Outsourcing Corporate EHS Audits: Getting it Right!

May 28th, 2017 | By | Category: Auditing


Over the years there has been substantial debate over whether it makes sense to outsource the conduct of environmental, health and safety audits entirely.  And, in fact, many, but not all, organizations have done just that.  This outsourcing is typically not an easy decision.  There are many factors that come into play.  A previous EHS Journal article discussed those factors, addressing both the advantages and challenges of outsourcing corporate EHS audits.  This article expands upon that previous article by focusing on what needs to be done by both the client and the third party audit provider to “get it right.”  This typically requires two critical initiatives be undertaken.  First, organizational conflicts of interest between the two parties must be identified and addressed, and second, audit processes must be articulated, understood, and communicated among all relevant stakeholders.


Organizational Conflict of Interest

One of the keys to getting it right is to first and foremost identify and resolve any potential organizational conflicts of interest between the two parties.  And, indeed, there is potential for significant real and perceived conflicts, particularly where the third-party auditor is providing other consulting services to the client.  This auditing versus consulting services conundrum has been a longstanding challenge among the “Big 4” accounting firms (Deloitte, EY, KPMG, and PwC). Notably, it was brought to a head by the Arthur Andersen/Enron scandal in 2001 that prompted passage of the 2002 Sarbanes-Oxley Act.  Back then, Arthur Andersen was one of the “Big 5,” but voluntarily surrendered its U.S. license to operate when found guilty of criminal charges arising from Enron misrepresentations due principally to conflicts of interest.  The consultancy arm of Andersen then became Accenture.  Interestingly, in March 2017, the Arthur Andersen name rose from the ashes with the announcement of 26 offices in 16 countries on 5 continents.  Currently, about 50% of the business of the major accounting firms is in advisory services, so the potential for conflicts unfortunately remains for the accounting profession.  And indeed, in recent years the Big 4 firms have settled a number of major lawsuits driven by actions related to conflicts of interest.

How does this COI challenge affect the EHS audit profession if at all?  Major consulting firms, the likely candidates for third-party EHS auditors, have a large footprint among the regulated community in providing services to clients.  Past assignments, current projects, and future opportunities conducted by the consultant can all create conflicts for the audit program.  The consultant could be providing advisory services at the corporate level and/or technical assistance (e.g., regulatory permit/plan preparation) at the local level.  The consequence is that, in some cases, the audit firm could be evaluating work that its staff has completed or, in the extreme case, an individual auditor could be evaluating work products that they prepared.

In the first case, the audit firm would typically be allowed to conduct the review but has to accept the potential consequence of a work product produced by the firm: (1) receiving a cursory and unwarranted favorable review or (2) receiving a thorough review that results in the product being viewed as deficient and not meeting regulatory or corporate requirements, an extremely uncomfortable situation for all concerned.

In the second case of reviewing one’s own work, the auditor faces a direct conflict and should not be allowed to conduct the evaluation.  Here, the auditing firm can create the classic “Chinese wall” and assure in the planning phase that the assigned audit team does not include members who produced site work products.  It should be noted that replacing auditors who have a conflict of interest can be a challenge in countries where third-party auditor resources are limited.  And even in the case where auditors with direct conflicts are replaced, there remains the risk of an undesirable outcome should the work products be found to be deficient by independent auditors.

Ultimately, where the auditing firm has a significant company-wide presence in providing advisory services or technical support to the client, it is probably best for the client to look elsewhere for audit support.  Where there is less of a consulting presence, procedures can be put in place to manage the individual conflicts.  These include the Chinese wall tactic and a pro-active and systemic review of the potential for conflicts on all audits.  And finally, it is the sole responsibility of the third-party auditor to identify and resolve conflicts of interest in advance; the client should never discover a conflict by happenstance on their own.


Defining and Managing the Process

Organizational and program nuances, as discussed in the previous article, need to be addressed when establishing a third-party EHS audit program.  Building on that discussion, and provided below in checklist form, are ten program elements that must be addressed adequately and in advance of the first audit.  Otherwise, the relationship between the client and the third party is ripe for misunderstandings.


  1. Client Internal Communications. Clearly communicating to the audited sites the use of a third party and what this means with respect to accessibility to the site, its people, and documents.
  2. Access to Information Systems. Assuring third-party access to the client’s proprietary data management systems for gathering relevant site information and submitting site audit reports.
  3. Audit Team Structure. Designing the structure of the third-party audit teams.  A core group of auditors, sole use of local auditors, or a blend?
  4. Client Participation. Deciding on who, if anyone, from the client organization might participate on the site audit team and with a clear definition of their role.
  5. Audit Criteria. Defining the audit criteria: regulatory requirements, corporate standards, good management practices/systems?
  6. Findings Priorities. Defining findings’ risk levels and priorities.  Multiple levels of risk?  All findings are created equal?
  7. Escalation Process. Definition of an escalation process when or if disputes arise between the auditors and the site.
  8. Report Reviews. A process for how draft reports get reviewed.  Who in the client organization has the final say when comments conflict with one another?
  9. Confidentiality. Expectations for third-party retention and security of sensitive and/or confidential client information and audit reports.
  10. Payments. Assuring efficient and accurate invoicing and payment, especially where a client’s contracts department is central to the process.


No doubt there are other elements of the audit process that require attention and concurrence.  However, based on experience and previous “hiccups,” those listed above are clearly the top ten.



Third-party EHS audit programs can provide numerous benefits, such as enhanced independence and objectivity, to a major corporation.  In addition, the approach is very consistent with typical corporate social responsibility strategies, driven and expected by shareholders and other stakeholders with vested interests.


About the Author

Lawrence B. Cahill, CPEA (Master Certification) is a Technical Director with Environmental Resources Management (ERM). He has over 35 years of professional EHS experience with industry and consulting.  He is the editor and principal author of the widely used text, Environmental, Health and Safety Audits, 9th Edition and its 2015 follow-up text EHS Audits: A Compendium of Thoughts and Trends, both published by Bernan Press.  He has published over 70 articles and has been quoted in numerous publications including the New York Times and the Wall Street Journal.  Mr. Cahill has worked in over 25 countries during his career. He holds a B.S. in Mechanical Engineering from Northeastern University where he was elected to Pi Tau Sigma, the International Mechanical Engineering Honor Society.  He also holds an M.S. in Environmental Health Engineering from the McCormick School of Engineering and Applied Science of Northwestern University, and an MBA from the Wharton School of the University of Pennsylvania.  He is a Certified Professional Environmental Auditor, Master Certification.

Photograph: Cherry Tree Path by Gabriel Doyle, San Diego, California, U.S.A.

