How to Audit an Integrated Management System

CertBetter

Team CertBetter

What Makes an IMS Audit Different From a Single-Standard Audit

If you have already been through an ISO 9001 or ISO 45001 audit on its own, auditing an Integrated Management System feels like a different beast entirely. You are not just checking one set of requirements against one process. You are looking at how quality, safety, environmental, and sometimes information security obligations all interact within the same business, at the same time, through the same people and processes.

The good news is that an IMS audit is not twice the work. Done properly, it is actually more efficient than running separate audits for each standard. The common structure across ISO standards, particularly the High Level Structure (HLS) that underpins ISO 9001, ISO 14001, ISO 45001, and others, means that large portions of your audit overlap naturally. Context of the organisation, leadership, planning, support, performance evaluation, and improvement all share the same framework.

But that shared structure can also create a false sense of security. Auditors who are not careful can end up doing a surface-level check across all three standards without going deep enough on any of them. This article walks you through how to conduct an IMS audit properly, whether you are an internal auditor preparing for your annual programme or a business owner trying to understand what your certification auditor should actually be doing.

If you want a solid grounding in what an IMS actually is before diving into the audit process, the article on Integrated Management Systems explained from an auditor's perspective is a good starting point.

Step One: Plan the Audit Around the Integration, Not the Standards

Most internal auditors make the mistake of planning their IMS audit as three separate audits bundled together. They create a schedule that says Monday is quality, Tuesday is environment, Wednesday is safety. This approach misses the entire point of integration.

When you plan an IMS audit, your starting point should be your business processes, not the clause numbers. Ask yourself which processes in your organisation carry obligations across more than one standard. For most businesses, that list includes:

  • Procurement and supplier management (quality, environment, and safety all have supplier requirements)
  • Incident and nonconformance management (all three standards require you to investigate, correct, and learn from failures)
  • Training and competence (every standard requires demonstrated competence for roles that affect conformance)
  • Document and records control (a shared requirement across all standards)
  • Internal audit and management review (common to all standards under the HLS)
  • Objectives and performance monitoring (each standard has its own objectives but the monitoring mechanism is shared)

Build your audit plan around these shared processes first. When you sit down with the procurement manager, you should be asking questions that cover quality supplier approval, environmental requirements for materials, and safety pre-qualification in a single conversation. That is real integration, and it is far more revealing than ticking boxes under each standard separately.

Step Two: Build a Cross-Reference Matrix Before You Start

Before you set foot in any process area, build a simple cross-reference matrix. This is a table that maps each clause from each standard to the relevant process, procedure, or documented information in your system. It does not need to be elaborate. A spreadsheet with columns for clause number, standard, process owner, relevant document, and last audit date is enough.

This matrix serves two purposes. First, it ensures you do not accidentally skip a clause because you assumed it was covered somewhere else. Second, it helps you identify genuine gaps in your integration. If ISO 14001 Clause 8.1 (operational planning and control) is mapped to your production process but ISO 45001 Clause 8.1 has no corresponding control documented, that is a red flag before the audit even begins.

The matrix also helps you allocate audit time sensibly. Processes with obligations under all three standards deserve more audit time than processes that only touch one. A manufacturing line that generates waste, involves hazardous chemicals, and produces product to customer specification sits at the intersection of all three standards. A purely administrative function might only be relevant to quality and information security.

Step Three: Prepare Your Audit Questions for Integrated Processes

Good IMS audit questions are process-focused rather than clause-focused. Instead of asking “Can you show me your environmental aspect register?” and then separately asking “Can you show me your hazard register?”, a well-integrated audit question might be: “When you introduced this new chemical to the process last year, what was your process for assessing the environmental impact and the safety risks at the same time, and who was involved?”

That single question tests ISO 14001 Clause 6.1.2 (environmental aspects), ISO 45001 Clause 6.1.2 (hazard identification), and potentially ISO 9001 Clause 8.4 (control of externally provided processes) if the chemical is a purchased input. You get three clauses of evidence from one conversation.

Prepare a bank of these integrated questions before your audit. Focus on scenarios and changes, because change is where integrated systems most commonly fail. When something changes in your business, whether it is a new product, a new site, a new supplier, or a new piece of equipment, the IMS should trigger a coordinated review across all relevant standards. If it does not, you will find nonconformances.

Step Four: Conduct the Audit in Process Order, Not Clause Order

The audit itself should follow your processes from end to end. A typical IMS audit for a manufacturing or service business might flow like this:

  1. Start with context and leadership. Review your IMS policy, objectives, and scope. Check that leadership commitment is evident across all three standards, not just quality. Ask the senior manager you interview what the top environmental risks are, not just the quality risks.
  2. Move to planning. Review your risk and opportunity register. Is it genuinely integrated, or are you maintaining three separate risk registers that nobody cross-references? Check that your legal compliance register covers WHS legislation, environmental licences, and quality-related regulatory requirements in one place.
  3. Audit operational processes. This is where you spend most of your time. Follow a product or service from customer order through to delivery. At each step, ask about quality controls, environmental considerations, and safety controls simultaneously.
  4. Check support processes. Competence, training, communication, and document control. These are often where IMS audits find the most nonconformances, because organisations set up their systems for one standard and forget to extend the requirements to the others.
  5. Review performance evaluation. Look at your internal audit programme, management review records, and KPIs. Are environmental and safety performance data being reviewed at management review alongside quality data? Or are they being reviewed in separate meetings that never talk to each other?
  6. Close with improvement. Review your corrective action register. Check whether nonconformances raised under one standard are being assessed for their impact on the others.

For a detailed look at how internal audits should be structured to actually find real problems rather than just confirm what you already know, the article on how to run ISO internal audits that actually find problems covers this well.

Common Nonconformances Found in IMS Audits

Across years of auditing integrated systems, certain nonconformances come up repeatedly. Knowing them in advance helps you audit more effectively and helps businesses prepare more honestly.

Siloed Objectives

Each standard requires the organisation to set objectives. In many businesses, the quality team sets quality objectives, the safety team sets safety objectives, and the environment team sets environmental objectives, and none of them know what the others are measuring. The IMS requires these to be coherent and mutually supportive. An organisation that has a quality objective to increase production speed but no corresponding safety review of whether that speed increase creates new hazards has a genuine integration failure.

Incomplete Legal Compliance Registers

ISO 14001 and ISO 45001 both require you to identify and comply with applicable legal and other requirements. Many organisations maintain a WHS compliance register and a separate environmental compliance register, but neither is complete and neither is reviewed regularly. The IMS audit should test whether these registers are current, whether compliance is being evaluated, and whether the results are being reported to management.

Competence Records That Only Cover One Standard

A worker operating a piece of equipment might have quality-related competence records showing they have been trained on the work instruction. But do those records also demonstrate competence in the environmental controls for that process, such as waste segregation or spill response? And do they show WHS induction and task-specific safety training? Incomplete competence records are one of the most common findings in IMS audits.

Management Review That Is Not Truly Integrated

The management review is supposed to be the moment where leadership looks at the whole system and makes decisions about its continued suitability and effectiveness. In practice, many organisations hold three separate management reviews, or hold one meeting where quality gets forty-five minutes and environment gets five minutes at the end. A properly integrated management review covers all standards with equal rigour and produces documented outputs that address the system as a whole.

Internal Audit Programmes That Miss Integration

If your internal audit programme schedules separate audits for each standard, conducted by different auditors who never compare notes, you are not auditing an integrated system. You are auditing three separate systems that happen to share a name. The audit programme itself should be designed to test integration, not just compliance with individual standards.

How to Write Up Findings From an IMS Audit

Writing findings for an IMS audit requires care. When you identify a nonconformance, you need to clearly state which standard or standards are affected. A finding that a corrective action was not completed within the agreed timeframe might be a nonconformance against ISO 9001 Clause 10.2, ISO 14001 Clause 10.2, and ISO 45001 Clause 10.2 simultaneously. You do not need to write three separate nonconformances for what is essentially one system failure, but you do need to make clear which requirements have not been met.

Your findings should also reflect the integrated nature of the system. If the root cause of a nonconformance is that the organisation treats its management systems as separate entities, say that clearly. The corrective action should address the integration failure, not just the surface symptom.

For a clear explanation of the difference between observations and nonconformances in an audit context, the article on what it means when an auditor raises an observation versus a nonconformance is worth reading before you write your report.

Using ISO 19011 as Your Auditing Framework

ISO 19011 is the international standard for auditing management systems, and it applies directly to IMS audits. It covers the principles of auditing, the management of an audit programme, and the competence requirements for auditors. If you are conducting IMS audits internally, your auditors need to be competent across all the standards covered by your system. An internal auditor who only knows ISO 9001 cannot conduct a credible IMS audit that also covers ISO 14001 and ISO 45001.

ISO 19011:2018 provides the internationally recognised guidelines for auditing management systems, including guidance on auditing combined or integrated systems. It is worth having a copy and using it as the basis for your audit programme design.

For a beginner-friendly overview of what ISO 19011 covers and how it applies to your audit programme, the beginner's guide to ISO 19011 and effective auditing of management systems is a useful reference.

Preparing for a Certification Audit of Your IMS

If you are preparing for an external certification audit of your integrated system, the preparation process is similar to what you would do for a single-standard audit, but with additional focus on demonstrating that the integration is genuine and functional. Your certification body auditor will be looking for evidence that your system operates as one system, not three systems with a shared cover page.

Key things to have ready before your certification auditor arrives include a single IMS manual or equivalent documented scope that references all standards, an integrated audit programme with records showing it has been executed, a management review that covers all standards, a combined objectives register with evidence of monitoring, and a corrective action register that captures nonconformances regardless of which standard triggered them.

If you are still in the process of selecting a certification body for your IMS, it is worth checking that the body you choose is accredited to certify all the standards in your system. Not all certification bodies hold accreditation for every standard. The article on how to select the best ISO certification body includes a checklist that covers this point.

A Practical Note on Auditor Competence

One of the most important and often overlooked aspects of an IMS audit is the competence of the auditor. For a certification audit of a system covering ISO 9001, ISO 14001, and ISO 45001, the certification body should either assign a single auditor who holds lead auditor qualifications in all three standards, or assemble an audit team whose combined competence covers all three. It is entirely reasonable to ask your certification body to confirm this before the audit begins.

For internal audits, the same principle applies. If your internal auditor is a quality professional with no environmental or safety background, their IMS audit will have blind spots. Either invest in cross-training your internal auditors or use a team approach where different team members cover different standards but audit together so that integration can be assessed.

Getting Help With Your IMS Audit

Auditing an integrated management system well is a skill that takes time to develop. Many businesses find that their internal audit programme is technically compliant but practically ineffective because auditors are not asking the right questions or are not looking at the system as a whole.

If you are finding that your IMS audits keep coming up clean but your certification audits keep raising findings, that is a sign your internal audit approach needs to change. It might mean bringing in an external consultant to conduct an independent pre-certification review, or to coach your internal auditors on how to audit integration specifically.

If you are looking for experienced IMS auditors or consultants who can help you prepare for or conduct an integrated management system audit, CertBetter connects businesses with verified ISO consultants and accredited certification bodies. You submit one form and receive up to three competing quotes from providers who have been vetted for experience and accreditation. The service is free for businesses seeking help, and it is a practical way to find someone with genuine IMS auditing competence rather than guessing from a website.

Frequently Asked Questions

Yes, provided the auditor holds the relevant qualifications and experience across all standards covered by the IMS. For a system covering ISO 9001, ISO 14001, and ISO 45001, the auditor should ideally hold lead auditor certification in each. If a single auditor does not cover all three, the certification body should assign an audit team whose combined competence addresses every standard. It is reasonable to ask your certification body to confirm auditor qualifications before the audit begins.

An integrated audit of a combined system typically takes less time than three separate audits conducted independently, because the shared elements such as context, leadership, planning, support, and improvement only need to be audited once. The time saving depends on how genuinely integrated the system is. A well-integrated system can reduce total audit duration by twenty to thirty percent compared to three standalone audits. A poorly integrated system that is essentially three separate systems will not generate the same efficiency.

The most common mistake is treating the IMS audit as three separate audits bundled together, rather than as a single audit of one integrated system. This shows up in how businesses prepare their documents, how they brief staff, and how they respond to auditor questions. Businesses that prepare well focus on demonstrating that their processes, people, and records work together across all standards, rather than presenting separate evidence packs for each standard.

No. It is possible to be certified to some standards and not others within an integrated system. Many organisations build an IMS that covers multiple standards but pursue certification progressively, starting with ISO 9001 and adding ISO 14001 and ISO 45001 over time. However, if you want to benefit from a combined certification audit, all standards in scope need to be ready for certification at the same time. Your certification body can advise on the best sequencing for your situation.

When a nonconformance affects more than one standard, it is best practice to raise a single corrective action that references all affected standards, rather than creating separate corrective actions for each. The root cause analysis and corrective action should address the underlying system failure that caused the nonconformance, which is usually a failure of integration rather than a failure specific to one standard. Your corrective action register should clearly note which standards are affected so that the resolution can be verified against all of them.

No. The requirement for auditor independence means that internal auditors cannot audit their own work. This is a requirement under ISO 19011 and is reflected in the requirements of ISO 9001, ISO 14001, and ISO 45001. In small organisations where one person manages the whole IMS, this can be a genuine challenge. The solution is usually to either bring in an external auditor for the internal audit, use a cross-functional team where different people audit different areas, or engage a consultant to conduct the internal audit on your behalf.

Dilawar Laghari

Hi! I am Dilawar Laghari, founder of CertBetter.

I created CertBetter to help anyone compare ISO certification providers for free.
