by Andy Hofmann
The other day a client asked me, “What are you looking for when you look at our internal audits?” In a rush to respond, I provided the short answer that we are looking for evidence that the audit system satisfies the standard and then that it has been used to determine how well the rest of the management system is operating. The client looked at me and asked, “Is that all?” Well, no, not really. I didn’t mention audit effectiveness. Having had time to reflect on it, I should have responded as follows.
ISO 50001 states the following:
“The organization shall conduct internal audits at planned intervals to ensure that the EnMS:
- Conforms to planned arrangements for energy management including the requirements of this International Standard;
- Conforms with the energy objectives and targets established;
- Is effectively implemented and maintained, and improves energy performance.
An audit plan and schedule shall be developed taking into consideration the status and importance of the processes and areas to be audited as well as the results of previous audits. The selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process. Records of the audit results shall be maintained and reported to top management.”
I reference the requirement from ISO 50001 because it represents the latest wording from the International Organization for Standardization (ISO) on the internal audit requirement. For completeness and comparison, ISO 9001:2008 states:
“The organization shall conduct internal audits at planned intervals to determine whether the quality management system:
a) conforms to the planned arrangements (see 7.1), to the requirements of this International Standard and to the quality management system requirements established by the organization, and
b) is effectively implemented and maintained.
An audit program shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits. The audit criteria, scope, frequency, and methods shall be defined. The selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process. Auditors shall not audit their own work.
A documented procedure shall be established to define the responsibilities and requirements for planning and conducting audits, establishing records and reporting results. Records of the audits and their results shall be maintained (see 4.2.4).
The management responsible for the area being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results (see 8.5.2).
Note: See ISO 19011 for guidance.”
There are interesting parallels between these requirements, although perhaps ISO 50001 wins the contest for word optimization. Notice that ISO 50001 does not require a “documented procedure.” This is because there are few organizations these days that need to be explicitly directed as to when a documented procedure is necessary. Most have already applied considerable common sense to the matter: When there are inconsistent results from simply training team members, some kind of written method is necessary.
There is an interesting and important dichotomy between ISO 9001 and ISO 50001. Although ISO 9001 requires an audit to determine whether a quality management system (QMS) conforms to planned arrangements, an ISO 50001-compliant internal audit ensures that the objectives and targets set are supported by the energy management system. It’s this difference that we should have probably discussed in more detail with my “Is that all?” client. Here’s why.
For some time now, external audits have been focused on the ability of the audited management system to achieve its objectives and targets. We audit not just the content and execution of the various procedures, instructions, and forms but also whether the combination of these can actually achieve the goals that have been set.
Many of us are aware of organizations we audit that fall short of their objectives and targets year after year. I’m not speaking of just a little deviation from one or two of the usual set of targets; this is chronic underperformance. What’s worse, internal audits for these organizations often show that everything in the system conforms. Because these audits are focused on individual processes, procedures, forms, and instructions, they seldom—if ever—indicate that anything is amiss.
The example that I like to use is a football game. Both teams have a plan (planned arrangements) that they have practiced for the week leading up to the match. Both teams have the same target: to win. They go out on the field and execute their respective plans. Coaches and monitors on both sides determine if the individual tasks that make up the plan are being executed by the players. They provide feedback to the offensive players and defensive players concerning how well they are performing, much the way audits examine conformance with procedures and instructions.
Here is where the similarity ends. No team continues to execute a plan unchanged when the systems audit—the score—tells them it’s not working.
Here is another example. A few Super Bowls ago at Super Bowl XLIV, New Orleans was losing to the favorite Indianapolis Colts at the half 10 to six. What was worse was that in this tight match, after halftime New Orleans faced the task of kicking the ball to the Colts and giving arguably the best offense in the league a three- to 10-minute possession advantage. What they did was change the plan.
Instead of kicking the ball away, New Orleans tried a high-risk, large-reward approach of using a side kick to turn the tide in their favor. It worked and they won the championship, and not by just a little bit. They defeated the favorites 31 to 17.
How does this apply to auditing? Continuing to audit procedures and finding them executed as planned but not achieving their objectives suggests the need for change. A “side kick,” if you will. Albert Einstein said that continuing to do the same things in the same manner and expecting different results is the definition of insanity. Same with auditing.
What ISO 50001 introduced to its set of requirements is that such an internal audit would not be acceptable. Where goals are not achieved, the internal audit must determine the process or processes that have contributed to the underachievement. It’s not sufficient to keep playing the game in the same manner and expect the outcome to change.
Now more than ever we are looking for internal audits to change their focus based on the ability of the system to achieve its objectives. The processes that regularly achieve their objectives should be paid less attention. Those that do not achieve them need the full attention of an audit to determine why there is a problem.
Next time you are performing an internal or external audit, look for the “side kick.” Organizations should recognize where goals aren’t being achieved and devote audit and other resources to find out why they’re not doing what they’re supposed to do. Certainly, ISO 50001 makes this a clear requirement; other standards can benefit from this best practice.
About the author
Andy Hofmann has been involved with management systems for more than 30 years. He has audited more than 2,500 systems, giving him a unique view of organizations that are performing well and those that struggle. A regular contributor to American Society for Quality management systems conferences and publications, Hofmann’s intellectual property has received wide acceptance. Currently the president of ICS Certification Services, Hofmann continues to work with management systems professionals throughout North America. He has an MBA from the University of Toronto and is a Certified Engineering Technologist.