Chapter 6: Audit Program

Internal audits represent the single largest ongoing cost most manufacturers face after initial ISO certification. They're also the most visible indicator—to registrars, to your audit committee, and to your own operations team—of whether your IMS is truly integrated or just a filing cabinet of separate certifications.

Here's the reality: a manufacturer running three separate annual audit programs is performing the same walk-through three times, asking different questions of the same production supervisors about the same processes.

Your production scheduling team gets audited separately on how they meet delivery commitments (ISO 9001), on whether they've considered environmental impacts in scheduling (ISO 14001), and on how production scheduling affects shift safety and fatigue (ISO 45001). That's three audits of the same process in one year. An integrated audit program does this once, raising the bar on each question.

The financial impact alone justifies the transformation. Here's what we typically see in a 200-person Canadian plant:

• Separate program: Three audit schedules, three audit teams, three reporting cycles, three registrar surveillance audits per year = 240–300 audit-days plus external audit support costs of $12,000–$18,000 annually
• Integrated program: One audit schedule, cross-trained auditor pool, single reporting and corrective action cycle, one combined registrar audit per year = 120–150 audit-days plus external audit costs of $9,000–$12,000 annually
• Net savings: 120–150 audit-days internally (approximately $35,000–$50,000 in labor at a loaded cost of $300/hour) plus $3,000–$6,000 in external audit fees

That's real money. But the efficiency isn't the main reason registrars care about your integrated audit program.

Major registrars now assess your IMS maturity by looking directly at your audit program structure. If your internal audits still run as three separate streams—separate checklists, separate audit teams, separate reports filed by department—a combined surveillance audit will expose what's called "certification fragmentation."

Your quality team passes their ISO 9001 audit, your environmental coordinator passes her ISO 14001 audit, and your safety manager passes her ISO 45001 audit. But when the registrar's combined audit team sits down with your process owners and asks how these standards interact in your purchasing process, your accounts payable procedures, or your production planning, the gaps become visible immediately.

An integrated audit program is your proof that these standards operate as one system. It's also your best preparation for a combined registrar audit.

The core principle of an integrated audit schedule is simple but powerful: map your audit universe by process, not by standard.

Most manufacturers starting an IMS keep their audit schedules organized by ISO standard (Quality, Environment, Safety) and by function (Production, Finance, Warehouse). This creates overlap and missed connections. An integrated schedule is organized around your actual business processes: Order-to-Cash, Plan-to-Produce, Procure-to-Pay, Manage Assets, Develop & Manage Resources, and Manage Risk.

Here's how this works in practice. Take your purchasing process as an example:

• Under ISO 9001, you need to audit supplier evaluation criteria, purchase order controls, incoming material inspection, and records management
• Under ISO 14001, you need to verify that environmental requirements (packaging, transportation emissions, hazardous materials) are included in supplier contracts and evaluated during supplier audits
• Under ISO 45001, you need to confirm that safety hazards associated with purchased items (e.g., contractor equipment safety, hazmat handling) are assessed before purchase and communicated in procurement documents

A traditional three-standard audit program conducts three separate audits of the purchasing department in a year. An integrated program audits purchasing once, with a single audit team asking all three sets of questions in one structured session. The purchasing manager explains his supplier scorecard once. The environmental requirements discussion ties directly to the quality requirements discussion. The safety hazards review connects to both.

The result: deeper audit insight, fewer repeated conversations, and a unified corrective action process that naturally drives integrated improvement.

Building your 12-month integrated audit schedule requires four steps:

Step 1: Process Mapping and Risk Ranking

List all your primary business processes—the ones that directly produce products or services—and all your support processes (Finance, HR, IT, Facilities). For each process, assess the number of ISO 9001, 14001, and 45001 clauses that apply.

For a 200-person Canadian manufacturer, you typically have 8–12 primary processes and 6–8 support processes. A process like "Design and Development" might be heavy on ISO 9001 and ISO 14001 (design for environmental compliance) but lighter on ISO 45001. Production and Warehousing are heavy on all three standards. Finance is heavy on ISO 9001 (records, data security) and ISO 14001 (waste tracking, chemical management if applicable) but lighter on ISO 45001 unless you have isolated hazards like forklift operation or chemical handling.

Step 2: Audit Frequency and Calendar Distribution

ISO 9001, 14001, and 45001 all require that you conduct internal audits with frequency such that all processes are audited at least once every 12 months. Most plants aim to audit critical processes twice per year, significant processes once per year, and minor support processes once per two years.

For a 200-person manufacturer, plan for 8–10 integrated audit events per year, scheduled roughly one per 4–6 weeks. This gives you breathing room between audits, prevents audit fatigue, and allows time for corrective action follow-up before the next audit cycle.

Step 3: Coverage Matrix

Create a matrix (spreadsheet or table) that maps each of your planned 8–10 audit events to the ISO 9001, 14001, and 45001 clauses they cover. This is your proof—to your auditor, to your management team, and to yourself—that you're hitting all three standards systematically.

Here's a simplified example for a 200-person metal fabricator:

This matrix becomes your audit schedule's backbone. It ensures that every standard clause is covered at least once per 12 months (ideally once per certification cycle, which is typically 36 months). When your management team asks, "Are we covering all three standards evenly?" you have a visible answer. When a registrar asks the same question during a surveillance audit, you have documentation.

Step 4: Auditor Assignment and Resource Planning

Once your schedule is set, assign auditors to events based on their multi-standard competency. This is covered in the next section, but the principle here is straightforward: each audit event should have at least one lead auditor who is qualified in all three standards, supported by process specialists as needed.

An integrated audit program requires a different auditor profile than most Canadian manufacturers have developed. Your current quality internal auditors are likely ISO 9001 certified. Your environmental coordinator may have attended a one-day ISO 14001 overview. Your safety manager holds an OHSAS 18001 background (now ISO 45001). None of them is likely equipped to conduct a true integrated audit—one where environmental and safety questions are asked not as separate topics but as integral parts of quality, purchasing, production, and resource management.

The good news: cross-training existing staff is faster, cheaper, and more effective than hiring three separate EHS specialists.

The Auditor Qualification Path

Internal auditor qualification in an IMS environment typically follows this sequence:

1. Individual ISO 9001 Lead Auditor Certification (3–5 days, $2,000–$3,500)

   - Most of your existing internal auditors already hold this through providers like RABQSA-accredited training bodies across Canada - If not, your first step is getting ISO 9001 lead auditor training with a Canadian provider like TQCSI or similar

2. Integrated ISO 9001/14001/45001 Multi-Standard Internal Auditor Course (3–5 days, $2,500–$4,000)

   - This is the critical investment for your core audit team - Look specifically for courses marketed as "integrated" or "combined" auditing—not three separate 2-day courses - Providers include RABQSA-accredited training bodies across Ontario, Quebec, BC, and Alberta - The course should cover not just the technical requirements of each standard, but how they interact: how environmental impacts connect to quality planning, how hazard identification connects to operational controls, how competency requirements overlap across all three standards

3. On-the-Job Competency Verification

- After training, have trainees co-audit with your most experienced auditor on 2–3 integrated audit events before leading independently - Document their competency assessment based on their ability to identify non-conformances across all three standards, ask contextual questions that reveal integration gaps, and write unified findings

Typical Auditor Qualification Timeline

For a 200-person manufacturer planning to run 8–10 integrated audits per year, you need 3–4 fully qualified internal auditors plus 2–3 developing auditors. Here's a realistic timeline:

• Months 1–2: Your most experienced quality internal auditor completes ISO 9001/14001/45001 integrated training (1 person, 5 days in-person or online)
• Months 2–4: This lead auditor co-leads three audit events with your current quality and EHS teams, coaching them on integrated audit technique
• Months 4–6: Your second-most-experienced quality auditor and one EHS staff member complete integrated training (2 people, 5 days each)
• Months 6–9: These two new multi-standard auditors co-lead audits with the first auditor, building competency
• Month 9 onward: You have 3 qualified integrated internal auditors; begin running 8–10 fully integrated audits per year with confidence

Cost-Benefit of Internal Auditor Cross-Training

In a Canadian manufacturing setting, the cost of external audit support for ISO 14001 or ISO 45001 can be likened to the annual expenditure on workplace safety equipment or employee training programs, with a 200-person facility incurring $8,000 to $15,000 in yearly audit costs, which translates to $40 to $75 per employee, reflecting the expense of bringing in specialized consultants at $150–$250 per hour, plus travel expenses, to address specific gaps in internal audit capabilities.

Cross-training three of your existing staff in integrated auditing costs roughly $12,000–$16,000 total (3 people × $4,000–$5,500 per course). This pays back within 12–18 months through reduced external audit support, and the benefit compounds year after year.

Key Consideration: Ensure that your integrated auditor training provider includes a Canadian component or uses Canadian manufacturing case studies. Generic international training doesn't translate well to Canadian regulatory context—your auditors need to understand how CSA (Canadian Standards Association), provincial labor codes, and Canadian environmental regulations interact with ISO 14001 and ISO 45001 requirements.

Trainers should reference Canadian examples: how a Quebec manufacturer handles CNESST requirements in conjunction with ISO 45001, how BC environmental regulations affect ISO 14001 implementation, how Ontario's Occupational Health and Safety Act ties into ISO 45001 audit scope.

Once you've designed and executed an integrated internal audit program, you're ready to leverage the same integration with your certification body—your registrar. And here's where the real efficiency gains compound: a combined registrar audit takes 20–30% fewer days than three separate audits, reducing your certification fees and signaling to stakeholders that your IMS is genuinely unified.

The Combined Audit Advantage

Major Canadian registrars—BSI Canada, Bureau Veritas, SGS Canada, DNV, and TÜV Rheinland Canada—all offer combined audit programs for manufacturers holding simultaneous ISO 9001, 14001, and 45001 certifications. The combined approach works exactly like your integrated internal audits: one audit team, one on-site visit, unified findings and corrective action tracking.

The time savings are significant:

• Three separate annual surveillance audits: 8–12 audit-days per year (typically 3–4 days per standard surveillance at a 200-person plant) plus 2–3 separate opening and closing meetings
• One combined annual surveillance audit: 6–8 audit-days per year, one opening meeting, one closing meeting, integrated audit findings

Over a three-year certification cycle (initial audit plus 2–3 surveillance audits), the combined approach saves 6–10 audit-days, which translates to $9,000–$18,000 in reduced certification fees at typical Canadian rates of $1,500–$2,000 per audit-day.

Selecting and Coordinating with Your Registrar

If you're still deciding which registrar to use for your IMS, prioritize those with demonstrated integrated audit experience. When you request quotes from certification bodies, explicitly ask:

• Do you offer combined ISO 9001/14001/45001 audits, or do you run three separate audits?
• What is the time and cost difference for a combined audit versus three separate audits?
• Do you have auditors holding lead auditor credentials in all three standards, or would your audit team consist of three separate specialists?

Scheduling the Combined Audit (90 Days in Advance)

Once you've selected your registrar and your integrated internal audit program is running smoothly (aim for at least 2–3 complete integrated audit cycles before your first combined registrar audit), formally request a combined audit. Here's the process:

1. Notify your registrar 90 days before your planned audit date (typically your annual surveillance month, or your recertification month in year three)

   - Send an email to your audit coordinator stating clearly: "We are requesting a combined ISO 9001/14001/45001 surveillance audit [or initial audit] scheduled for [month/year]" - Attach your integrated internal audit schedule and coverage matrix (from the previous section) showing how your internal audits cover all three standards

2. Request a combined audit team

   - Ask for a lead auditor holding ISO 9001 lead auditor credentials plus demonstrated competency in both ISO 14001 and ISO 45001 (not three separate auditors) - Request 1–2 technical specialists as backup if your facility has complex environmental or safety hazards, but structure the team so they support the lead auditor, not replace his multi-standard authority

3. Provide detailed audit scope in writing (60 days before)

   - Send the registrar a document listing all your operational processes, production locations, and any outsourced processes (e.g., heat treatment, coating, testing) - Include your integrated audit schedule and internal audit findings from the past 12 months—this helps the registrar understand your risk profile and focus combined audit on high-impact areas - Specify any Canadian regulatory changes or enforcement actions relevant to your facility (e.g., recent provincial labor ministry inspection, environmental compliance order)

4. Conduct the opening meeting with unified scope

   - The opening meeting should frame the audit as one integrated event with three standard components, not three separate audits - Have your quality manager, environmental coordinator, and safety manager present together, demonstrating integrated ownership - Walkthrough your IMS documentation and explain how ISO 9001, 14001, and 45001 integrate at the process level (not just the policy level)

5. Support integrated evidence gathering during the audit

   - When the audit team asks to review purchasing records, have one person present who can discuss quality requirements, environmental requirements, and safety considerations of the same purchase - When reviewing production records, have the process owner ready to explain quality KPIs, environmental compliance, and safety metrics from one unified dataset - If the audit team splits up (lead auditor on production floor, technical specialist in the office), ensure they're following the same integrated audit plan—not three separate plans executed in parallel

6. Unify corrective actions in closing

- Request that all non-conformances and observations be tracked in a single corrective action log with cross-references to all applicable ISO standards - Don't accept separate ISO 9001, 14001, and 45001 corrective action registers—this indicates your IMS is still fragmented

Timing: The Integrated Audit Calendar

Here's how a mature integrated IMS fits into an annual calendar for a 200-person Canadian manufacturer:

• Months 1–11: Run 8–10 internal integrated audits (roughly one per 4–6 weeks)
• Month 11: Compile internal audit findings into a unified management review input (not separate QMS, EMS, OHSMS reports)
• Month 12: Conduct combined registrar surveillance audit (or recertification audit in year three)
• Follow-up: Track and close all registrar non-conformances through your unified corrective action system

This creates a clean, visible audit cadence that demonstrates to your board, your employees, and your customers that your IMS is one system with three regulatory components, not three separate systems with shared paperwork.

IMS Costs, Timelines, and ROI: What Canadian Manufacturers Should Budget in 2026

If you're running separate ISO 9001, 14001, and 45001 systems across your Canadian manufacturing plant, you're bleeding money every month—and most plant directors don't realize how much until they sit down to do the math. The real cost isn't just the three registrar invoices arriving in your inbox each year. It's the duplicate documentation, the triple-layered internal audits, the management review meetings scheduled in three separate windows, and the 15–25% of your quality manager's time spent on administrative busy-work instead of driving operational improvements.

By 2026, the business case for integrating these systems has never been clearer, and the cost-benefit analysis is compelling enough to move integration from "nice to have" to "necessary" for most mid-sized Canadian manufacturers.

This chapter walks you through the real numbers: what separate systems actually cost, what you should budget for an integrated management system (IMS) implementation, what timeline to expect, and how to calculate realistic ROI for your operation. We're not dealing in vague percentages or generic benchmarks—these are numbers grounded in the Canadian market, based on registrar pricing, labour costs in your region, and the specific challenges Canadian manufacturers face when consolidating across multiple ISO standards.