Management system audits are an integral part of every management system. All of the management system specification standards – including ISO 9001, ISO 14001 and OHSAS 18001 – require that an organization establish and implement an internal audit program.
I have been involved in auditing for over 30 years.
In the 1980’s – I conducted EHS audits world-wide for Bristol-Myers as part of the corporate audit team.
In the 1990’s – I started the decade reviewing a wide range of audit and assessment reports. As an attorney for U.S. EPA, I evaluated assessments for the purposes of undertaking enforcement actions. Then, as an attorney in private practice, I helped companies establish internal audit programs. I also used audit reports prepared by others for advising clients on mergers, acquisitions, commercial loans and property development activities. In 1997, I shifted my focus to assisting organizations with management system implementation and became a certified EMS Lead Auditor in 1999.
In the 2000’s – I turned my focus to management system audits and the development of audit standards. I developed and taught numerous auditor training courses – from Lead Auditor Training to customized internal auditor training courses covering multiple disciplines (quality, environmental, OH&S, food safety, security, etc.). I also helped develop international auditing standards and participated as one of the U.S. Experts in the revision of ISO 19011.
I am pleased to announce that I have launched a new website that is based on my extensive experience in auditing:
This website focuses on providing useful information and resources to help auditors and audit program managers develop expertise in management system auditing. In the blog associated with this site, I will be answering questions about establishing an audit program and providing insight into the intent underlying the language of the ISO standards that set out auditing requirements.
© ENLAR Compliance Services, Inc. (2012)
I received the following question from a reader last week –
When it comes time for our company to be audited on the OHSAS 18001 system, our auditor usually says, “Your Company has not identified ALL the hazards at your facility.”
… I don’t believe that every potential hazard needs to be identified in order to be compliant. I always explain this to the auditor, and address what it states in 4.3.1:
“The organization shall establish, implement and maintain a procedure(s) for the ongoing hazard identification, risk assessment, and determination of necessary controls.”
… I don’t feel our auditor is correct in saying we are not compliant because we have not identified all potential hazards.
I really would appreciate your thoughts on this matter.
You are correct in your analysis of the requirement in Section 4.3.1 of OHSAS 18001. What is required – and what auditors should be looking for – is a process NOT perfection.
This is an important distinction and a fundamental principle underlying all of the ISO management system standards and OHSAS 18001. It is one of the 14 Points for Management that Deming emphasized in his 1982 book, Out of the Crisis, and it is what the plan-do-check-act (PDCA) approach is all about.
To illustrate the difference, consider how one goes about controlling a manufacturing line making widgets. There are 2 different approaches that can be used to ensure quality widgets – an inspection approach and a management system approach.
In previous posts, I discussed the relative importance of management system standards and company culture on OH&S performance. This discussion was based on the paper entitled The Limits of Management Based Regulation by Neil Gunningham and Darren Sinclair.
One of the conclusions set out in this paper is that the “accountability mechanisms” common to management system standards can have a negative impact on OH&S performance.
The authors suggest that many of the fundamental requirements of management system standards – establishing accountability, performance tracking and internal auditing – are “antithetical to measures that our findings suggested had a positive impact on OHS.” They go on to discuss social science research that finds that accountability mechanisms can decrease trust and, as a result, negatively impact performance.
What does this mean for OHSMS internal audit programs?
First, it is important to recognize that internal audit programs have a purpose. That purpose is best summed up by the phrase – “Trust – but Verify.” That is why OHSAS 18001 includes an internal audit program requirement.
I am pleased to announce that ENLAR has launched a new blog – www.managementsystemexpert.com.
The purpose of this blog is to provide real-world practical advice to assist you in establishing, documenting, implementing and maintaining an integrated management system.
This website provides information and resources to help you understand the requirements of the various management system standards – ISO 9001, ISO 14001, OHSAS 18001, etc. In addition, it provides an opportunity for you to post your questions and comments on a variety of management system topics.
An integral part of this blog is the monthly FREE teleseminar that ENLAR will be hosting. These monthly “conversations with experts” will provide a unique opportunity for you to BOTH listen to experts on a variety of management system topics AND ask questions for them to answer in their calls.
Click here to check out this new blog. While you are there, check out the upcoming teleseminars on –
- Revision of ISO 19011 – The Challenge of Drafting a Generic Auditing Standard
- Five Steps for Achieving Employee Engagement
Thanks! I hope you like this new site.
© ENLAR® Compliance Services, Inc. (2009)
In a previous blog, I discussed the difference between competency and awareness in an occupational health and safety management system (OHSMS). In that blog, I used the ISO 9000:2000 definition of competence as “demonstrated ability to apply knowledge and skills” since OHSAS 18001:2007 does not include a definition.
It seems that the appropriate definition of competence is now the subject of some debate within ISO and may be subject to being “re-defined.”
Competency is a significant component of at least four standards currently under development within ISO –
- ISO 10018 – Quality management: Guidelines on people involvement and competencies
- ISO 14066 – Greenhouse Gases – Competency requirements for greenhouse gas validators and verifiers
- ISO 17021 Part B – Conformity assessment – Requirements for third-party certification auditing of management systems
- ISO 19011 (revision) – Guidelines for management system auditing
Interestingly, each of these standards has apparently rejected the dictionary definition, as well as the ISO 9000 definition, and each ISO Technical Committee appears to be in the process of developing its own concept of competence.
ISO 10018 is apparently focusing on how “human factors” impact the effective functioning of management systems with the definition of competency being passed to a subcommittee. ISO 14066 is structured to set out detailed lists of the skills and knowledge that must be possessed by GHG verification and validation teams – with the focus on team rather than individual competency. The initial committee draft of ISO 17021 defined competence as “personal attributes and ability to apply knowledge and skills” with a heavy focus on personal attributes and generic audit skills but essentially no guidance as to the needed discipline-specific knowledge (e.g. quality, environmental, OH&S). The revision of ISO 19011 has just begun; however, the issue of auditor competency has already been identified as one of the “hot-button issues” associated with revision of this standard.
A review of the various standards and other reference materials appears to set out three different, and distinct, attributes that underlie competency:
- Attitude and personality traits – who you are
- Knowledge – what you know
- Skills – what you can do
Where the ISO standards seem to diverge is in the relative importance to be given to each attribute (personality vs. knowledge vs. skill) as well as in the specifics of what is actually required and how it should be demonstrated.
What do you think? What is competency?
© ENLAR® Compliance Services, Inc. (2008)