Integrated Management System (IMS) Audit
An audit, as per ISO 45001:2018, is a “systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled”.
IMS audits are just like an open-book examination. The questions already exist in the form of clauses. The only requirement is to integrate the clause requirements into the organisation's own processes. When implementing IMS for the first time, integrating its requirements into the organisation’s own systems might be a lengthier process and may require something similar to project planning and tracking, but once it is done, it is a continual improvement journey for the organisation. One has to improve on existing processes and integrate new processes in line with the requirements. Audits play a significant role in ensuring that the laid-out system is as per the IMS clauses, with minimal gaps in new process alignment.
Audits are an integral part of testing the effectiveness of management systems. Most commonly, two types of audits exist:
- Internal Audits
- External Audits
Internal Audit
Internal audit in IMS is crucial, as it gives the organisation a chance to reflect and implement actions that can reduce the gaps found in the external audit. Internal audits are conducted by the organisation’s own team members who have undergone “Certified Internal Audit Training” by a competent agency, that is, by trained and certified internal auditors. Organisations get internal team members from across functions to undergo the Certified Internal Auditor Training programme for a standard. This enables smooth compliance with the requirements of the standard. When the organisation is too large or too small, however, it takes the help of external agencies.
Usually, the competent agency that provides the training and the one that audits are different, to ensure there is no conflict of interest. The periodicity of audits differs between organisations: a few conduct them once a year, some twice a year. Nonetheless, one cycle of internal audit must be done every year. Usually, organisations set the periodicity depending on the criticality of the operation: the more critical the operations, the more frequent the audits, i.e. twice or thrice in a year. It is also under the jurisdiction of the organisation and its intent. The ultimate goal is effective implementation of IMS and conducting the internal audit as per the standard clause.
The scope of the internal audit is the same as that of the IMS certification/recertification audit. The aim is to cover all clauses and the entire scope in order to review the implementation in depth. This makes it possible to recognise any gaps in the system. When gaps are identified, a non-conformity is raised and sent to the respective department in charge in the non-conformity format. In return, the respective department in charge has to provide the auditor and the IMS coordinator with the corrective actions it intends to undertake, along with timelines.
Periodic reviews are conducted after the internal audit in order to:
a. Review the progress of internal audit non-conformities
b. Review the challenges for implementation
c. Discuss new ways to improve the management system
External Audit
External audits are categorised into Surveillance, Certification and Recertification Audits and are conducted by an auditing agency. These audits are to be conducted by agencies that are recognised by IRQA. Only then will the audits remain valid.
The periodicity of these categories of audits also varies. The certification audit is the audit in which the organisation gets certified for the first time after a standard is implemented. Once certified, it is mandatory for the organisation to undergo a surveillance audit every year and then a recertification audit in the third year. Usually, certification and recertification audits are done in depth and review all clauses and departments, whereas surveillance audits are conducted on a sample basis.
Irrespective of the type of external audit, outcomes are issued to the respective organisation in the form of non-conformities, i.e. major, minor and opportunities for improvement (OFIs). All major and minor non-conformities need to be provided with a corrective action plan and implementation within a month of issuance. In case of failure to do so, the certification may be put on hold. Implementation of OFIs is at the discretion of the organisation; it may or may not choose to implement them.
The corrective action plan submitted to the auditing agency must be monitored thoroughly for a period of time and horizontally deployed across operations. This is important to understand. If, in subsequent surveillance or certification audits, the same NC is raised as in the last audit, a minor NC automatically changes to a major NC and an OFI to a minor NC. This also raises questions about the clause on monitoring and measurement of processes in the organisation.
Overall, the most crucial part of any type of audit is transparency. If processes and systems are not transparent, the purpose of the audit system fails. This applies to both internal and external audits. A lack of transparency will not allow true gaps to be identified; even though certification or recertification may happen, in the longer run the organisation may sooner or later run into regulatory concerns or customer conflicts. This would also raise questions about the organisation’s integrity in the way it conducts its business.
To overcome all of the above, ensure that:
● All internal auditors are well trained by authorised agencies
● Authorised agencies are engaged in the certification or recertification audits
● Training service provider and auditing agencies must be different to avoid conflict of interest
● Sign a non-disclosure agreement with the agency conducting the external audit to ensure data protection
● Remain transparent
● Accept the gaps. No IMS can be 100% complied with in a dynamic work scenario, so any gap identified is an effort to improve the organisation’s processes rather than a failure of any personnel.
● Take the opportunity to learn from auditors, since most of them audit a wide range of business sectors and can thus provide the best advice suiting the scenario. Audits are not just a problem-finding process but indeed a fact-finding process. In this process of fact-finding, gaps and opportunities for improvement are identified, which makes it a win-win scenario for the organisation.