Most Common ISO 14001 Nonconformities
Introduction
What Common ISO 14001 Nonconformities Are Identified During 3rd Party CB Audits?
Maintaining an effective Environmental Management System (EMS) is more than meeting the minimum requirements of ISO 14001. Organizations must be able to provide evidence that their EMS is effectively implemented and maintained.
Even mature environmental management systems sometimes receive common nonconformities during Certification Body (CB) audits. Understanding these common nonconformities is one of the most practical steps an organization can take to strengthen its EMS, reduce audit findings, and improve overall environmental performance.
This article breaks down the most frequent ISO 14001 nonconformities and highlights what effective EMS programs do differently.
Internal Audit Issues
Maintaining an effective Environmental Management System requires more than maintaining required documents. CB auditors repeatedly note that many internal audits fail to assess the EMS as a system of inter-related processes. When auditors do not examine risks, process interactions, or environmental performance outcomes, they overlook the issues that later appear as CB nonconformities.
Some internal audit programs require internal auditors to use clause-by-clause checklists instead of risk-based thinking and process-approach auditing techniques. As a result, internal audits may not effectively identify weaknesses, strengths, risks, and opportunities for improvement, and 3rd Party auditors then identify and report common nonconformities.
What This Article Covers
- The most common ISO 14001 nonconformities found during 3rd Party audits
- How effective internal auditing can prevent findings during 3rd Party audits
- Practical tips for strengthening risk-based and process-focused audit skills
By understanding where organizations typically struggle, and how robust EMS programs avoid these issues, you can improve your internal audit program, reduce EMS risks, and improve the overall performance of the environmental management system.
Most Common Audit Findings Identified by Certification Body Auditors
| Clause | Clause Title | Nonconformities |
|---|---|---|
| 4.1 | Understanding the Organization & Its Context | Context not updated; missing environmental conditions; weak link to aspects or risks. |
| 4.2 | Needs & Expectations of Interested Parties | Interested parties incomplete; risks and opportunities related to external requirements not identified. |
| 4.3 | Determining Scope of EMS | Scope boundaries unclear. |
| 4.4 | EMS & its Processes | EMS Process interactions unclear. |
| 5.1 | Leadership & Commitment | Top management not demonstrating commitment and involvement. Resources not provided. |
| 5.2 | Environmental Policy | Policy does not meet ISO 14001 requirements. |
| 5.3 | Organizational Roles & Responsibilities | Responsibilities unclear; environmental roles not formally assigned; contractors excluded. |
| 6.1.1–6.1.2 | Aspects & Impacts | Aspects register incomplete; aspect rating criteria unclear; lifecycle stages missing; functions and activities not included. |
| 6.1.3 | Compliance Obligations | Register outdated; missing local, state, regional levels; methods to review changes to obligations not clear. |
| 6.1.4 | Planning to Take Action | No documented action plans for significant aspects or compliance obligations; controls not aligned with risks. |
| 6.2 | Environmental Objectives & Planning | Objectives not measurable; no action plan; objective targets missing. |
| 7.1 | Resources | Resources inadequate to meet objectives; missing environmental monitoring resources; understaffed EMS roles; training needs not defined. |
| 7.2 | Competence | Training records missing; missing training effectiveness evaluations; contractors not assessed. |
| 7.3 | Awareness | Employees unaware of environmental aspects or objectives in their areas of responsibility. |
| 7.4 | Communication | Lack of method for handling external communications; no evidence of external reporting; internal communication inconsistent. |
| 7.5 | Documented Information | Procedures outdated; missing control of revisions; uncontrolled forms; lack of retention of key environmental records. |
| 8.1 | Operational Planning & Control | Missing or ineffective controls for significant aspects; poor chemical/waste handling and storage; inadequate contractor controls. |
| 8.2 | Emergency Preparedness & Response | Emergency plans outdated; not all emergency plans tested; employees are unsure of emergency response actions. |
| 9.1.1 | Monitoring & Measurement | Missing measurement methods; incomplete calibration; monitoring of compliance obligations not effectively maintained. |
| 9.1.2 | Evaluation of Compliance | Compliance evaluation frequency not established; missing actions for findings; lack of evaluator competency. |
| 9.1.3 | Analysis & Evaluation | Lack of trend analysis; environmental performance not evaluated. |
| 9.2 | Internal Audit | Audit program objectives, risks and criteria not defined; auditor competency issues; missing audit evidence to support results. |
| 9.3 | Management Review | Inputs missing; management review frequency not established; lacking evidence of decisions/actions; environmental performance not reviewed. |
| 10.2 | Nonconformity & Corrective Action | Root cause analysis incomplete; repeat issues; corrective action not implemented or verified; unclear nonconformity statement. |
Why Do Most of These Issues Occur – Weak Internal Auditor Training
Most internal auditors are technically competent, and many are highly experienced, but they are not trained in the auditing techniques and approaches defined in the ISO 19011 (Guidelines for Auditing Management Systems) requirements, which include:
- Risk-based thinking approach to auditing
- Process-approach auditing
- Auditing EMS performance, not just documents
Without these skills, internal audits become box-checking exercises that overlook actual EMS effectiveness and performance.
Let’s explore two of the most significant competencies required to audit an environmental management system effectively.
A. Risk-Based Thinking: The Foundation of Effective EMS Auditing
ISO 14001 is built on the principle of risk-based environmental management. Internal auditors must evaluate not only whether significant environmental risk controls exist, but also whether they are effectively implemented to reduce or eliminate environmental impacts.
Internal auditors must learn to ask:
- What environmental risks are associated with this process?
- Has the organization identified these risks?
- What risk controls are implemented and how effective are the controls?
- How is EMS performance monitored and when?
- When new risks are introduced from infrastructure changes, new products, new processes, contractor activities, waste streams, or changes (material, designs, personnel, etc.), how are they evaluated and how are controls established to address environmental impacts?
Risk-based internal auditing shifts focus from:
“Does a procedure exist?”
to
“Does this process prevent environmental harm and ensure compliance?”
When process risks are not evaluated during internal audits, the effectiveness of the audit is in question.
B. Process-Approach Auditing: Beyond Documents and Checklists
Competent EMS auditors use the process approach, meaning they audit how work flows through the processes of an EMS, not just how documents or records are managed.
Instead of starting with a checklist, sound internal audit planning includes mapping or evaluating the existing process(es) of the EMS. Although many organizations use an audit checklist to ensure all requirements of ISO 14001 are audited, checklists should act as a guide for auditors and not replace process-approach auditing. Considerations for process activities include:
- Inputs (materials, chemicals, waste, data, requirements)
- Activities (planning, operations, controls, sampling, inspections)
- Outputs (waste discharged, emissions, product, records)
- Risks & environmental aspects (including processes, functions and activities)
- Required process and environmental aspect controls
- Compliance obligations (global to local)
- Monitoring & performance evaluations and data
This creates an understanding of how the process affects the EMS and its performance.
Process-approach audit questions include:
- “Walk me through how this waste is handled from point of generation to disposal.”
- “Show me what environmental aspects were identified or updated after this equipment was installed.”
- “How do you verify that this operational control is working in this process?”
- “Is there evidence of compliance for this permit condition?”
CB auditors normally use the process-approach because it reveals system effectiveness, weaknesses and strengths. Internal audits must evolve from template-driven checklist exercises to risk-based, process-approach auditing techniques to effectively audit the EMS.
How Successful EMS Programs Approach Internal Auditing Differently
Organizations that achieve successful certification audits all share the same key characteristic: management is committed to providing the necessary resources to ensure internal auditors are competent. They achieve this through effective internal auditor training that ensures auditors:
- Audit processes, not just documented information.
- Apply risk-based thinking to the audit activities.
- Verify EMS controls are effective, not just existent.
- Understand environmental regulations applicable to the organization and verify conformance.
- Evaluate the EMS as a system of inter-related processes.
- Produce findings that drive improvement, risk and cost reduction, and EMS performance effectiveness.
To achieve this level of auditor competency, organizations need to provide effective, structured training aligned with ISO 19011.
What Certification Body Auditors Pay Special Attention To
- Whether compliance obligations are actively tracked at the state and local level.
- Whether compliance evaluations are completed, whether actions are taken for compliance issues, and the frequency of evaluations.
- Internal auditors’ competencies (see ISO 19011:2018).
- Whether audit reports provide evidence of the process approach and risk-based thinking.
- Evidence that audit findings are addressed in a timely manner.
- Evidence that managers responsible for areas of audit findings are promptly notified of the nonconformity and included in the root cause analysis and corrective action process.
- Evidence showing environmental performance is improving or at least effectively controlled.
- Evidence of decisions or actions taken when environmental performance does not meet the established objectives and targets.
- Top management involvement—actual, not ceremonial.
- Whether the EMS actually prevents issues and identifies areas for improvement OR is simply a paperwork exercise.
Summary — Internal Auditors Are the EMS’s First Line of Defense
Most ISO 14001 nonconformities found during certification audits have one main root cause: “The Internal Audit Program and Audits are not effective.”
As environmental risks evolve, regulations change, and operations become more complex, the internal auditor’s role is more critical than ever. Organizations that train auditors to think in terms of risk, process flow, and system performance consistently outperform those that rely on traditional checklist auditing.
As well as addressing the internal auditors, ensure commitment by top management to providing the resources needed for competent auditing practices (training, time to conduct the audits, other management support, audit program requirements, etc.), as covered by ISO 14001 Clause 5.1.
An effective internal audit program does more than prepare an organization for a 3rd Party Certification audit; it strengthens the EMS, improves environmental performance, and reduces environmental risk.
Elcometer Education Institute – Internal Audit Solutions
For companies looking to elevate performance, confidence, and consistency of their internal audits, Elcometer Education Institute (EEI) provides a comprehensive, end-to-end solution to develop auditor competence across multiple ISO-based management systems.
Competency-Driven ISO Auditor Training
EEI courses are designed around the process approach, risk-based thinking, and evidence-driven auditing, equipping internal auditors with the skills they need to add value—not merely meet the minimum requirement. Training options include:
- Exemplar Global Certified ISO 9001, ISO 14001, ISO 45001, ISO 17025, IATF 16949, and ISO 42001 training.
- Understanding, Internal Auditor, and Lead Auditor competencies
- Delivered on-site, virtual instructor-led, or on-demand (self-study)
Auditors learn how to evaluate process inputs, outputs, risks, performance indicators, and the effectiveness of controls using practical, real-world scenarios.
EEI Courses are designed to include:
- Real life audit case studies
- Process Approach auditing training
- Root cause thinking audit techniques
- Nonconformity statement development focused on system-related issues, not symptoms
- Audit report writing with clarity and accuracy
Lead the Future with EEI Management System Auditor Training
EEI’s Exemplar Global certified courses help your organization:
- Gain recognized competency as an ISO Internal or Lead Auditor.
- Develop the skills to assess management system risks, controls, and effectiveness.






