Leveraging External Certifications: Impact on Non-Conformances in ASI Audits
Does leveraging external certifications lead to fewer non-conformances in an ASI audit? More information in our Data and Research Article from June 2023
28 June 2023
Data and Research Article, June 2023
Benchmarking and harmonisation activities are increasingly relevant in the context of proliferating standards, initiatives and due diligence regulations. ASI recognises relevant external Standards and Certification Schemes wherever possible and appropriate, in order to enhance collaboration, reduce unnecessary duplication, and inform ASI’s learning and continual improvement. But does leveraging external certifications lead to fewer non-conformances in an ASI audit?
In this analysis, ASI sought to examine whether Entities that leverage an external Standard – particularly ISO 14001 and 45001 – achieve different non-conformance (NCs) outcomes in their ASI Performance Standard (PS) Certification than those Entities not leveraging an external Standard. It found that there were differences in the incidence of NCs for both PS–aligned and related criteria for ISO-Certified and non-ISO Certified Entities.
The analysis reveals that during ASI PS audits, for the relevant harmonised criteria, auditors are diligently assessing the status of existing ISO certifications, evaluating the proper implementation of required corrective actions related to these certifications, and determining their impact on the company’s compliance with the ASI PS criteria. While ASI recognition of external standards and schemes may reduce unnecessary duplication during ASI Audits, non-compliances can still be allocated where ISO Certification elements are identified to be missing or lacking effectiveness or controls. This drives continuous improvement in Entities’ performance.
Which external Standards and Schemes does ASI recognise?
In the Performance Standard V3, ASI recognises 6 external Standards to be equivalent to certain criteria. The two most common are:
- ISO 14001: 2015 – Environmental Management Systems maps out a framework that a company or organization can follow to set up an effective environmental management system and to achieve its intended objectives. Intended outcomes consistent with the organization’s environmental policy include:
- enhancement of environmental performance;
- fulfilment of compliance obligations;
- achievement of environmental objectives.
- ISO 45001: 2018 – Occupational Health and Safety Management Systems specifies requirements for an occupational health and safety (OH&S) management system, and gives guidance for its use, to enable organizations to provide safe and healthy workplaces by preventing work-related injury and ill health, as well as by proactively improving its OH&S performance. Intended outcomes of an OH&S management system consistent with the organization’s OH&S policy include:
- continual improvement of OH&S performance;
- fulfilment of legal requirements and other requirements;
- achievement of OH&S objectives.
ASI also recognises:
- ISO 37001: 2016 – Anti-Bribery Management Systems
- ISO 21930: 2017 – Sustainability in Buildings and Civil Engineering Work
- ISO 14044: 2006 – Environmental Management: Lifecycle Assessment
- NEN-EN 15804 : Environmental Product Declaration
The analysis found that ISO 37001, ISO 14044, EN 15804 were leveraged by relatively few Entities (2-8% of ASI PS Certifications). ISO 21930 was not leveraged by any ASI PS Certifications. As no Non-Conformances were found in aligned criteria, they are not the focus of this analysis.
How do Auditors assess Recognised External Standards and Schemes
Under the ASI Assurance Manual, Auditors apply the equivalency and assign Conformance to the relevant criteria by verifying that the Scope of the Recognised Standard or Scheme applies to the Member’s Certification Scope. This does not normally require additional review of Objective Evidence. However, an Auditor should undertake additional review if there is evidence that a relevant Non-Conformance may exist. For instance, if an Entity has an ISO 45001 certification at a Facility within their Certification Scope that is deemed to be equivalent, but the Auditor sees concerns with health and safety during the site visit, the Auditor may further assess these criteria and, if warranted, a Non-Conformance may be issued to the Entity.
Standards/schemes that were recognised under the 2017 Performance Standard but are no longer recognised in the 2022 Performance Standard are not considered in this analysis. During the 2020-2022 ASI Standards Revision process, the ASI Standards Committee decided that ASI can only recognise Standards that rely on third-party verification. The ASI Standards Benchmarking & Recognition Procedure was updated accordingly to reflect these changes.
To find out whether there are differences between Entities that are leveraging an external Standard and those that aren’t, we looked at:
- Current ASI Certification Audit Reports for both Performance Standard (PS) V2 and V3 between 29 January 2019 and 6 February 2023. Current Certificates are those that are currently active and valid; to avoid double counting issues, the analysis does not review any earlier findings from previous audits.
- In total, 178 ASI Performance Standard Certifications were reviewed.
- Conformance levels for aligned criteria in PS V2 and PS V3, which had Equivalent Standards and Schemes recognised in the ASI Assurance Manual V2:
- Criteria 1.2, 2.3a, 4.1a, 4.1b, 4.1c, 7.1a, 1a, 11.2,
- Conformance levels for other closely related criteria whose conformance outcomes might have been influenced by the following external Standards: ISO 14001:2015 and ISO 45001:2018.
- These two Recognised Standards are management system standards that, if implemented effectively, can affect broader areas of a company’s performance.
- For example, ISO 14001 can address a wide range of environmental-related issues, and ISO 45001 can address an array of OH&S and working conditions-related issues.
ISO 14001: 2015 & ISO 45001: 2018
The most frequently leveraged External Standards in ASI PS Certifications are ISO 14001 and 45001, covering environment and health and safety respectively. As shown in Figure 1, 87% of the ASI PS Certifications leverage at least 14001 (35%) or both (52%). There were no Certificates which leveraged ISO 45001 only.
Next, we reviewed whether Non-Conformances (NCs) were raised with the PS criteria that were recognised as aligned with these External Standards. Figure 2 shows that auditors identified NCs in aligned criteria in 8% of the ASI PS Certifications which leveraged ISO 14001, and 12% which leveraged ISO 45001. This compares to 4% (ISO 14001) and 15% (ISO 45001) for the non-ISO leveraged PS Certifications. Aligned criteria under ISO 14001 are 2.3a on management systems and 4.1a on environmental life cycle assessment; and under ISO 45001 are 11.1a on OH&S management system and 11.2 employee engagement on health and safety.
Reviewing the specific findings for the NCs, examples of which are set out in Table 1 below, reasons include:
- ISO Certificate NCs not yet addressed or closed out.
- Lack of integration or performance of specific ASI PS requirements.
- Indications of lack of effectiveness or controls.
- Sampled evidence identified implementation gaps.
|Example auditor findings for NCs against aligned criteria|
|ISO 14001:2015||ISO 45001:2018|
|Aspects of the ASI Performance Standard were not integrated in the management review of the Environmental Management Systems.||Indication of lack of effectiveness in OHS risk assessment and practices.|
|The ISO Certificate was issued with 6 minor NCs and the Entity is developing corrective action plans to close them||NCs identified under ISO relating to risk control were not addressed before ASI PS Audit.|
|Lack of root cause analysis for an NC identified during internal audit. Management reviews only internal audit results and do not consider other information such as legal law requirements, policies, procedures, etc.||The ISO Certificate was issued with 6 minor NCs and the Entity is developing corrective action plans to close them.|
|4.1a||Required OHS risk assessment is not conducted prior to the temporary repairing/maintenance tasks.|
|LCA covered only gate to gate environmental impacts while impacts from the supply chain were not included. Assessment did not cover wastewater and solid waste generated by processes.||Missing documentation of physical examination reports for 3 employees.|
|Due to Covid-19 pandemic LCA of products was delayed. At the time of ASI PS Certification documentation was still being collected.||During occupational health re-examinations, health review of workers with pre-diagnosed health conditions was not performed.|
|LCA did not consider recent changes in processes.||Limited capacity for all workers to participate in fire drills within 1 year from job commencement.|
|LCA does not cover process differences for product variations.||Lack of evidence demonstrating the workers received required health re-examination as per doctor’s request.|
|The Entity developed Environmental Product Declaration (EDP), however it has not been verified by a third party.||Occupational medical check was not performed preceding job commencement for 1 worker exposed to noise during working hours.|
|LCA was not updated since 2020.||11.1a – No NCs identified.|
Table 1 – Example NC findings for aligned criteria under ISO 14000 and 45001
Finally, the analysis reviewed incidence of NCs for related criteria – those PS criteria that are not designated in the ASI Assurance Manual as ‘aligned’ but have a potential connection to a management systems approach as set out in the ISO Standards.
For ISO 14001, we considered related criteria to include:
- 1b, 2.1c Environmental, Social, and Governance Policy,
- 1b, 4.1c Environmental Life Cycle Assessment,
- 3a Assessment and Management of Spills and Leakage,
- 5a Waste management and reporting,
- 2a, 7.2b Water management,
- 2a, 8.2b Biodiversity management.
For ISO 45001, we considered related criteria to include:
- 6 Emergency Response Plan,
- 5 Communication and engagement,
- 8 Working Time,
- 1b, 11.1c, 11.1d Occupational Health and Safety (OH&S) Policy,
- 3 Employee engagement on health and safety,
- 4 OH&S performance.
Figure 3 shows that for these related criteria, 8% of ASI PS Certifications that leveraged ISO 14001 had NCs and 25% for ISO 45001. This compares to 17% (ISO 14001) and 15% (ISO 45001) for the non-ISO Certified Entities.
- Out of 178 current ASI PS Certifications analysed, 87% leveraged at least ISO 14001:2015 or both with ISO 45001:2018.
- For ASI PS Certifications which leverage ISO 14001:
- For aligned criteria, there was a higher incidence of NCs (8%) than for non-ISO Certified Entities (4%)
- For related criteria, there was a lower incidence of NCs (8%) than for non-ISO Certified Entities (17%)
- For ASI PS Certifications which leverage ISO 45001:
- For aligned criteria, there was a slightly lower incidence of NCs (12%) than for non-ISO Certified Entities (15%)
- For related criteria, there was a higher incidence of NCS (25%) than for non-ISO Certified Entities (15%)
- For aligned criteria, auditor findings highlighted NCs being raised in ASI audits to reflect NCs identified in ISO (or internal) audits that had not been addressed by the time of the audit. For ISO 14001, another key gap area was LCA implementation, which appears to contribute to the higher incidence of NCs for ISO-Certified entities. For ISO 45001, which had a lower incidence of NCs in this cohort, effective risk assessment, implementation and record keeping gaps were identified in auditor findings.
- For related criteria, ISO 14001 appears to support a systematic approach on environmental topics with non-ISO Certified entities recording a higher incidence NCs in these areas. For ISO 45001, where non-ISO Certified Entities recorded a lower incidence of NCs, this could relate to a gap between ISO Certified Entities’ (higher) system and policy settings and (actual) practice.
- For both aligned and related criteria, there was a generally higher proportion of NCs for ISO 45001 then for ISO 14001. This could relate to:
- Relative maturity of the two standards (45001 launched in 2018, superseding OHSAS and other national standards, while 14001 was first launched in 1996)
- OH&S is arguably more highly dependent on human behaviour and NCs can be identified on single incidents which may occur with greater frequency, visibility or likelihood.
- Overall, the analysis shows that during ASI PS Audits, Auditors are showing diligence towards the findings within existing ISO Certifications and implementation of identified corrective actions. While ASI recognition of external standards and schemes can reduce unnecessary duplication during ASI Audits, it can also point to missing elements, lacking effectiveness or controls under ISO Certification, which at the end drives continuous improvement in Entities’ performance.
ASI will take forward the learnings from this analysis in Auditor calibration processes, and as we update the Assurance Manual and review the ASI Benchmarking & Recognition Procedure in the future.
More information on ASI Standards and Benchmarking can be found here.
SHARE THIS ARTICLE