Establishing how often to carry out environmental, health, and safety (EHS) audits at sites and facilities considered to be part of the auditable universe can be a trying exercise. Auditing high-risk operations too infrequently can lead to unwanted surprises because of the lack of oversight and governance. On the other hand, auditing too frequently can be costly, can lead to a feeling of unbearable oversight by the audited community, and can eventually compromise the effectiveness of the program, to say nothing of how it affects the reception given to audit teams when they arrive at a site.

On one environmental audit some years ago at a large chemical plant in California, U.S.A., at the start of the opening meeting, the plant manager stated, “I can’t believe we’re being audited yet again. Do you know that we’ve been audited or inspected over 75 times this quarter alone?” The team leader (and the company) had failed to recognize that this site, a major military contractor for the U.S. government, was receiving regular “attention” from the corporate audit group, customers, and regulators on topics such as finance, security, environment, health and safety, process safety, transportation, and so forth.

So, what’s the right frequency, and where can one go for guidance? This article attempts to help answer these questions. Discussions include

• Expectations of regulatory agencies and professional organizations
• Assigning risk factors to auditable sites to establish frequency
• Examples of how nine companies have addressed audit frequency

Although there is no perfect solution that applies to all cases, the general approach and following examples from nine companies can be used to develop a solution.

 

Audit Frequency Expectations

No agency or professional organization prescribes exact frequencies for EHS audits. Some that do address the subject say that audit frequency should be based on risk (Auditing Roundtable, Board of Environmental, Health and Safety Auditor Certifications [BEAC], and The Institute of Internal Auditors [IIA]), whereas others say the frequency should be “periodic” (ANSI/AIHA Z10, ISO 14001, OHSAS 18001, U.S. Environmental Protection Agency [EPA], and U.S. Sentencing Commission) (see Figure 1). Although most of the external guidelines are silent on specific quantitative expectations for audit frequency, the commonly held expectation is that major facilities will be audited no less frequently than once every two to three years.

Figure 1 - Audit Frequency Expectations of Regulatory Agencies and Professional Organizations

Organization	Document	Frequency Expectation
American National Standards Institute/American Industrial Hygiene Association (ANSI/AIHA)	Occupational Health and Safety Management Systems Standard (ANSI/AIHA Z10-2005)	“Periodic”
ASTM International	Standard Practice for Environmental Regulatory Compliance Audits (E2107-06)	Silent on the subject
Auditing Roundtable	Standard for the Design and Implementation of an EH&S Audit Program (1996)	Frequency “based on existing or potential EHS impacts, taking into account such factors as level of EHS risk …”
Board of Environmental, Health and Safety Auditor Certifications (BEAC)	Performance and Program Standards for the Professional Practice of EH&S Auditing (2008)	“…facilities which pose the greatest risk to the company are audited earlier in the cycle, or at more frequent intervals, than other facilities which pose less risk.”
Institute of Internal Auditors	Standards for the Professional Practice of Internal Auditing (1997)	Primarily risk based
ISO 14001	Environmental Management Systems (ISO 14001:2004[E])	“Periodic”
ISO 19011	Guidelines for quality and/or environmental management systems auditing (ISO 19011:2002[E])	Silent on the subject
Occupational Health and Safety Assessment Series	Occupational Health and Safety Management Systems Standard (OHSAS 18001:2007)	“Periodic”
U.S. EPA	Environmental Auditing Policy Statement (1986)	“Periodic”
U.S. Sentencing Commission	Sentencing Guidelines Manual, Effective Compliance and Ethics Program (§8B2.1) (2010)	“Periodic”

Risk Factors and Audit Frequency

There are, of course, many approaches to ranking facilities by risk and by other factors and subsequently setting frequencies based on these rankings. Generally, there are two types of site risk factors: inherent and external. The inherent risks of operation include the materials handled, the age of the facility, and the complexity of the process. These risks are important but perhaps more controllable than the external risks, which may include the company’s compliance history, the community and environmental setting, and the state or local agency’s regulatory stringency.

If one views these two classes of risk in concert, as in Figure 2, a facility-by-facility risk evaluation can be conducted. We can find fairly large facilities, such as facility A, that pose high risks, and efforts can be undertaken to reduce both inherent and external risks and move this facility into either a relatively safe or a controllable situation. Such efforts might include increasing measures to reduce noncompliance (i.e., increased audit frequency) or investigating the possibility of materials substitution. For another facility, such as facility B, which poses only a modest inherent risk but is in so unstable an external environment that it is vulnerable to unwanted surprises, a public relations or compliance improvement program can be developed that will move the facility to the “relatively safe” category.

Figure 2 - Assessing Risk in a Multi-Plant Environment

 

Figure 3 - Establishing Audit Frequencies

Type of Operation	Risk Class*	Frequency	Duration	No. of Auditors
Large chemical plant	Very high	Annual	5 days	5
Metal-working and fabricating plant	High	Every 2 years	3.5 days	3
Light assembly plant	Medium	Every 3 years	1.5 days	2
Warehouse	Low	Every 4 years	1 day	1

* - Based on incident history, materials handled, complexity and environmental setting

Figure 3 can also be used as a resource planning tool. Once the company’s inventory of facilities to be audited is established and a frequency, audit duration, and team size are assigned to each facility, the manpower loading for field audits can be determined for any given year. Further, if the number of field hours is increased by 50 percent or so to account for audit preparation and report writing, the result should indicate full labor cost accounting for the program, except for management and administration time. Compiling this information on a spreadsheet will allow the program manager to manipulate critical factors, such as audit frequency, to determine the financial or budgetary impacts of increasing or decreasing the frequency.

Audit Frequency Case Studies

Provided below are specific examples of how nine companies establish audit frequencies. This information is taken from actual corporate audit procedures. It is clear that “no one size fits all.” The idea is to present some options that allow an organization to design a tailored program, drawing from the most applicable attributes of each example.

A Large Pharmaceutical Company

No facility within the audit “pool” is to be evaluated at a frequency of longer than four years. Schedules are set by using a “criticality matrix,” which evaluates the relative risk of facilities using criteria such as employee population, regulatory climate, complexity of operations, facility location, accident rates, site EHS resources, extent of facility self-assessments, and the like. Nominally, audit frequency is established using the schedule presented in Figure 4.

Figure 4 - Audit Frequency Schedule Based on Risk

Relative EHS Risk	Audit Frequency
High	Every 18-24 months
Medium high	Every 26-32 months
Medium low	Every 34-40 months
Low	Every 42-48 months

Each site within the auditable pool is assigned an initial audit frequency. This frequency is adjusted annually and at the conclusion of each audit, depending on a reassessment using the criticality matrix. Based on the established frequency and the number of sites in the pool, the program should be conducting about 27 evaluations annually. This analysis is shown in Figure 5 below.

Figure 5 - Number of EHS Evaluations Required Each Year Using the Criticality Matrix

	Criticality Risk Factors
Factors	Low	Medium low	Medium high	High	Totals
	<1.5	1.5-1.9	2.0-2.5	>2.5
Number of facilities with factor	11	31	35	3	80
Maximum allowed frequency (months)	48	40	32	24	—
Required facilities per year	2.8	9.3	13.1	1.5	~26.7

 

A Medium-Sized Mining and Minerals Processing Company

The audit program director will develop the audit schedule for each year and assign audit team leaders from the staff of managers. The frequency at which a site is audited, how long the audit will take, and how many auditors will participate is based on the perceived risks of the site. An evaluation of these parameters is made by the end of each year by the audit program director in consultation with group EHS coordinators, based on the criteria presented in Figure 6. The criteria are used as a guide, not as a quantitative scoring system. Thus, a site does not necessarily have to have all of the characteristics associated with a category I site to be classified as category I. The site may have only one characteristic, or it may have more characteristics to be classified as such. Based on the coordinators’ evaluations, in December of each year the audit program director publishes an annual schedule and distributes it to corporate and group management. Site and group management may request to have any site audited more, but not less, frequently than as determined by the annual program schedule.

Figure 6 - Risk Factors Used in Assigning Site Audit Frequency

Site Characteristics	Category I (Every 3 Years)	Category II (Every 4 Years)	Category III (Every 5 Years)
Size and type	Major manufacturing, mining, or processing	Minor manufacturing, mining, or processing	Warehouses, real estate, administrative buildings
Employee safety	Lost Workday Case Incident Rate worse than industry average	Lost Workday Case Incident Rate at industry average	Lost Workday Case Incident Rate better than industry average
Process safety	Covered by the Process Safety Management rule	Covered by the Process Safety Management rule	Not covered by the Process Safety Management rule
Chemical exposure	Covered under >10 chemicals listed in 29 CFR 1910.1001-50	Covered under 3-10 chemicals listed in 29 CFR 1910.1001-50	Covered under <3 chemicals listed in 29 CFR 1910.1001-50
Air emissions	Major source of air toxics or significant emissions; multiple permits	Moderate emissions; some air permits	No sources require air permits
Community relations	Major documented problems with the community	Periodic formal complaints	No or isolated complaints
Hazardous materials releases	Has 3 or more Toxic Release Inventory chemicals	Has 1 or 2 Toxic Release Inventory chemicals	Has no Toxic Release Inventory chemicals
Hazardous waste	Large-quantity generator	Small-quantity generator	Conditionally exempt small-quantity generator
Wastewater	Operates on-site treatment or pretreatment plant	Discharges process wastewater to publicly owned treatment works	Discharges sanitary wastewater only or has no discharges
Spill potential	On-site bulk petroleum or hazardous substances storage of >50,000 gallons	On-site bulk petroleum or hazardous substances storage of 1000 to 50,000 gallons	On-site bulk petroleum or hazardous substances storage of <1000 gallons

 

A Large Construction Company

Audits are scheduled using a formal risk ranking tool, which is completed for each site every two years. This aids substantially in prioritizing sites based on risk. Facilities that fall in the high-risk category are audited once every five years. Medium-risk sites are audited once every ten years. Low-risk sites are audited if a request is made by the facility, business unit, or law department; if the site is near high- or medium-risk sites that are to be audited; or if all high- and medium-risk sites have been audited within the last five- to ten-year cycle. Generally, the company relies on the site self-assessment process to address low-risk sites.

A Medium-Sized Chemical Company

The company has developed a site assessment frequency algorithm based on risk. Classes of facilities are assigned frequencies ranging from once every two years to once every ten years, based on relative risk. Major facilities are generally assigned a frequency of every two to three years. The audit frequency for a particular facility type is defined based on several criteria, including

• Relative issue impact or exposure in the operations
• Hazard analysis or risk assessment results
• Prior assessment results
• Accident or incident experience
• Compliance history
• Corporate requirements

A Large Chemical Company

EHS audits are to be conducted at least every three years unless the regional program manager extends audit frequency to four years for a particular site or process unit. Audit frequency is based on the following factors:

• The existence of an effective first-party EHS audit program
• Legal or regulatory requirements
• Performance on EHS metrics and prior audits
• Potential hazards
• Type of site or process unit (e.g., office or warehouse)
• Management-of-change considerations (e.g., turnover of EHS and management personnel and processes)

 

A Medium-Sized Agricultural Products Company

The frequency and scope of the periodic audits are defined by corporate EHS management and depend on facility size, complexity, performance information, regulatory compliance history, and other appropriate risk factors. The frequency is documented in a rolling five-year audit plan, which is reviewed and revised annually by corporate EHS management

A Public Power Authority

Audits of the authority’s operating projects are conducted according to the following schedule:

Figure 7 - Audit Frequency by Project Type

Project Type	Frequency
Power generation	Once every 3 years
Substations	Once every 4 years
Ancillary operations	Once every 5 years

Audits of any authority facility can be conducted more or less frequently than shown in the above schedule, on the basis of certain risk factors. These risk factors include

• Results of the previous audit
• Results of environmental performance metrics
• On-time closure of audit action items
• Extent of change (e.g., people, equipment, regulatory requirements) at the operation

A Large Electric Utility

The audit program has established a ranking system to determine the required audit frequency. This system is based on the size and complexity of the site, degree of EHS risk, history of compliance, financial liability, and results of prior audits. The major sites are audited approximately once every two to three years, and low-priority sites are audited approximately every four or more years. The frequency criteria are adequately defined and communicated, and stakeholders agree that the audits occur according to an appropriate schedule.

A Major Oil and Gas Company

Audits are to be conducted at the business unit level. Audits must address compliance with the requirements of each process in each subsidiary organization, and they take place at the following frequencies:

Figure 8 - Audit Frequency by Process Risk

The business unit, including each subsidiary, may elect to increase audit frequency.

The design of an audit plan and audit frequencies may take into account any scheduled or completed external audits that adequately address process verification. These external audits could come from regulatory agencies, joint ventures or other partners, or certification bodies.

About the Author

Lawrence B. Cahill, CPEA, is a Technical Director at Environmental Resources Management in Exton, Pennsylvania, U.S.A. He has over 30 years of professional EHS experience with industry and consulting. He is the editor and principal author of the widely used text, Environmental, Health and Safety Audits, published by Government Institutes, Inc. and now in its 9th Edition. He contributed four chapters in the 1995 book Auditing for Environmental Quality Leadership, published by John Wiley & Sons, Inc. Mr. Cahill has published over 50 articles and has been quoted in numerous publications including the New York Times and the Wall Street Journal.

Other Articles by Lawrence Cahill in the EHS Journal

Measuring the Success of an EHS Audit Program

EHS Audits – Have We Lost Our Way?

Statistically Representative Sampling on EH&S Audits: Expectations Established by Third Parties

Outsourcing EHS Audits: Does it Make Sense?

Photograph: Sunset in Paris by by Vladimir Fofanov, Moscow, Russia.

Return to the EHS Journal Home Page