A recap of Saladin Consulting’s webinar – Are Your Systems Truly Integrated? A Practical Look at IMS Audits

Integrated Management System Audits: What Genuine Integration Actually Looks Like

Most organisations have ISO 9001, ISO 14001, and ISO 45001. Very few have an Integrated Management System.

That was the central provocation behind Saladin Consulting’s second webinar in its HSEQ practitioner series, and by the end of ninety minutes, it was clear the distinction matters more than most organisations realise.

The session brought together Inkutatash Seid, Founder and CEO of Synergy Corp and a certified ISO lead auditor with over a decade of implementation experience across Ethiopia and East Africa, and Musa Wesutsa, Director at Saladin Consulting and a serial entrepreneur known for technology-driven approaches to risk management. The conversation was facilitated by Hilda Njeru, General Manager at Saladin Consulting.

Integrated Management System Audits: What Genuine Integration Actually Looks Like

Here is what they said, and what every HSEQ practitioner in the room needed to hear.

The IMS Problem Is Organisational, Not Technical

The first thing Musa said reframed the entire conversation.

When organisations end up with siloed management systems despite claiming integration, the problem is almost never the standards. It is the organisation itself.

“Integration becomes a challenge because you’re looking at there’s an existing department called safety. They run the safety side. There’s an existing department for environmental issues. They run the environmental side. There’s an existing department for quality. Because the organisation itself is structured that way, when they try to pull in the management systems, the management systems have no choice but to follow that structure.”

In other words: your IMS mirrors your culture. If your organisation operates in silos, your management system will too. The standards did not create the problem. They made it visible.

Inkutatash clarified what genuine integration requires: “An integrated management system means one management system. It is not three or four systems talking to each other during an audit or during document control or during management review. It is one management system that cuts across different aspects.”

What Auditors Look for Before They Ask a Single Question

Both speakers were asked to name the things they check first when auditing an IMS, the signals that tell them immediately whether integration is real or cosmetic.

Documentation was the first answer from both. Independently.

Inkutatash described a running joke among auditors: “We have a professional hazard. Whenever we go somewhere, even personal things, a hotel maybe, and we see one documentation, we judge. These guys do not have a system.”

The audit, she said, begins at the gate. The form you sign when you enter the premises. The way documents are handled. Whether what is visible in the physical environment matches what is documented.

Musa identified three specific signals:

First – Policy. “If you have an integrated management system but a quality policy standing on its own, an environmental management policy standing on its own, a safety policy on its own, what is going on here? Where really is the integration?” A genuinely integrated organisation has one policy. One document. Three commitments inside it.

Second – Scope. If the business continuity scope is facing left, the HSEQ scope is facing right, and quality is facing north, integration will break under audit pressure. A single, unified scope is foundational.

Third – Roles and committees. “If you have a quality management committee standing on its own, a committee for environmental issues standing on its own, you can already tell they are just trying to achieve integration. The best they have probably done is a combined audit plan. They do not really have an integrated management system.”

The physical environment matters too. Musa recounted visiting a facility whose health and safety procedures required PPE at all times, with a well-maintained register to prove it. “When you walk around, most of them didn’t have their PPE on.” The document described the system. The operations revealed the truth.

Integrated Management System Audits Expose What Separate Audits Miss

This is the insight that should make every compliance team uncomfortable.

An organisation can pass three separate ISO audits, one for quality, one for environmental, one for occupational health and safety, and still fail an integrated management system audit. Because separate audits assess separate requirements in isolation. An IMS audit looks at how they function together.

The most revealing signal is Clause 8. Both speakers agreed: operational requirements are where the integration challenge becomes most acute, because each standard has unique, non-overlapping requirements at this clause. Clause 8 of ISO 9001 looks different from Clause 8 of ISO 14001, which looks different from Clause 8 of ISO 45001.

“It gets very interesting when you reach Clause 8,” Inkutatash said. “Because each standard would have, even if it is the same name, a different focus that is specific to that standard.”

An IMS auditor must evidence conformance with each standard’s specific Clause 8 requirements. Finding that evidence requires more than combined documentation, it requires demonstrated integration of processes at the operational level. And that is exactly where most organisations show their gaps.

The Risk Register Question, One or Many?

Integrated Management System Audits: What Genuine Integration Actually Looks Like

One of the most practical questions of the session came from the audience: how does a risk register look in a genuinely integrated IMS? Does it have sections for each standard?

Inkutatash’s answer was direct: one risk register. “I would say in my implementation strategy and the best practice is one integrated risk assessment and risk management process that covers all the management system requirements in the organisation.”

The structure, she recommended, should follow processes rather than standards. When a process owner assesses risk in their process, they should be identifying quality risks, environmental risks, and health and safety risks simultaneously, in one document, in one activity.

“Each process would have quality risks. Each process would have environmental risk. Each process may have health and safety risk. The risk management process could be one integrated risk management process, but it needs to make sure that each requirement, each focus of each management system standard is covered.”

For organisations also integrating ISO 27001, Musa noted the one exception: the Statement of Applicability is a unique requirement that will always stand on its own. But the risk assessment methodology itself can, and should, be integrated, with information security risks identified through the same process as other organisational risks, differentiated by their focus on confidentiality, integrity, and availability of information assets.

Integration Has Levels – and That Is Acceptable

One of the most useful frameworks to emerge from the session was Musa’s concept of integration levels, the idea that integration is not binary.

“You can actually say that I’m going to integrate 25%. You can say I’m going to integrate 50%. You can say I’m going to integrate 100%.”

He broke this down into components:

  • Level 1 – Integrate documentation and document control. One system. One register. One version control process.
  • Level 2 – Integrate internal audits. One audit plan, one audit cycle, one set of findings covering all three standards.
  • Level 3 – Integrate management reviews. One meeting, one agenda, all three standards discussed and decided upon together.
  • Level 4 – Integrate roles and responsibilities. One functional unit owns all three management systems. No more separate quality, environmental, and safety departments each maintaining their own system.
  • Level 5 – Integrate risk management. One risk process, one register, covering all standards.

The key is having a roadmap, and communicating that roadmap to your certification body early. Not at the end of implementation. At the beginning.

“Talk to them early,” Musa said. “The certification body needs to understand what you’re trying to achieve. If you’re trying to go for integration, explain that. Once you do, you will get guidance on what the minimum evidence requirements are for the level of integration you’re attempting.”

Where Leadership Fits – and Why 70% Is Not an Exaggeration

Inkutatash put a number on it: more than 70% of successful IMS implementation depends on leadership commitment. Musa built on this with something more nuanced.

The issue with leadership is not usually that they refuse to be involved. It is that they are sold the wrong thing.

“When you come in as an auditor and you’re meeting leadership and then you ask why did you go for integration, they thought this is what they would achieve, but they don’t really understand what was promised.”

The HSEQ manager who builds the business case and gets the budget approved by promising efficiency gains, but does not link those gains explicitly to organisational strategy, creates a leadership team that approved the investment but does not own it. And a management system that leadership does not own is one that only runs when someone is watching.

The prescription: “Take time to understand the organisation’s strategy. Then do the hard work of aligning what you’re doing with a strategic initiative or a strategic goal. Because if you don’t, you get an approval, but they don’t really understand what you’re promising them.”

During a certification audit, auditors will ask leadership directly. They need to demonstrate not just awareness, but strategic understanding of why the system exists and what it is achieving.

The IMS Audit Capability Question

An audience member asked whether an auditor certified in one standard can audit an integrated management system. Both speakers gave the same answer.

No, not adequately.

“If it is an integrated audit, the auditors should have competency in all integrated management system standards,” Inkutatash said. “That is the right way to go.”

Musa added the practical context: organisations that want to achieve integrated certification need auditors who understand the implementation requirements of each standard within the IMS, not just the audit methodology. “For you to be a good auditor, you have to be a good implementer. You are auditing the implementation. If you are not a good implementer, you end up in an audit not knowing. You just regurgitate what is written in the standard.”

What Comes Next

The webinar closed with Hilda noting that Saladin’s post-webinar work is practical, not just conversational. Hands-on IMS training programmes are being designed to support teams in implementation, gap assessment, and integrated audit capability development.

The recording of this session is available – link in the email sent to all registrants. Details of the next session in the series will be shared on Saladin’s LinkedIn page and via email.

For organisations that want to understand where their IMS currently sits, genuinely integrated, partially integrated, or aspirationally integrated, the Saladin team is available for a no-pressure scoping conversation.

📩 info@saladinglobal.com | 📞 +254 729 127 702 | 🌐 saladinglobal.com

Saladin Consulting Ltd provides HSEQ advisory, ISO gap assessments, internal audit support, ESIA, and PECB-aligned training across East Africa. ISO 9001, ISO 14001, ISO 45001, ISO 50001.