Integrated Audits

Organizations implement management systems to support their quality, environmental, and health and safety activities. These systems are often implemented as separate systems instead of as an integrated system, resulting in reduced overall efficiency and effectiveness. 

ISO 9001:2015 (quality), ISO 14001:2015 (environmental), and ISO 45001:2018 (health and safety) now have the same high-level clause structure, many common terms, and the same core requirements, making implementation of an integrated management system much easier.

For more information on implementing an integrated management system, see my article on Integrated Systems (and the ISO Handbook: The Integrated Use of Multiple System Standards).

Integrated Audits

ISO 19011:2018, Guidance for auditing management systems, defines a “combined” audit as one carried out at a single auditee on two or more management systems of different disciplines. If these management systems are integrated into a single management system, the combined audit of that system would be called an “integrated” audit.

The basic principles and processes of auditing are the same for individual audits, combined audits, and integrated audits. The audit program would indicate if the quality, environmental, and health and safety audits are to be conducted separately, in combination, or in an integrated manner.  

Managing an Integrated Audit Program

Conducting integrated audits requires an audit program that has been specifically established to address multiple management system standards during combined audits. One of the first steps should be to establish the audit program objectives that will direct the planning and conducting of the integrated audits.

With the program objectives set, you’re ready to determine the audit program risks and opportunities as related to integrated auditing. For example, what are the risks that might impact the achievement of the integrated audit program objectives? 

The level of audit integration possible will depend on the degree of management system integration and the multiple discipline training of the auditors.   

When scheduling the audits, be aware of the areas that relate to multiple disciplines and that can be assessed once in an integrated manner. Remember to lay out the audit agenda by process areas, not by the clauses of the applicable standards. 

Part of establishing an audit program is to develop the necessary audit procedures and forms. Ensure these documents are created or revised to support integrated audits.

The person managing the audit program should have the necessary competence to administer the program, deal with risks and opportunities, and handle issues effectively and efficiently. That person should have knowledge of audit principles, methods, and procedures, as well as, the multiple management system standards that are part of the integrated system.

When selecting audit team members for an integrated audit, consider the size and composition of the team. While an integrated audit may require fewer auditors on the team, the level of audit integration achieved will depend on the team’s cross-discipline skills. For example, auditors trained on ISO 9001, ISO 14001, and ISO 45001 would provide more flexibility in forming the audit team.          

The expanded use of integrated management systems has resulted in the need to train auditors not only on the multiple standards, but also on how to conduct integrated audits. When auditing multiple disciplines, the audit team members should understand the interactions and synergy between the different management systems. Audit team leaders should understand the requirements of each management system standard being audited and recognize the limits of their competence in each discipline.

Planning an Integrated Audit

When more than one discipline is being audited at the same time, it is important that the audit objectives, scope, and criteria be appropriate for each discipline. Some disciplines may have a scope that reflects the whole organization, while others may have a scope that only includes a subset of the whole organization.

To conduct an integrated audit, develop a single audit plan. Begin by creating an audit matrix that indicates all the clauses of the involved standards and the responsible process owners. The audit agenda should include all the processes within its scope and ensure that the applicable standard requirements are addressed during the assessment of each process.  

The overall duration of an integrated audit is usually shorter than the overall duration of multiple separate management system audits. The reduced length of an integrated audit is due primarily to the common, integrated areas only having to be audited once across multiple disciplines

For integrated audits, work documents should be developed to avoid duplication of audit activities by clustering similar requirements from different criteria and coordinating the content of related checklists.

Conducting an Integrated Audit

An integrated audit should have one opening meeting and one closing meeting.

All applicable elements of each management system standard relevant to the scope of the combined audit visit should be adequately assessed. Ensure that the internal audit requirements stated in clause 9.2 of the multiple standards are also fully addressed.

Samples relevant to each applicable standard within the integrated management system should be audited, e.g., corrective actions related to quality, environment, and health and safety.  

Although the auditors may be trained on multiple standards, each auditor should still be assigned their specialty to make the audit more effective. For example, the auditor with environmental skills would audit waste water, the auditor with a safety focus would audit the use of personal protection devices, and the quality-oriented auditor would audit the product test procedures.

Processes that are basically common across the standards could be assigned simply based on auditor availability, e.g., documented information, internal audits, corrective actions, and management reviews.

Reporting an Integrated Audit

The results of an integrated audit should be communicated in a single report.

Each nonconformity raised in the report should be traceable to the applicable management system standard. Separate nonconformities should be raised for each management system standard unless specific findings are applicable to the requirements of more than one standard.

During an audit, it is possible to identify findings related to multiple criteria. Where an auditor identifies a finding linked to one criterion on an integrated audit, the auditor should consider the possible impact on the corresponding or similar criteria of the other management systems.

Depending on the arrangements with the audit client, the auditor may raise either separate findings for each criterion; or a single finding, combining the references to multiple criteria.

The audit team should consider the impact that a nonconformity found for one of the system standards has on the conformity of the management system with the other standards.

Calculating Integrated Audit Duration

According the IAF Mandatory Document 11, “Application of ISO 17021 for Audits of Integrated Management System Audits”, third-party audits of integrated systems may qualify for up to a 20% reduction of audit time over separate audits of the individual management systems.    

Factors for reducing the duration of an integrated audit, compared to separate audits of management systems, include:

1. extent to which the management system and its documentation is integrated; 

2. ability of the auditee to respond to questions on multiple management system standards; and

3. availability of auditors that can audit more than one management system standard.   

Benefits of Integrated Audits

An integrated audit can bring many benefits to your organization, such as lower certification costs, fewer audit interruptions to the organization, streamlined processes, reduced documentation, and more consistent objectives across multiple systems.

Based on the integration level of your system, and the qualifications of the audit team, time can be saved in an integrated audit by having one audit plan, one opening meeting, one audit of common processes, one closing meeting, and one audit report.

According to the ISO  Handbook, “The Integrated Use of Multiple System Standards”, when there is an integrated management system, the organization can combine its internal audits. As a result, there may be fewer work interruptions and less time needed for the audits.

Linkages between the processes are better understood and managed in an integrated management system, which can lead to more in‐depth audits. Separate management system audits tend to drive a functional response to the findings, and often these findings do not identify linkages between related processes.

With an integrated approach, management system audits consider the linkages of processes as a priority, and as a result, may identify critical system failures.