Audit, Compliance and Risk Blog

Designing Environmental, Health & Safety (EH&S) Audits

Posted by Jon Elliott on Tue, Jul 07, 2015

of chemicals by your organization raises a host of environmental health and safety (EH&S) issues. Some of those issues are represented by legal and regulatory compliance requirements, others by formal but non-binding programs that range from company policies to ISO certifications. In response, organizations adopt and implement a wide variety of EH&S programs, including very broad ones (e.g., compliance with the Hazard Communication Standard) as well as very narrow ones (e.g., programs for managing entry into Confined Spaces). Organizations with sufficient resources and the will to organize themselves will create systematic programs to evaluate EH&S issues to ensure they’re addressed, and to design and coordinate programs in ways that do so effectively and efficiently. (In 2013-2014 I prepared a series of e-books that outlined EH&S regulatory requirements triggered by chemicals.)

How does an organization evaluate whether these programs are “working”? This involves some sort of evaluation or audit, which may be performed by:

  • Personnel associated with activities being reviewed - self-review or self-audit.

  • Personnel from elsewhere in the organization (similar line groups or a dedicated audit unit) - self-audit.

  • Outside program evaluators or auditors - third-party audit.

Use of different types of personnel involves trade-offs including those between direct knowledge (and possible subjectivity) of targeted operations versus “benchmark” judgments from disinterested outsiders, and continuity between the personnel making audit findings versus the personnel who respond with corrective actions.  In this note I don’t address those important considerations, but instead focus on design of EH&S audit activities.

1. Set Audit Objectives and Scope

First, you need to decide what activities are to be audited, and for what.  The physical and organizational scope may be broad (e.g., entire organization, a significant division, or a large and complex facility) or it may be narrow (e.g., particular fabrication line, warehouse, or hazardous materials storage facility).  This is typically a straightforward question. 

It’s potentially more complicated to determine the best scope for an audit, since many requirements and policies overlap.  So an audit might address one program (hazardous waste management, perhaps), or a collection of overlapping requirements (EH&S training or emergency planning, for example), or might audit a program which is itself supposed to cross-cut requirements (ISO 14001 environmental management systems, or ISO 19001 quality management, for example).

In addition, if the scope is large, the lead auditor may need to determine whether all associated locations, personnel and records will be addressed, or establish a sampling plan sufficient to provide reliable audit results while reducing resource demands.

2. Determine Audit Team Qualifications and Select Team Members

Based on the objectives and scope, the organization will need to determine the professional expertise and experience, and perhaps organization-specific awareness needed by the audit team. The “team” may be a single individual, or multiple professionals who collectively have the necessary qualifications.  Multi-person audit teams typically consist of:

  • Lead auditor (audit team leader).

  • One or more auditors with specified qualifications – who may be members of the internal/external audit unit, and may include one or more outsiders with necessary qualifications.

  • One or more technical or subject matter experts, if necessary (e.g., process engineers who can evaluate Risk Management Programs or Process Safety Management Standard implementation programs, or someone fluent in a language spoken by workers who will be interviewed).

Some audit units also provide for peer review by non-team members as an additional check, and/or schedule internal review by more senior personnel in the audit unit. Although such reviewers aren’t part of the actual audit team, it would be necessary to confirm their availability.

3. Establish Communication

Most EH&S audits are highly interactive, with personnel from the auditee unit responsible for collecting and providing requested documents (see below), hosting tours, and helping to schedule interviews with appropriate personnel. In addition, most audits begin with a formal Opening Meeting, some have end-of-day interim meetings to confirm logistics for the following day, and most end with a formal Closing Meeting. Initial contacts generally are arranged between the Lead Auditor and the primary contact from the auditee unit, after which these two may continue to coordinate inter-group communications or portions may be delegated to individuals assigned to elements of the audit.

During these communications, the auditors must ensure that the auditee unit understands the following:

  • Audit scope and objective.

  • Type of audit report to be prepared: overall evaluation of audited activities or report of exceptions found; basis for findings (clear non-compliance, failure to demonstrate compliance, specific shortfalls and/or indications of systemic weaknesses); findings only or findings plus suggested corrective actions; degree of regulatory or other citations; etc.

  • Audience(s) for the report: auditee management structure; general counsel and/or risk manager; etc.

4. Provide Pre-Audit Information Requests

Once the audit scope has been established, audit teams need to provide the auditee unit with requests for appropriate documentation. Some auditors prefer to review at least some information before reaching the subject facilities, in which case there are likely to be at least two series of requests:

  • Background information about the facility(ies) and unit(s) being audited, such as site maps and organization chart.

  • Basic documentation appropriate to the scope: 

    • Permits and other required approvals and/or enforcement orders - if compliance with legal requirements is being evaluated.

    • Voluntary policies and procedures (including those related to ISO or other certifications)—if these activities are being evaluated.

  • Key programmatic documents appropriate to the scope, such as:

    • EH&S programs for compliance with regulatory requirements from OSHA, EPA and/or other appropriate agencies.

    • Environmental Management System (EMS) program, quality assurance program, etc.

    • Training program(s).

    • Purchasing and inventory management programs.

    • Relevant contracts with suppliers and service providers.

Once these documents are reviewed—before the audit or as one of the first activities during the audit—the audit team is likely to generate follow-up requests for more detailed documentation. These might include records of monitoring, process management, training, etc. They will also inform the audit team’s onsite activities—documentation provides the “paper reality” or “virtual reality” of the audit target, which the audit team compares against the physical reality.

5. Establish Audit Plan, Including Schedule and Logistics

By the time the first four elements have been accomplished, the auditors should be ready to translate the audit’s objectives and scope into the concrete activities necessary to provide an effective audit. In coordination with the auditee unit, the auditors can now establish the schedule of onsite audit activities, including which auditors will pursue the document reviews, site inspections and interviews necessary to accomplish their assigned tasks.

And Then It’s Time For The Audit…

These activities provide the map for the audit, which is likely to diverge in some respects from the plan. For example, the auditors will find information that leads to additional follow-up, the auditee facility may experience unrelated operational issues that complicate logistics, and/or one or more important individuals may get sick or experience other unexpected circumstances.

Self-assessment Checklist

Does my organization provide for EH&S audits of its activities?

    • By operational unit staff (operators and/or EH&S personnel)

    • By an in-house organizational audit unit

    • By third party auditors

Do audits attempt to cover all EH&S issues in each audit, or are multiple audits conducted with narrower scopes?

Is each audit developed using formal procedures to establish:

    • Audit scope

    • Audit objectives

    • Audit team skills and resources

Does the organization establish clear responsibilities for personnel in units performing audits and in units being audited?

Does the organization prescribe the scope and presentation of audit findings, and of auditee units’ corrective actions?

Where can I go for more information?

• Professional organizations of auditors

• EPA webpage with information about the agency’s Audit Policy

• OSHA Voluntary Self-Audit Policy webpage

STP publishes a wide range of auditing guides including the following:


About the Author

Jon Elliott is President of Touchstone Environmental and has been a major contributor to STP’s product range for over 25 years. He was involved in developing 12 existing products, including Environmental Compliance: A Simplified National Guide and The Complete Guide to Environmental Law.

Mr. Elliott has a diverse educational background. In addition to his Juris Doctor (University of California, Boalt Hall School of Law, 1981), he holds a Master of Public Policy (Goldman School of Public Policy [GSPP], UC Berkeley, 1980), and a Bachelor of Science in Mechanical Engineering (Princeton University, 1977).

Mr. Elliott is active in professional and community organizations. In addition, he is a past chairman of the Board of Directors of the GSPP Alumni Association, and past member of the Executive Committee of the State Bar of California's Environmental Law Section (including past chair of its Legislative Committee).
