In this article, I am going to cover clause 9.2 Internal audit. I’m going to break this clause down and turn it into something you can all understand. You’ll then be able to apply this to your own organization's system and understand what the requirements will look like for you.
This clause starts off with sub-clause 9.2.1 General where it states...
The organization shall conduct internal audits at planned intervals to provide information on whether the environmental management system:
a) conforms to:1) the organizations own requirements for its environmental management system;
2) the requirements of this International Standard;
b) is effectively implemented and maintained.
This subclause is spelling out what our internal audits should be conducted against – which is normally referred to as the criteria. Your planned audits should ensure that there are 2 criteria areas that you audit against, and will look something like this:
We then move on to the second subclause of 9.2.2 Internal audit program where it states that...
The organization shall establish, implement and maintain (an) internal audit program (s), including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits.
When establishing the internal audit program, the organization shall take into consideration the environmental importance of the processes concerned, changes affecting the organization and the results of previous audits.
Fantastic! This is pretty clear that we are required to develop an audit program (sometimes referred to as an audit schedule). The audit program should be for all of the audits planned over a period of time – normally within businesses you see this over a period of 12 months.
For myself, as a certification auditor, my audit programs for clients are over 3 years as this ties in with the 3-year certification cycle. It is up to the business to determine what timeframe the audit program is developed for. The audit program should include some key areas, which are:
This audit program might have the organization's processes and activities listed and when they are to be audited and by whom. A major part of this is determining which procedures should be audited first or more often as they are high risk. This could be new procedures or procedures related to a new process or location or product.
You can see that this audit program should be a risk-based tool that you use to monitor key parts of the business with a focus on the high-risk areas. It is more important to conduct audits on areas of higher risk than auditing absolutely everything, even the areas that are low-risk and have never had any issues or changes.
And then finally, when developing your audit program, you should consider the results of previous audits. If there were nonconformances raised in an audit this month for example, then this should prompt a review of the audit program, to ensure that this process or area that attracted the nonconformance is included in the audit cycle again. This ensures that high-risk areas (those that have had previous nonconformances) are picked up and reviewed or revisited sooner, rather than later.
Make sure that your audit program is a living, breathing tool that you use to benefit your business.
Before I move on to point a) I want to skip ahead to the final sentence where it states that...
The organization shall retain documented information as evidence of the implementation of the audit program and the audit results.
This clause requirement confirms that we need a documented audit program – it can’t just be in your head. So everything I have talked about so far regarding an audit program, is in documented form, whether it’s hard copy, electronic, or a software program. Then we also require documented information to be retained as evidence of the audit results. So, this means we need to see documented evidence of the outcomes of the audits conducted. This could be as simple as an audit report which you need to ensure includes as per this point...
a) define the audit criteria and scope for each audit.
So, in your audit report, you would include a field to document the audit criteria, which is what you are auditing against, which could be a particular ISO clause or even a specific activity or procedure, and then also include a field for the scope of the audit. The scope of the audit is the extent and boundaries. So, this could be specific locations, activities, departments, and so on.
Then finally we have points
b) select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;
c) ensure that the results of the audits are reported to relevant management; and
To summarise these 2 final points:
Now that you have a better understanding of these requirements, it's time to take action and implement them in your own organization and ISO 14001 Environmental management system.
If you're itching to expand your knowledge on ISO 14001, make sure to check out our other articles on the topic, starting with a comprehensive breakdown of ISO 14001 What is ISO 14001:2015 Environmental Management Systems?
But if you're more of a visual learner, head over to our ATOLTV ISO 14001 playlist on YouTube; and if you're ready to become an expert in ISO 14001 Environmental management systems, take a look at our range of courses and qualifications today.