In this brief article we’re going to look at five steps to a successful ISO14001 internal audit, including what the standard says about internal auditing, good practice in carrying out the audits, what your options may be in resourcing the audits, and lastly how your audit approach might evolve after certification.
Clause 9.2.1 General
“The organization shall conduct internal audits at planned intervals to provide information on whether the environmental management system:
a) conforms to:
1) the organization’s own requirements for its environmental management system;
2) the requirements of this International Standard
b) is effectively implemented and maintained”
So Clause 9.2.1 says that we must perform internal audits and that they must be at planned intervals, but it doesn’t say how often that should be. This allows a certain degree of flexibility in our approach. We need to check that the environmental management system (EMS) is doing what we (and our interested parties) want it to do, and that we are doing everything specified in the standard document. We are also checking to see how well the processes of the EMS are working in practice.
Clause 9.2.2 Internal Audit Programme
“The organization shall plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits.
When establishing the internal audit programme, the organization shall take into consideration the environmental importance of the processes concerned, changes affecting the organization and the results of previous audits.
The organization shall:
a) Define the audit criteria and scope for each audit;
b) Select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;
c) Ensure that the results of the audits are reported to relevant management;
The organization shall retain documented information as evidence of the implementation of the audit programme and the audit results.”
Clause 9.2.2 requires us to have an audit programme. This must cover when we audit, how we audit, who does it and the reports we must produce. It further says that we should cover the important processes as a priority and go back to those areas we previously found lacking. This clause goes on to require that each individual audit must have its criteria and scope defined, be carried out by impartial people and be correctly reported to management. We must be able to show evidence of the audit programme and the audit reports.
Prior to certification it is common to conduct audits by going through the clauses of the ISO14001 standard in turn, from Clause 4 (Context) to Clause 10 (Improvement).
Now that we know what’s required for the ISO14001 internal audit, let’s look at what makes a good audit.
In basic terms there are two options for auditor selection: using in-house resources or external resources. An in-house resource could be an existing auditor if your organization is big enough to have one. Alternatively, an existing member of staff could be trained up to be an internal auditor, or one could be recruited. An external resource could also be used, and there are many companies offering internal audit services, of which CertiKit is one.
In terms of the skills of your internal auditor, you’ll need them to have a decent knowledge of the version of the ISO14001 standard that’s being audited against, so that they understand what’s being asked for and the language used. It will help if they have done some auditing before and are familiar with the auditing process. They will also need to be able to arrange an audit effectively, including defining the scope, inviting the right people and making sure the timings and logistics work. Being able to listen and explain what is required are useful skills, along with the ability to handle difficult conversations and encourage cooperation with the audit. The auditor must be able to produce an adequate report that clearly states the conclusions and describes the audit clearly. Lastly, the auditor may need technical knowledge of a specific area, such as specialised hazards, including substances being used within the organization being audited.
There needs to be an overall audit programme that sets out when each audit will happen and what each will cover. For an individual audit, there needs to be a clear definition of its scope (for example “Clauses 4 to 6” or “the product manufacturing process”) and a plan for its timing (which areas will be covered, when and for how long). It’s important that the right people are available at each stage of the audit, and this may need some discussion with the main contact for the audit. It may make sense to obtain key documentation in advance and to review the target areas in preparation. Room bookings or remote meeting arrangements may need to be made, perhaps including the booking of a projector or other equipment.
On the day of the audit, the facilities available will need to be checked to make sure that everything is in place for the audit to proceed as planned. An opening meeting will be held to confirm the scope and the schedule of the audit, and the conventions used. As the audit progresses, it is vital to keep an eye on the time to ensure it keeps to the schedule arranged. The evidence of conformity that is provided should be recorded by the auditor so that it can be quoted in the report. If a nonconformity is to be raised, the auditor should explain this at the time and avoid surprises at the end of the audit. The closing meeting will go through the nonconformities and observations raised and confirm next steps.
The audit report should always include an executive summary at the beginning. This will outline the strengths and weaknesses of the processes in the scope of the audit, and give a balanced view of the health of the EMS. The auditor should provide a concise, factual and easy-to-read report which includes the number and details of any audit findings on the first page, so that senior management have this information immediately in front of them. The report should always distinguish between nonconformities and auditor observations, so it is clear where the problems lie that need fixing immediately, as opposed to things that can be improved later on.
Nonconformance statements need to be concise and directly refer to the standard requirement and/or the internal process or procedural requirement that was found deficient, so they can be easily resolved. Make sure hard evidence findings are attached or referenced too. A list of who was involved at each stage of the audit should be included so that it is clear where the recorded information came from. Even if your audit report has some nonconformances and/or observations, it’s important to take note of the reported positive aspects too and share them among the wider team.
Once the audit has been completed and the report written, the auditees may be given an opportunity to review it and ask any questions they may have. When finalised, the report needs to be submitted to the appropriate layer of management and an action plan requested to address any nonconformities found. The implementation of these actions should be confirmed by the auditor at a later date to ensure that actions are not being ignored. It may be useful to obtain feedback from the people involved in the audit on how they felt it went – was it helpful, fair and was the pace appropriate?
Once you’re certified you have some flexibility in how to structure your audit programme.
There is no right or wrong way to select the approach an organization wants to take for performing internal audits. However, it is important that an effective approach is chosen and defined. Typical approaches include:
a) Clause by clause: reviewing each clause of the standard in turn;
b) By business function: looking at how a specific business function meets the requirements of the standard;
c) By business process: auditing a process that may cross interdepartmental boundaries;
d) Risk-based: auditing the areas of greatest risk first.
If you have a balanced internal audit programme, it may actually be a mix of some or all of these techniques, each applied to the particular circumstances.
Internal auditing is an important part of an environmental management system and without evidence of an effective programme, your organization is unlikely to become certified. The requirements are relatively straightforward and leave a fair degree of choice about how to approach them, both from a resourcing and a method point of view.
Written by CertiKit’s CEO, Ken Holmes CISSP, CIPP/E. Ken is the primary author of CertiKit’s toolkit range, and has helped to implement, operate and audit ISO certifications over a varied 30-year career.
For more guidance on implementing the ISO14001:2015 standard, we’ve put together a list of our best free resources including sample documents, blogs and downloadable documents.