The internal audit is a well-established feature of all management system specifications and ISO 14001:2004 is no exception. Certification bodies (or Registrars) take the internal audit seriously – they are required to. It is an obligatory feature for consideration at every certification or maintenance audit that they carry out on their certificated companies. Certification body auditors would prefer to ‘ride on the back’ of the internal audit and assess how capably the organisation can discover its own non-conformities and improvement opportunities.
This is the ideal situation but too many organisations unnecessarily restrict themselves and do not fully appreciate the freedom and imagination they can exercise. For example, internal audit programmes too often appear to be framed on clauses of the standards or specifications. This is too abstract and diffuse – organisations and their constituent processes are not (and should not be) based on clauses of standards even though they may be meeting the requirements written within them. Also, clause-based auditing tends to leave auditors without adequate focus and direction. Furthermore, there appears to be a restrictive folklore that prevents internal auditors from determining whether the requirements of environmental continual improvement or legal compliance are being fulfilled. There must be a better view. More about this later but firstly, why is the internal audit so important?
The importance of being earnestly audited
The specification for environmental management systems ISO 14001:2004 requires that there should be procedures for internal auditing such that it is possible to determine whether the environmental management system conforms to planned arrangements for environmental management, has been properly implemented and maintained and that these procedures are such that the information on the results of these audits can be provided to management.
Leaving aside the standard-speak, common sense presents the internal audit as the primary device for checking the effectiveness of delivery of performance regarding risks to environmental management. Basic risk management requirements have it that significant risks (or undesired conditions) should be: 1) identified, 2) effectively managed and 3) that the effectiveness of the management should be monitored.
It is within the third requirement – monitoring the effectiveness of management - where the internal audit comes into its own. It is the main opportunity to determine whether adopted or obligatory procedures and planned arrangements are adequate and are being complied with. These being the procedures and planned arrangements used to manage and minimise the risks and undesired conditions (the second requirement). The importance of the internal audit is self-evident but much depends on how well it is planned, administered and performed.
All things relevant and auditable
As mentioned above, there is a mysterious folkloric tendency to be ‘clausal’ and avoid getting better value when deciding on individual audit scopes. There is a need to get more from the internal audit and in order to do this we need to look at what matters.
An environmental management system should be capable of delivering continual improvement and regulatory compliance. A big picture slogan here would be ‘to manage the environmental impact of the organisation’.
With these needs in mind the internal audit could take on the following approaches:
Issue audits: environmental issues are many and depend on the circumstances of the organisation. They can include discharges to the aquatic environment, waste, atmospheric emissions, resource usage, nuisance, effects on habitats etc. An issue audit would take one or more of these issues as a theme across all of the relevant units or departments of the organisation, as appropriate. Alternatively, geographical or other limitations may promote the idea of covering several issues at one unit (or department) at a time. The choice is to be made.
Licence-based audits: many organisations are confronted by significant environmental risks to the point where they are carefully regulated by the use of documented ‘licence’ arrangements. For environmental legal control in the UK these licences include discharge consents issued by water companies and permits and authorisations issued by regulators in accordance with legislation. All of these documents are very auditable by virtue of their clear stipulations. Furthermore they are worth occasional internal auditing for compliance given that any environmental management system worthy of the term should be capable of ‘delivering regulatory compliance’. Also, ISO 14001:2004 (clause 4.5.2) demands that an "organisation shall establish, implement and maintain a procedure(s) for periodically evaluating compliance with applicable legal requirements". Why not consider the licence arrangements as applicable legal requirements and why not let the internal audit be the required procedure for periodically evaluating compliance with them?
Code audits: many of the larger organisations have their own self-imposed corporately-driven codes, principles or criteria regarding environmental management. Often they are harmonious with the requirements of the ISO 14001 specification. Similarly, other organisations aim to work to industry sector codes of practice, for example Responsible Care to which members of the Chemical Industries Association subscribe and the Forest Stewardship Principles and Criteria which apply to those with an interest in forest management. The internal audits in these cases could interrogate all planned arrangements (i.e. procedures, instructions etc) that are meant to serve the environmental management system supporting compliance with these codes. Auditing against these codes would again be consistent with the requirements of ISO 14001:2004 (clause 4.5.2) which requires the organisation to "evaluate compliance with other requirements to which it subscribes".
Policy statement audits: environmental policy statements can vary in content from the detailed to the general. The former category is more amenable to an internal audit. As the policy statement for an ISO 14001-based management system is the only document to be made available to the public on a mandatory basis, it would seem sensible to periodically determine whether there is any possibility of misleading the public. The internal audit could reveal this, especially in the case of the more detailed statements.
Special activity audits: There are activities in environmental management systems that have a special status. Maintenance management is a good example. Who could argue that inadequate maintenance of particular types of hardware (e.g. relief valves, pipework and ducting, abatement hardware, monitoring equipment etc) would not ultimately compromise an organisation’s credentials? An internal audit of the maintenance management regime (and reacting to any findings arising) would be beneficial. Another example is the approval and on-going evaluation of contracted services (e.g. haulage, engineering services, outsourced laboratory services etc). A good internal audit would reveal inadequacies having the potential to harm the organisation's track record in environmental performance. Other special activities worthy of mention in this category are processes for employee competence assurance and emergency preparedness and response.
Given this catalogue of existing procedures, instructions, contracts, ‘licences’, ‘issues’, ‘codes’ and whatever else, there would appear to be a mountain to audit. Not so. It is fully appreciated that the internal audit resource (i.e. available audit man-hours) is limited and that some things are more important than others. So priorities must be set.
Risk and performance – nothing else really matters!
There is a piece of folklore that says that all of the management system should be internally audited within a period of time, often quoted as one year. Really? What is the basis of this? Certainly, ISO 14001:2004 does not support this. It demands that the organisation’s audit programme shall be based on "the environmental importance of the operation(s) concerned and the results of previous audits".
Thankfully and sensibly, it would seem that internal audit priorities and therefore programmes should be based on what is important. So how is importance determined? Two factors matter – the inherent risk and the actual performance of activities, processes, business units, departments etc.
The determination of inherent risk is an integral part of a management system standard. The ISO 14001 specification requires the organisation to identify the environmental aspects of its activities and that those that are more significant be determined.
Performance is assessed through actual experience such as results of previous internal audits, non-conformities arising outside of internal audit, breaches or near–breaches of licence conditions, neighbourhood complaints, incidents, near misses and other indications.
Figure 1 shows the various combinations of the risk-performance relationship. For example, Zone 1 has high risk/good performance situations while Zone 2 contains those of high risk/poor performance and so on to Zone 4. This model, or a more sophisticated refinement of it, could be used to prioritise activities in an audit programme.
Each organisation has its own agenda to consider but based on this approach, it would be reasonable to accept that at least 50 per cent of the audit would be spent in Zone 2, 40 per cent variably split between Zones 1 and 3 with ten per cent or less being spent in Zone 4. Obviously if it is felt that there is not enough to be covered within Zone 2 then the remaining available resource can be devoted to Zones 1 and 3. How much effort should be split between Zones 1 and 3 respectively depends on circumstances. Even though activities, processes and departments in Zone 1 may exhibit good performance the mere fact that they have high risk may be enough to justify primary effort.
On the other hand Zone 3 activities and departments may present low risk but the poor performance may result in more serious propagated or knock-on effects. There may be political reasons for wanting to devote ten per cent and more resource in Zone 4 – the areas, processes and activities concerned may not be in the environmental management front-line but it may be felt that personnel relevant to these areas ought to know that a management system exists. However this should be limited so as not to draw precious resource away from what really matters. This is a simple depiction but it should serve to make the point that internal auditing should be directed to that which is important.
To be taken seriously
The foregoing can only be a limited attempt at putting the case that internal auditing should be taken seriously and that to underestimate its power and usefulness would be a self-disservice. For many management systems the internal audit has been the major contributor to improvement but for others better usage could be made of it. It is important for primary custodians of management systems to feel free about what should be included and of course what is not necessary for coverage by the internal audit, based on importance. It is only in this way that an organisation can fully meet any aims regarding its management system in protecting and enhancing its environmental performance.
(Article as seen in The Environmentalist.)
Figure 1. can be found in the downloads section on the right hand section of this page.
