Ready or Not: Be Prepared for an
ISO 14001 Audit
by Caroline G. Hemenway and Gregory J. Hale
Don't panic: Take a hard look at the standard's requirements
and evaluate your quality system audit materials.
Well, it's over. You've just survived a comprehensive three-day ISO
9000 quality system audit, and the auditor is finally waving goodbye.
For the past six months, you've done nothing but think documentation. You've
asked yourself the same questions over and over: Are the procedures in place?
Do we follow the procedures? Do we have corrective action plans in place?
And so on.
Altogether, you've probably allocated 65 percent of your 14-hour workday
to thinking about how to prepare for the auditor and wondering whether you
will pass the audit on the first try.
As soon as you have escorted the ISO 9000 auditor out the door, the telephone
rings. It's the corporate office calling to tell you to begin preparing
for an ISO 14001 environmental management system audit.
Don't panic. Instead, take a deep breath and evaluate your quality system
audit materials. Ask yourself: "What elements of ISO 9000 can I use
for ISO 14001? We've been preparing for more than a year, but how can we
be sure we're ready?"
Take a hard look at the standard's actual requirements. Preparing for an
audit requires you to think like an auditor. Who knows-you may be that auditor
under ISO 14001 provisions for self-certification!
Hundreds of books and instructional videos cover quality management system
auditing, and several cover environmental management system auditing. But
probably the most immediately useful are the three auditing guidelines specifically
drafted for ISO 14001: ISO 14010, Guidelines for Environmental Auditing-General
Principles on Environmental Auditing; ISO 14011/1, Guidelines for Environmental
Auditing-Audit Procedures-Auditing of Environmental Management Systems;
and ISO 14012, Guidelines for Environmental Auditing-Qualification Criteria
for Environmental Auditors.
The guidelines, created by the International Organization for Standard-ization's
Technical Committee 207, are expected to be published as final by July 1996,
along with ISO 14001, the EMS specification, and ISO 14004, the EMS guidance
on implementation (similar to ISO 9004). A small group of U.S. auditing
delegates is also in the process of developing an auditing protocol document
that may be introduced as an international guidance sometime in 1997.
Experts say you should consider the following four issues as you prepare
for an audit:
An EMS audit is not a compliance audit. "Environmental
management systems audits are the vehicles through which the environmental
aspects of organizations and how they are managed are systematically compared
against the requirements of ISO 14001," says Jean McCreary, a partner
with the Rochester, New York, legal firm Nixon, Hargrave, Devans & Doyle
and the president of the U.S.-based Environmental Auditing Roundtable.
She says the ISO 14001 standard spells out an organization's responsibility
to establish and maintain programs and procedures for periodic EMS audits.
McCreary explains that these programs and procedures have two intended purposes:
·To determine whether the EMS conforms to plans for environmental
management and whether the EMS has been implemented and maintained properly.
·To provide information on audit results to management.
According to ISO 14001, your org-anization's EMS audit program shall be
based on the "environmental importance of the activity concerned"
and the results of previous audits. These audits are viewed as "internal"
to your organization, even if conducted using external resources.
Elizabeth Potts, president of ABS Quality Evaluations Inc., an ISO 9000
and (future) ISO 14001 certification body, explains that "the third-party
registrar will assess how the organization ensures that all applicable regulatory
requirements are identified and incorporated into the EMS and how well the
EMS is functioning. The compliance segment will not focus on whether each
and every regulatory requirement is met to full compliance."
Potts adds that "the emphasis of the compliance-related segment of
the audit will focus on the system and how it functions to satisfy the compliance
commitment of its policy and [to satisfy] the compliance-related objectives
and targets the organization defines. Regulatory compliance auditing responsibility
remains with the organization being audited."
During the early to mid-1980s, the primary focus of most organizations'
environmental auditing programs in the United States was on compliance with
applicable statutory and regulatory requirements, according to Cornelius
"Bud" Smith, director of environmental management services for
ML Strategies, a management consulting firm based in Danbury, Connecticut.
As chairman of the auditing work group of the U.S. Technical Advisory Group
to ISO Technical Committee 207, Smith participated in developing the three
ISO 14000 auditing guidelines and draws a distinct line between compliance
and management system audits.
"In the early years, company environmental compliance auditing programs
often were the only identifiable element of a formal or systematic EMS,"
explains Smith. "Even where more comprehensive systems were evident,
like their early environmental auditing programs, they usually sought only
to preserve the status quo by achieving the absence of a negative."
Following are some typical program purpose statements reflecting this legal
·Avoid fines, penalties and loss of image.
·Satisfy officer and director fiduciary obligations.
·Avoid manager and employee legal liabilities.
·Obtain comprehensive, accurate and objective compliance
·Provide future compliance assurance.
Companies are beginning to realize that sound environmental performance
is an important business issue and not just relegated to the organization's
environmental department, says Smith.
Save money: Build on your quality system.
Experts agree that you can't be entirely sure that the EMS is ready for
third-party certification unless you perform an internal audit.
They say you can save yourself a lot of headaches if you take ISO 9000,
total quality management or any other company quality management system
and adapt the methodologies, coordinators, protocols, schedules, etc. to
meet the ISO 14001 audit. The key is not to duplicate resources that already
exist and work effectively.
"Hewlett-Packard Corp. has been following a systems or processing approach
to environmental and quality management for more than 20 years and expects
to benefit greatly from that approach during ISO 14001 internal audits,"
reports John Pyeha, assurance manager for the corporate environmental management
department in Palo Alto, California.
"One of the company's facilities is starting to integrate ISO 9000
audits with EMS audits, but it is not undertaking the exercise to fulfill
the ISO 14001 requirement," says Pyeha. The facility simply saw a business
advantage in benchmarking from the corporation's ISO 9000 audit system to
conduct environmental audits.
"For example, whenever HP's internal auditors find an environmental
discrepancy in their routine inspection, they document the discrepancy on
a form that looks similar to an ISO 9000 discrepancy report," explains
Pyeha. "Therefore, the supervisors recognize immediately that a discrepancy
exists. Because management is already well-versed in the ISO 9000 management
system infrastructure and mentality, there's no need for them to learn another
Having an ISO 9000 audit program in place provides good grounding in the
root-cause analysis and management review thinking that is necessary for
ISO 14001 auditing, according to Clinton Allen, environmental health and
safety consultant for Bristol Myers Squibb's corporate EH&S department.
Allen explains that company auditors made a transition during the early
1990s from compliance-focused auditing to management system auditing to
cover the gamut of customer requests.
"Our customers with a mature EH&S management system benefit greatly
from a team of auditors that can determine the appropriateness, state of
implementation and system effectiveness of the management system as well
as know the environmental regulations affecting a particular facility,"
says Allen. "For those customers who are not as sophisticated, our
audit teams can focus on compliance aspects and, for example, give senior
management a good idea of where the facility stands in relation to a Resource
Conservation and Recovery Act or waste management audit."
Both Bristol Myers and Hewlett-Packard representatives say that having personnel
versed in ISO 9000 implementation and auditing will allow companies to avoid
many mistakes when it comes to implementing ISO 14001. Bristol Myers is
sending a questionnaire to its business units implementing ISO 9000 asking
facility managers if they would be willing to transfer their systems knowledge
to the environmental area to help implement ISO 14001.
"I visited one of our nutritional facilities in The Netherlands in
early 1996 that is ISO 9001 certified and asked how tough it would be get
ISO 14001 certification," recalls Allen. "The facility managers
said that it would be fairly easy because the systems are in place from
ISO 9000 and, after a gap analysis, the managers speculated they could achieve
certification in three months."
Pyeha adds that Hewlett-Packard will examine the extent of ISO 9000 documentation,
approach to ISO 9000 documentation and how to deal with certifiers before
implementing ISO 14001 in facilities.
Robert Ferrone, technical vice president for the Eco-Efficiency consulting
group based in Washington, D.C., says Hewlett-Packard and Bristol Myers
Squibb are only two of dozens of companies that are realizing how ISO 9000
audits can prepare their companies for ISO 14001 audits.
"These companies understand what it takes to develop a system that
is designed to help them become more efficient and not just to have a certificate
on the wall," explains Ferrone. "An ISO 9000 system provides organizations
with a process that assesses the adequacy of the management system's ability
to meet a set of standards.
"This type of systems audit merely ascertains whether management has
developed a system and uses that system. As a result of this approach, company
managers find that they not only save money but are able to integrate functions
that are duplicative or unnecessary."
Companies that view the ISO 9000 standard from an improved efficiency standpoint
will be well-positioned to implement ISO 14001, says Ferrone. He predicts
that companies with an established ISO 9000 system in place will be among
the first facilities certified to ISO 14001 in the United States.
Know what to expect in an audit. Bristol
Myers EH&S auditors don't have time to look at every procedure of an
EMS and ensure it is implemented to the letter, says Allen. However, auditors
do have time to look very hard at the documentation and selectively sample
and "rigorously test" one or two aspects to ensure the system
is operating properly.
Potts suggests that internal and external auditors will examine an organization's
documents prior to visiting the facility and will look to some of the following
sources for conformance confirmation:
·EMS manual-if the organization chooses to develop one.
·Analysis of environmental aspects and impacts.
·Applicable regulatory requirements.
·Management review minutes.
·Continual improvement plans.
Auditors will collect audit evidence based on the interviews, examination
of documents, observations of activities and conditions, and existing results
of measurements and tests, says McCreary. She notes that audit results will
not always be available immediately following the audit because some audit
findings must be compared with interviews and audit observations collected
from other audit team members.
Allen says companies in a compliance-auditing mode must take a big leap
to reap the benefits involved with collecting management-systems data. He
says evaluating a management system is a simple concept that involves looking
at data on paper, forming some hypothesis about how the elements work and
testing the hypothesis.
For example, take one employee who joined the company 10 years ago and look
to see if his or her training records for the last three years are up-to-date.
Then go and talk to the employee and witness firsthand how he or she does
the job. Ask the employee about his or her responsibilities and if he or
she understands how to identify the environmental impacts of those activities.
If the employee does understand, then the hypothesis is proven and the organization
satisfies one management system element. If the employee does not, then
it could point to a breakdown in the training program, but further evidence
will need to be collected before you make a final determination.
"Auditors need to resist the tendency to dig for details, and look
for the root cause when auditing a management system," suggests Allen.
"When looking for the root cause, it can take days to collect data.
And if you dive for the details, you really don't have the time to develop
a well-grounded conclusion about what you observe."
Know what to look for in an auditor.
Experts agree that EMS auditors will be at a premium for internal and external
assessments as more organizations implement ISO 14001. The degree to which
quality management system auditors will have to fulfill additional requirements
for EMS auditing will depend largely upon the interpretation of ISO 14001
in the marketplace, says Ronald Black, EH&S at BF Goodrich Co. and former
president of the Environmental Auditing Roundtable. The ISO 14012 auditor
qualifications document will be used as a baseline and most organizations
will implement additional requirements for internal and external auditors.
The ISO 9000 auditor guidelines are general and closely parallel general
auditing qualifications of most auditing disciplines, such as health and
safety, financial, etc., notes Black. However, the ISO 14012 guidelines
recommend specific experience in the following areas:
·Environmental science and technology.
·Technical and environmental aspects of facility operations.
·Relevant requirements of environmental laws, regulations
and related documents.
·Environmental management systems and standards.
·Audit procedures processes and techniques.
If the auditor is only responsible for determining if the systems are in
place and conforming to ISO 14001, then most auditors would be eligible
and qualified, says Black. However, if an auditor is to determine if an
organization's systems for identifying and managing environmental aspects
is appropriate, then significant environmental experience should be required.
Black notes that two U.S. organizations-the American National Standards
Institute and the Registrar Accreditation Board, the United States' ISO
9000 accreditation body-will develop criteria for EMS auditor registration
that should set high standards for EMS auditors.
EMS auditors should have extensive environmental knowledge combined with
firsthand experience in business systems, operations, technology, quality
and environmental management, says Thomas Ambrose, president of consulting
firm Health, Safety and Environmental Management. For an organization's
EMS certification or self-declaration to stand up to public scrutiny, auditors
chosen will have to demonstrate competence to do the job, he says. Audit
team members should, at a minimum:
·Be selected from appropriate management backgrounds
to ensure peer review.
·Be multidisciplinary, representing a mix of expertise
ranging from across management systems to control technology, with direct
experience with the relevant type of operation.
·Have direct experience with the type of operations at
·Collectively have appropriate expertise, knowledge and
proficiency in auditing techniques, e.g., verification, observation and
·Be nonbiased and display due diligence. Assessment findings
should be based on factual information gathered during the assessment process
using detailed but selective testing, inspection and interviewing.
Hewlett-Packard has been process- or systems-oriented for so long that the
idea of not following a systems approach is foreign, according to Pyeha.
Hewlett-Packard will look for internal auditors who demonstrate good rapport
with all management levels, from supervisory managers up to senior-level
general managers, and who possess technical expertise in the environmental
EMS auditors must be able to speak in business terms with upper management
and at the same time understand management's concerns, advises Pyeha. The
ideal internal auditor will possess a high level of technical experience
and be able to translate environmental lingo into business language for
management to understand.
"Management systems auditing has a number of layers, like peeling back
the skin of an onion," describes Pyeha. "You can start at the
top and hopefully find major issues using rational techniques of questioning
and discussion. Through this technique, auditors can identify environmental
issues and identify how those environmental issues interact with the rest
of the business."
About the authors . . .
Gregory J. Hale is associate editor of International Environmental Systems
Update, a monthly newsletter on ISO 14000 developments and implications.
Caroline G. Hemenway is vice president and publisher of CEEM Information
Services in Fairfax, Virginia.
CEEM publishes IESU, The ISO 14000 Handbook on implementation and certification,
and other ISO 14000 and management systems products. For more information,
contact CEEM at (800) 745-5565 or (703) 250-5900; fax (703) 250-4117.