The process of EHS compliance auditing

Peter Duncan walks through the process of third-party environmental and health and safety compliance auditing – from pre-audit prep to the final report

Environmental and health and safety (EHS) auditing is not a legal requirement but a proactive management tool for organisations. Let’s consider third-party EHS audits, with a focus on compliance audits as opposed to management system audits.


Every EHS audit consists of three phases: pre-audit preparation, on-site audit, and post-audit report and follow-up. 

Pre-audit preparation is vital to ensure the on-site audit is completed efficiently and effectively. It should apply to both auditee and auditor; if on-site improvements can be driven by the approaching audit, it has already gone some way to achieving its objective.

Preparation should begin at least six weeks before the audit in order to give site personnel time to prepare any necessary pre-audit information, and to ensure they have adequate notice.

A key element of preparation is the information request detailing the documentation required for the audit. Some of the key information can be forwarded ahead of the audit, but at the least the information should be made readily available at the time of the audit. If information is provided by the site in advance, this must be reviewed by the audit team before the audit. 

A pre-audit meeting between auditee(s) and audit team should be arranged by the lead auditor, via teleconference where a face-to-face meeting is not practical. The purposes of the meeting are to make introductions and discuss the proposed audit schedule, process and logistics. On-site hazards will be discussed in order to highlight PPE requirements. The audit opening meeting details can be confirmed in terms of attendees and who will be dialling in on the day; this will help to ensure the audit runs smoothly. The meeting is also an opportunity to obtain background information about the site, its operations and processes, and any EHS programmes that are in place.

On-site audit

The on-site audit can be broken down into opening presentation, site orientation tour, audit, and closing presentation.

On arrival, the induction is a good opportunity to get a further perspective of the organisation – in terms of both EHS culture and any particular EHS hazards that are present. The reception area itself can provide a lot of information, as this area often promotes and highlights the company’s history, products, certifications (EMS and health and safety management systems) and EHS policy statements. It is useful to see if the latter documents are in date, for example. The induction process – or lack of one – can be a good indication of EHS commitment and culture.

The opening meeting provides an opportunity for site personnel and the audit team to introduce themselves, and should ideally be attended by senior management and the key personnel who will be participating in the audit process. Many organisations have developed model opening conference presentations that outline the audit process and activities. The meeting also provides a forum for the lead auditor to emphasise that the audit process is to support the organisation in achieving its EHS goals. The lead auditor should emphasise that the audit team should be seen as an extension of the organisation’s EHS team, helping to support improvement.

The orientation tour provides an opportunity to walk through the site, observing activities and processes. It also gives the auditor an indication of the EHS culture and the extent to which standards are being met. It is helpful to have a plan of the facility that can be used to note any areas you would like to revisit, making sure the orientation tour does not become too in-depth.

The audit process should be driven by a clearly defined scope that includes the standards or requirements on which the audit is predicated. If the focus of the audit is EHS regulatory compliance, it is important that both auditor and auditee understand that regulatory compliance is the standard to be achieved. Other standards or requirements may include management systems, company policies or operating procedures, for example.

There are many techniques for securing a good audit and bringing value. The verification process is key; every finding or area of non-compliance must be supported by evidence-based facts derived from sources including verbal, visual and/or documentary evidence. Without such evidence, the auditor’s credibility can quickly be undermined. It is the auditor’s skills that allow for such evidence to be realised, ensuring areas of greatest risk are given sufficient focus. Audit techniques include the ‘five whys’ of root cause analysis and the ‘who, what, where, when, why’ technique for information gathering. Speculation or assumptions should not be made.

Areas of non-compliance must be communicated with the auditee at the time in order to ensure openness within the process; such findings can be further discussed in a daily debrief, to ensure there are no surprises at the end of the audit.

The closing meeting is important, with the results presented to the auditees and wider management team. If the audit has been programmed by corporate head office, they may dial into the meeting. The closing meeting should be scheduled to allow time to discuss the findings. The findings and related information must be well presented, so the auditor must be given sufficient time to compile the presentation. The presentation should include a description of each finding, a regulatory citation against which the finding is determined, and clearly defined supporting evidence. In addition, the organisation may require recommended actions that will address the finding.

Begin the closing meeting by thanking the auditees for their time and cooperation, as appropriate. Highlight good practice and areas of excellence as well as the identified findings – this will provide a more balanced approach. A copy of the closing presentation can be left with the organisation, and the required formal reporting timescale and subsequent follow-up can be confirmed.

Post-audit report

The format of the formal audit report is often determined by the commissioning organisation, as this will readily allow for comparisons across their portfolio of sites. For an EHS compliance audit, a pre-prepared proforma is often preferred, allowing for a concise record of: the regulatory requirement associated with a given finding; a clear description of the finding/non-compliance; the regulatory citation; the level of associated risk; and any other supporting facts based on verified evidence. It is imperative that each finding is written to be clear, concise, closable and standalone. The required reporting style may vary between organisations, but the report’s purpose will remain the same: achieving and maintaining EHS regulatory compliance and continuous improvement, and providing value to the commissioning organisation.

Once the report has been issued, a pre-organised call with the auditee allows for any questions or clarifications to be considered before it is finalised. 

Peter Duncan is a principal environmental advisor and specialist discipline lead at Stantec.
