Summary of "Sesión 2 Auditor Interno CITEmadera"
Business / management focus (what the session was about)
This session trains internal auditors on how to map ISO management system requirements—specifically ISO 9001, ISO 14001, and ISO 45001—into an auditable structure (e.g., correspondence matrix / audit routes). It then introduces an ISO 19011-based internal audit methodology, including:
- audit criteria
- roles
- audit program planning
A workshop exercise is also included to help participants identify which ISO clauses support given statements.
Core frameworks / “audit routes” / playbooks highlighted
Cross-standard clause mapping (correspondence approach)
- Begin with the ISO 9001 structure
- Add ISO 14001 discipline-specific clauses
- Add ISO 45001
- Use “shading routes” to define which clauses are audited together—i.e., clauses that are implemented and interviewed together
ISO 45001 risk & opportunity “audit route” (organizational + OSH)
Audits are organized as routes combining clause groups:
Risk & opportunity management audit route (organizational)
Audited together (parallel/interview together):
- 6.1.1 (Generalities)
- 6.1.4 (Planning actions)
Additional explicit OSH evaluation requirements (ISO 45001 only)
Split and audited as separate evaluation sub-clauses:
- 6.1.2 (Risk assessment)
- 6.1.3 (Opportunity assessment)
Combined “full route” for ISO 45001 “other risks & other opportunities”
- Audit 6.1.1 + 6.1.2 + 6.1.3 + 6.1.4
Key distinction emphasized:
- In ISO 9001 / ISO 14001, evaluation is often treated as good practice
- In ISO 45001, evaluation of “other risks and other opportunities” is explicitly required
Occupational hazard identification & OSH risk/opportunity route (light-blue route)
The mapping is evidence-heavy and built around OSH tools organizations already use:
- 6.1 (hazards → risks → opportunities → actions) logic
- 61 → hazard identification (via hazard identification matrices / “hyper matrices/registrations”)
- 6.1.2 / 6.1.3 → OSH risk assessment + OSH opportunity assessment
- 6.1.4 → action planning, especially when risk is intolerable (and controls are added)
Audit feasibility guidance:
- Can be audited in any process where hazards arise
- Audit time should be prioritized
- If time is limited (example approach): Human resources may focus first on competence/roles/awareness
- Higher-risk operational/field processes should focus first on hazard identification + risk assessment application
Clause-auditing in “where to find / where to audit” (process mapping)
The instructor repeatedly emphasizes:
- Audit clauses in the process/function where the work is done (and where documentation/records live)
Examples of “audit in parallel / together”:
- ISO 45001 legal requirements
- 6.1.3 / 6.1.4 pairing concept
- Parallel logic similar to ISO 14001: audit “identification of legal requirements” together with “planning actions” responding to them
- ISO 45001 support clauses (Chapter 7)
- 7.1 at senior management level
- 7.2 competence in the HR function or OSH training function, whichever holds training responsibility
- 7.3 awareness via the management system process (and optionally operational/support processes)
- verify effectiveness via interviews/observation
- 7.4 communications in processes/functions that manage internal/external communications
- documentation control requirements audited in the management system/document control process
Execution & control hierarchy route (ISO 45001 Chapter 8)
- 8.1 (Execution of planned activities) complements 6.1 / 6.1.4 action planning
- 8.1 + 8.1.2 (Elimination/minimization of risks to OSH) are audited together with the hazard-to-controls route because they reflect the hierarchy of controls
Change management tie-in:
- Hazard identification must remain up to date
- Audit change planning (8.1.3 concept) where change management methodology is defined
Purchases / contractors / external contracting (ISO 45001 Chapter 8.4 / similar structure)
Auditors should audit contractor-related requirements in the function that:
- selects/contracts suppliers/contractors
- manages contractor safety/controls
A specific clarification was given:
- Different contractor-related sub-clauses must be audited using the correct ISO clause number
- e.g., selection criteria vs evaluation/monitoring vs type/scope of control
Performance evaluation & improvement (ISO 45001 Chapter 9–10)
Auditing “tool-based” performance evaluation:
- 9.1 monitoring/measurement/analysis/evaluation
- In OSH, typically via:
- inspections
- performance indicators
- monitoring occupational agents
- occupational medical examinations
- 9.2 compliance assessment
- audited with legal requirements identification/planning clauses using parallel logic
- 9.3 management review
- verify inputs and confirm expected outputs
- 10.2 corrective action
- includes both:
- nonconformities
- incidents in ISO 45001 (near misses + accidents)
- reporting and investigation must occur within the responsible process/function
- 10.1 & 10.3
- audited where improvement opportunities/projects are proposed (often linked to management review)
KPIs / metrics / targets
- No numerical business KPIs (e.g., revenue, churn, CAC) appear in this excerpt
- The session focuses on process- and controls-oriented auditing, such as:
- audits
- documented information
- compliance
- effectiveness
Concrete examples / how to apply internally (actionable)
Competence vs awareness—how auditors should assess them
Competence (ISO 45001 7.2)
Assessed through documented evidence of:
- education
- training
- experience
- by job position
Audit where competency records are controlled.
Awareness (ISO 45001 7.3)
Assessed by checking mechanisms such as:
- campaigns
- contests
- workshops
- “refusal of unsafe work policy”
Verify effectiveness by:
- interviewing/observing workers in scenarios (e.g., being asked to do work at height without required harness/controls)
Key distinction:
- awareness = internalizing the management system’s importance (not the level of education/training/experience)
Workshop exercise: auditing precision rules (clause numbering)
Emphasis:
- When associating a statement to an ISO requirement, auditors must write the correct clause number
- Do not use broader headings/subtitles (e.g., not “8.1” when requirements are specifically 8.1.1 / 8.1.2)
Example provided:
- Competence statement → 7.2
- “Skills” not listed in current ISO 9001/14001/45001 competency wording (removed since the 2015 version of ISO 9001)
Remote audit feasibility and governance (ISO 19011 context coming next, but discussed here)
- Remote audits should not be selected “because it’s cheaper”
- Remote audits require a feasibility assessment to maintain audit reliability
Example adoption mentioned:
- ISO 9001 audit practice group guide (Apr 2020)
- Peruvian adoption (“Guía 123”), referenced as still usable in 2026
Internal audits (ISO 19011) — business execution mechanics
Key definitions and “audit criteria” (how internal audits are run)
Internal audit described as:
- systematic
- independent
- documented
Purpose:
- obtain objective evidence and evaluate it against the audit criteria to determine the degree to which the criteria are met
Audit criteria (3-part structure)
- The ISO standard(s) used to structure the management system (here ISO 9001 / 14001 / 45001)
- Organizational management system documents within scope (procedures, manuals, instructions)
- Applicable legal requirements within scope
Important note:
- Internal audit is sample-based, so it’s not a full compliance assessment, but legal requirements still function as an audit criterion
Objective evidence sources
- observe work performed
- interview staff
- review documentation/records
- or a combination of these
Findings
- ISO-based findings: conformity vs nonconformity
- Organizations may add categories such as observations or opportunities for improvement, but these must be clearly defined
Audit program / audit plan (planning mechanics)
- Audit program: arrangements for one or more audits over a time period and for a specific purpose (often a multi-audit schedule)
- Audit plan: details of a particular audit (not the full program)
- Audit scope: limits of what is audited (cannot exceed the management system scope)
- Audit conclusions: results after considering audit objectives and findings
Roles (who does what)
- Audit program manager
- manages the internal audit process from planning to follow-up (often system owners/management system managers)
- Audit client
- requests the audit; receives the report
- Auditee
- process/function being audited
- Also mentioned:
- audit team, auditor, technical expert, observers/guides
Audit purpose and philosophy
- Purpose: verify conformity and effectiveness (not only “detect nonconformities”)
- Framed as transparent and planned
- No concept of “unannounced internal audits” in this teaching approach
Audit principles (how auditors should behave)
Seven principles listed:
- integrity
- fair presentation
- due professional care
- confidentiality
- independence
- evidence-based approach
- risk-based approach
Risk-based approach is explicitly linked to planning through execution and follow-up.
Scheduling / governance of an audit program
Audit program refinement should consider:
- results of previous audits
- status and importance of activities
- changes affecting the organization
Example:
- expanding scope
- re-auditing specific services based on prior outcomes
Note on presenters / sources
- Subtitles refer to:
- main instructor as “Silvia”
- participant question lines include “Claudio”
- Named participants mentioned: Claudio, Paola (in chat), Silvia, Ivan, Hugo
- Standards / official sources referenced:
- ISO 9001
- ISO 14001
- ISO 45001
- ISO 19011 (2018) and future ISO 19011:2026 (final draft mentioned)
- ISO/IEC 17021 (certification audit requirements context)
- ISO/TC 176 “Remote Audits” guide referenced as Apr 2020
- Peruvian adoption guide “Guía 123” (Peru, 2020)