“Don’t audit life. Show up and make the most of it now.”
Regina Brett[1]
6.1 Why Audit
Although there are a few EHS regulations that require you to conduct audits (e.g., Occupational Safety and Health Administration’s (OSHA) Process Safety Management (PSM)[2] and Environmental Protection Agency’s (EPA) Chemical Accident Prevention Program (CAPP)[3] programs), audits can be conducted voluntarily. The typical reason for conducting audits is to identify and correct issues before someone gets hurt, a release occurs, or a regulatory agency discovers an issue. The decision to audit may seem obvious to an EHS professional, but when you look at costs and time limitations, you may need to justify this commitment. The following are potential reasons for conducting audits:
- Improve internal programs: It may seem easy to develop programs and policies, but unless you get out and observe how those are implemented (e.g., out in the plant or at the facilities), you do not know if the programs and policies fit and if they are implemented as intended. The audit gives you a chance to see the implementation and improve it if necessary.
- Increase Program Visibility: People naturally focus on items and issues that receive emphasis. They may pay more attention to EHS requirements if they know that they will be audited and held responsible.
- Provide Training: If conducted in a certain manner, the audit can be a learning experience as well as a review of compliance. Instead of taking notes and surprising facility personnel with findings at the end of the audit, take the time to point out issues, and discuss the situation and how to address it.
- Build Relationships: Getting out to the field and meeting personnel implementing the EHS policies and programs can help build relationships and improve communication. When they have a question or issue, they may be more comfortable contacting you.
In addition to the reasons identified above, you may also use the audits to protect your company from liability and to limit fines under the following programs:
- Defense against the “Responsible Corporate Officer Doctrine” as part of a compliance program[4]
- The Department of Justice’s Federal Sentencing Guidelines’ Effective Compliance and Ethics Program[5].
- The Environmental Protection Agency (EPA) and some state environmental agencies’ Self-Discovery Programs[6].
- Final Policy Concerning the Occupational Safety and Health Administration’s Treatment of Voluntary Employer Safety and Health Self-Audits[7].
Audits are also part of the ‘unavoidable employee misconduct’ defense strategy that companies can use to argue an Occupational Safety and Health Administration (OSHA) citation[8]. If you have an environmental and/or health and safety management system, audits are part of the “plan, do, check, act” process[9].
6.2 Before You Start
6.2.1 Refine the Scope
If you have limited time and resources as most probably do, it is important to know what you want to get out of the audit before you start. This will help you refine the scope, which could include physical areas or operations audited, regulatory areas evaluated, depth of the evaluation and years of records reviewed. I have found that determining the regulatory areas to evaluate and the depth of the evaluation can be the most difficult part of an audit. This was especially frustrating when I was in consulting where it can be difficult to match a client’s expectations with an economically acceptable scope. One way to help you refine the scope is to first conduct a gap analysis. A gap analysis is an audit that is simply attempting to determine what regulations or requirements apply without fully ascertaining compliance with that particular regulation. Once the gap analysis is completed, you can better refine the scope of a compliance audit.
When defining the scope, I was often concerned that I would leave out a regulation under the assumption that it might not apply. I did not want to waste time evaluating a number of EHS regulations that do not apply, but I was also concerned that I would overlook an activity that we did not know applied. The EHS regulations include requirements that may not be widely applicable to some industries such as the Occupational Safety and Health Administration’s (OSHA) Special Industries regulations (e.g., textiles, bakery equipment, sawmills, etc.). Some of these EHS regulations might be easy to determine if you should include or exclude, but others may not, such as the Environmental Protection Agency’s (EPA) refrigerant recovery and recycling regulation. I have found numerous maintenance shops that were doing various refrigeration system repair unbeknownst to EHS staff personnel. If I left refrigerant recovery and recycling off of the checklist, we might have overlooked this regulation and missed evaluation of those activities, which were often not up-to-code.
The scope needs to include a temporal limit. In other words, how far back are you going to look? The look back period may match your record retention timeframes, may be based on the frequency of the audits (you evaluate records back to the last audit), or for efficiency, you may just establish a set time (e.g., one year). Depending upon available time and resources, you might also want to establish a portion of records reviewed. For example, you may decide to choose 25 percent of the records to audit because you do not have time to check all of them. An audit protocol could go as far as stating that you will review every fourth record or you randomly choose 25 percent of the records to review.
6.2.2 Who Conducts the Audits
The scope and level of audit detail may be dictated by the person or persons conducting the audit. I can make an argument for using in-house and external personnel and have intentionally alternated between these to take advantage of both benefits and limitations.
Internal personnel can include EHS personnel as well as operations and management. You can use operations and management personnel from other sites, departments or lines as an educational endeavor and they can provide input on how they address an EHS issue in their area. Even though non-EHS personnel may not be experienced auditors, I have used this to develop internal bench strength: Once they audit a particular EHS program, they develop a better understanding. An advantage of using internal personnel is they may already be familiar with the company policies and programs, which can be more efficient. Internal personnel may not cost you any money, although they may incur travel costs. One disadvantage of internal personnel is they may have internal bias and preconceived notions about EHS policies and regulations.
Using an EHS consultant has the advantage of providing an outside and less biased perspective based on their background and experience. One of the disadvantages of consultants is they may not be familiar with your internal policies and programs and therefore, they may not be as efficient in their audits. The cost associated with EHS consultants can also be prohibitive. However, time constraints might prohibit the use of internal personnel and require the use of EHS consultants.
Another option is to use regulatory agency personnel. Some regulatory agencies have outreach programs and/or personnel who will come out and review your facilities and programs. This audit may be at no cost to you and the auditor likely has the appropriate background and experience. The obvious drawback to this method is the potential for the identification of a regulatory issue and/or violation. These regulatory agency outreach programs may not cite you for a violation if it is properly corrected, but you should verify the regulatory agency policy prior to initiating any site visit.
6.2.3 Audit Checklists
You can find commercially available EHS checklists and checklists from regulatory agencies. For example, Environmental Protection Agency (EPA) audit protocols are on their Compliance Audit Protocols webpage[10]. The Occupational Safety and Health Administration (OSHA) has program checklists, but I have not located a single location where you can access them. Commercially available audit checklists may come at a cost, but also might come with EHS software that will assist with the audits (e.g., provide links to regulations, guidance documents, etc.), compile results and assist with addressing comments. Regulatory agencies have checklists, but in my experience are often program specific, so if you want to address multiple EHS programs, you will need to compile multiple checklists from different regulatory agency sources. Some of these checklists are written for EHS regulatory agency inspectors and some are written for the regulated community.
If you have limited resources, you can develop checklists by simply modifying the regulation’s text into the form of a question. This results in a decent checklist but can lack the depth of commercially available audit checklists.
If you are developing your own checklists, make sure the questions, and answers, are written so the auditor, and potentially others who may need to, can read and understand the question. I often write a question so it is clear and simple and then provide a separate column or section with guidance information and/or a link to where the auditor or others can find more information on the question.
6.2.4 How You Will Address Findings
Back when I was consulting, I conducted my second audit at a client’s facility and realized that they had not corrected a number of the issues identified during the previous audit. I realized at that time that prior to conducting an audit for a company, you should check to see if they have a system in place to address the findings. Without a system in place to correct identified issues, you may not want to conduct an audit: Finding an issue and not correcting it could be worse than not finding it since that could be interpreted as willfully violating a regulation. Prior to starting the audit I make sure they have a system in place that allows tracking audit findings and corrective actions.
6.2.5 How You Will Present the Results
After an audit is completed, audited personnel and upper management may want to know the results of the audit (i.e., an audit score). I have heard valid arguments for and against presenting results. Using a scoring system allows benchmarking and determining if your EHS efforts are improving. However, depending upon how you are scoring the audit, the score may not be representative of the site, department, or group’s EHS efforts. For example, some of the questions may revolve around requirements that are outside of that group’s control. Additionally, if you want the audits to be more about training and learning and/or finding and fixing issues, an audit score can detract attention from those initiatives.
One option to use when calculating an audit score is to use a weighted scoring system since not every question is equal. For example, if the question involved a missing permit or plan it was 3 points, missing records, inspections, or tests were worth 2 points and violations of internal policies were 1 point. We assigned zero points for questions that we asked just to determine applicability and do not involve regulatory or policy issues. For example, is the site required to prepare Tier 2 reports? A negative answer should not result in an adverse score. The applicable questions were scored, and a percentage of points calculated.
6.2.6 What To Do With the Results
Depending upon the number of audits you have conducted, you may have a critical mass of results to analyze and look for trends. You can look for year-over-year trends or across operating lines, departments or sites as well as repeat issues at a site. You can use this information to focus your efforts on certain programs, policies, training, future audits, and audit questions.
6.3 Protecting Your Company
A company may not want to conduct an audit because they are afraid the results will be used against them. As mentioned in the previous section, if you do not fix identified issues, this could be a problem. If you are willing to correct identified issues, there are policies in place that can prevent EHS regulatory agencies from using some audit reports against a company.
Some EHS regulatory agencies have formally recognized that self-audits may improve compliance as discussed in the preamble to the Environmental Protection Agency’s (EPA) “Incentives for Self-Policing” policy which states:
“The purpose of this Policy is to enhance protection of human health and the environment by encouraging regulated entities to voluntarily discover, promptly disclose and expeditiously correct violations of Federal environmental requirements.”[11]
These policies are discussed in the following sections.
Another option is to conduct the audits under attorney client privilege. However, as discussed in Section 5, attorney client privilege may prevent EHS regulatory agencies from obtaining a copy of the audit report but does not protect facts identified in the audit report.
6.3.1 Environmental Protection Agency’s (EPA) Self-Discovery
On April 11, 2000, the Environmental Protection Agency (EPA) issued their Incentives for Self-Policing: Discovery, Disclosure, Correction and Prevention of Violations[12]. Under this policy, if a company conducts an audit and identifies a regulatory issue, the company can self-disclose under the Environmental Protection Agency’s (EPA) audit privilege and/or state equivalent program[13]. This can protect you from punitive fines, but you may still face fines related to economic advantages you might have benefitted from. For example, if you operated without purchasing, installing and operating an air pollutant control device that was required to be run as part of your air permit, you could still be fined for the cost related to that purchase, installation and operation.
The Environmental Protection Agency’s (EPA) audit policy requires you to meet nine conditions to be eligible for the audit policy benefits[14]:
- You discover the violation through an environmental audit or as part of your environmental management system[15].
- You cannot claim violations that you identified because you were already legally required to monitor, sample, inspect or audit[16]. For example, if you are required to sample your wastewater and discover you have exceeded your permit limits, you cannot use the audit policy and self-disclosure.
- You disclose the violation to the Environmental Protection Agency (EPA) within 21 days of identifying the issue[17]. Identification, or discovery, has been clarified to mean when company personnel have an “objectively reasonable factual basis for concluding that specific violations may have occurred”[18].
- You discover and disclose the issue independently (i.e., without Environmental Protection Agency (EPA) or another environmental regulatory agency identifying the violation during an inspection or other investigation)[19]. If you have or had an inspection by a regulatory agency, you cannot conduct an audit at that facility and then self-disclose to protect yourself from the inspection results. The Environmental Protection Agency (EPA) has clarified that you can conduct audits at other facilities, that have not been inspected, to correct similar violations[20].
- You correct and fix the issue within 60 calendar days from the date of identifying the violation[21]. The Environmental Protection Agency (EPA) will allow additional time for some small businesses and for other reasons, but you may have to request an extension and provide the reason for the additional time[22].
- You take measures to prevent recurrence of the violation[23]. This is especially important when you have an issue that you cannot correct or remediate (e.g., you missed a deadline)[24].
- The violations have not occurred at that facility in the past 3 years or within your company, at other facilities, in the past 5 years[25].
- A violation may not be eligible for self-disclosure if it caused serious actual harm, could have caused imminent and substantial endangerment, or violated an administrative or judicial order or consent agreement[26].
- You cooperate with the Environmental Protection Agency (EPA)[27].
Typically, I would consider this for major issues that could result in a fine, but I did not self-disclose for what I would consider minor regulatory issues. Regulated entities that satisfy the conditions above are eligible for Audit Policy benefits. Even if an entity fails to meet the first condition – systematic discovery – it can still be eligible for 75% penalty mitigation, and a recommendation for no criminal prosecution of the violations.
If the facility has been newly acquired, the existence of a violation prior to acquisition does not trigger the repeat violations exclusion. The EPA has a specific self-disclosure policy for new owners[28].
6.3.2 Occupational Safety and Health Administration’s (OSHA) Treatment of Voluntary Employer Safety and Health Self-Audits
On July 28, 2000, Occupational Safety and Health Administration (OSHA) issued a Final Policy Concerning the Occupational Safety and Health Administration’s Treatment of Voluntary Employer Safety and Health Self-Audits, which stated:
“…the Agency will not routinely request self-audit reports at the initiation of an inspection, and the Agency will not use self-audit reports as a means of identifying hazards upon which to focus during an inspection. In addition, where a voluntary self-audit identifies a hazardous condition, and the employer has corrected the violative condition prior to the initiation of an inspection (or a related accident, illness, or injury that triggers the Occupational Safety and Health Administration (OSHA) inspection) and has taken appropriate steps to prevent the recurrence of the condition, the Agency will refrain from issuing a citation…”[29]
In addition to the policy provisions identified in the paragraph above, the policy has a safe-harbor provision where Occupational Safety and Health Administration (OSHA) will not use the self-audit as evidence of a willful violation[30]. Occupational Safety and Health Administration (OSHA) will consider self-audit and adequate correction as evidence of an employer’s good-faith effort that can provide up to 25% penalty reduction[31].
6.4 Miscellaneous Audit Information
When you have a consultant conduct services for you, such as developing a Spill Prevention Control and Countermeasures (SPCC) plan, preparing an air operating permit, or conducting industrial hygiene testing, they might identify deficiencies as part of the process. Depending upon your risk tolerance, you could have this work prepared as an audit, so you have the option of disclosing it as part of the audit privilege if desired.
If you conduct audits at multiple sites, you should consider creating separate reports for each site: if an audit is requested as part of legal proceedings, you do not need to disclose documents for each site or redact portions for the other sites.
I had a supervisor that did not like the term “audit”; he felt it had a negative connotation, so we referred to them as assessments instead.
6.5 References
[1] “Wise Sayings” website, quotes on audits, accessed August 16, 2022 (https://www.wisesayings.com/audit-quotes/)
[2] 29 Code of Federal Regulations (CFR) 1910.119(o) Compliance Audits
[3] 40 Code of Federal Regulations (CFR) 68.58 and 68.79 Compliance Audits
[4] “The Resurgence of the Responsible Corporate Officer Doctrine” Added by Michelle Gustavson on June 14, 2012 Hawley-Troxell Attorneys and Counselors (http://www.hawleytroxell.com/2012/06/the-resurgence-of-the-responsible-corporate-officer-doctrine-2/)
[5] Department of Justice’s Federal Sentencing Guidelines’ Annotated 2018 Chapter Eight – Sentencing Of Organizations 8B2.1. Effective Compliance and Ethics Program (b)(5)(A) (https://www.ussc.gov/guidelines/2018-guidelines-manual/annotated-2018-chapter-8)
[6] “EPA’s Audit Policy” Environmental Protection Agency (EPA) Website, accessed August 6, 2022 (https://www.epa.gov/compliance/epas-audit-policy)
[7] “Final Policy Concerning the Occupational Safety and Health Administration’s Treatment of Voluntary Employer Safety and Health Self-Audits”, Occupational Safety and Health Administration, July 28, 2000 (https://www.osha.gov/laws-regs/federalregister/2000-07-28)
[8] “Avoiding Occupational Safety and Health Administration (OSHA) Citations The Best Defense Is Also A Good Offense” Industry Week Magazine by Stefan Borovina (https://www.industryweek.com/operations/safety/article/21964271/avoiding-osha-citations-the-best-defense-is-also-a-good-offense), December 7, 2014
[9] “Guide to Developing an Environmental Management System – Check” EPA Website (https://www.epa.gov/ems/guide-developing-environmental-management-system-check) accessed February 21, 2021
[10] “Audit Protocols” Environmental Protection Agency website (https://www.epa.gov/compliance/audit-protocols) accessed April 3, 2021.
[11] “Incentives for Self-Policing: Discovery, Disclosure, Correction and Prevention of Violations; Notice” Federal Register, Volume 65, Number 70, (https://www.govinfo.gov/content/pkg/FR-2000-04-11/pdf/00-8954.pdf), April 11, 2000
[12] “Incentives for Self-Policing: Discovery, Disclosure, Correction and Prevention of Violations; Notice” Federal Register, Volume 65, Number 70, (https://www.govinfo.gov/content/pkg/FR-2000-04-11/pdf/00-8954.pdf), April 11, 2000
[13] “EPA’s Audit Policy” Environmental Protection Agency website (https://www.epa.gov/compliance/epas-audit-policy), accessed April 4, 2021
[14] Ibid
[15] Ibid
[16] Ibid
[17] Ibid
[18] “EPA’s Audit Policy Program: Frequently Asked Questions”, Office of Civil Enforcement, Office of Enforcement and Compliance Assurance, U.S. Environmental Protection Agency, Washington, D.C. January 2021, page 4 (https://www.epa.gov/sites/production/files/2021-02/documents/epaauditpolicyprogramfaqs2021.pdf)
[19] “EPA’s Audit Policy” Environmental Protection Agency website (https://www.epa.gov/compliance/epas-audit-policy), accessed April 4, 2021
[20] “EPA’s Audit Policy Program: Frequently Asked Questions”, Office of Civil Enforcement, Office of Enforcement and Compliance Assurance, U.S. Environmental Protection Agency, Washington, D.C. January 2021, page 5 (https://www.epa.gov/sites/production/files/2021-02/documents/epaauditpolicyprogramfaqs2021.pdf)
[21] “EPA’s Audit Policy” Environmental Protection Agency website (https://www.epa.gov/compliance/epas-audit-policy), accessed April 4, 2021
[22] “EPA’s Audit Policy Program: Frequently Asked Questions”, Office of Civil Enforcement, Office of Enforcement and Compliance Assurance, U.S. Environmental Protection Agency, Washington, D.C. January 2021, page 18 (https://www.epa.gov/sites/production/files/2021-02/documents/epaauditpolicyprogramfaqs2021.pdf)
[23] “EPA’s Audit Policy” Environmental Protection Agency website (https://www.epa.gov/compliance/epas-audit-policy), accessed April 4, 2021
[24] “EPA’s Audit Policy Program: Frequently Asked Questions”, Office of Civil Enforcement, Office of Enforcement and Compliance Assurance, U.S. Environmental Protection Agency, Washington, D.C. January 2021, page 6 (https://www.epa.gov/sites/production/files/2021-02/documents/epaauditpolicyprogramfaqs2021.pdf)
[25] “EPA’s Audit Policy” Environmental Protection Agency website (https://www.epa.gov/compliance/epas-audit-policy), accessed April 4, 2021
[26] “EPA’s Audit Policy” Environmental Protection Agency website (https://www.epa.gov/compliance/epas-audit-policy), accessed April 4, 2021
[27] “EPA’s Audit Policy” Environmental Protection Agency website (https://www.epa.gov/compliance/epas-audit-policy), accessed April 4, 2021
[28] “EPA’s Audit Policy” Environmental Protection Agency website (https://www.epa.gov/compliance/epas-audit-policy), accessed April 4, 2021
[29] July 28, 2000 Federal Register volume 65, Number 146, page 46498 (https://www.osha.gov/laws-regs/federalregister/2000-07-28)
[30] July 28, 2000 Federal Register volume 65, Number 146, page 46502 (https://www.osha.gov/laws-regs/federalregister/2000-07-28)
[31] July 28, 2000 Federal Register volume 65, Number 146, page 46502 (https://www.osha.gov/laws-regs/federalregister/2000-07-28)