Even it is not in the auditing programs or scope, possible major catastrophical events like solvent or dust explosion, long term or immediate environmental pollution or contamination, delay or long term accumulative effect on human health etc., the auditor should at the first opportunity, bring it to the attention of the site owner for his/her consideration for any further actions, where appropriate.

A primary driver to do Auditing is to provide assurance – cover your……self, if you will. It stands to reason that Auditing would also be undertaken to provide cover. Contracts being what they are (and the risk/ consequence of dissatisfaction or litigation being what it is), they are also written to provide cover. In auditing, it’s all about the procedures, documentation, and reporting on everything that was done. I supported financial audit procedures for a Big 4 accounting firm for ~6 years. These folks know procedures! If the procedures call for looking through fire extinguisher and waste accumulation areas, then that’s’ what you’ll get. If you find two gaps out of two hundred, the auditor is duty-bound to report them.

I like Larry’s four examples, and would expand on his other two audit findings. Fire extinguishers are perhaps my favorite litmus test of a company’s EHS program. I’m always amazed at the inspection tags being up to date – but the fire extinguishers are obstructed, used as a coat hook, or placed directly over the stove so you would have to stick your arms through flames in order to retrieve it. Or that 80% of the people in the area don’t know where they are (ever notice those red arrows?) and nobody has the foggiest idea how to use one. The area coordinator has dutifully completed 25 of 26 inspections. Does s/he know what s/he is looking for? Could these inspections be combined with three other inspections done in this area to reduce costs?

If it’s not “compliance”, it doesn’t make the scope. If it’s not amenable to repeatable procedures, it doesn’t get audited. This is where we sell ourselves and our profession short. The examples show shortcomings, and the need to avoid the obsession on compliance. the examples illustrate how useful it would be to add elements of performance, operations, business continuity, efficiency/ effectiveness, and risk management. And good old-fashioned common sense (which isn’t all that common!). These business advisory perspectives are at least as valuable to clients as detailed compliance audits.

In the case of outsourced audits, the folly often begins with the RFP. Selection criteria is driven by detailed scopes of work, standardized/ detailed output, and unit costs per auditor or per audit. Cost-cutting reigns supreme – and not just in the EHS auditing world. Savvy auditors often make the kind of observations that are “missing in action” in the examples above – but the framework of the report can limit or prohibit the auditor from telling the client. I’ve been in meetings where Legal would advise “that observation is out of scope. if you tell the client ONE observation like this, they could make the case that you were looking for EVERYTHING with this type of risk….. and did you? were we paid to? what if something else happens that you DIDN’T tell them about – we’ll get sued. So stick to the audit finding about those two fire extinguishers”

The skill sets that are necessary to assess a broader array of risks and opportunities are a suite of business advisory techniques that cannot be fully conveyed in a proposal, and for which there is no standardized unit cost. The qualifications can’t be cut from one proposer, given to a lower-cost provider with the instruction to “do it like this person” – even with another $hundreds per audit.

The freedom to set sights higher can begin with the Auditing Program Manager. S/he may need support in conveying the value of this new approach to senior management – and the risks of taking the same old same old approach. In scoping audits (should we use another word?) and selecting resources, s/he should build in flexibility and contingent budget. RFPs should be issued, and contracts written to encourage this perspective, and the open, trusting relationship that fosters thoughtful procedures and communications. Furthermore, the Auditing Program Manager should be agile (see EHS Journal article on this – another good one) as to what elements of the report get communicated to whom, and how.

In sum, I agree with Larry Cahill’s premise that, in some ways, EHS auditors have lost our way. But we didn’t get their by ourselves. As any EMS or Enterprise Risk Management framework would say, it all begins with tone at the top. “The Top” may only know what we tell them. Let’s all work on it.

The major food label who proudly shaved the cost of audits of subcontract food processor to $1,500/ea realized that $1,500/ea was wasted when a salmonella outbreak (at a recently audit subcontractor) resulted in a national product recall and a PR disaster for the food label. Rat and pigeon droppings observed in the rafters didn’t register as a black and white risk to the peanut processing line below, so the auditor decided against raising such a Henny-Penny finding.

Company executives and board members should reconsider whether their compliance audit programs are capable of delivering information of suitable quality to assess whether risks (beyond the administrative) are managed within acceptable limits. What are the top 10 EHS risks to the corporate enterprise? Is the audit program designed to probe these issues? Are professionals capable of assessing those risks involved in the process and signatories to audit reports? If the answers to these questions aren’t known, the audit program may have lost its way.