ISO 14001:2015 For Internal Auditors: Pre-Course Reading


ISO 14001:2015 for Internal Auditors

Pre-Course Reading

Improving performance,
reducing risk
Introduction

ISO 14001:2015 contains some significant changes that will impact upon internal
auditors. To add value to a management system designed around ISO 14001:2015
auditors may need to focus on different aspects of the management system, and are
likely to adapt the way they plan and conduct audits.

The purpose of this document is to help you prepare for the course, by giving you a
brief overview of the changes in ISO 14001:2015. You will build on this background
knowledge during the course, where you will explore the implications of the changes for
internal auditors, and develop your skills and techniques through practical activities and
discussions.

In addition to general information on the changes to ISO 14001:2015, this document
highlights some of the implications for internal auditors, and these are marked with the
following symbol.

Background to ISO 14001:2015


All Management System Standards (MSSs) are subject to regular review. The last
significant revision to ISO 14001 was in 2004. The 2015 version represents a
comprehensive rewrite to ensure that it supports the changing needs of today’s world
and reflects the increasingly complex environments in which organizations operate.
Many organizations use and are certificated to multiple management system standards
(MSSs), e.g. environment, quality, health and safety, information security, etc. As an
internal auditor, you may be auditing a range of different management systems, or
conducting internal audits of integrated management systems. The differences between
the various management systems standards have not supported integration and
arguably have caused confusion and inconsistent understanding and implementation.
In order to deliver consistent and compatible management system standards in the
future the ISO Technical Management Board produced a common framework for all
MSSs. This common framework is referred to as “Annex SL”¹. Essentially, Annex SL
describes how all management standards will be structured. The first standard to adopt
this structure was the Business Continuity Management standard (ISO 22301).
Ultimately, the MSSs for environment, quality and health and safety will reflect this
framework.
There will be a three-year transition period for existing accredited ISO 14001:2004
certifications, giving a deadline of late 2018 for organizations to migrate their
environmental management system to ISO 14001:2015.

1: Specifically: Annex SL of ISO/IEC Directives, Part 1, Consolidated ISO Supplement, 2013


ISO 14001:2015 for Internal Auditors Version 1 – Revision 2.0 Page 1 of 10
Pre-course Reading
© LRQA Training 2015

ISO 14001 Transition timeline

[Figure: transition timeline]

Transition Timeline (dates subject to change).


The changes and what they mean
The significant changes will be:
• Structure of the standard in line with Annex SL.
And main areas of change:
• Process thinking.
• Context of the organization.
• Leadership.
• Risk and opportunities (including life cycle perspective and outsourcing).
The following outlines these significant changes and what they might mean for internal
auditors.
Structure of the standard in line with Annex SL
Annex SL prescribes the following high level structure:
0. Introduction
1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement
The Annex SL structure is still based around the PDCA cycle, so this continues to provide
a useful framework for you in conducting internal audits:
“An effective management system is usually based on managing the organization’s
processes using a Plan-Do-Check-Act approach in order to achieve the intended
outcomes.” (Annex SL). If you want a reminder of the PDCA cycle, please see Appendix
1.
Many of the terms will also be familiar to you, for example, internal audit and
management review. So, for these topics, the existing processes within your current
EMS may well already address the new requirements since they have largely only been
re-arranged to fit in with the Annex SL structure. Other familiar terms of the current ISO
14001 also reappear with subtle changes and/or enhancements. For example, there is a
greater emphasis on interested parties and also in planning the EMS.

Because all MSSs follow this structure, and use common terminology, if you are auditing
across different management systems this should make it easier for you to locate
requirements and cross reference findings. It should also enable the streamlining of
integrated systems, and so make audits of integrated systems more straightforward.

Process thinking
ISO 14001:2015 places more emphasis on process thinking. Organizations are required
to determine processes needed and their interactions when establishing, implementing,
maintaining and continually improving the EMS. Throughout ISO 14001:2015,
reference is made to processes and less to procedures as in ISO 14001:2004.

Appendix 2 shows the process model.


Internal auditors will need to audit all aspects of processes, and the process model will
be an essential tool for an auditor. In particular you will need to audit the arrangements
for controlling, monitoring, measuring and evaluating processes, so there will be more
emphasis on whether processes are effective in achieving the intended results, and
possibly less on conformance with documented procedures.

Context of the organization


Section 4 dedicates itself to the “organizational context”.
This section is divided into four sub clauses:
4.1 Understanding the organization and its context.
4.2 Understanding the needs and expectations of interested parties.
4.3 Determining the scope of the environmental management system.
4.4 Environmental management system.
The latter two of these find counterparts in section 4.1 - General of the current standard
but the former two are new requirements and they require an organization to think
about the issues that can affect it as well as the parties that have an interest in it
including how to manage these parties’ relevant requirements.
Understanding the organization and its context
ISO 14001:2015 uses the term “context of the organization”, referring to external
factors in the business environment, and also internal factors, such as organizational
structure and culture.
An organization is required to identify, monitor and review internal and external issues
that are relevant to its purpose and that affect its ability to achieve the intended
outcome of its EMS.
Understanding the needs and expectations of interested parties
ISO 14001:2015 requires organizations to go through a process initially to identify these
groups and then to identify their requirements that are relevant to the organization’s
environmental management system.
Relevant interested parties are groups or individuals who have the ability to impact (or
potentially impact or be impacted by) the organization’s ability to enhance its
environmental performance and compliance obligations. Regulators, neighbours,
shareholders, board members and employees would all fit into this classification.

The design of the environmental management system and its processes should reflect
the context of the organization and the relevant needs of interested parties.

As an internal auditor you may need to explore how information about the
organizational context and needs of interested parties is captured and how it flows
down into the processes you are auditing. You might need to see how plans are
cascaded down into specific actions and processes. You may find you need more
preparation time to identify any relevant issues and incorporate these into your audit
plan.

Leadership
Section 5 dedicates itself to “Leadership”.
This section is divided into three sub clauses:
5.1 Leadership and commitment.
5.2 Environmental policy.
5.3 Organizational roles, responsibilities and authorities.
This clause of ISO 14001:2015 calls for the organization’s top management to
demonstrate their involvement and engagement with the environmental management
system through direct participation in, for example:
• Taking accountability for the effectiveness of the environmental management system.
• Promoting continual improvement.
• Supporting other relevant management roles to demonstrate their leadership.
Thus, the top management assume an active role in the EMS by taking accountability for
its success themselves (and not leaving it to the management representative – which, by
the way, is no longer explicitly called for in the new version). The leaders must also
integrate the EMS into the organization’s processes; so the process approach is more
prominent in the new standard.

As an internal auditor you will be expected to look for tangible evidence of the results of
leadership activities in the process(es) you are auditing. For example, you might see
actions raised at management review being implemented in the process you are
auditing. You might look at improvement goals and the resources provided to deliver
these. You might examine communications from top management to see if consistent
messages are communicated about their commitment to the EMS.

Risk
The concept of risk is not new to environmental management systems (identifying
significant environmental aspects); however, ISO 14001:2015 places more emphasis on it
and requires an organization to include the context of the organization and the needs of
interested parties. Clause 6 of the standard includes significant environmental aspects,
compliance obligations, risks and opportunities and planning to take action.
Risk and opportunities are included throughout the standard. The term preventive
action has disappeared.

Internal audit processes that meet the requirements of ISO 14001:2004 will already take
account of risks in developing a programme of audits and in the way auditors select
samples, and this will not change. But auditors will need to consider risk more explicitly,
and will need to factor in identified risks and opportunities and actions into their audit
plans to assess how these are being implemented and integrated into processes.

Other changes
Most of the requirements of ISO 14001:2004 are carried forward to ISO 14001:2015.
Many are substantially unchanged, although throughout the standard, revision to
improve consistency of interpretation and understanding and aid translation is evident.
There are other changes where aspects of a management system are more clearly
described because the Annex SL format has a clause to address it, such as:
• Policy
• Evaluation of compliance
• Communication
• Documented information
• Continual improvement
This ensures that there is commonality with other management system standards and so
you will be able to see the same headings in ISO 9001:2015 and ISO 45001 (the
replacement for OHSAS 18001 when it is published) and group what you do for them
together in your management system.

Changes to the Model of an environmental management system
The new version of the standard brings with it an updated version of the model,
including the relevant clause numbers.

PDCA versus the ISO 14001:2015 framework

[Figure: the PDCA cycle (Plan, Do, Check, Act) mapped to the ISO 14001:2015 framework. Inputs: internal and external issues; needs and expectations of interested parties. Within the context of the organization and the scope of the environmental management system: Planning, Support and operation, Performance evaluation and Improvement, arranged around Leadership. Output: intended outcomes of the EMS.]

(Reproduced from ISO 14001:2015)

Appendix 1
The Plan-Do-Check-Act Cycle

[Figure: the PDCA cycle: Plan, Do, Check, Act]

This is the “Plan-Do-Check-Act” cycle. You may hear it called the PDCA cycle.

• Plan - establish objectives, identify potential risks and plan ways of working.

• Do - do what you planned to do.

• Check - check the results against expectations.

• Act - act to address any shortfall, learn from experience and identify
improvement opportunities.

PDCA and management systems

In simple terms a management system is a system for managing ways of working, to
minimise opportunities for things to go wrong and identify improvement opportunities.

The Plan-Do-Check-Act cycle is a very simple example of a management system, and it is
a structure that underpins the more detailed requirements of ISO 14001.

Appendix 2
Processes
By definition, a process is a “Set of interrelated or interacting activities which
transforms inputs into outputs.” For example, a production process turns raw materials
into a hardware product.

Processes use resources to transform the inputs into the outputs. People and equipment
are examples of resources.

Process model diagram


It is useful to be able to represent a process by a simple diagram. The Integrated
Definitions for Functional Modelling process model (IDEF-0) shown below is one way of
doing this and it will be used in the course.

[Figure: IDEF-0 process model. INPUTS enter the PROCESS and leave as OUTPUTS; CONTROLS are shown above the process and RESOURCES below it.]

For example - Consider an Environmental Incident Process

Input
Environmental incident has occurred.
• e.g. Spillage.
Output
The environmental incident has been addressed.
• e.g. The spillage has been cleaned away and waste has been disposed of in the
correct manner. Incident forms have been completed and logged.

Controls
Controls or constraints applied to the process or output.
• e.g. environmental compliance obligations, incident procedures have been followed.

Resources
Resources or mechanisms used to carry out the process.
• e.g. Competent people to address the spill, appropriate spill kits available,
equipment to report the incident.

An organization should control its processes in ways that help to manage associated
risks. For example:
• Financial – controls that prevent unauthorised trading.
• Security – controls that maintain confidentiality of information.
• Environmental – controls that enhance environmental performance.
• Quality – controls that ensure product meets customer requirements.
• Health and Safety – controls that prevent injury and ill health at work.
