Ready or Not: Be Prepared for an
ISO 14001 Audit

by Caroline G. Hemenway and Gregory J. Hale

Don't panic: Take a hard look at the standard's requirements
and evaluate your quality system audit materials.

Well, it's over. You've just survived a comprehensive three-day ISO 9000 quality system audit, and the auditor is finally waving goodbye.

For the past six months, you've done nothing but think documentation. You've asked yourself the same questions over and over: Are the procedures in place? Do we follow the procedures? Do we have corrective action plans in place? And so on.

Altogether, you've probably allocated 65 percent of your 14-hour workday to thinking about how to prepare for the auditor and wondering whether you will pass the audit on the first try.

As soon as you have escorted the ISO 9000 auditor out the door, the telephone rings. It's the corporate office calling to tell you to begin preparing for an ISO 14001 environmental management system audit.

Don't panic. Instead, take a deep breath and evaluate your quality system audit materials. Ask yourself: "What elements of ISO 9000 can I use for ISO 14001? We've been preparing for more than a year, but how can we be sure we're ready?"

Take a hard look at the standard's actual requirements. Preparing for an audit requires you to think like an auditor. Who knows-you may be that auditor under ISO 14001 provisions for self-certification!

Hundreds of books and instructional videos cover quality management system auditing, and several cover environmental management system auditing. But probably the most immediately useful are the three auditing guidelines specifically drafted for ISO 14001: ISO 14010, Guidelines for Environmental Auditing-General Principles on Environmental Auditing; ISO 14011/1, Guidelines for Environmental Auditing-Audit Procedures-Auditing of Environmental Management Systems; and ISO 14012, Guidelines for Environmental Auditing-Qualification Criteria for Environmental Auditors.

The guidelines, created by the International Organization for Standard-ization's Technical Committee 207, are expected to be published as final by July 1996, along with ISO 14001, the EMS specification, and ISO 14004, the EMS guidance on implementation (similar to ISO 9004). A small group of U.S. auditing delegates is also in the process of developing an auditing protocol document that may be introduced as an international guidance sometime in 1997.

Experts say you should consider the following four issues as you prepare for an audit:
An EMS audit is not a compliance audit. "Environmental management systems audits are the vehicles through which the environmental aspects of organizations and how they are managed are systematically compared against the requirements of ISO 14001," says Jean McCreary, a partner with the Rochester, New York, legal firm Nixon, Hargrave, Devans & Doyle and the president of the U.S.-based Environmental Auditing Roundtable.

She says the ISO 14001 standard spells out an organization's responsibility to establish and maintain programs and procedures for periodic EMS audits. McCreary explains that these programs and procedures have two intended purposes:
·To determine whether the EMS conforms to plans for environmental management and whether the EMS has been implemented and maintained properly.
·To provide information on audit results to management.

According to ISO 14001, your org-anization's EMS audit program shall be based on the "environmental importance of the activity concerned" and the results of previous audits. These audits are viewed as "internal" to your organization, even if conducted using external resources.

Elizabeth Potts, president of ABS Quality Evaluations Inc., an ISO 9000 and (future) ISO 14001 certification body, explains that "the third-party registrar will assess how the organization ensures that all applicable regulatory requirements are identified and incorporated into the EMS and how well the EMS is functioning. The compliance segment will not focus on whether each and every regulatory requirement is met to full compliance."

Potts adds that "the emphasis of the compliance-related segment of the audit will focus on the system and how it functions to satisfy the compliance commitment of its policy and [to satisfy] the compliance-related objectives and targets the organization defines. Regulatory compliance auditing responsibility remains with the organization being audited."

During the early to mid-1980s, the primary focus of most organizations' environmental auditing programs in the United States was on compliance with applicable statutory and regulatory requirements, according to Cornelius "Bud" Smith, director of environmental management services for ML Strategies, a management consulting firm based in Danbury, Connecticut.

As chairman of the auditing work group of the U.S. Technical Advisory Group to ISO Technical Committee 207, Smith participated in developing the three ISO 14000 auditing guidelines and draws a distinct line between compliance and management system audits.

"In the early years, company environmental compliance auditing programs often were the only identifiable element of a formal or systematic EMS," explains Smith. "Even where more comprehensive systems were evident, like their early environmental auditing programs, they usually sought only to preserve the status quo by achieving the absence of a negative."

Following are some typical program purpose statements reflecting this legal compliance emphasis:
·Avoid fines, penalties and loss of image.
·Satisfy officer and director fiduciary obligations.
·Avoid manager and employee legal liabilities.
·Obtain comprehensive, accurate and objective compliance dates.
·Provide future compliance assurance.

Companies are beginning to realize that sound environmental performance is an important business issue and not just relegated to the organization's environmental department, says Smith.
Save money: Build on your quality system. Experts agree that you can't be entirely sure that the EMS is ready for third-party certification unless you perform an internal audit.

They say you can save yourself a lot of headaches if you take ISO 9000, total quality management or any other company quality management system and adapt the methodologies, coordinators, protocols, schedules, etc. to meet the ISO 14001 audit. The key is not to duplicate resources that already exist and work effectively.

"Hewlett-Packard Corp. has been following a systems or processing approach to environmental and quality management for more than 20 years and expects to benefit greatly from that approach during ISO 14001 internal audits," reports John Pyeha, assurance manager for the corporate environmental management department in Palo Alto, California.

"One of the company's facilities is starting to integrate ISO 9000 audits with EMS audits, but it is not undertaking the exercise to fulfill the ISO 14001 requirement," says Pyeha. The facility simply saw a business advantage in benchmarking from the corporation's ISO 9000 audit system to conduct environmental audits.

"For example, whenever HP's internal auditors find an environmental discrepancy in their routine inspection, they document the discrepancy on a form that looks similar to an ISO 9000 discrepancy report," explains Pyeha. "Therefore, the supervisors recognize immediately that a discrepancy exists. Because management is already well-versed in the ISO 9000 management system infrastructure and mentality, there's no need for them to learn another system."

Having an ISO 9000 audit program in place provides good grounding in the root-cause analysis and management review thinking that is necessary for ISO 14001 auditing, according to Clinton Allen, environmental health and safety consultant for Bristol Myers Squibb's corporate EH&S department. Allen explains that company auditors made a transition during the early 1990s from compliance-focused auditing to management system auditing to cover the gamut of customer requests.

"Our customers with a mature EH&S management system benefit greatly from a team of auditors that can determine the appropriateness, state of implementation and system effectiveness of the management system as well as know the environmental regulations affecting a particular facility," says Allen. "For those customers who are not as sophisticated, our audit teams can focus on compliance aspects and, for example, give senior management a good idea of where the facility stands in relation to a Resource Conservation and Recovery Act or waste management audit."

Both Bristol Myers and Hewlett-Packard representatives say that having personnel versed in ISO 9000 implementation and auditing will allow companies to avoid many mistakes when it comes to implementing ISO 14001. Bristol Myers is sending a questionnaire to its business units implementing ISO 9000 asking facility managers if they would be willing to transfer their systems knowledge to the environmental area to help implement ISO 14001.

"I visited one of our nutritional facilities in The Netherlands in early 1996 that is ISO 9001 certified and asked how tough it would be get ISO 14001 certification," recalls Allen. "The facility managers said that it would be fairly easy because the systems are in place from ISO 9000 and, after a gap analysis, the managers speculated they could achieve certification in three months."

Pyeha adds that Hewlett-Packard will examine the extent of ISO 9000 documentation, approach to ISO 9000 documentation and how to deal with certifiers before implementing ISO 14001 in facilities.

Robert Ferrone, technical vice president for the Eco-Efficiency consulting group based in Washington, D.C., says Hewlett-Packard and Bristol Myers Squibb are only two of dozens of companies that are realizing how ISO 9000 audits can prepare their companies for ISO 14001 audits.

"These companies understand what it takes to develop a system that is designed to help them become more efficient and not just to have a certificate on the wall," explains Ferrone. "An ISO 9000 system provides organizations with a process that assesses the adequacy of the management system's ability to meet a set of standards.

"This type of systems audit merely ascertains whether management has developed a system and uses that system. As a result of this approach, company managers find that they not only save money but are able to integrate functions that are duplicative or unnecessary."

Companies that view the ISO 9000 standard from an improved efficiency standpoint will be well-positioned to implement ISO 14001, says Ferrone. He predicts that companies with an established ISO 9000 system in place will be among the first facilities certified to ISO 14001 in the United States.
Know what to expect in an audit. Bristol Myers EH&S auditors don't have time to look at every procedure of an EMS and ensure it is implemented to the letter, says Allen. However, auditors do have time to look very hard at the documentation and selectively sample and "rigorously test" one or two aspects to ensure the system is operating properly.

Potts suggests that internal and external auditors will examine an organization's documents prior to visiting the facility and will look to some of the following sources for conformance confirmation:
·EMS manual-if the organization chooses to develop one.
·Analysis of environmental aspects and impacts.
·Applicable regulatory requirements.
·Audit reports.
·Organization charts.
·Training program.
·Management review minutes.
·Continual improvement plans.

Auditors will collect audit evidence based on the interviews, examination of documents, observations of activities and conditions, and existing results of measurements and tests, says McCreary. She notes that audit results will not always be available immediately following the audit because some audit findings must be compared with interviews and audit observations collected from other audit team members.

Allen says companies in a compliance-auditing mode must take a big leap to reap the benefits involved with collecting management-systems data. He says evaluating a management system is a simple concept that involves looking at data on paper, forming some hypothesis about how the elements work and testing the hypothesis.

For example, take one employee who joined the company 10 years ago and look to see if his or her training records for the last three years are up-to-date. Then go and talk to the employee and witness firsthand how he or she does the job. Ask the employee about his or her responsibilities and if he or she understands how to identify the environmental impacts of those activities. If the employee does understand, then the hypothesis is proven and the organization satisfies one management system element. If the employee does not, then it could point to a breakdown in the training program, but further evidence will need to be collected before you make a final determination.

"Auditors need to resist the tendency to dig for details, and look for the root cause when auditing a management system," suggests Allen. "When looking for the root cause, it can take days to collect data. And if you dive for the details, you really don't have the time to develop a well-grounded conclusion about what you observe."
Know what to look for in an auditor. Experts agree that EMS auditors will be at a premium for internal and external assessments as more organizations implement ISO 14001. The degree to which quality management system auditors will have to fulfill additional requirements for EMS auditing will depend largely upon the interpretation of ISO 14001 in the marketplace, says Ronald Black, EH&S at BF Goodrich Co. and former president of the Environmental Auditing Roundtable. The ISO 14012 auditor qualifications document will be used as a baseline and most organizations will implement additional requirements for internal and external auditors.

The ISO 9000 auditor guidelines are general and closely parallel general auditing qualifications of most auditing disciplines, such as health and safety, financial, etc., notes Black. However, the ISO 14012 guidelines recommend specific experience in the following areas:
·Environmental science and technology.
·Technical and environmental aspects of facility operations.
·Relevant requirements of environmental laws, regulations and related documents.
·Environmental management systems and standards.
·Audit procedures processes and techniques.

If the auditor is only responsible for determining if the systems are in place and conforming to ISO 14001, then most auditors would be eligible and qualified, says Black. However, if an auditor is to determine if an organization's systems for identifying and managing environmental aspects is appropriate, then significant environmental experience should be required. Black notes that two U.S. organizations-the American National Standards Institute and the Registrar Accreditation Board, the United States' ISO 9000 accreditation body-will develop criteria for EMS auditor registration that should set high standards for EMS auditors.

EMS auditors should have extensive environmental knowledge combined with firsthand experience in business systems, operations, technology, quality and environmental management, says Thomas Ambrose, president of consulting firm Health, Safety and Environmental Management. For an organization's EMS certification or self-declaration to stand up to public scrutiny, auditors chosen will have to demonstrate competence to do the job, he says. Audit team members should, at a minimum:
·Be selected from appropriate management backgrounds to ensure peer review.
·Be multidisciplinary, representing a mix of expertise ranging from across management systems to control technology, with direct experience with the relevant type of operation.
·Have direct experience with the type of operations at hand.
·Collectively have appropriate expertise, knowledge and proficiency in auditing techniques, e.g., verification, observation and information analysis.
·Be nonbiased and display due diligence. Assessment findings should be based on factual information gathered during the assessment process using detailed but selective testing, inspection and interviewing.

Hewlett-Packard has been process- or systems-oriented for so long that the idea of not following a systems approach is foreign, according to Pyeha. Hewlett-Packard will look for internal auditors who demonstrate good rapport with all management levels, from supervisory managers up to senior-level general managers, and who possess technical expertise in the environmental field.

EMS auditors must be able to speak in business terms with upper management and at the same time understand management's concerns, advises Pyeha. The ideal internal auditor will possess a high level of technical experience and be able to translate environmental lingo into business language for management to understand.

"Management systems auditing has a number of layers, like peeling back the skin of an onion," describes Pyeha. "You can start at the top and hopefully find major issues using rational techniques of questioning and discussion. Through this technique, auditors can identify environmental issues and identify how those environmental issues interact with the rest of the business."

About the authors . . .
Gregory J. Hale is associate editor of International Environmental Systems Update, a monthly newsletter on ISO 14000 developments and implications. Caroline G. Hemenway is vice president and publisher of CEEM Information Services in Fairfax, Virginia.

CEEM publishes IESU, The ISO 14000 Handbook on implementation and certification, and other ISO 14000 and management systems products. For more information, contact CEEM at (800) 745-5565 or (703) 250-5900; fax (703) 250-4117.