This article discusses the conundrum faced by an environmental auditor who is retained by his client to perform an audit. During the audit, the consultant uncovers certain serious environmental violations that clearly pose imminent harm to the public and the environment. What are this auditor’s duties to report?

Case Study

Consider this likely scenario. An environmental auditor performs an in-depth assessment of his client’s operations under a contract that contains a confidentiality clause. The confidentiality clause specifically forbids the auditor from disclosing any information he finds during the course of the audit unless the disclosure is required by law.

During the audit, the consultant determines that his client is storing numerous drums of highly toxic wastes in a warehouse. The storage time of the drums has far exceeded the allowable 90/180/270-day accumulation time that would exempt the client from having to obtain a Resource Conservation and Recover Act (RCRA) Part B permit as a hazardous waste treatment, storage, and disposal facility. This is potentially a criminal act under RCRA Section 3008(d). To make matters worse, the auditor finds out that the client has ordered his staff to dispose of the wastes gradually by pouring a couple of drums a day into a ditch just outside the warehouse. A public drinking water well is located 30 feet down-gradient from the ditch.

What should the consultant do?

He now has personal knowledge that several illegal acts are taking place at the direction of his client. Everything in the auditor’s training tells him that it will be a matter of days before the drinking water supply will be contaminated with his client’s toxic waste.

Should the auditor report the findings to a regulatory agency in order to stop the illegal release? What about the auditor’s confidentiality agreement with his client? Should he tell the client to cease and desist? What if the client refuses to heed his advice?

Options

There are two schools of thought on this matter. The conventional wisdom is that the auditor should report his findings only to his client because the confidentiality clause in his contract forbids him from disclosing his findings to anyone else unless required by law. There is no specific language in any environmental statute or regulation that legally requires the auditor to report to the agency since he is neither the owner nor the operator of the facility. Therefore, the only way the auditor is required to disclose his findings is in response to a subpoena or court order. According to this school of thought, once the auditor has advised his client to stop the illegal act, the auditor’s obligations are fulfilled.

The other school of thought is that the auditor should tell his client to stop the illegal dumping immediately, and the auditor should report it to the agency if the client refuses to stop or report the release. The auditor would be violating the terms of his confidentiality clause in the contract and might be subject to legal action from his client, but he will have stopped the commission of a crime and the imminent harm to the users of the drinking well who could have been affected by the release.

If the auditor complies with the confidentiality clause, he may be exposing himself to another form of personal liability. What will the people who consume the contaminated drinking water think of his failure to take affirmative action to stop the imminent harm? Bear in mind that the auditor is not just an innocent bystander who happens to witness the commission of a crime. He is a trained professional with knowledge of the harm that the discharge will cause. Although the auditor is neither the owner nor the operator of the facility, he has a relationship as an expert with the person who is committing the crime.  The auditor has inside knowledge. He has more persuasive power and sway than a bystander in terms of influencing the decision of the owner or operator. The question is this: If he turns a blind eye to the ongoing criminal act, is he actually abetting the crime?

What about the auditor’s fiduciary duty to his client? Doesn’t the auditor have a duty to act in the “best interest” of his client?

Resolution

In terms of best interest, there are two possible outcomes when the client refuses to stop the illegal act and ignores the auditor’s advice to report:

1. The auditor walks away after informing the client of the illegal act, the discharge continues, and the drinking water supply is contaminated. The agency finds out a few months later and launches a criminal investigation. The client is prosecuted and convicted of environmental crimes and sent to prison for five years. The client’s company pays a million dollar fine, and the company faces a multi–million dollar lawsuit from the people who have been harmed by the illegal dumping.
2. The auditor reports his findings to the agency when his client refuses to act. The agency moves in, stops the discharge in time, and fines the owner a US$ 100,000 civil fine. There is no contamination of the drinking well.

Which of these two possible outcomes is better for the client from a fiduciary duty standpoint? Is the client’s interest better served when the auditor discloses to the agency in spite of the confidentiality agreement? Or does the auditor’s fiduciary duty end after he informs his client of the illegal act?

What if the auditor is an attorney? Does he not have a duty as an officer of the courts to disclose the illegal act?

There have been two conflicting court decisions on this subject. The Supreme Court of New Jersey ruled in May 1996 in the case of Carvalho v Toll Brothers that

an engineer has a legal duty to exercise reasonable care for the safety of workers on a construction site when the engineer has a contractual responsibility for the progress of the work, but not for safety conditions, yet is aware of working conditions on the construction site that create a risk of serious injury to workers.

Even though the engineer was not hired to monitor safety conditions, the court ruled that he had a duty to report a known unsafe condition.

Yet a case in 2011 in the Superior Court of Pennsylvania ruled that

an engineering firm retained by its client to monitor toxic emissions from a beryllium plant had no duty to report findings that beryllium particulate emissions belching from the plant “significantly exceeded” EPA limits to either the EPA or to members of the public.

This ruling flies in the face of the New Jersey Supreme Court ruling. Note that the Superior Court in Pennsylvania is often the last arbiter of legal dispute since the Supreme Court of Pennsylvania rarely rules on its findings.

We therefore, on this subject, have a state Supreme Court decision in conflict with a state Superior Court ruling.

Clearly, there are no black and white answers to this dilemma.

About the Author

Norman Wei is the founder of Environmental Management and Training, LLC, a training firm based in Cape Coral, Florida, USA. He performs environmental audits for companies and also conducts training on environmental compliance throughout the country. More than 2,000 environmental professionals have attended his seminars. He maintains a blog at http://normanswei.wordpress.com.

Photograph: A View of the Ruin by Bev Lloyd-Roberts, Denmark.

Return to the EHS Journal Home Page

Tablet computers and smartphones are not appropriate work tools for every professional or for every task; it really depends on what you do for a living. For auditors on the go, however, new generations of tablet devices, especially Apple’s iPad and iPhone, are proving to be essential working tools. Savvy auditors find plenty of ways to get more out of these devices than browsing the Internet and compiling photo slide shows.

Although tablets have been around for a while, the Microsoft Windows-based stylus devices lacked the intuitive interfaces that Apple has perfected. When you can touch the screen, use your fingers, and quickly navigate through information, the device makes your job a whole lot easier.

No doubt, tablets can be a handy e-mail machine when you’re away from the office, and their calendar features work well for anyone who spends time on the road. There’s much more, though. Increasingly, a growing number of features and apps are very useful to the auditor who spends significant time on-site at the client’s facility.  Here are a few:

• Tablets, the iPad and iPhone in particular, support a wide range of data capture; you can take quick notes, photos, video, and audio related to findings.
• Typing your notes directly on the iPad increases the efficiency of your audits.
• It’s easy to collect data and export them into Word and Excel documents.
• There are many affordable applications for various tasks, and new apps are continually being created.
• It’s simple to pull up legislation, corporate standards, and other documents you need on-site.
• Multiple auditors can collaborate on one audit.

Tablet computers can be very useful devices in all forms of site auditing, particularly when they are used to document audit activities and prepare reports. The key is not only to embed the device and software in your normal workflow but to leverage its data capture capabilities to make your job easier, more efficient, and more powerful.

About the Author

Jonathan Brun is the founder of Nimonik.ca, a web-based service to help you track EHS legislation in North America and audit in the field with your iPad and iPhone. A former EHS consultant, Jonathan has extensive experience helping clients stay in compliance with laws, regulations, ISO standards, and corporate directives.

Nimonik inc. offers the iPad and iPhone apps for performing audits. More information on the top-selling App for audits and verifications is available here.

Related Article in the EHS Journal

Using the iPad for EHS Auditing by Patrick Doyle, Lawrence Heim, and Robert Bray.

Tips for Tracking EHS Legislation by Jonathan Brun.

Image: Vector Background by Asif Akbar, Mumbai, India.

Return to the EHS Journal Home Page

Establishing how often to carry out environmental, health, and safety (EHS) audits at sites and facilities considered to be part of the auditable universe can be a trying exercise.  Auditing high-risk operations too infrequently can lead to unwanted surprises because of the lack of oversight and governance.  On the other hand, auditing too frequently can be costly, can lead to a feeling of unbearable oversight by the audited community, and can eventually compromise the effectiveness of the program, to say nothing of how it affects the reception given to audit teams when they arrive at a site.

On one environmental audit some years ago at a large chemical plant in California, U.S.A., at the start of the opening meeting, the plant manager stated, “I can’t believe we’re being audited yet again.  Do you know that we’ve been audited or inspected over 75 times this quarter alone?”  The team leader (and the company) had failed to recognize that this site, a major military contractor for the U.S. government, was receiving regular “attention” from the corporate audit group, customers, and regulators on topics such as finance, security, environment, health and safety, process safety, transportation, and so forth.

So, what’s the right frequency, and where can one go for guidance?  This article attempts to help answer these questions.  Discussions include

• Expectations of regulatory agencies and professional organizations
• Assigning risk factors to auditable sites to establish frequency
• Examples of how nine companies have addressed audit frequency

Although there is no perfect solution that applies to all cases, the general approach and following examples from nine companies can be used to develop a solution.

Audit Frequency Expectations

No agency or professional organization prescribes exact frequencies for EHS audits.  Some that do address the subject say that audit frequency should be based on risk (Auditing Roundtable, Board of Environmental, Health and Safety Auditor Certifications [BEAC], and The Institute of Internal Auditors [IIA]), whereas others say the frequency should be “periodic” (ANSI/AIHA Z10, ISO 14001, OHSAS 18001, U.S. Environmental Protection Agency [EPA], and U.S. Sentencing Commission) (see Figure 1).  Although most of the external guidelines are silent on specific quantitative expectations for audit frequency, the commonly held expectation is that major facilities will be audited no less frequently than once every two to three years.

Figure 1 – Audit Frequency Expectations of Regulatory Agencies and Professional Organizations

Risk Factors and Audit Frequency

There are, of course, many approaches to ranking facilities by risk and by other factors and subsequently setting frequencies based on these rankings. Generally, there are two types of site risk factors: inherent and external. The inherent risks of operation include the materials handled, the age of the facility, and the complexity of the process.  These risks are important but perhaps more controllable than the external risks, which may include the company’s compliance history, the community and environmental setting, and the state or local agency’s regulatory stringency.

If one views these two classes of risk in concert, as in Figure 2, a facility-by-facility risk evaluation can be conducted.  We can find fairly large facilities, such as facility A, that pose high risks, and efforts can be undertaken to reduce both inherent and external risks and move this facility into either a relatively safe or a controllable situation.  Such efforts might include increasing measures to reduce noncompliance (i.e., increased audit frequency) or investigating the possibility of materials substitution.  For another facility, such as facility B, which poses only a modest inherent risk but is in so unstable an external environment that it is vulnerable to unwanted surprises, a public relations or compliance improvement program can be developed that will move the facility to the “relatively safe” category.

Figure 2 – Assessing Risk in a Multi-Plant Environment

Figure 3 – Establishing Audit Frequencies

* – Based on incident history, materials handled, complexity and environmental setting

Figure 3 can also be used as a resource planning tool. Once the company’s inventory of facilities to be audited is established and a frequency, audit duration, and team size are assigned to each facility, the manpower loading for field audits can be determined for any given year. Further, if the number of field hours is increased by 50 percent or so to account for audit preparation and report writing, the result should indicate full labor cost accounting for the program, except for management and administration time.  Compiling this information on a spreadsheet will allow the program manager to manipulate critical factors, such as audit frequency, to determine the financial or budgetary impacts of increasing or decreasing the frequency. 

Audit Frequency Case Studies

Provided below are specific examples of how nine companies establish audit frequencies.  This information is taken from actual corporate audit procedures.  It is clear that “no one size fits all.”  The idea is to present some options that allow an organization to design a tailored program, drawing from the most applicable attributes of each example.

A Large Pharmaceutical Company

No facility within the audit “pool” is to be evaluated at a frequency of longer than four years.  Schedules are set by using a “criticality matrix,” which evaluates the relative risk of facilities using criteria such as employee population, regulatory climate, complexity of operations, facility location, accident rates, site EHS resources, extent of facility self-assessments, and the like.  Nominally, audit frequency is established using the schedule presented in Figure 4.

Figure 4 – Audit Frequency Schedule Based on Risk

Each site within the auditable pool is assigned an initial audit frequency.  This frequency is adjusted annually and at the conclusion of each audit, depending on a reassessment using the criticality matrix.  Based on the established frequency and the number of sites in the pool, the program should be conducting about 27 evaluations annually.  This analysis is shown in Figure 5 below.

Figure 5 – Number of EHS Evaluations Required Each Year Using the Criticality Matrix

A Medium-Sized Mining and Minerals Processing Company

The audit program director will develop the audit schedule for each year and assign audit team leaders from the staff of managers.  The frequency at which a site is audited, how long the audit will take, and how many auditors will participate is based on the perceived risks of the site.  An evaluation of these parameters is made by the end of each year by the audit program director in consultation with group EHS coordinators, based on the criteria presented in Figure 6.  The criteria are used as a guide, not as a quantitative scoring system.  Thus, a site does not necessarily have to have all of the characteristics associated with a category I site to be classified as category I.  The site may have only one characteristic, or it may have more characteristics to be classified as such.  Based on the coordinators’ evaluations, in December of each year the audit program director publishes an annual schedule and distributes it to corporate and group management. Site and group management may request to have any site audited more, but not less, frequently than as determined by the annual program schedule.

Figure 6 – Risk Factors Used in Assigning Site Audit Frequency

A Large Construction Company

Audits are scheduled using a formal risk ranking tool, which is completed for each site every two years.  This aids substantially in prioritizing sites based on risk.  Facilities that fall in the high-risk category are audited once every five years.  Medium-risk sites are audited once every ten years.  Low-risk sites are audited if a request is made by the facility, business unit, or law department; if the site is near high- or medium-risk sites that are to be audited; or if all high- and medium-risk sites have been audited within the last five- to ten-year cycle.  Generally, the company relies on the site self-assessment process to address low-risk sites.

A Medium-Sized Chemical Company

The company has developed a site assessment frequency algorithm based on risk.  Classes of facilities are assigned frequencies ranging from once every two years to once every ten years, based on relative risk.  Major facilities are generally assigned a frequency of every two to three years.  The audit frequency for a particular facility type is defined based on several criteria, including

• Relative issue impact or exposure in the operations
• Hazard analysis or risk assessment results
• Prior assessment results
• Accident or incident experience
• Compliance history
• Corporate requirements 

A Large Chemical Company

EHS audits are to be conducted at least every three years unless the regional program manager extends audit frequency to four years for a particular site or process unit.  Audit frequency is based on the following factors:  

• The existence of an effective first-party EHS audit program
• Legal or regulatory requirements
• Performance on EHS metrics and prior audits
• Potential hazards
• Type of site or process unit (e.g., office or warehouse)
• Management-of-change considerations (e.g., turnover of EHS and management personnel and processes)

A Medium-Sized Agricultural Products Company

The frequency and scope of the periodic audits are defined by corporate EHS management and depend on facility size, complexity, performance information, regulatory compliance history, and other appropriate risk factors.  The frequency is documented in a rolling five-year audit plan, which is reviewed and revised annually by corporate EHS management

A Public Power Authority

Audits of the authority’s operating projects are conducted according to the following schedule:

Figure 7 – Audit Frequency by Project Type

Audits of any authority facility can be conducted more or less frequently than shown in the above schedule, on the basis of certain risk factors. These risk factors include

• Results of the previous audit
• Results of environmental performance metrics
• On-time closure of audit action items
• Extent of change (e.g., people, equipment, regulatory requirements) at the operation

A Large Electric Utility

The audit program has established a ranking system to determine the required audit frequency.  This system is based on the size and complexity of the site, degree of EHS risk, history of compliance, financial liability, and results of prior audits.  The major sites are audited approximately once every two to three years, and low-priority sites are audited approximately every four or more years.  The frequency criteria are adequately defined and communicated, and stakeholders agree that the audits occur according to an appropriate schedule.

A Major Oil and Gas Company

Audits are to be conducted at the business unit level.  Audits must address compliance with the requirements of each process in each subsidiary organization, and they take place at the following frequencies:

Figure 8 – Audit Frequency by Process Risk

The business unit, including each subsidiary, may elect to increase audit frequency.

The design of an audit plan and audit frequencies may take into account any scheduled or completed external audits that adequately address process verification.  These external audits could come from regulatory agencies, joint ventures or other partners, or certification bodies. 

About the Author

Lawrence B. Cahill, CPEA, is a Technical Director at Environmental Resources Management in Exton, Pennsylvania, U.S.A.  He has over 30 years of professional EHS experience with industry and consulting.  He is the editor and principal author of the widely used text, Environmental, Health and Safety Audits, published by Government Institutes, Inc. and now in its 9th Edition.  He contributed four chapters in the 1995 book Auditing for Environmental Quality Leadership, published by John Wiley & Sons, Inc.  Mr. Cahill has published over 50 articles and has been quoted in numerous publications including the New York Times and the Wall Street Journal.

Other Articles by Lawrence Cahill in the EHS Journal

Measuring the Success of an EHS Audit Program

EHS Audits – Have We Lost Our Way?

Statistically Representative Sampling on EH&S Audits: Expectations Established by Third Parties

Outsourcing EHS Audits: Does it Make Sense?

Photograph: Sunset in Paris by by Vladimir Fofanov, Moscow, Russia.

Return to the EHS Journal Home Page

Environmental, health, and safety (EHS) audits are an effective compliance assurance tool for many organizations.  They are designed to verify whether sites, facilities, and operations are meeting the expectations of applicable regulatory requirements, corporate policies and standards, and good risk management practices.  As such, EHS audits are an important part of corporate governance. 

The audit function can take a variety of forms depending on the nature and history of the organization and on available resources.  These forms can include

• A corporate audit function with full-time corporate auditors
• A corporate audit function with part-time auditors selected from business units, divisions, plants, and third-party organizations
• A small corporate oversight group with delegation of the program to the business units or divisions
• A small corporate oversight group and the use of external, independent auditors

In the past few years, substantial debate has occurred over whether it makes sense to outsource the audit function entirely.  In fact, many organizations have done just that.  The decision to outsource is typically not an easy one, and many factors come into play in making it. This paper discusses both the advantages and the challenges of outsourcing the corporate EHS audit program.

Advantages of Outsourcing EHS Audits

Outsourcing can achieve any number of important objectives for an EHS audit program.  Among the advantages of outsourcing are readily available functional expertise, local knowledge, greater independence, a fresh set of eyes, and less disruption of routine EHS functions.

Readily Available Functional Expertise

In utilizing third parties to conduct the audits, one can typically draw from a large pool of available functional experts and experienced auditors.  This situation is often not the case when internal staff members are used and the same functional experts are routinely relied on to conduct the audits.  These are staff members who, because of their knowledge and expertise, have other organizational responsibilities and can ill afford to allocate too much of their time to auditing.  Often substantial tension exists between the needs of the audit program to staff the audits adequately and the needs of the functional EHS managers, who must develop and implement compliance programs. The internal staff is often spread too thin, and staff members find themselves in a no-win situation.  The use of third-party experts can help to relax this tension.

Local Knowledge 

Multinational companies have the challenge of operating in multiple, if not numerous, jurisdictions.  Although English-language international audit protocols are available for purchase, use of these protocols by corporate auditors is sometimes not enough to ensure that applicable regulatory requirements are evaluated comprehensively.  Further, in countries where English is not the official language, it is advantageous to utilize local third-party auditors, who speak and read the language fluently and who know the customs and mores of the country. When local auditors are not used, the audit team is often required to hire a translator or to have site staff translate the contents of permits, plans, and other documents during the course of the on-site visit.  Neither of these two options results in a very efficient or illuminating process.  As the story goes, there once was an auditor who was interviewing a site environmental coordinator through an interpreter.  The auditor asked a fairly direct, short question, which was then translated.  The response from the coordinator took about five minutes.  At the conclusion of the coordinator’s rather extended monologue, the auditor asked eagerly of the translator, “What did he say?” “Yes,” replied the translator. Maybe something was lost in the translation.

Greater Independence

Because of a number of events (e.g., the Enron and Arthur Andersen scandals) and the regulatory responses to these events (the Sarbanes-Oxley Act of 2002), the financial auditing profession is under increased scrutiny.  In the EHS auditing field, too, there is now a greater expectation that auditors be truly independent and objective.  While the use of third parties does not meet a full test of independence (e.g., the company can discontinue the use of the third party or refuse payment if the results of an audit are not considered “acceptable”), this approach is generally considered more independent than the use of internal auditors.  It can also eliminate conflict-of-interest situations where internal, corporate auditors are asked to audit programs or procedures that they helped to develop.

Fresh Set of Eyes

Many times, simply having a fresh set of eyes on an audit team can help to identify issues and instances of noncompliance that have been “in the background” for years. Moreover, to use an analogy, the Sarbanes-Oxley Act makes it unlawful for lead third-party financial auditors to provide that service for more than five consecutive years.  They are required to sit out an audit at least once every five years.  There is a sense in the audit community that auditors can become stale or all too familiar with the operations they are reviewing.  

The Finding of the Audit

A wonderful example of the need for a fresh set of eyes is depicted in the accompanying photograph, which was taken at a site in Australia. A maintenance technician at the site had arrived at a unique solution for the disposal of small quantities of waste solvent.  He welded a pipe with a funnel onto the roof drain of the building, which discharged to a nearby creek.   This practice had not been identified on any previous audits, until one year a new auditor asked, “What is this thing?”  It became the “finding of the audit.”

Less Disruption of Routine EHS Functions

In most cases in which internal staff members are used as auditors, these assignments are only temporary.  These staff members typically have other responsibilities that must be managed almost as an afterthought during the audit week. If a crisis at home distracts the auditor, then the audit suffers.   Either way, this can be disruptive to the EHS function.  The use of third parties eliminates this issue.  The third-party auditor is assigned full time to the audit during the course of the audit.

Challenges of Outsourcing

To be fair, outsourcing of an EHS audit program is not without its challenges.  Some of the more significant challenges are highlighted below, with thoughts on how best to address them.

Reduced Retention of Knowledge

A legitimate concern with outsourcing an EHS audit program is that the knowledge gained by the auditors may be lost to the organization if third auditors are used.  Each audit is a true learning experience in which both noncompliance trends and best management practices are identified.  If third parties are used, a formal mechanism should be put in place to ensure that strategic observations, which go beyond what is included in the audit reports, are communicated periodically to corporate EHS management.  This might involve a semiannual or annual meeting with senior management where the following topics are discussed:

• Highlights of liabilities most affecting the corporation
• Analysis of trends in the types of noncompliance findings, to identify potential corporate-wide issues
• Trends in the number of repeat and Level I (high priority) findings
• Identification of best practices worthy of incorporation by all sites

As an added benefit, this reporting to senior management is very consistent with the expectations of the U.S. Federal Sentencing Commission’s November 2004 guidance on mitigating factors. The guidance states that for a compliance and ethics program to be effective, a company’s “governing authority” (i.e., board of directors) must be informed, no less than annually, about the status of the company’s compliance.

Cost

There is no denying that the using a third party to conduct audits will result in costs for both auditor labor and travel expenses.  However, the use of internal staff results in comparable charges, although the labor costs are often not directly visible to management. That is, these internal auditors often don’t bill their time directly to the audit; the time is incorrectly viewed as a “free good.”  In fact, were true cost accounting to be used, an argument could be made that an outsourced program might actually be cheaper.  The third party will be expected to maintain trained auditors, updated protocols, and other program tools at its expense.  Further, use of a third party can minimize travel expenses, as the intent is to utilize third-party staff in the country or state in which the site is located.  This practice eliminates the need to send corporate EHS staff halfway around the world to conduct audits.

Need to Communicate Organizational Nuances

Every organization is unique, and there is no doubt that internal auditors understand the uniqueness of their company better than third parties do.  With a certain amount of effort, however, organizational nuances can be communicated to third-party auditors.  Some of the issues that need to be communicated for an EHS audit program include the following:

• What is the history of EHS auditing in the company?  Does the program have the organizational clout and top management support it needs?
• Are there corporate EHS standards and guidelines that must be evaluated on the audits?  Which are considered mandatory?
• How will the legal department be involved?
• What can be left behind with the site at the end of the audit?  Nothing, a summary of the findings, a draft report?
• How will repeat findings be handled?
• Will findings be classified by significance or priority?
• Will sites be scored? If so, how?  Is there a pass-fail threshold?
• If there is a disagreement on a finding between the site and the audit team, who will arbitrate?
• What are the records retention and destruction policies for audit working papers and reports?

Attention to these details up front will ensure a better program and a more informed and savvy third-party auditor.

Lack of Auditor Familiarity with Operations 

One of the principal concerns with the use of third-party auditors is that these auditors are not always sufficiently familiar with the operations of a given company or industry to understand the subtleties involved in achieving compliance.  Mining is different from power production, which is different from pharmaceutical manufacturing, and so forth.  To some extent, there is a certain amount of truth to this concern.  On the other hand, quite often a lack of full familiarity results in an auditor’s asking that one “naïve” question (e.g., “Why exactly is that sump not considered a confined space?”) that strikes at the heart of an issue not previously identified.  In any event, there are two solutions to this challenge.  One, third-party auditors can be taught about the unique aspects of a business.  It is something that can be learned.  Two, the pool of third-party auditors is very large; people with knowledge of a particular business can almost always be identified.

Why Not a Blend?

One solution used by numerous organizations is to design and implement a program that utilizes a blend of internal and external resources.  That is, internal auditors are used where feasible, and they are supplemented by third-party auditors when local knowledge and presence or a particular expertise (e.g., process safety management) is needed.  This approach has some very distinct technical and cost advantages.  It also adds a layer of independence that would not exist if only internal resources were utilized.

About the Author

Lawrence B. Cahill, CPEA, is a Technical Director at Environmental Resources Management in Exton, Pennsylvania, U.S.A.  He has over 30 years of professional EHS experience with industry and consulting.  He is the editor and principal author of the widely used text, Environmental, Health and Safety Audits, published by Government Institutes, Inc. and now in its 8th Edition.  (The ninth edition will be released in the Fall of 2010.) He contributed four chapters in the 1995 book Auditing for Environmental Quality Leadership, published by John Wiley & Sons, Inc.  Mr. Cahill has published over 50 articles and has been quoted in numerous publications including the New York Times and the Wall Street Journal.

Other Articles by Lawrence Cahill in the EHS Journal

Measuring the Success of an EHS Audit Program

EHS Audits – Have We Lost Our Way?

Statistically Representative Sampling on EH&S Audits: Expectations Established by Third Parties

Images: 

Balloon 5 by Doug Paul, Reno, Nevada, U.S.A.

The Finding of the Audit provided by Lawrence Cahill.

Return to the EHS Journal Home Page

BP Stock Price Following the Deepwater Horizon Incident

Massey Energy Stock Price Following the Coal Mine Explosion

The year 2010 has reminded us once again that management of environmental, health and safety (EHS) responsibilities can have a substantial impact on people, the environment, and a company’s bottom line.  On April 5^th of this year Massey Energy experienced an explosion in its West Virginia coal mine that killed 29 miners.  That tragedy has been compounded by a drop in the company’s stock price of more than 40 percent over the subsequent two months.  (See chart)  Similarly, on April 20^th BP experienced an explosion and oil spill at its Deepwater Horizon oil platform in the Gulf of Mexico that killed 11 workers.  Since that event, BP’s stock price has dropped about 50 percent.  (See chart)  Also, the financial impacts (e.g., no quarterly BP stockholder dividend, the setting up of a USD 20 billion victims’ fund) go well beyond the drop in stock price and loss in market capitalization.

What impact might these catastrophic events have on EHS compliance and audit programs?  A substantial impact, one would hope.  Audit programs for decades have focused on achieving compliance with detailed administrative requirements.  Particularly in the United States, this is not surprising.  Currently, there are more than 25,000 pages of EHS regulations at the federal level (Titles 29 and 40 of the Code of Federal Regulations [CFR]) to say nothing of state and local requirements; the number of CFR pages has grown by 3,000 in the past 5 years alone.  So the requirements are not only substantial but changing and becoming more stringent all the time.  It is no wonder that audit programs focus on these regulatory requirements, with penalties as high as USD 25,000 per day or more per violation per occurrence.

Although assessing compliance with detailed regulatory requirements such as inspections, permits, plans, manifests, MSDSs, reports, written procedures and the like is important for achieving and maintaining compliance, recent events suggest that ignoring real EHS risks can truly affect a company’s bottom line.  One would think that these potential impacts and outcomes should impact how audits are conducted now and in the future.  In practice this would beg the question, should one be more concerned about

• A wastewater discharge that has had periodic, minor exceedances of pH or the fact that the underground sewers are 50 years old and have never been surveyed with a camera to determine their integrity.
• The exact height of the containment wall of an above ground storage tank that is two inches too short or the fact that the tank has not been tested for integrity in the last 40 years.
• The lack of an expiration date for a single confined space entry permit or the fact that attendants at an entry are not always focused on the entry itself.
• Failure to set the guarding on a seldom-used grinder in the maintenance shop to the precise gap defined by the regulations or the fact that operators on the production line are routinely clearing debris from working equipment without first shutting down the equipment.

In each of the cases posed above, most traditional compliance audits would focus on the former issue, not the latter, even though the latter in each case poses a higher risk.  This is mostly because clear and precise requirements are associated with the first, but not so much with the second, scenario.

A New Approach to Auditing?

It might be time to take a hard look at the objectives and philosophies of our audit programs.  Achieving compliance with regulations is quite important, especially in the United States, but identifying, assessing, and managing EHS risks should also be at the core of any audit program.  Maybe one way to do this is not to rely so much on detailed compliance audit protocols containing thousands of questions but to identify potential high risk activities in each compliance area (e.g., air, water, confined space, lockout/tagout, etc.) that should be reviewed in detail on each and every audit, and to provide guidance on how that review should be conducted.  For example, for a given audit one would identify up front any high risk activities (e.g., ammonia refrigeration, hazardous materials storage tanks and transfer systems, work areas where respirators are required, flammable storage buildings, high production areas requiring significant operator oversight, etc.) in need of special attention and then develop a specific audit plan on how to review that activity.  This does not mean that the more mundane activities and operations are ignored.  It simply means that there is a defined approach on how to audit individual high risk operations within the context of the larger audit.

After reviewing hundreds of audit reports over the years, I am personally dismayed that we might have lost our way.  When I review a finding that tells me that “one weekly inspection of a hazardous waste accumulation point was missed in the past six months” or that “two of two hundred fire extinguishers did not have updated monthly inspections,” I truly wonder whether our audits are helping to protect people and the environment.  This is not to say that a more risk-based audit approach would have prevented the Massey Energy or BP tragedies, but maybe it’s worth a try.

About the Author

Lawrence B. Cahill, CPEA, is a Technical Director at Environmental Resources Management in Exton, Pennsylvania, U.S.A. 

Mr. Cahill has over 30 years of professional EH&S experience with industry and consulting.  He is the principal author of the widely used text, Environmental, Health and Safety Audits, published by Government Institutes, Inc. and now in its 8th Edition.  He contributed four chapters in the 1995 book Auditing for Environmental Quality Leadership, published by John Wiley & Sons, Inc.  Mr. Cahill has published over 50 articles and has been quoted in numerous publications including the New York Times and the Wall Street Journal.

Images:  Provided by Lawrence Cahill.

Return to the EHS Journal Home Page.

This expectation by OSHA caused me to evaluate the following third-party auditing standards for statements related to sampling on audits:

• The Board of Environmental, Health and Safety Auditing Certifications (BEAC) Standards, 2008
• ISO 19011 Auditing Guidelines, 2002
• Auditing Roundtable Standards, 1993
• U.S. Environmental Protection Agency (USEPA) Auditing Policy, 1986, 2000
• Institute of Internal Auditors Standards, 1997

A review of the above standards strongly suggests that only “appropriate sampling” or something comparable is the recommended practice.  The language in each standard that applies to the use of sampling techniques on EH&S audits is provided below.

This audit initiative by OSHA, a small part of a very significant enforcement action, could mean the beginnings of more rigorous sampling expectations on EH&S audits.  Or not.  My belief is that presently very few, if any, companies use formal statistically representative sampling on EH&S compliance audits.  Times could be changing; stay tuned.

BEAC Standards

“When conducting an audit, EH&S auditors shall use due care in examining and evaluating information they gather.  This information shall be sufficient, complete, relevant and useful to provide a sound basis for audit findings and recommendations.”  (Section III.8)

“Performance and Program Standards for the Professional Practice of Environmental, Health and Safety Auditing,” Board of Environmental, Health and Safety Auditor Certifications (BEAC), 2008

ISO 19011 Auditing Guidelines

“Audit evidence is verifiable. It is based on samples of the information available, since an audit is conducted during a finite period of time and with finite resources. The appropriate use of sampling is closely related to the confidence that can be placed in the audit conclusions.”  (Section 4(e))

“During the audit, information relevant to the audit objectives, scope and criteria, including information relating to interfaces between functions, activities and processes, should be collected by appropriate sampling and should be verified. Only information that is verifiable may be audit evidence. Audit evidence should be recorded.  The audit evidence is based on samples of the available information. Therefore there is an element of uncertainty in auditing, and those acting upon the audit conclusions should be aware of this uncertainty.”  (Section 6.5.4)

“Guidelines for quality and/or environmental management systems auditing,” International Organization for Standardization, ISO 19011:2002(E)

Auditing Roundtable Standards

“While on site, auditors must gather information necessary to fulfill the audit objectives. The information collected must be relevant, accurate, and sufficient to support findings, conclusions, and recommendations. Appropriate sampling schemes should be utilized in selecting samples.”  (Section II (C) (3))

“Minimum Criteria for the Conduct of EH&S Audits,” The Auditing Roundtable, 1993

U.S. EPA Auditing Policy

“A process which collects, analyzes, interprets and documents information sufficient to achieve audit objectives.”  (Appendix, Section V)

“Environmental Auditing Policy Statement,” US Environmental Protection Agency, July 9, 1986

Institute of Internal Auditors Standards

“Information should be sufficient, competent, relevant, and useful to provide a sound basis for audit findings and recommendations.

1. Sufficient information is factual, adequate, and convincing so that a prudent, informed person would reach the same conclusions as the auditor.
2. Competent information is reliable and the best attainable through the use of appropriate audit techniques.
3. Relevant information supports audit findings and recommendations and is consistent with the objectives of the audit.
4. Useful information helps the organization meet its goals.

Audit procedures, including the testing and sampling techniques employed, should be selected in advance, where practicable, and expanded or altered if circumstances warrant.”  (Sections 420.2 and 420.3)

 Standards for the Professional Practice of Internal Auditing, The Institute of Internal Auditors, 1997

About the Author

Lawrence B. Cahill, CPEA, is a Technical Director at Environmental Resources Management in Exton, Pennsylvania, U.S.A. 

Mr. Cahill has over 30 years of professional EH&S experience with industry and consulting.  He is the principal author of the widely used text, Environmental, Health and Safety Audits, published by Government Institutes, Inc. and now in its 8th Edition.  He contributed four chapters in the 1995 book Auditing for Environmental Quality Leadership, published by John Wiley & Sons, Inc.  Mr. Cahill has published over 50 articles and has been quoted in numerous publications including the New York Times and the Wall Street Journal.

Photograph:  Blue Butterfly by Pigi Vigi, Tartu, Eesti, Estonia.

Return to the EHS Journal Home Page.