Transform
In part two of the series on auditing, Garry Warhurst reviews the different types of audits and standards businesses may go through

In the previous article (Transform, Aug/Sep 2024, p36), we discussed mindset and approaches to auditing, and I highlighted a different approach to provide success.

However, what are these audits up against and how can they provide value to businesses?

An organisation may have to use a certain standard for its own business needs or to comply with a customer requirement.

But why do we need to use standards and to be audited against them? Standards can have a positive impact on an organisation as they can be used:

  • As a framework on which to base the quality management system

  • To increase customers and business

  • To provide a due diligence defence and to meet permitting requirements for a management system.

However, the use of standards can also have a negative impact on the organisation, because:

  • Implementation of any standard takes time, money and resources

  • Different people have different interpretations of the requirements of standards, so auditors may have a different view of a clause from the person who installed the system

  • It can encourage bureaucracy and increase paperwork.

Different types of audits

We all know about first-, second- and third-party audits, but when is an audit an inspection and vice versa? ISO 19011 defines an audit as: a systematic, independent, and documented process for obtaining audit evidence [records, statements of fact or other information, which are relevant to the audit criteria and verifiable] and evaluating it objectively to determine the extent to which the audit criteria [set of policies, procedures, or requirements] are fulfilled.

An audit could be against the procedures and policies in place, but is more likely to be against a standard. An inspection is more a careful examination or scrutiny of something. Therefore, when, for example, you are testing for noise or odour for nuisance or pollution levels, this would be an inspection. Ensuring that this is completed at the appropriate frequency and standard as detailed in the environmental permit for a site would be an audit. Both systems are key and must be documented, but we need to ensure that audits meet the definition above.

To the right standards

Let’s look at the basic requirements for compliance and what standards are needed to audit against. The basic level is always the legal requirements.

The Companies (Strategic Report) (Climate-related Financial Disclosure) Regulations 2022 and The Limited Liability Partnerships (Climate-related Financial Disclosure) Regulations 2022 require companies that are listed on the Stock Exchange, have more than 500 employees and an annual turnover of more than £500m to publish a Task Force on Climate-Related Financial Disclosures (TCFD) report as part of their annual report. The Companies (Directors’ Report) and Limited Liability Partnerships (Energy and Carbon Report) Regulations 2018 stipulate that companies listed on the Stock Exchange and large companies (over 250 employees, with a turnover of £36m or more, or £18m or more on the balance sheet) in the UK must report their location-based emissions (scopes 1 and 2).

Therefore, we need to ensure that the data that is used for these reports is accurate and verified. This leads to carbon emissions auditing. As we know, carbon emissions need to be reported and calculated against the Greenhouse Gas (GHG) Protocol. These can be audited using PAS 2060, ISO 14064-1 and ISO 14064-3.

However, EU Directive 2024/825, released on 28 February 2024, prevents companies from claiming, for example, that they are carbon-neutral without supplying the full verification report, audit and publicly available data. This may make these standards a thing of the past, as companies stop making such claims. However, the data used for TCFD carbon reporting will still have to be audited through insurance and financial organisations when it is reported through annual reports. Where ISO 50001 is used to cover energy management systems, data and reductions, the internal and external audits against this standard will ensure that the data is audited using suitable methods and by trained auditors.

Moving away from the basic legal requirements, we come to voluntary standards. We are all familiar with ISO 14001 – environmental management systems. The Annex SL framework of the ISO standards makes the possibility of integrated management systems more appealing, as section 9.2 will always be internal audits, regardless of the standard being installed and audited against. This is increasingly seen as the basic requirement for environmental management.

We are starting to see more companies being approved against the B Corp certification standard from B Lab. Just like the ISO standards, this standard is available to all organisations, regardless of their size and what they are doing. B Corp certification requires changing the legal structure of a company to ensure that it includes people and planet as well as profit within its decision-making. It also requires a company to say what actions it is taking to reduce, eliminate and improve its impact on the environment and the social status of its workers and the local community. This is completed against a framework that covers Governance, Workers, Community, Environment and Customers in relation to social and environmental practices. Although there is no requirement for internal audits against the B Corp standard, the system is audited by B Lab, which can take up to 12 months as all the data input into the system needs to be independently verified.

Of course, there are other standards that have not been detailed here – as the list is long. For example, there are standards around how to generate a life cycle assessment for GHG (PAS 2050 and ISO 14044) and for sustainable finance (ISO 32210). The latter provides guidance on the application of sustainable principles in the financial sector.

In the final instalment of my series on auditing, I will discuss the value of and the challenges around auditing and will look more into how audits can help with the continual improvement section of the PDCA (plan, do, check, act) cycle.

 

Garry Warhurst AIEMA is the founder of Warhurst Associates, a consultancy supporting businesses on their compliance journeys