I recently completed an integrated audit that addressed multiple standards (RC14001, ISO 9001, FSSC 22000, RSPO, and HALAL). Auditing this way is especially valuable for organizations that operate under more than one framework, because it helps reduce duplicated effort, save resources, and create better alignment across business goals, without making the management system feel like a burden to the people using it.
In a recent webinar, I discussed how to run a more effective management review, and why an integrated approach can give leadership the kind of insights and decision-ready information they actually value. In this article, I’ll build on that theme by sharing practical strategies for integrated audits and how organizations can use them to stay compliant, improve performance, and keep multiple standards working together as one system.
Why Organizations Integrate Management System Audits
Management systems are a great way to bring structure to how a business operates. Without that structure, it can often feel like the organization is constantly fighting multiple fires. A process-based approach helps bring order to the chaos by making it easier to understand the context the business operates in, set clear goals, identify risks, and put plans in place that can be implemented, monitored, and reviewed.
For many organizations, the push to implement multiple management systems is mainly market-driven. Customers, regulators, or industry schemes may require certification as a condition of doing business. A smaller number of companies adopt management systems simply because they recognize the value, even when certification isn’t required. The problem is that management systems are often implemented in a piecemeal way, as new requirements arise. For example, a company may already have ISO 9001 in place, then a new requirement for ISO 45001 comes along. Instead of integrating the new standard into the existing system, a separate ISO 45001 “system” gets built alongside it.
When integrated management systems are implemented well, the benefits are significant. They reduce duplication, improve alignment, and make the system easier for people to use. And when the system is easier to implement and maintain, it naturally improves buy-in and strengthens commitment across the organization.
Common Structures Across ISO 9001, 14001 & 45001
What makes the ISO standards easier to implement is the harmonized structure used by ISO in developing them. This approach, starting in 2013, has made the standards easier to integrate owing to their similar, unified clause structure. The standards now also follow the flow of the PDCA cycle, with the requirements laid out in the plan – implement – performance evaluation and improvement approach.
The common clause structure allows for a better integrated manual without the need for a cross-reference matrix. Additionally, organizations can now maintain a common risk register, conduct integrated audits, plan a common management review, have one policy (which ensures no conflicts with other policies) and follow a common documentation approach.
Planning an Integrated Audit Program
Planning an integrated audit program may at first seem challenging, especially when it comes to finding resources that can audit to multiple standards in one audit. Let us first look at the approach to a good audit program.
A good audit program goes beyond meeting the minimum requirements. Often I come across organizations that do audits just once a year. The justification is that there is QC in place, site walk-throughs by safety, operational inspections and regulatory/customer audits. Organizations must keep in mind that the scope of each of these may be different from that of an internal audit. While it may appear that various inspections and audits are being performed, the lens through which the system is being looked at may be very different.
For example, in an inspection the focus is only on the output of a process and whether the output is conforming or not. In regulatory audits the focus is on regulatory requirements and compliance, not necessarily on process performance. Internal audits focus on process effectiveness and move beyond conformity. Based on the risks associated with a process, the leadership must determine the interval at which they want to audit each process.
For internal audits, it is best to audit a few processes every month or every other month and then to conduct a system audit once a year.
Process-Based vs Clause-Based Integration
The ISO standards promote a process-based and risk-based approach to internal audits. While it may seem easier, or even more logical at first, to conduct a clause-based audit, it is often not very effective. The main reason is simple: it doesn’t paint the whole picture.
When we audit a process, we can assess conformity to multiple clauses at the same time, within the real flow of work. That is where integration becomes practical. There are a few situations where a clause-based approach may still make sense, such as when auditing leadership commitment to the system, or when reviewing how documented information is created, updated, and controlled across the organization.
A process-based approach allows the auditor to connect the dots between contextual risks, the planning done to address those risks, the controls and actions implemented, and the evaluation of effectiveness. Building on this, auditors can also assess how well the process is actually working in practice, not just whether the organization can point to a procedure that says it exists.
Risks of Poorly Integrated Audits
As stated at the start of this article, one of the biggest challenges in conducting integrated audits is having internal resources who are competent across multiple standards. Many of our clients, especially those working with smaller budgets, find themselves trying to hire that one person who understands everything and can audit everything. In reality, that’s a unicorn find.
Organizations generally have two options to address this.
The first is to outsource internal audits to an auditing organization or auditor who already has experience across multiple standards. In many cases, the provider will assign a team of auditors with the competence to cover the relevant requirements. Depending on the scope, this could be a team of two, or even four. Of course, the more auditors involved, the higher the cost.
The second option is to build internal capability by training the organization’s own audit team across the required standards. This does involve investment in the individuals selected, but it also creates long-term value. QMII typically recommends training a minimum of 10% of the workforce as internal auditors, up to a total of 10 auditors. This creates a strong pool to choose from and also supports more objective and impartial auditing.
QMII’s modular training approach helps organizations build audit capability quickly, without needing to put people through a full 4–5 day lead auditor course for every standard. Running an in-house auditor course can also create economies of scale and allows the training to be more customized to the organization’s own processes and risks.
Building Integrated Audit Capability
Integrated audits don’t fail because the standards are difficult. They fail because the organization does not have enough people who can confidently audit across the scope. The key to building integrated audit capability is to stop thinking of auditors as “ISO 9001 auditors” or “ISO 14001 auditors” or “ISO 45001 auditors” and start developing auditors who understand process performance, risk-based thinking, and system effectiveness. Once that foundation is strong, adding additional standards becomes far easier.
The goal is not to create a team of “super auditors.” The goal is to build a pool of competent internal auditors who can look at a process and understand how it supports quality outcomes, environmental controls, and worker safety all at the same time. When an organization can do that, integrated auditing becomes practical, consistent, and sustainable.
A good way to start is by building capability around the process approach. This means training auditors to follow the workflow, understand inputs and outputs, ask the right questions, and confirm that controls are working as intended. In many organizations, this is where the biggest value is gained, because audit conversations move beyond “show me a procedure” and into “show me how the process is managed.” This is exactly where QMII adds value. Our training is designed to build real audit skill, not just theoretical knowledge of clauses.
Ultimately, when audit capability is built the right way, integrated audits stop being a burden and start becoming a value-adding tool. They provide leadership with better insight, stronger confidence in controls, and a clearer view of where the system needs to improve before problems grow into incidents, complaints, or nonconformities.


