your specific processes, equipment, and chemical exposures. A downloaded template with your company name on the header is not compliant.

EHSMS certification lapsed: Pull the actual certificates and check the expiration dates before your internal audit, not the day before the external audit. A lapsed ISO 14001 or ISO 45001 certificate is a major nonconformance that will halt certification.


Core 4 — Legal and Other Requirements

Purpose: Your facility must maintain a documented Legal Register covering all applicable EHS regulations, data privacy requirements, and transboundary shipment rules including Basel Convention compliance. Core 4 also prohibits child labor, forced labor, and discrimination, and requires a periodic internal audit of the legal compliance plan.

Audit Checkpoints

  • Is the Legal Register current? Has it been updated to reflect any new material streams, operational changes, or regulatory amendments since the last review?
  • Does the Register cover federal, state, and local EHS requirements applicable to your operations?
  • Does it address data privacy requirements relevant to the data-bearing devices you handle?
  • Are transboundary shipment rules documented, including Basel Convention prohibitions and any applicable OECD exemptions?
  • Do export records include documented proof of legality — not just a destination country, but specific regulatory citations?
  • Has a periodic internal audit of the legal compliance plan been completed and documented?
  • Are labor practice prohibitions (child labor, forced labor, discrimination) documented as policy and communicated to employees?

Documentation Required

  • Legal Register with review dates and update history
  • Export documentation with regulatory citations for each export type
  • Internal audit records for the legal compliance plan
  • Labor practice policies and employee acknowledgment records

Critical Findings to Watch For

Legal Register not current: Regulatory requirements change. If your facility started accepting lithium-ion batteries six months ago and the Legal Register has not been updated to capture DOT hazmat regulations for battery shipments, that is a nonconformance. Tie Legal Register review to your new-material-stream onboarding process so updates happen automatically.

Export documentation lacking regulatory citations: Shipping to an OECD country does not by itself establish legality under R2v3. Your export records must document the specific regulatory basis for each export, not just the destination.


Core 5 — Tracking Throughput

Purpose: Core 5 requires complete Inbound Transaction Summaries and Outbound Transaction Summaries for all material flows. R2 Controlled Streams cannot be stored more than 12 months without processing. Auditors will cross-reference your inbound and outbound records looking for gaps, missing identifiers, and inventory that has aged past the 12-month limit.

Audit Checkpoints

  • Does every inbound record capture supplier name and location, equipment type, quantities, and receipt dates?
  • Does every outbound record capture vendor name and location, material type, quantities, shipment dates, and a unique shipment identifier?
  • Can you cross-reference inbound records to outbound records for the same material? If an auditor pulls an inbound record and asks where that material went, can your system answer that question?
  • Are there any R2 Controlled Streams in storage that have exceeded the 12-month processing limit?
  • Are shipment identifiers truly unique across all outbound transactions?

Documentation Required

  • Inbound Transaction Summaries for the audit period
  • Outbound Transaction Summaries for the audit period
  • Inventory aging reports demonstrating no R2 Controlled Streams exceed 12 months
  • Cross-reference documentation linking inbound to outbound by material type or lot

Critical Findings to Watch For

Records that do not cross-reference: This is where facilities that handle high volume are most vulnerable. Your inbound and outbound records exist in separate systems, managed by different teams, with no documented linkage. Auditors triangulate across three record types — inbound summaries, outbound summaries, and inventory — and gaps between them generate findings.

Materials stored beyond 12 months: Run an aging report on all R2 Controlled Stream inventory before your internal audit. Any lot that has crossed the 12-month mark needs to be addressed before the external auditor finds it.
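The Core 5 checkpoints above can be run as a script over exported records before the audit. The following is an added example, not part of the original article or any R2 tooling: the field names, the `lot_id` linkage key, and the sample records are all assumptions constructed for illustration.

```python
from collections import Counter
from datetime import date

# Field names are assumptions for this example; map them to your own records.
INBOUND_REQUIRED = ("lot_id", "supplier", "supplier_location",
                    "equipment_type", "quantity", "received")
OUTBOUND_REQUIRED = ("shipment_id", "lot_id", "vendor", "vendor_location",
                     "material_type", "quantity", "shipped")


def one_year_after(d):
    """Same calendar day one year later (Feb 29 maps to Feb 28)."""
    try:
        return d.replace(year=d.year + 1)
    except ValueError:
        return d.replace(year=d.year + 1, day=28)


def missing_fields(record, required):
    return [f for f in required if record.get(f) in (None, "")]


def audit_throughput(inbound, outbound, inventory, as_of):
    """Cross-check inbound, outbound and inventory records as of a given date."""
    findings = {"incomplete": []}

    # 1. Every record carries the fields the checkpoints list.
    for kind, records, required, key in (
            ("inbound", inbound, INBOUND_REQUIRED, "lot_id"),
            ("outbound", outbound, OUTBOUND_REQUIRED, "shipment_id")):
        for rec in records:
            gaps = missing_fields(rec, required)
            if gaps:
                findings["incomplete"].append((kind, rec.get(key), gaps))

    # 2. Shipment identifiers are unique across all outbound transactions.
    counts = Counter(r["shipment_id"] for r in outbound if r.get("shipment_id"))
    findings["duplicate_shipment_ids"] = sorted(s for s, n in counts.items() if n > 1)

    # 3. Every inbound lot is either shipped or still on hand, and every
    #    inventory lot traces back to an inbound record.
    inbound_lots = {r["lot_id"] for r in inbound if r.get("lot_id")}
    accounted = {r.get("lot_id") for r in outbound} | {i["lot_id"] for i in inventory}
    findings["untraceable_lots"] = sorted(inbound_lots - accounted)
    findings["orphan_inventory"] = sorted(
        i["lot_id"] for i in inventory if i["lot_id"] not in inbound_lots)

    # 4. No R2 Controlled Stream lot has been on hand for more than 12 months.
    received = {r["lot_id"]: r["received"] for r in inbound
                if r.get("lot_id") and r.get("received")}
    findings["aged_lots"] = sorted(
        i["lot_id"] for i in inventory
        if i.get("r2_controlled") and i["lot_id"] in received
        and as_of > one_year_after(received[i["lot_id"]]))
    return findings


# Constructed sample records (not real data).
def _inb(lot, received, location="Austin, TX"):
    return {"lot_id": lot, "supplier": "Example Corp", "supplier_location": location,
            "equipment_type": "laptops", "quantity": 40, "received": received}


def _out(shipment, lot, shipped):
    return {"shipment_id": shipment, "lot_id": lot, "vendor": "Example Refiner",
            "vendor_location": "Reno, NV", "material_type": "circuit boards",
            "quantity": 40, "shipped": shipped}


SAMPLE_INBOUND = [
    _inb("L-1001", date(2024, 11, 2)),
    _inb("L-1002", date(2025, 6, 15)),
    _inb("L-1003", date(2025, 9, 1), location=""),   # missing supplier location
    _inb("L-1004", date(2026, 1, 10)),               # never shipped, not on hand
]
SAMPLE_OUTBOUND = [
    _out("S-5001", "L-1002", date(2025, 7, 1)),
    _out("S-5002", "L-1003", date(2025, 10, 3)),
    _out("S-5002", "L-1003", None),                  # reused ID, no shipment date
]
SAMPLE_INVENTORY = [
    {"lot_id": "L-1001", "r2_controlled": True},     # past the 12-month limit
    {"lot_id": "L-1003", "r2_controlled": True},
    {"lot_id": "L-0999", "r2_controlled": False},    # no inbound record
]

if __name__ == "__main__":
    result = audit_throughput(SAMPLE_INBOUND, SAMPLE_OUTBOUND,
                              SAMPLE_INVENTORY, as_of=date(2026, 2, 1))
    for name, items in result.items():
        print(f"{name}: {items}")
```
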


Core 6 — Sorting, Categorization, and Processing

Purpose: All equipment must be evaluated using the R2 Equipment Categorization (REC) framework — specifically Tables 1 and 2 at receipt and Tables 3 and 4 for reuse candidates. If your facility uses its own categorization system, you must maintain a documented cross-reference to the REC framework. Data-bearing devices must be identified at intake, not later in processing.

Audit Checkpoints

  • Is the REC framework applied consistently at the point of receipt?
  • If your facility uses a proprietary categorization system, does a documented cross-reference to REC Tables 1–4 exist?
  • Are data-bearing devices identified and flagged at intake? Check intake procedures, not just processing records.
  • Are items categorized as reusable actually being processed for reuse? If an item is categorized reusable but routed to recycling, is there documented justification?
  • Are reuse candidates evaluated against Tables 3 and 4 before a reuse determination is made?

Documentation Required

  • REC cross-reference document if a proprietary categorization system is used
  • Intake procedures showing data-bearing device identification at receipt
  • Categorization records with REC table references
  • Documented exceptions where reusable-categorized items were routed to recycling

Critical Findings to Watch For

No REC cross-reference document: If your team uses a legacy WMS or a custom intake process, the absence of a documented mapping to the REC framework is one of the ten most common nonconformances in R2v3 audits. This is a straightforward document to create, but it must exist before the audit.

Data-bearing devices identified late: Identifying a hard drive as data-bearing after it has already moved through parts of your facility creates a chain-of-custody gap. Auditors will ask to see your intake procedure and observe intake operations. If devices are not being flagged at the point of receipt, expect a finding.


Core 7 — Data Security

Purpose: Core 7 is the most detailed and most frequently cited section of R2v3. It covers documentation, physical security, sanitization processes, and notifications across four sub-areas (7a through 7d). It requires a media-type-specific Data Security Policy, an authorization-controlled physical access program, 60 days of CCTV coverage for all areas where data-bearing equipment is present, an annual independent third-party data security audit, and independent verification of 5% of logically sanitized devices by attempted data recovery.

Audit Checkpoints — Documentation (7a)

  • Is the Data Security Policy media-type specific? It must address HDDs, SSDs, mobile devices, and network equipment separately — a single generic policy does not satisfy this requirement.
  • Does the policy identify individual penalties and personal liability for non-compliance?
  • Is the policy formally documented, versioned, and communicated to all relevant staff?

Audit Checkpoints — Physical Security (7b)

  • Is there a written physical access control program with documented authorization lists?
  • Are sign-offs required and recorded for access to data-bearing device processing areas?
  • Is CCTV installed in all areas where data-bearing equipment is received, stored, staged, or processed?
  • Are CCTV recordings retained for a minimum of 60 days? Verify the actual retention settings in your recording system — documentation of a policy is not the same as footage that actually exists.
  • Are CCTV blind spots documented and addressed?

Audit Checkpoints — Process (7c)

  • Is there a documented Data Sanitization Plan that specifies the approved method for each media type?
  • Are sanitization methods applied consistently in practice? Observe sanitization operations, not just records.
  • Is 5% of logically sanitized devices being independently verified by an attempted data recovery — not just a review of sanitization software logs? This is a critical distinction. Software reports alone do not satisfy this requirement.
  • Has an annual independent third-party audit of data security processes been completed?
  • Are account disconnections from cloud services being performed for devices processed under Appendix B?
  • Is sanitization performed in a timely manner after receipt?

Audit Checkpoints — Notifications (7d)

  • Are customers notified of data security procedures at intake?
  • Are Certificates of Data Destruction (CODs) issued and do they contain all required fields?
  • Is there a documented procedure for handling discovered data or data breaches?

Documentation Required

  • Media-type-specific Data Security Policy
  • Physical access control program with current authorization lists
  • CCTV system configuration showing 60-day retention across all covered areas
  • Data Sanitization Plan with media-specific methods
  • Independent verification records for the 5% sampling program (recovery attempt logs, not just sanitization software output)
  • Annual independent third-party audit report
  • COD templates and issued certificates
  • Cloud account disconnection records

Critical Findings to Watch For

Missing 60-day CCTV footage: This is the single most common nonconformance in R2v3 audits. Facilities that have cameras often discover during the audit that their retention settings only keep 14 or 30 days, or that one camera covering a receiving dock was not configured correctly. Verify actual recorded footage exists for 60 days across every covered area — do not rely on the IT team's assurance that settings are correct.

Independent verification using only software reports: Core 7(c)(3) requires that 5% of logically sanitized devices be verified by an actual attempted data recovery — meaning someone attempts to recover data from the sanitized device and documents the result. Handing the auditor a sanitization software report without evidence of a recovery attempt does not satisfy this requirement.
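The two findings above can both be tested against evidence rather than settings or policy. The following is an added example, not part of the original article: it assumes a per-camera index of days with recorded footage exported from the recorder and a verification log with `evidence` and `verifier` fields, and it models independence as "the verifier is not the operator who sanitized the device" and rounds the 5% sample up. All names and records are constructed.

```python
from datetime import date, timedelta

RETENTION_DAYS = 60   # CCTV retention named in the Core 7 checkpoints
SAMPLE_PERCENT = 5    # share of logically sanitized devices to verify


def retention_gaps(footage_days, cameras, as_of, days=RETENTION_DAYS):
    """Return {camera: [dates with no footage]} for the `days` calendar days
    ending at as_of. A camera absent from the index is missing every day."""
    window = [as_of - timedelta(days=n) for n in range(days - 1, -1, -1)]
    gaps = {}
    for cam in cameras:
        have = footage_days.get(cam, set())
        missing = [d for d in window if d not in have]
        if missing:
            gaps[cam] = missing
    return gaps


def verification_shortfall(sanitized, verifications, percent=SAMPLE_PERCENT):
    """Count only verifications backed by an attempted data recovery performed
    by someone other than the sanitizing operator (assumed independence rule)."""
    operators = {d["serial"]: d["operator"] for d in sanitized}
    required = (len(sanitized) * percent + 99) // 100   # round up (assumption)
    accepted, rejected = set(), []
    for v in verifications:
        serial = v["serial"]
        if serial not in operators:
            rejected.append((serial, "not in sanitized population"))
        elif v["evidence"] != "recovery_attempt":
            rejected.append((serial, "software report only"))
        elif v["verifier"] == operators[serial]:
            rejected.append((serial, "verifier sanitized this device"))
        else:
            accepted.add(serial)
    return {"required": required, "accepted": len(accepted),
            "shortfall": max(0, required - len(accepted)), "rejected": rejected}


# Constructed sample data (not real records).
AS_OF = date(2026, 3, 1)
CAMERAS = ["dock-1", "wipe-room", "staging"]   # every area with data-bearing equipment
FOOTAGE = {
    "dock-1": {AS_OF - timedelta(days=n) for n in range(30)},     # recorder keeps 30 days
    "wipe-room": {AS_OF - timedelta(days=n) for n in range(60)},  # full 60 days
    # "staging" never made it into the recorder export
}
SANITIZED = [{"serial": f"SN-{i:04d}", "operator": "op-a" if i % 2 else "op-b"}
             for i in range(1, 61)]
VERIFICATIONS = [
    {"serial": "SN-0005", "evidence": "recovery_attempt", "verifier": "qa-1"},
    {"serial": "SN-0012", "evidence": "software_report", "verifier": "qa-1"},
    {"serial": "SN-0021", "evidence": "recovery_attempt", "verifier": "op-a"},
    {"serial": "SN-0044", "evidence": "recovery_attempt", "verifier": "qa-1"},
]

if __name__ == "__main__":
    for cam, missing in retention_gaps(FOOTAGE, CAMERAS, AS_OF).items():
        print(f"{cam}: {len(missing)} day(s) missing, oldest gap {missing[0]}")
    print(verification_shortfall(SANITIZED, VERIFICATIONS))
```
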


Core 8 — Focus Materials

Purpose: Core 8 requires a Focus Materials Management Plan for each type of Focus Material (FM) managed at your facility. Focus Materials include CRT glass, batteries, mercury-containing devices, circuit boards, and whole units containing these materials. Each FM must be traced via a downstream flowchart to its final disposition or to the first R2-certified vendor in the downstream chain, and all downstream vendors managing FM must be qualified under Appendix A.

Audit Checkpoints

  • Does a documented Focus Materials Management Plan exist for every FM type handled at your facility?
  • Does each plan include FM-specific procedures — not generic language that applies to all Focus Materials equally?
  • Is there a downstream flowchart for each FM type that traces the material to final disposition or to the first R2-certified vendor?
  • Does the flowchart stop at the first R2-certified vendor, or does it extend further? Flowcharts that terminate at a non-R2 vendor without SERI registration are a nonconformance.
  • Have all downstream vendors managing Focus Materials been qualified under Appendix A?
  • When new FM streams are added, is the FM Management Plan updated before processing begins?

Documentation Required

  • Focus Materials Management Plans for each FM type (separate plans, not a single combined document with generic coverage)
  • Downstream flowcharts per FM type with vendor qualification status noted
  • Appendix A qualification files for all downstream FM vendors
  • SERI downstream chain registration records where applicable

Critical Findings to Watch For

Flowchart stops at non-R2 vendor without SERI registration: If your flowchart ends at a vendor who is not R2-certified and is not registered in the SERI chain, you have an unqualified downstream vendor. This is one of the most common Core 8 findings and requires either registering the chain through SERI or qualifying the vendor through the Appendix A documentation process.

New FM streams not captured: When a facility starts accepting a new material type — say, server room battery backups after previously only handling consumer batteries — the FM Management Plan must be updated before those materials are processed. Check your inbound records for new material types and verify the FM Plan has been updated accordingly.


Core 9 — Facility Requirements

Purpose: Core 9 requires that all R2 Controlled Streams be stored with weather protection, legal storage compliance, unauthorized access prevention, and clear labeling. It also requires a written Closure Plan with financial cost estimates, appropriate insurance coverage, and financial assurance for closure costs.

Audit Checkpoints

  • Are all R2 Controlled Streams stored in a weather-protected area?
  • Are storage areas clearly labeled by material type and status (R2 Controlled, Focus Material, etc.)?
  • Is unauthorized access to storage areas prevented through physical controls?
  • Does a written Closure Plan exist? Does it address remaining inventory, operational risks, and a financial cost estimate for closure?
  • Has the Closure Plan been updated following any scope changes or facility modifications?
  • Is general liability insurance current? Is workers’ compensation current?
  • If your facility handles negative-value streams under Appendix A(2)(a) or operates as an Appendix E facility, is pollution liability insurance in place?
  • Is financial assurance for closure costs documented and adequate?

Documentation Required

  • Current insurance certificates (general liability, workers’ comp, pollution liability if applicable)
  • Written Closure Plan with current financial cost estimate
  • Evidence of financial assurance (bond, letter of credit, or other mechanism)
  • Storage area labeling and layout documentation

Critical Findings to Watch For

Closure Plan not updated after scope changes: Every time your facility adds a new process, new material stream, or new physical area, the Closure Plan must be reviewed and updated. Facilities that completed initial certification two years ago often have Closure Plans that do not reflect current operations. Pull your scope change log and verify the Closure Plan has been updated for each change.

Insurance expired: This sounds obvious, but it surfaces regularly during audits. Verify expiration dates on all insurance certificates before the internal audit, not during it.


Core 10 — Transport

Purpose: Core 10 requires DOT, IATA, and IMDG compliance as applicable to your shipments. Data-bearing devices must be secured during transport in locked vehicles or tamper-evident containers. Reusables must be packaged to prevent damage. Hazardous materials — including batteries, mercury-containing devices, and CRT glass — require proper shipping papers.

Audit Checkpoints

  • Are data-bearing devices transported in locked vehicles or tamper-evident containers? Pull recent transport records and verify.
  • Are reusable devices packaged to prevent damage in transit?
  • Are hazmat shipping papers present for all regulated material shipments (batteries, mercury devices, CRT glass)?
  • Do hazmat papers contain all required fields under DOT 49 CFR?
  • Are DOT shipping classifications current and accurate for each material type?
  • If applicable, are IATA or IMDG requirements being met for air or sea shipments?

Documentation Required

  • Transport procedures covering data-bearing devices and hazmat materials
  • Sample hazmat shipping papers from recent shipments
  • Carrier agreements addressing secured transport for data-bearing devices
  • DOT classification records by material type

Critical Findings to Watch For

Hazmat papers incomplete: Auditors pull actual shipping documents from your files and check them against DOT requirements. Missing proper shipping names, UN numbers, hazard class designations, or quantity information generates a nonconformance. Review a sample of outbound hazmat shipment papers as part of your internal audit — do not assume your shipping team is populating every required field.

Data-bearing devices in unsecured transport: If your carrier agreement does not specify secured transport or if you cannot demonstrate that data-bearing devices are in locked or tamper-evident containers during transit, expect a Core 10 finding.


Key Process Appendices

Beyond the ten Core Requirements, your internal audit scope must cover any Process Appendices that apply to your operations.

Appendix A (Downstream Recycling Chain): Verify that all downstream vendors are either R2-certified or have complete Appendix A qualification files. The single most common Appendix A nonconformance is failing to register the downstream recycling chain with SERI. SERI chain registration simplifies your tracking obligation significantly — if it is not done, document why and verify the alternative qualification approach is complete for every non-R2 vendor.

Appendix B (Data Sanitization): If your facility performs logical sanitization, verify the media-specific Data Sanitization Plan, the 5% independent verification program, cloud account disconnection procedures, and the annual independent audit. These are the same requirements as Core 7(c) with Appendix B specificity added.

Appendix C (Test and Repair for Reuse): Requires ISO 9001 or RIOS certification, a documented R2 Reuse Plan, and a one-year processing deadline for reuse candidates. Verify certification currency and that your Reuse Plan reflects current operations.

Appendix E (Materials Recovery/Shredding): If your facility shreds or otherwise mechanically processes electronics, pollution liability insurance is required. Verify coverage is current.

Appendix H (Batteries): Verify fire prevention controls, spill containment equipment, DOT compliance for shipments, and storage time limits are all documented and practiced. Battery-related findings have increased as lithium-ion volumes have grown.


Corrective Action Management

An internal audit that produces findings but does not drive corrective action is compliance theater. Every finding from your internal audit must receive a formal corrective action request (CAR) that includes a root cause analysis, a proposed corrective action, an assigned owner, a due date, and a method for verifying effectiveness.

Root cause analysis is where most facilities cut corners. Stating that the root cause of a gap in your Legal Register is "staff oversight" is not root cause analysis — it is description. The actual root cause is probably that no one owns the Legal Register update process, there is no trigger that prompts review when operations change, and there is no management review of register currency. Those structural gaps are what corrective actions need to address.

Track your CARs in a format that an auditor can review. External auditors will ask to see your corrective action log and will verify that major findings from your internal audit have been closed before the certification audit. If a major finding is still open when the auditor arrives, it becomes their finding as well.


Scheduling Your Internal Audit Cycle

R2v3 imposes a three-year certificate cycle: initial certification, followed by annual surveillance audits in Years 1 and 2, and full recertification in Year 3. Surveillance audits may be conducted remotely for low-risk scopes, but Stage 2 certification audits are always on-site.

Your internal audit schedule should be structured around this cycle with the following timing:

  • 6 to 8 weeks before each Stage 2 audit: Complete the full annual internal audit covering all Core Requirements and applicable Appendices under Core 3(b).
  • At least quarterly: Review the Legal Register for updates, and document the review under Core 4(d)(3). A periodic internal audit of the legal compliance plan is required — quarterly reviews satisfy this requirement and prevent the register from becoming stale.
  • Annually: Complete the independent data security audit under Core 7(c)(3). Schedule this with an external auditor who has no operational relationship to your data security program.
  • Following any scope change: Conduct a targeted internal audit of the affected processes, update the Closure Plan, and update the Legal Register before resuming affected operations.

Audit competency must span EH&S, R2 requirements, and data security. No single internal auditor is likely to carry all three domains adequately. Build an audit team or supplement with external expertise, and document the competency basis for each auditor before the audit begins.


Work With an R2 Expert Before Your Audit

An R2 internal audit checklist gives your team a structured framework. What it cannot do is supply the judgment that comes from having sat across the table from R2 auditors at dozens of facilities and knowing exactly how they interpret contested requirements, which documentation gaps they are willing to accept as minor observations versus major nonconformances, and where your specific operation is likely to be most vulnerable.

If your facility is preparing for initial R2v3 certification, a scheduled surveillance audit, or recertification, a pre-audit gap assessment conducted by an experienced R2v3 consultant is the most cost-effective investment you can make. The cost of a pre-audit review is a fraction of the cost of a failed audit, a follow-up visit, and the business disruption that comes with delayed or suspended certification.

Ready to go into your audit without surprises? At Certify Consulting, we have guided more than 200 electronics recyclers to R2 certification with a 100% first-time pass rate. Learn about our R2 audit preparation services or schedule a free consultation to talk through your specific situation.


Last updated: April 9, 2026

Jared Clark is the Principal Consultant at Certify Consulting and has guided 200+ electronics recyclers to R2 certification. He holds a JD, MBA, PMP, CMQ-OE, CPGP, CFSQA, and RAC. Learn more at certify.consulting.
