Checking the health of your internal audit programme
Many internal audit programmes operate at a sub-optimal level, without this being clear to the Environmental Management Representative and business management, until an external certification raises non-conformances against the process. Internal audit is a vital part of ISO 14001, providing the “self healing” in the system, and constitutes a core part of the Plan-Do-Check-Act cycle for continual improvement. The Internal Audit Service offer an audit health check service for businesses, where one of our consultants will intensively review your existing audit schedule, reports and corrective action programme, and make recommendations for improvement and enhancement. Examples of what a typical internal audit review might find include:
- Evaluation of Legal Compliance patchy – audits often do not undertake enough in-depth legal compliance checks to satisfy both that no potential legal breaches are occurring, and to ensure compliance with clause 4.5.2 of the standard. IAS offer an Evaluation of Compliance service which can assist with this part of your audit programme.
- Audit programme of schedule – often audit programmes do not run to schedule as availability of audit resource stretches businesses, IAS offer a useful audit programme recovery service which can help plug any gaps which might occur – remember, delayed or incomplete audit programmes can result in non-conformance at external certification
- Report presentation – it is important that audit findings are reported in a clear and consistent manner. Internal auditors should utilise standardised forms, provided within the EMS for this purpose
- Audit checklist quality – audit checklists can be a useful addition to the overall audit process, but the quality, depth and consistency of these checklists should be monitored. Remember that a good audit will look at three types of evidence: Testimonial (questioning of auditees), Physical (examination and inspection) and Documentary (records and data)
- Raising & tracking NCRs – there is no benefit in auditors raising non conformances if these are not followed up with corrective and preventative action plans. Use of a Non Conformance Log (can be as simple as an Excel Spreadsheet) to track NCRs raised, expected resolution dates, and closure of items is vital to a well functioning audit programme
- Procedure version control & changes – internal audits will sometimes discover that “on the ground” process is divergent from that specified in a relevant EMS procedure. But rather than raise this as an NCR, this is fed back into the EMS procedure revision process. Whilst feedback of this sort is encouraged, these instances should still be recorded as non-conformances, with revision of the process as the corrective outcome. Processes should be system led rather than the other way round
What these examples show is that whilst an internal audit can be seen to be operational, it is often not fully effective with the EMS. Review by an external agency, outside of the external certification process, can reduce the likelihood of non-conformances arising from ineffective internal audit. Often, this process can go hand-in-hand with refresher training programmes for internal audit staff, to ensure that they are aware of current legal requirements and regulations, and developments in the overall internal audit delivery programme.