EHS Audit Programs: Time for a checkup?
Lawrence B. Cahill, CPEA
August 2, 2020
With the advent of a worldwide pandemic, many corporate environmental, health and safety (EHS) audit programs have been put on full hiatus or modified substantially. The pandemic has also caused organizations to reconsider how audits are conducted. That is, are there ways to decrease the risk exposure of both the auditors and those being audited? Given the current situation, it might be the right time to take a critical look at an audit program, to determine its effectiveness and efficiency, and to explore possible improvements and adjustments.
It should be noted that professionally-recognized audit standards require audit programs undergo periodic assessments. For example, the Board of EHS Auditor Certifications (BEAC®) standards require: “senior management shall at periodic intervals, not less frequently than annually, review the audit program to ensure that it is being fully and effectively implemented consistent with the goals and objectives of the program, that the standards for independence and professional proficiency are being complied with and that appropriate quality assurance procedures are used to ensure the accuracy and thoroughness of each of the audits carried out pursuant to the audit program.” [Board of Environmental, Health & Safety Auditor Certifications, Standards for the Professional Practice of EH&S Auditing, 2008]. In addition, the Institute of Internal Auditors (IIA) requires that for internal audits a “quality assurance and improvement program must include both internal and external assessments.” [Institute of Internal Auditors, International Standards for the Professional Practice of Internal Auditing, October 2016, Section 1310].
Many mature EHS audit programs have indeed undergone internal and/or external assessments in the past. Any assessment or “check-up” undertaken during this particular time might want to incorporate certain special considerations. Below are 10 topics of inquiry that are based on the results of previous program assessments and a sense of issues currently facing EHS audit programs. The topics are designed to provide useful insights into the effectiveness of an audit program. In responding to the queries an assessor should not only get to the answers, but should also answer the question “How do we know?”
- Management Accountability. Is Executive Management actively involved in the program? Do they see and comment on key performance indicators (e.g., audits conducted as planned, on-time closure of high-priority findings)? Are line executives held accountable for performance of their sites during the audits and in correcting the identified deficiencies?
- Innovation. Is there a provision for conducting virtual audits, especially for remote and/or low-risk sites? Are new technologies being implemented (e.g., Google glasses, GoPro cameras, drones, data management systems, regulatory databases)?
- Defining and managing risk. Are findings prioritized based on the risk posed? Are high-priority findings systematically tracked to closure? Is the adequacy of closure evaluated? Is there a protocol for defining repeat findings in a meaningful way (i.e., evidence of a systemic failure as opposed to a “one-off”)? Do repeat findings receive special attention?
- Audit Fatigue. Are audit results being evaluated for a prevalence of low-risk findings? Has there been an analysis of whether sites are in fact improving or that the audit program might have lost its rigor and become stale? Are new auditors being rotated into the program to provide different perspectives and perhaps re-energize the program?
- Fraudulent Behavior. Have auditors been trained in how to identify fraudulent behavior without alienating those being audited? Are any suspect behaviors escalated appropriately within the organization?
- Audit Frequency. Are sites being audited at a frequency based on the relative risks posed? Are high-risk sites receiving full audits at least once every three years? Are certain low-risk sites not being audited at all? Can low-risk sites be audited virtually?
- Audit Timing. Are sites being audited during normal and/or in-season operations or is timing being altered because a site is “too busy” to accommodate an audit? Are early, late, overnight or weekend operations included in the audit?
- Business Interruption. Does the audit program require auditors to assess Business Interruption plans and how they address potential EHS impacts? Do the Business Interruption plans consider long-term interruptions? Are the plans effectively integrated with other emergency response plans such as PSM Risk Management Plans, Hazardous Waste Contingency Plans, Facility Response Plans, and Spill Prevention Control and Countermeasure Plans?
- Auditor Capabilities and Resources. Are auditor travel risk assessments routinely conducted to assure the safety of the audit team members? Do auditors have the knowledge and capabilities to audit complex topics adequately (e.g., air source permit applicability, PSM Mechanical Integrity)? If not, do auditors have real time access to subject matter experts? Do audit teams have sufficient numbers of qualified auditors? Have the auditors been trained to perform virtual audits and understand the differences between virtual and in-person audits?
- International Audits. Are international sites being audited using auditors that are fluent in the local language? Are country-specific audit protocols available for all international sites? Are international sites expected to meet all relevant corporate standards?
There are of course other topics that could be included in an EHS audit program assessment. One of these might be how the program helps to address the validation of corporate sustainability reporting data. Is there a protocol on how auditors might verify the efficacy of the site data that make up the basis for corporate reporting? Coverage of this activity would seem to be consistent with the goal of most audit programs - assurance of compliance with all applicable EHS regulations and corporate standards. On the other hand, coverage of this topic by an audit team could dilute its other efforts on higher risk topics. Companies must decide where audit resources are best applied to achieve the highest value to the organization.
Suggested Further Reading:
Cahill, L.B., “Innovation in EHS Auditing: Technology Innovations Past and Present,” Knowledge Brief, Institute of Internal Auditors (IIA), Environmental, Health and Safety Audit Center, May 2018.
- Cahill, L.B., “Achieving Sustainability Goals: Seven Simple Ways EHS Audit Programs Can Help Meet Corporate Objectives,” Knowledge Brief, Institute of Internal Auditors (IIA), Environmental, Health and Safety Audit Center, February 2018.
- Cahill, L.B. “Tackling the Potential for Fraud and Other Manipulations on EHS Audits,” Knowledge Brief, Institute of Internal Auditors (IIA), Environmental, Health and Safety Audit Center, September 2017.
Cahill, L.B., Environmental, Health and Safety Audits: A Compendium of Thoughts and Trends, Second Edition, Bernan Press, Lanham, MD, September 2017.
Chapter 3: Environmental Catastrophes: Evaluating Executives’ Commitment to EHS Audit Programs
Chapter 5: Measuring the Success of an EHS Audit Program: What are the Best Metrics?Chapter 6: EHS Audits-Have We Lost Our Way?
Chapter 9: Classic Auditor Failures: How Do Auditors Mess Up?
Chapter 10: Repeat vs. Recurring Findings on EHS Audits: Should Management Treat Them Differently?Chapter 12: Using Risk Factors to Determine EHS Audit Frequency: How to Best Manage Audit Resources
Chapter 13: Driving a Risk-based Approach to EHS Auditing
Chapter 14: An Approach to Calibrating Relative Risks on EHS Audits
Chapter 15: Is Now the Time to Consider Virtual EHS Auditing?
- Cahill, L.B. and R.J. Costello, “Ten Ways to Turn Confrontation into Cooperation,” Knowledge Brief, Institute of Internal Auditors (IIA), Environmental, Health and Safety Audit Center, November 2016.