World-Class Compliance Assurance Program Part 4: Audit Program Best Practices
April 18, 2017 - Kestrel Management
This is the fourth in a series of five articles on developing and maintaining a world-class compliance assurance program.
Audits provide an essential tool for improving and verifying compliance performance. Audits may be used to capture regulatory compliance status, management system conformance, adequacy of internal controls, potential risks, and best practices. An audit is typically part of a broader compliance assurance program and can cover some or all of the company’s legal obligations, policies, programs, and objectives.
There are a number of third-party auditing standards that offer guidelines for ensuring accurate, complete, and reliable EHS audits, including:
- The Board of Environmental, Health, and Safety Auditing Certifications (BEAC) Standards, 2008
- ISO 19011 Auditing Guidelines, 2002
- Auditing Roundtable Standards, 1993
- USEPA Auditing Policy, 1986, 2000
- Institute of Internal Auditors Standards, 1997
Companies come in a variety of sizes with a range of different needs, so auditing standards remain fairly flexible. There are, however, a number of audit program elements and best practices that can help ensure a comprehensive audit program:
Goals. Establishing goals enables recognition of broader issues and can lead to long-term preventive programs. This process allows the organization to get at the causes and focus on important systemic issues. It pushes and guides toward continuous improvement. Goal-setting further addresses the responsibilities and obligations of the Board of Directors for audit and oversight and elicits support from stakeholders.
Scope. The scope of the audit should be limited initially (e.g., compliance and risk) to what is manageable and to what can be done very well, thereby producing performance improvement and a wider understanding and acceptance of objectives. As the program is developed and matures (e.g., management systems, company policy, operational integration), it can be expanded and, eventually, shift over time toward systems in place, prevention, efficiency, and best practices.
Committed resources. Sufficient resources must be provided for staffing and training and then applied, as needed, to encourage a robust auditing program. Resources also should be applied to EHSMS design and continuous improvement. It is important to track the costs/benefits to compare the impacts and results of program improvements.
Operational focus. All facilities need to be covered at the appropriate level, with emphasis based on potential EHS and business risks. The operational units/practices with the greatest risk should receive the greatest attention (e.g., the 80/20 Rule). Vendors/contractors and related operations that pose risks must be included as part of the program. For smaller, less complex and/or lower risk facilities, lower intensity focus can be justified. For example, relying more heavily on self-assessment and reporting of compliance and less on independent audits may provide better return on investment of assessment resources.
Audit team. A significant portion of the audit program should be conducted by knowledgeable auditors (independent insiders, third parties, or a combination thereof) with clear independence from the operations being audited and from the direct chain of command. For organizational learning and to leverage compliance standards across facilities, it is good practice to vary at least one audit team member for each audit. Companies often enlist personnel from different facilities and with different expertise to audit other facilities. Periodic third-party audits further bring outside perspective and reduce tendencies toward “home-blindness”.
Most common options for compliance audit team design include the following:
- Facility-based EHS Team
- Advantages – awareness of operations and specific facility EHS regulated activities
- Disadvantages – lack independence and objective outside perspective; may have some responsibilities for activities audited; likely to have limited regulatory expertise needed; likelihood of significant inconsistencies and variability from facility to facility
- Best use – routine and frequent inspections and monitoring, including progress checks on completion of corrective actions arising from other audits; desirable to have staff from other facilities participate on audit team; auditors should not audit their own departments or operations; may conduct and submit to corporate annual facility compliance self-assessments and assurance statements by facility management
- Independent Inside EHS Team
- Typically, from corporate headquarters (may include facility EHS representatives from other facilities)
- Advantages – improved independence from operations; likely to provide regulatory know-how and multi-facility perspective; consistency in audit methods and content likely across facilities
- Disadvantages – can be subject to limited independence and internal business pressures; may have limited perspective on best industry practices from outside organization; may not have up-to-date regulatory requirements awareness
- Best use – dedicated corporate EHS lead auditor(s) supported by subject matter experts on audit team; EHS personnel from other facility(s) participate on team for cross-facility learning; audit protocols maintained to be current; audits conducted annually at higher risk facilities; team review of facility self-assessments at lower risk facilities
- Third-Party Independent Audit Team
- Advantages – organizational independence; outside perspective and experience with compliance practices of other companies; auditor credentials and up-to-date awareness of audit methods and regulatory requirements; ability to bring specialized know-how, as needed; must meet client expectations for deliverable quality and timeliness
- Disadvantages – may not have organizational standing to ensure necessary cooperation and openness of auditees
- Best Use – periodic audit of the company’s audit program and process (5-year cycle); periodic compliance audits of selected facilities (3-year cycle), including auditing the completion of corrective actions initiated as a result of internal audits by corporate team; audits of company’s management system as part of compliance audits; done under attorney-client privilege
Audit frequency. There are several levels of audit frequency, depending on the type of audit:
- Frequent: Operational (e.g., inspections, housekeeping, maintenance) – done as part of routine EHSMS day-to-day operational responsibilities
- Periodic: Compliance, systems, actions/projects – conducted annually/semi-annually
- As needed: For issue follow-up
- Infrequent: Comprehensive, independent – conducted every three to four years
Differentiation methods. Differentiating identifies and distinguishes issues of greatest importance in terms of risk reduction and business performance improvement. The process for differentiating should be as clear and simple as possible; a system of priority rating and ranking is widely understood and agreed. The rating system can address severity levels, as well as probability levels, in addition to complexity/difficulty and length of time required for corrective actions.
Legal protection. Attorney privilege for audit processes and reports is advisable where risk/liability are deemed significant, especially for third-party independent audits. To the extent possible, make the audit process and reports become management tools that guide continuous improvement. Organizations should follow due diligence elements of the USEPA audit policy.
Procedures. Describe and document the audit process for consistent, efficient, effective, and reliable application. The best way to do this is to involve both auditors and those being audited in the procedure design. Audit procedures should be tailored to the specific facility/operation being audited. Documented procedures should be used to train both auditors and those accountable for operations being audited. Procedures can be launched using a pilot facility approach to allow for initial testing and fine-tuning. Keep procedures current and continually improve them based on practical application. Audits include document and record review (corporate and facility), interviews, and observations.
Protocols & tools. Develop specific and targeted protocols that are tailored to operational characteristics and based on applicable regulations and requirements for the facility. Use “widely accepted or standard practice” as go-by tools to aid in developing protocols (e.g., ASTM site assessment standards; ISO 14010 audit guidance; audit protocols based on EPA, OSHA, MSHA, Canadian regulatory requirements; GEMI self-assessment tools; proprietary audit protocol/tools). As protocols are updated, the ability to evaluate continuous improvement trends must be maintained (i.e., trend analysis).
Information management & analysis. Procedures should be well-defined, clear, and consistent to enable the organization to analyze trends, identify systemic causes, and pinpoint recurring problem areas. Analysis should prompt communication of issues and differentiation among findings based on significance. Audit reports should be issued in a predictable and timely manner. It is desirable to orient the audit program toward organizational learning and continual improvement, rather than a “gotcha” philosophy. “Open book” approaches help learning by letting facility managers know in advance what the audit protocols are and how the audits will be conducted.
Verification & corrective action. Corrective actions require corporate review, top management-level attention and management accountability for timely completion. A robust root cause analysis helps to ensure not just correction/containment of the existing issue, but also preventive action to assure controls are in place to prevent the event from recurring. For example, if a drum is labeled incorrectly, the corrective action is to relabel that drum. A robust plan should also look for other drums than might be labeled incorrectly and to add and communicate an effective preventive action (e.g., training or posting signs showing a correctly labeled drum).
Action item closure. Address repeat findings. Identify patterns and seek root cause analysis and sustainable corrections.
Training. Training should be done throughout the entire organization, across all levels:
- Auditors are trained on both technical matters and program procedures.
- Management is trained on the overall program design, purpose, business impacts of findings, responsibilities, corrections, and improvements.
- Line operations are trained on compliance procedures and company policy/systems.
Communications. Communications with management should be done routinely to discuss status, needs, performance, program improvements, and business impacts. Communications should be done in business language—with business impacts defined in terms of risks, costs, savings, avoided costs/capital expenditures, benefits. Those accountable for performance need to be provided information as close to “real time” as possible, and the Board of Directors should be informed routinely.
Leadership philosophy. Senior management should exhibit top-down expectations for program excellence. EHSMS quality excellence goes hand-in-hand with operational and service quality excellence. Learning and continual improvement should be emphasized.
Roles & responsibilities. Clear roles, responsibilities, and accountabilities need to be established. This includes top management understanding and embracing their roles/responsibilities. Owners of findings/fixes also must be clearly identified.
Funding for corrective actions. Funding should be allocated to projects based on significance of risk exposure (i.e., systemic/preventive actions receive high priority). The process should incentivize proactive planning and expeditious resolution of significant problem areas and penalize recurrence or back-sliding on performance and lack of timely fixes.
Performance measurement system. Audit goals and objectives should be nested with the company business goals, key performance objectives, and values. A balanced scorecard can display leading and lagging indicators. Metrics should be quantitative, indicative (not all-inclusive), and tied to their ability to influence. Performance measurements should be communicated and widely understood. Information from auditing (e.g., findings, patterns, trends, comparisons) and the status of corrective actions often are reported on compliance dashboards for management review.
Degree of business integration. There should be a strong link between programs, procedures, and methods used in a quality management program—EHS activities should operate in patterns similar to core operations rather than as ancillary add-on duties. In addition, EHS should be involved in business planning and MOC. An EHSMS should be well-developed and designed for full business integration, and the audit program should feed critical information into the EHSMS.
Accountability. Accountability and compensation must be clearly linked at a meaningful level. Use various award/recognition programs to offer incentives to line operations personnel for excellent EHS performance. Make disincentives and disciplinary consequences clear to discourage non-compliant activities.
Deployment plan & schedule. Best practice combines the use of pilot facility audits, baseline audits (to design programs), tiered audits, and a continuous improvement model. Facility profiles are developed for all top priority facilities, including operational and EHS characteristics and regulatory and other requirements.
Relation to best practices. Inventory best practices and share/transfer them as part of audit program results. Use best-in-class facilities as models and “problem sites” for improvement planning and training. The figure illustrates an audit program that goes beyond the traditional “find it, fix it, find it, fix it” repetitive cycle to one that yields real understanding of root causes and patterns. In this model, if the issues can be categorized and are of wide scale, the design of solutions can lead to company-wide corrective and preventive measures. This same method can be used to capture and transfer best practices across the organization. They are sustained through the continual review and improvement cycle of an EHSMS and are verified by future audits.
In our fifth and final article in this series, we talk about compliance program best practices and what it takes to maintain an ongoing world-class compliance assurance program.
Read the other articles in this series:
- Part 1: Enterprise and Compliance Risk Management
- Part 2: Management Systems and their Importance to Compliance Assurance
- Part 3: Compliance Risks and Compliance Program Assessment
- Part 5: Maintaining a Compliance Assurance Program
Submitted by: Tom Kunes