Integrated ISO Management System Audits
If your organization is looking at implementing an integrated management system, such as a QMS, EMS and OHSMS, having a single audit may be beneficial for you. Many organizations implement each of these management systems separately rather than together, which wastes times and money. Today, ISO 9001:2015, ISO 14001:2015, ISO 45001:2018, ISO 50001:2018 and AS91XX standards now have the same high-level structure, common terms and the same core requirements allowing organizations to more easily combine management systems.
ISO 19011:2018, Guidance for auditing management systems, defines a combined audit as an audit that is carried out by a single auditee on two or more management systems. When more than one management system is integrated into a single management system, the combined audit is then called an “integrated audit.”
When auditing an integrated management system, the basic principles and process are the same. The registrar will indicate if the different ISO systems are to be conducted separately, in combination, or in an integrated manner.
Benefits of an Integrated Audit
Integrated Audits have many benefits. They will provide your organization with lower certification costs, fewer audit interruptions, streamlined process, reduction in documentation and more consistent objectives across multiple systems. Depending on the level of integration and the skills of your audit team, your organization can cut down on time by having a single audit plan, one opening meeting, one closing meeting and a single audit report. Furthermore, when there is an integrated management system, the organization having a single audit will reduce the amount of work interruptions.
Another benefit of integrating multiple systems is that it allows you to better understand the relationship between the processes, which can lead to more in-depth audits. If you do separate audits, you will not see the relationship between the related processes. With an integrated approach, management system audits consider the linkages of processes as a priority, and as a result, may identify critical system failures.
Calculating Integrated Audit Duration
According to the IAF Mandatory Document 11, third- party audits of integrated systems may qualify for up to a 20% reduction of audit time over separate audits of the individual management systems.
Three things that will affect the audit time are:
- the extent the management system and its documentation is integrated;
- the ability of the auditee to respond to questions on multiple management system standards;
- the availability of auditors that can audit more than one management system standard.
Planning an Integrated Audit
When you are planning for an integrated audit, it is necessary that the audit objectives, scope and criteria are appropriate for each discipline. Some disciplines may have a scope that can be implemented throughout the entire organization while others may only have a scope that includes certain areas of your organization.
You will need to develop a single audit plan for your integrated audit. When you are doing so, you should start by creating an audit matrix that shows all the clauses of the different management systems. The audit agenda needs to include all of the processes within the scope of the management systems, and ensure that the applicable standard requirements are addressed during the assessment of all processes.
The length of an integrated audit is almost always shorter than the length of multiple separate audits. The reason the integrated audit is usually shorter than multiple is because of the common requirements throughout the standards, and the common areas not having to be audited multiple times. For integrated audits, work documents should be developed to avoid duplication of audit activities by grouping similar requirements from different criteria and coordinating the content of related checklists.
Managing Integrated Audits
If you are looking to get an integrated audit, you will need to find a registrar that has been established specifically to address integration of multiple management systems. When you are getting ready for an internal audit, the first thing you should consider is what multiple discipline training is available for the auditors. Once you have determined this, then you can move forward with preparing for the integrated audit. One of the first steps you should establish is creating objectives that will direct the planning and conducting of the integrated audits. After you establish the objectives, you should determine the audit program risks and opportunities related to integrated audits. This may look like the risks that could impact the achievement of the audit objectives.
Once your organization is ready to schedule the audit, you need to be aware of the areas that relate to multiple disciplines and that can be assessed once in an integrated manner. When making the plan, lay out the schedule by process areas and not by the clauses of the standards. Another aspect of the plan is to develop the necessary audit procedures and forms, and to make sure that these documents are set up to support an integrated audit rather than an individual audit.
When appointing personnel to manage the audit program, the organization should consider the competence of this individual to ensure that the auditor can deal with risks and opportunities, and handle issues effectively and efficiently.
When appointing audit team members for the integrated audit, you should consider the size and composition of the team. While an integrated audit takes less time than individual audits, the ability to have a productive audit depends on the team’s cross-discipline skills in ISO management systems. When assembling a team, it is imperative that auditors are trained not only on the multiple standards, but also how the standards relate, and how to conduct an audit on multiple standards at a time. Understanding the synergy and interactions between the management systems will allow for a smooth audit.
Integrated Audit Report
After the audit is complete the results should be communicated in a single report. If a nonconformity is found, the report needs to state what management system this nonconformity is arising from. During an audit, it is possible to find nonconformities related to multiple standards and criteria. When an auditor identifies a finding linked to one criterion on an integrated audit, the auditor should address the possibility to affect the corresponding or similar criteria of other management systems. The audit team should consider the impact a nonconformity for one management system may have on another conformity for the other management system(s).