Friday, November 5, 2010
The Difference Between Compliance Auditing and Systems Auditing In ISO 14001
Often, however, there is confusion between regulatory compliance auditing and EMS auditing. This is because there are many elements of regulatory compliance that overlap with the EMS. Recall that the criteria in a compliance audit are the applicable regulations, whereas the criteria in an EMS audit would be ISO 14001. But does ISO 14001 not address compliance? The answer is yes, but from a system standpoint, not a performance standpoint.
In other words, the standard requires that certain procedures exist regarding identification of legal and other requirements, that periodic compliance assessments be performed, that legal requirements be considered in setting objectives and targets, and that there be a commitment to compliance. However, actually being in compliance is a performance issue, and out of the purview of ISO 14001.
Of course, a system that is constantly out of compliance, or that does not identify and initiate action to correct noncompliances, will eventually fail due to system failure. The subtle yet important point is that during an EMS audit, identified regulatory noncompliances are relevant only to the extent that they reflect a potential system problem. The finding, therefore, is not that the site is out of compliance with a given regulation, but that the noncompliance means some EMS element is not being conformed to. For example, a regulatory noncompliance can be related to a problem with training, recordkeeping, or monitoring and measurement.
The EMS auditor is not to do a compliance audit as part of the EMS audit. If, as part of the statistical sampling to verify EMS element requirements, the auditor identifies a regulatory noncompliance, he or she treats it as any other evidence.
This point has been difficult to accept, especially in U.S. industry, because of our long history of regulatory enforcement. The EMS auditor needs to constantly remember that compliance auditing is being done separately as part of the EMS requirements themselves (4.5.1, paragraph 3) and to stay focused on the criteria at hand – ISO 14001 and the site’s EMS. There may be legal requirements regarding noncompliances encountered during the EMS audit, but this should be decided and addressed in the audit plan.
In summary, the goal of the compliance audit is to verify compliance with regulations, whereas the EMS audit’s goal is to verify that the EMS conforms to planned arrangements, including ISO 14001.