8.2 Internal Audit

8.2.1. Internal audit and Energy audit

Internal audit and energy audit are not the same.

Internal audit is a management system audit based on ISO 19011, defined as a systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled. It audits an organization’s processes and their interactions in relation to one or more management system standards.

Energy audit, on the other hand, is based on ISO 50002, defined as a systematic analysis of energy use and energy consumption within a defined energy audit scope, in order to identify, quantify and report on the opportunities for improved energy performance. Module 9 presents an overview of energy audits. A separate 52-hour mandatory course is required for somebody to become a DOE-Certified Energy Auditor (CEA).

The Performance Evaluation clause of ISO 50001:2018 requires organizations to conduct internal audits of the energy management system at planned intervals to provide information on whether the system:

  • Improves energy performance;
  • Conforms to the organization’s own requirement for its energy management system;
  • Conforms to the energy policy, objectives and targets; and
  • Is effectively implemented and maintained.

The organization is also required to:

  • Plan and implement audit programs;
  • Define audit criteria and scope;
  • Assign qualified auditors and conduct audits;
  • Ensure objectivity and impartiality of the audit process;
  • Ensure audit reports are reported to management;
  • Take appropriate corrective actions for improvement; and
  • Retain documented information and evidence.

8.2.2. Principles of Auditing

Auditing is a process in which an auditor gathers verifiable objective evidence and evaluates it against audit criteria. Based on the evaluation, the auditor makes a decision from which audit findings are derived.

The guidelines for auditing management systems include principles that ensure the objectivity of the process.

| Principles | Explanation |
|---|---|
| Integrity | Foundation of professionalism |
| Fair presentation | Obligation to report truthfully |
| Due professional care | Application of diligence |
| Confidentiality | Security of information |
| Risk-based approach | Considers risks and opportunities |
| Independence | Basis for impartiality |
| Evidence-based approach | Rational method for reaching reliable and repeatable conclusions |

8.2.3. Managing Audit Programs

Audit programs are “arrangements for a set of one or more audits planned for a specific timeframe and directed towards a specific purpose”.

There are three aspects to consider in managing audit programs: objectives of the audit, scope of the audit and audit criteria.

  • Objective of the audit

Audit objectives define what the audit is to accomplish, which can include, among others:

1. To identify opportunities for the improvement of the management system and its performance
2. To evaluate the capability of the auditee to determine its context
3. To evaluate the capability of the auditee to determine risks and opportunities and to identify and implement effective actions to address them
4. To conform to all relevant requirements, e.g. statutory, regulatory, codes and standards requirements and compliance commitment
5. To obtain and maintain confidence in the capability of an external provider

  • Scope of the audit

Scope of the audit defines the activities that need to be audited. This generally includes a description of the physical location or site, organizational units, activities and processes, as well as the time period covered.

  • Audit criteria

As discussed earlier, audit criteria are the set of requirements used as a reference against which objective evidence is compared. Examples of audit criteria may be: ISO 50001:2018 standard, EnMS documented information, legal requirements, codes of practice or guidelines, contracts, corporate and operational policies.

8.2.4. Conducting Management Audits

Given the audit program where the scope, objectives and audit criteria are defined, the next steps are:

  • Preparing for the audit

Initiating. This typically involves establishing contact with the auditee to determine if the audit is feasible in terms of availability of the auditees and the processes to be audited. If found feasible, the auditor proceeds to the next steps. If not feasible, the auditor sends feedback to the audit program manager for immediate resolution.

Document review. This involves gathering of information to prepare checklists and detect possible gaps. Typical areas to consider during the document review are:

1. Data: whether updated, complete, correct and consistent
2. Relevant sources of information
3. Familiarization with relevant parts of the energy management system, processes, instructions and areas to be audited
4. Priorities – what is important to management
5. Data analysis:
   – Do analyses meet with the requirements of the standard?
   – Do opportunities align with the objectives, targets and action plans?
6. Previous internal audits (if any): previous nonconformities, corrective actions and follow-ups
7. Any changes to work activities and control
8. Preliminary visit, if needed.

Checklist. This is a document created during the preparation phase. It is basically a list of questions the auditor plans to ask the auditee. Its main uses are to:

  • Keep the audit objectives clear
  • Provide evidence of audit planning
  • Maintain the audit pace and continuity
  • Reduce work load during the audit
  • Reduce risk of auditor bias

It should be noted, however, that while checklists are useful, they lose effectiveness when used purely as tick-sheets or questionnaires because this restricts the extent of audit activities.

Audit sampling. This is a technique the auditor uses when it is not practical to examine all the evidence available during the audit. The objective of audit sampling is to provide information for the auditor to have confidence that the audit objectives will be achieved. The minimum sampling requirement is computed using the formula:

Sample size (s) = square root (√) of total sample size (S)

Create audit plan. This is a description of the activities and arrangements for the audit prepared by the auditor based on the information gathered from the preparatory steps. This document facilitates the effective scheduling and coordination of audit activities to achieve the audit objectives. An audit plan should include the following:

  • Audit objectives
  • Audit scope
  • Audit criteria
  • Locations and activities to be audited, including audit date, time and duration
  • Audit methods
  • Roles and responsibilities
  • Resources needed (e.g. guides, interpreter, gadgets, PPE, etc.)

  • Opening meeting

An opening meeting communicates that the audit is being conducted and explains the nature of the audit. Its purpose is to confirm agreement to the audit plan and ensure that all the audit activities can be performed. Other areas covered in the opening meeting are:

  • Overview of the audit process
  • Confirmation of the status of the energy management system documentation
  • Confirmation of the time and date of audit activities
  • Any clarifications
  • Need of a guide

Opening meetings should be attended by the auditee’s management and those responsible for the functions or process to be audited.

  • Collecting, verifying and documenting audit evidence

The onsite audit is focused on collecting, verifying and documenting audit evidence from the energy management process and the energy performance improvements. While conducting the audit, relevant documented information is reviewed to determine conformity to the processes and with audit criteria, and information is gathered to support audit activities.

Only information relevant to the audit objectives, scope and criteria should be collected by the auditor, and only information that is verifiable is accepted as audit evidence. It is important to record all audit evidence.

Information must always be clear, retrievable and traceable to its origin. Taking notes is useful because an auditor can go back to them in instances when accuracy is challenged.

  • Generating audit findings

After all evidence is gathered, the auditor is ready to generate findings. This is done by evaluating the audit evidence against the audit criteria, resulting in either conformities or nonconformities. As defined earlier, nonconformity is non-fulfillment of a requirement. It is good to always be reminded that auditing is not looking for nonconformities but for conformance to audit criteria.

There are instances when the auditor cannot easily determine whether a nonconformity exists. The general rule is: when in doubt, raise the issue as a concern. The team will be able to address such concerns by gathering more audit evidence or seeking more clarification.

It can be recalled that energy management systems require demonstration of improvement both in the energy management system (EnMS) and energy performance (EnP). It follows that the internal audits should also assess both EnMS and EnP to determine if it is achieving its intended outcomes.

  • Documenting nonconformities

Nonconformity statements are the focus of the audit result. These are presented to the auditee and its management team during the closing meeting. Nonconformity statements are written with 3 main elements: requirement, evidence and discrepancy.

Requirement. This is basically the audit criteria which can be the organization’s own requirement, a standard or code, a legal requirement or a stakeholder requirement.

Evidence. This refers to the data gathered as audit evidence according to the objectives, scope and criteria defined in the planning stage.

Discrepancy. This refers to the gap between the requirement (criteria) and the audit evidence.

A nonconformity statement form would look like the following:

The trick to an effective nonconformity statement is accuracy, brevity and clarity.

  • Audit conclusion

After carefully reviewing all the audit findings coming from the nonconformity statements, the auditor determines the audit conclusions based on the audit objectives. Audit conclusions address the following:

  • The extent of conformity with the audit criteria
  • Effective implementation, maintenance and improvement of the energy management system
  • Achievement of audit objectives and scope
  • Opportunities for improvement

Content of audit conclusions should address issues important to management such as identification of risks and effectiveness of actions taken by the auditee to address risks.

  • Closing meeting

Closing meetings are conducted to present the audit findings and conclusions. If possible, participants in the opening meeting should also be present in the closing meeting, including the management of the auditee and the persons responsible for the processes or areas that have been audited.

It is in the closing meeting where the timeframe for an action plan to address audit findings is agreed. There is also a need to agree on the timeframe for the preparation of the audit report and the people to whom the reports will be sent. The following is the typical agenda of an internal audit closing meeting:

  • Attendees
  • Extending thanks
  • Reconfirming confidentiality
  • Objectives, scope, criteria
  • Limitations e.g. sampling
  • Summary of findings, nonconformities and good points encountered
  • Agreement and addressing opinions
  • Action plan timeframes
  • Audit report timeframe and distribution
  • Clarifications, if any
  • Closure

8.2.5. Evaluating Competence of Auditors

Auditing is a job that needs specific competence in terms of knowledge, skills and attitude. In order to be effective, an auditor needs to possess knowledge and skills in both energy management and management systems.

Management systems competence
– Management system and reference documents
– Organizational context and situations
– Organizational processes
– Laws, regulations, and other requirements
– Audit principles, procedures and techniques

Energy management competence
– Energy-specific terminologies, energy units and conversions
– Energy data measurements and analysis
– Energy management techniques and their application
– Energy audit, energy monitoring and targeting techniques
– Opportunities to improve performance

Aside from the knowledge and skills required for auditing, the auditor also needs to possess some personal attributes to be successful. ISO 19011:2014 – The Guideline for Auditing Management Systems enumerates the behavior of competent and qualified auditors as:

  • Ethical,
  • Open-minded,
  • Diplomatic,
  • Observant,
  • Perceptive,
  • Versatile,
  • Tenacious,
  • Decisive,
  • Self-reliant,
  • Acting with fortitude,
  • Open to improvement,
  • Culturally sensitive, and
  • Collaborative.