Standards for the Professional Practice of Environmental, Health and Safety Auditing

Board of Environmental, Health & Safety Auditor Certifications
247 Maitland Avenue
Altamonte Springs, Florida 32701-4201

12/1/99



Translation or Adaptation of the Standards for the Professional Practice of Environmental, Health and Safety Auditing and Other Standards-Related Pronouncements

The Board of Environmental, Health & Safety Auditor Certifications (BEAC) is an international association dedicated to advancing the professional development of the individual environmental, health and safety auditor and the environmental, health and safety auditing profession.

Copyright © 1999 by the Board of Environmental, Health & Safety Auditor Certifications, 249 Maitland Avenue, Altamonte Springs, Florida 32701-4201. All rights reserved. Printed in the United States of America. Under copyright laws and agreements, no part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means — electronic, mechanical, photocopying, recording, or otherwise — without prior written permission of the publisher.

To obtain permission to translate, adapt, or reproduce any part of this document, contact:

Karen H. Constantine
Board of Environmental, Health & Safety Auditor Certifications
247 Maitland Avenue
Altamonte Springs, Florida 32701-4201
Phone: (407) 831-7727
FAX: (407) 830-7495

Comments and Proposals for Changes or Additions to Standards Pronouncements

Nothing in this statement should preclude any individual or organization from commenting or proposing changes or additions to any of the BEAC’s Standards pronouncements. Suggestions of this nature should be submitted to the BEAC in writing directed to the Chairman of the BEAC Standards Board.


Foreword

In 1997, the Board of Environmental, Health & Safety Auditor Certifications (BEAC) was established as a joint venture of the Institute of Internal Auditors (IIA) and the Environmental Auditing Roundtable (EAR) to provide certification programs for the professional practice of environmental, health and safety (EH&S) auditing. The BEAC is solely committed to the advancement of the individual EH&S auditor and the EH&S auditing profession worldwide as demonstrated through the BEAC certification programs and Certified Professional Environmental Auditor (CPEA) professional designations.

The original joint venture agreement between the IIA and EAR envisioned early development and adoption of EH&S auditing standards to support the BEAC certification programs. Recognizing the need for those having attained the BEAC professional certification(s) to practice their profession in accordance with high standards, the BEAC considers standards essential. In addition, establishment of generally accepted EH&S audit criteria is a vital component of gaining greater acceptance by others of EH&S audit work.

The BEAC established a Standards Board in 1998. The BEAC Standards Board studied a number of standards issued by other professional organizations from around the world and concluded that the Standards for the Professional Practice of Internal Auditing developed by the IIA and the Standards for the Professional Practice of Environmental Auditing developed by EAR were thorough and best suited as the references for the development of standards for the BEAC certification programs. Accordingly, if one compares the standards of the two parent organizations to these Standards for the Professional Practice of Environmental, Health and Safety Auditing (Standards), they will observe significant similarity and consistency. The BEAC recognizes the IIA and the EAR leadership for their outstanding support, guidance, and assistance in the development of these Standards.

In establishing the Standards, the following matters were considered:

♦ Boards of directors are being held accountable for the adequacy and effectiveness of their organizations’ systems of EH&S control and quality of performance.

♦ Members of senior management are relying upon EH&S auditing as a means of supplying objective analyses, appraisals, recommendations, counsel, and information on the organization’s controls and performance.

♦ Auditors use the results of previous audits to complement their work when suitable evidence of independence exists and adequate, professional audit work is performed.

In the light of such matters, the purposes of the Standards are to:

1. Impart an understanding of the role and responsibilities of EH&S auditing to all levels of management, boards of directors, public bodies, external auditors, and related professional organizations.

2. Establish the basis for the guidance and measurement of EH&S auditing performance.

3. Improve the practice and advance the profession of EH&S auditing.

Some important points about these BEAC Standards for the CPEA are:


1. An EH&S audit is defined as an activity directed at verifying a site’s or organization’s environmental, health, or safety status with respect to specific, predetermined audit criteria. An EH&S audit is distinct from other evaluation methods that may involve conclusions based on professional opinion or limited evaluation, or unique instances not associated with specific audit criteria.

2. Through this document, “audit” and “auditor” mean EH&S audit or EH&S auditor.

3. These Standards apply to audit program processes, implementation and activities that take place within the scope of an audit engagement.

4. These Standards apply to all EH&S auditing professionals whether they are employed by organizations internally or as external contractors/consultants functioning in an EH&S auditing role.

5. These Standards define what is required to conduct a competent audit.

This document, issued by the BEAC Standards Board, represents the first codification of the Standards for the Professional Practice of Environmental, Health and Safety Auditing (Standards) and Statements on Environmental Auditing Standards (SEAS). It is not intended to serve as a legal analysis of liability issues or as legal advice.

As EH&S auditing adapts to the continuous changes in organizations and in society, these Standards will be modified by the issuance of SEASs. SEASs are issued by the BEAC Standards Board, the technical committee of the BEAC responsible for promulgating and monitoring these Standards and other standards pronouncements on a worldwide basis.

Standards, as used in this document, means the criteria by which the operations of an EH&S auditing function are evaluated and measured. They are intended to represent the practice of EH&S auditing as it should be, as judged and adopted by the Board of Directors of the BEAC. The Standards are meant to serve the entire profession in all types of organizations where EH&S auditors are found.

An EH&S audit program can help an organization determine if established EH&S programs are effective. It can also help assure senior management that the organization is operating in a manner consistent with its regulatory policy and requirements. These objectives can be accomplished either directly, through detailed reviews of the organization’s operations, or indirectly, through reviews of those management systems that are intended to ensure conformance with established requirements.

Organizations performing EH&S audits, or planning to start up this function, are urged to subscribe to and conform with these Standards as a basis for development and operation of their EH&S audit programs.


ACKNOWLEDGEMENT

The BEAC is very appreciative of the dedication and commitment of the following individuals for their efforts in developing the Standards:

BEAC Standards Board

Environmental Auditing Roundtable

Institute of Internal Auditors

BEAC Headquarters Staff

James C. Ball
Chairman
BEAC Standards Board

James A. Hooper
Chairman of the Board
BEAC


Framework

Purpose

This section establishes the framework for the Standards for the Professional Practice of Environmental, Health and Safety Auditing (Standards) and sets forth the final approval authority required by the BEAC to promulgate the Standards and other standards-related pronouncements (Standards Pronouncements).

Framework

The Framework for the Standards for the Professional Practice of Environmental, Health and Safety Auditing includes the following:

| Standards Pronouncements | Final Approval Authority | Description |
| --- | --- | --- |
| Statement of Responsibilities of Environmental, Health and Safety Auditing | BEAC Board of Directors | Provides in summary form a general understanding of the responsibilities of environmental, health and safety auditing |
| Code of Ethics | BEAC Board of Directors | Sets forth standards of conduct for members of the BEAC and CPEAs. |
| Standards for the Professional Practice of Environmental, Health and Safety Auditing | BEAC Board of Directors | Describes the criteria by which the operations of an environmental, health and safety auditing function are evaluated and measured. |
| – General Standards | BEAC Board of Directors | States the five General Standards which shall be followed to conform with the Standards. |
| – Performance Standards | BEAC Board of Directors | States the specific Performance Standards which should be followed to conform with the General Standards. |
| – Performance Practices | BEAC Standards Board | Describes suitable means of meeting the General and Performance Standards |
| Statements on Environmental Auditing Standards (SEASs) | BEAC Board of Directors | Provides authoritative interpretations of the Standards. SEASs are used to add or change existing Standards |
| Professional Standards Practice Release | BEAC Standards Board Chairman | Addresses questions resulting from the application of the BEAC’s Standards or Practices. |


Introduction

EH&S auditing is an independent appraisal function undertaken by an organization to examine and evaluate its activities. The objective of EH&S auditing is to provide information to those in management in support of decision making and to assist members of the organization in the effective discharge of their responsibilities. To this end, EH&S auditing may furnish the organization with analyses, appraisals, recommendations, counsel, or information concerning the activities reviewed, the adequacy and effectiveness of the organization’s system of EH&S control, and the quality of performance. The information furnished to different members of the organization may vary in format and detail, depending upon the requirements and requests of those commissioning the audit(s).

Throughout the world EH&S auditing is performed in diverse environments and within organizations which vary in purpose, size, and structure. In addition, the laws and customs within various countries differ from one another. These differences may affect the practice of EH&S auditing in each environment. The implementation of these Standards, therefore, will be governed by the environment in which the EH&S auditing function carries out its assigned responsibilities.

Conformance with the concepts enunciated by the Standards is essential before the responsibilities of EH&S auditors can be met. As stated in the BEAC Code of Ethics, members of the BEAC and CPEAs shall adopt suitable means to conform with the Standards. It is understood that external contractors/consultants may not be in a position to influence the design and function of an organization’s audit program. While this may preclude conformance with certain Standards, EH&S auditors are required to conform to all Standards within their control. Deviations from these Standards should be documented.

An organization may choose to establish an ongoing program of EH&S audits (hereinafter referred to as the “audit program”). Such an audit program would function under the policies established by senior management and the organization’s board of directors. The statement of purpose, authority, and responsibility for the EH&S audit program, approved by senior management and accepted by the board, should be consistent with these Standards. The audit program description should make clear the purposes of the EH&S auditing function, specify the scope of work, and describe how auditor independence will be achieved.

These Standards are intended to cover a wide range of audit programs, implemented for a variety of purposes, and involving a variety of relationships between the auditor and the organization for which the audit program is being implemented. These Standards are intended to provide a basis for promoting consistency and quality in the performance of EH&S audits. To that end, these Standards outline the basic elements to be included in audit programs. Key requirements and best practices are defined, but detailed implementation steps are intentionally not prescribed.

This document is divided into three sections including General Standards, Performance Standards, and Performance Practices. General Standards are short and precise and are mandatory. Performance Standards are a means of conformance with the General Standards. Although not mandatory, Performance Practices are useful and a suitable means of meeting a General or Performance Standard.

The Standards encompass:


1. The independence of the EH&S auditing function from the activities audited and the objectivity of EH&S auditors.

2. The proficiency of EH&S auditors and the due professional care they should exercise.

3. The performance of EH&S auditing assignments.

4. The scope of EH&S Auditing Programs.

5. The management of the EH&S auditing function.

The General Standards, Performance Standards, and the accompanying Performance Practices employ terms given meanings in the context of the Standards. These terms are included in the Glossary.

| General Standards | Performance Standards | Performance Practices |
| --- | --- | --- |
| General Standards are required for the CPEA. They provide specific guidance and are mandatory. | Performance Standards provide outcome strategies. They are a suitable means of meeting the General Standards. | Performance Practices are recommended, but are not mandatory. They provide methodologies for implementation of the General and Performance Standards. |


General Standards for the Professional Practice of Environmental, Health & Safety Auditing

I. INDEPENDENCE

ENVIRONMENTAL, HEALTH AND SAFETY AUDITORS SHALL BE OBJECTIVE AND INDEPENDENT OF THE ACTIVITIES THEY AUDIT, FREE OF CONFLICT OF INTEREST IN ANY SPECIFIC SITUATION, AND NOT SUBJECT TO INTERNAL OR EXTERNAL PRESSURE TO INFLUENCE THEIR FINDINGS.

II. PROFESSIONAL PROFICIENCY

ENVIRONMENTAL, HEALTH AND SAFETY AUDITS SHALL BE PERFORMED WITH PROFICIENCY AND DUE PROFESSIONAL CARE.

III. PERFORMANCE OF AUDIT WORK

AUDIT WORK SHALL INCLUDE PLANNING THE AUDIT, EXAMINING AND EVALUATING INFORMATION, AND COMMUNICATING RESULTS.

IV. SCOPE OF AUDIT PROGRAM

THE SCOPE OF THE ORGANIZATION’S ENVIRONMENTAL, HEALTH AND SAFETY AUDIT PROGRAM SHALL ENCOMPASS THE EXAMINATION AND EVALUATION OF THE ADEQUACY AND EFFECTIVENESS OF ENVIRONMENTAL, HEALTH AND SAFETY CONTROLS.

V. MANAGEMENT OF THE ENVIRONMENTAL, HEALTH AND SAFETY AUDITING FUNCTION

THE DIRECTOR OF ENVIRONMENTAL, HEALTH AND SAFETY AUDITING SHALL PROPERLY MANAGE THE ENVIRONMENTAL, HEALTH AND SAFETY AUDITING FUNCTION.


Performance Standards for the Professional Practice of Environmental, Health & Safety Auditing

General Standards are required for the CPEA. Following the five General Standards are Performance Standards which are a means for conforming with the General Standards.

I. INDEPENDENCE

ENVIRONMENTAL, HEALTH AND SAFETY AUDITORS SHALL BE OBJECTIVE AND INDEPENDENT OF THE ACTIVITIES THEY AUDIT, FREE OF CONFLICT OF INTEREST IN ANY SPECIFIC SITUATION, AND NOT SUBJECT TO INTERNAL OR EXTERNAL PRESSURE TO INFLUENCE THEIR FINDINGS.

♦ EH&S Auditors should be free from personal or organizational bias, and internal or external influences on their judgment or authority, whether implied or direct.

♦ Conflicts of interest should be communicated to the appropriate personnel.

♦ Objective EH&S auditors should base findings on observed, measurable, and verifiable evidence.

♦ Internal EH&S audit functions should have a reporting relationship to the board of directors that is independent of the auditee.

II. PROFESSIONAL PROFICIENCY

ENVIRONMENTAL, HEALTH, AND SAFETY AUDITS SHALL BE PERFORMED WITH PROFICIENCY AND DUE PROFESSIONAL CARE.

♦ Auditors should have adequate qualifications, technical knowledge, training, and proficiency in the discipline of auditing to perform their assigned audit tasks. Proficiency is the responsibility of the organization managing auditing activities and of each individual auditor. Qualifications of the assigned audit team should be commensurate with the objectives, scope, and complexities of the audit assignment.

♦ Organizations and individuals responsible for planning the audit engagement should establish suitable educational and professional experience criteria for auditors. Auditor proficiency and professional experience should be adequate to achieve audit objectives and may include any or all of the following:

a. Auditing processes, procedures, and techniques.

b. Characteristics and analysis of management systems.

c. Regulatory requirements and EH&S policies.

d. EH&S protection systems and technologies.

e. Facility operations.

f. Potential EH&S impacts and hazards/risks associated with the types of facilities and operations to be audited.

♦ Auditors should have demonstrated abilities in areas needed to perform audits, including, but not limited to:

a. Interpersonal and communication skills.

b. Work scheduling and planning.

c. Analytical abilities to evaluate potential deficiencies noted during the audit.

♦ Auditors should exercise due professional care in performing EH&S audits.

III. PERFORMANCE OF AUDIT WORK

AUDIT WORK SHALL INCLUDE PLANNING THE AUDIT, EXAMINING AND EVALUATING INFORMATION, AND COMMUNICATING RESULTS.

♦ The EH&S auditor is responsible for planning and conducting the audit assignment, subject to supervisory review and approval.

♦ When conducting an audit, the following should be incorporated in the audit work process:

a. The audit planning process involves establishing goals, audit work schedules, staffing plans, and activity reports.

b. EH&S auditors should use due care in examining and evaluating information they gather. This information should be sufficient, complete, relevant and useful to provide a sound basis for audit findings and recommendations.

c. As the audit progresses, EH&S auditors should communicate results, including findings and recommendations, to appropriate levels of management.

d. Before issuing a final report, an exit conference should be held with management to discuss the auditor’s findings and recommendations.

e. A signed, written report should be issued at the conclusion of the audit.

f. Timely follow-up audits should be conducted to ensure appropriate corrective action on any audit findings remaining unresolved at the end of the audit.

g. A signed, written report should be issued on the results of the follow-up audit.

IV. SCOPE OF AUDIT PROGRAM

THE SCOPE OF THE ORGANIZATION’S ENVIRONMENTAL, HEALTH AND SAFETY AUDIT PROGRAM SHALL ENCOMPASS THE EXAMINATION AND EVALUATION OF THE ADEQUACY AND EFFECTIVENESS OF ENVIRONMENTAL, HEALTH AND SAFETY CONTROLS.

♦ The audit program objectives should articulate senior management’s and the board’s expectations for the audit program. It is the responsibility of the director to establish a scope that achieves the program objectives. The scope should address:

a. Geographic and/or business system focus of audit activity.

b. Subjects or topics to be audited.

c. The thoroughness or depth of audit activity.

d. Scheduling and frequency of audits.

e. General criteria against which audits will be conducted and findings established.

♦ Senior management and the board provide general direction as to the scope of work and the activities to be audited. The director should obtain concurrence from senior management that the audit program objectives meet their expectations.

♦ The scope of EH&S auditing work, as specified in these Standards, encompasses what audit work should be performed.

♦ The scope of an individual EH&S audit should be defined in advance, and the audit criteria selected and agreed upon prior to beginning the audit. Agreement on required audit resources is part of the scope. Audit scope may include but is not limited to the following:

a. Determining whether the organization is in compliance with regulatory requirements and laws, such as permits, reporting requirements, and consent orders.

b. Evaluating the effectiveness of the EH&S management and control systems that are in place to manage the organization’s risks.

c. Identifying opportunities where waste can be minimized and pollution eliminated at the source.

d. Reviewing the means of protecting physical assets through loss prevention measures.

e. Assessing and managing the risk of receiving, buying, or selling real estate or making loans secured by real estate.

f. Assessing the hazardous material and waste management practices of an organization’s contract operators.

g. Protecting worker health and safety.

♦ EH&S auditors perform evaluations at specific points in time but should be alert to actual or potential changes in conditions which affect the ability to provide assurance from a forward-looking perspective. In those cases, EH&S auditors should address the risk that performance may deteriorate.

♦ An audit program should include provisions for timely follow-up to ensure appropriate corrective action on any audit findings remaining uncorrected at the end of the audit.

V. MANAGEMENT OF THE ENVIRONMENTAL, HEALTH AND SAFETY AUDITING FUNCTION

THE DIRECTOR OF ENVIRONMENTAL, HEALTH AND SAFETY AUDITING SHALL PROPERLY MANAGE THE ENVIRONMENTAL, HEALTH AND SAFETY AUDITING FUNCTION.

♦ Senior management and the board of directors should articulate a clear statement of program expectations for an audit program to be effective. They should commit sufficient resources, not only to implement and maintain the program, but also to correct nonconformities in an appropriate and timely manner. Senior management sets the tone for the success of an audit program by:

a. Directing that managers at all levels cooperate fully with audit teams.

b. Showing interest in the results of audits.

c. Insisting on timely correction of nonconformities identified in the course of audits.

♦ The director of EH&S auditing is responsible for properly managing the function so that:

a. Audit work fulfills the general purposes and responsibilities accepted by senior management and the board.

b. Resources of the EH&S auditing function are efficiently and effectively employed.

c. Audit work conforms to the Standards.

d. Audit work is coordinated between internal and external audit efforts.

♦ An audit program should have written policies and/or procedures (hereafter referred to only as procedures) to describe the scope and operation of the program and individual audit activities. The mechanism for initiating, approving, updating, distributing, and retaining these program procedures should also be documented. The procedures should be consistent with these Standards, the organization’s written policies, the board of directors’ and senior management’s expectations, and actual practice.

♦ Procedures should be documented in a program description. Any departure from these Standards should be documented in the program description and discussed with senior management. An audit program should include the following key elements:

Audit Program Objective and Scope: Describes the objectives and scope of the audit program, including any departure from the Standards.

Audit Program Organization: Describes the organization, staffing, authority, minimum qualifications and training of audit program personnel, and the composition and selection of audit team members.

Selection of Audit Sites, Subjects and Frequency: Describes the rationale and methodology for selecting and scheduling sites and subjects to be audited.

Protocols, Checklists and Guides: Establishes the development, approval, usage, updating and retention of audit protocols and questionnaires.

Pre-Audit Activity: Describes the timing and content of pre-audit activities, including scheduling and information-gathering mechanisms.

On-Site Activity: Establishes procedures and identifies audit activities that take place at the facility.

Audit Reporting and Document Management: Defines the purpose, content, use, review, approval, access, distribution and retention period of each type of audit program document produced.


Post-Audit Activity: Describes the procedures, responsibilities and timing for development and implementation of action plans and follow-up mechanisms to correct nonconformities.

Quality Assurance: Describes quality assurance mechanisms that are built into the audit procedures. Defines responsibility for each quality assurance function.


Standards for the Professional Practice of Environmental, Health and Safety Auditing

*Performance Practices Section Only*

Performance Practices are suggested methodologies for the implementation of the Standards and are not mandatory. These Performance Practices are provided for guidance and are not the only possible method for implementing the Standards.

BOARD OF ENVIRONMENTAL, HEALTH & SAFETY AUDITOR CERTIFICATIONS
249 Maitland Avenue
Altamonte Springs, Florida 32701-4201


Performance Practices

Performance Practices are suggested methodologies for the implementation of the Standards and are not mandatory. These Performance Practices are provided for guidance and are not the only possible method for implementing the Standards.

I. INDEPENDENCE

A. Organizational Status

EH&S auditors should have the support of senior management and of the board so that they can gain the cooperation of auditees and perform their work free from interference.

a. The director of the EH&S auditing function should be responsible to an individual in the organization with sufficient authority to promote independence and to ensure broad audit coverage, adequate consideration of audit reports, and appropriate action on audit recommendations.

b. The purpose, authority, and responsibility of the EH&S auditing function should be defined in a formal written document (charter).

c. The director should regularly communicate with the board to assure independence and provide a means for the board to be informed on matters involving environmental performance.

d. The director of EH&S auditing should submit an annual summary of the function’s audit activities, staffing plan and budget to senior management for approval and to the board for its information. Audit activities, staffing plans, and budgets should be included to inform senior management and the board of the scope of EH&S auditing and of any limitations placed on that scope.

e. The director of EH&S auditing should submit activity reports to senior management and to the board at least annually. Activity reports should summarize significant audit findings and recommendations and should inform senior management and the board of any significant deviations from approved audit work schedules, staffing plans, and budgets, and the reasons for them.

f. The board should concur in the appointment or removal of the director of the EH&S auditing function.

g. The director, audit team leaders and auditors may or may not be members of the organization for which the audit program is being implemented. While this may preclude conformance with certain standards, EH&S auditors are required to conform to all standards within their control. Deviations should be documented.


B. Objectivity

1. Objectivity is an independent mental attitude which EH&S auditors should maintain in performing audits. EH&S auditors are not to subordinate their judgment on audit matters to that of others.

2. Objectivity requires EH&S auditors to perform audits in such a manner that they have an honest belief in their work product and that no significant quality compromises are made. EH&S auditors are not to be placed in situations in which they feel unable to make objective professional judgments.

a. Staff assignments should be made so that potential and actual conflicts of

interest and bias are avoided. The director should periodically obtain from the EH&S auditing staff information concerning potential conflicts of interest and bias.

b. EH&S auditors should report to the director any situations in which a conflict of

interest or bias is present or may reasonably be inferred. The director should then reassign such auditors.

c. Staff assignments of EH&S auditors should be rotated periodically whenever it

is practicable to do so. d. EH&S auditors should not assume operating responsibilities. But if on occasion

senior management directs EH&S auditors to perform non-audit work, it should be understood that they are not functioning as EH&S auditors. Moreover, objectivity is presumed to be impaired when EH&S auditors audit any activity for which they had authority or responsibility. This impairment should be considered when reporting audit results.

e. Persons transferred to or temporarily engaged by the EH&S auditing function

should not be assigned to audit those activities they previously performed until a reasonable period of time has elapsed. Such assignments are presumed to impair objectivity and should be considered when supervising audit activities and reporting audit results.

f. The results of EH&S auditing activities should be reviewed before the related

audit report is released to provide reasonable assurance that the activity was performed objectively.

3. The EH&S auditor’s objectivity is not adversely affected when the auditor

recommends standards of control for systems or reviews procedures before they are implemented. Designing, installing, and operating systems are not audit activities. Also, the drafting of procedures for systems is not an appropriate audit activity. Performing such activities is presumed to impair audit objectivity.

4. The director should assure that the audit team leader and auditors are

independent of the audit site and activity to be audited, free of conflict of interest in any specific situation, and not subject to internal or external pressures to influence the findings. Auditors should neither report to nor derive their compensation directly from the site being audited.


II. PROFESSIONAL PROFICIENCY

The EH&S Auditing Function

A. Staffing

1. The director of EH&S auditing should establish suitable criteria for education and experience for filling EH&S auditing positions, giving due consideration to scope of work and level of responsibility.

2. Reasonable assurance should be obtained as to each prospective auditor’s qualifications and proficiency.

B. Knowledge, Skills and Disciplines

1. The EH&S auditing staff should collectively possess the knowledge and skills essential to the practice of the profession within the organization. These attributes include proficiency in applying EH&S auditing standards, procedures, and techniques.

2. The EH&S auditing function should have employees or use outside service providers who are qualified in disciplines such as auditing, environmental sciences, health and safety, industrial hygiene, information technology, engineering, law, other sciences, and other such areas as needed to meet the function’s audit responsibilities. Each member of the function, however, need not be qualified in all disciplines.

3. The director should ensure that auditors and audit team leaders are properly trained and have the experience necessary to carry out their assigned roles. The composition of audit teams, the rationale for selection of team members, and their roles on the team should be defined.

4. The director should promote auditor competence and ensure that each auditor consistently demonstrates knowledge of auditing procedures and methods, and a current understanding of applicable criteria. A program of continuing training is recommended. Audit program management should observe, review and evaluate auditor performance. Auditors that do not meet minimum standards should be retrained or moved to other assignments.

C. Supervision

1. The director of EH&S auditing is responsible for ensuring that appropriate audit supervision is provided. Supervision is a process which begins with planning and continues throughout the examination, evaluation, report, and follow-up phases of the audit assignment.

2. Supervision includes:

a. Ensuring that the auditors assigned possess the requisite knowledge and skills.


b. Providing appropriate instructions during the planning of the audit and approving the audit program.

c. Seeing that the approved audit program is carried out unless changes are both justified and authorized.

d. Determining that audit working papers adequately support the audit findings, conclusions, and reports.

e. Ensuring that audit reports are accurate, objective, clear, concise, constructive, and timely.

f. Ensuring that audit objectives are met.

g. Providing opportunities for developing EH&S auditors’ knowledge and skills.

3. Appropriate evidence of supervision should be documented and retained.

4. The extent of supervision required will depend on the proficiency and experience of EH&S auditors and the complexity of the audit assignment. Appropriately experienced EH&S auditors may be utilized to review the work of other EH&S auditors.

5. All EH&S auditing assignments, whether performed by or for the EH&S auditing function, remain the responsibility of its director. The director is responsible for all significant professional judgments made in the planning, examination, evaluation, report, and follow-up phases of the audit assignment. The director should adopt suitable means to ensure that this responsibility is met. Suitable means include policies and procedures designed to:

a. Minimize the risk that professional judgments may be made by EH&S auditors, or others performing work for the EH&S auditing function, that are inconsistent with the professional judgment of the director such that a significant adverse effect on the audit assignment could result.

b. Resolve differences in professional judgment between the director and EH&S auditing staff members over significant issues relating to the audit assignment. Such means may include: (a) discussion of pertinent facts; (b) further inquiry and/or research; and (c) documentation and disposition of the differing viewpoints in the audit working papers. In instances of a difference in professional judgment over an ethical issue, suitable means may include referral of the issue to those individuals in the organization having responsibility over ethical matters.

6. Supervision extends to staff training and development, employee performance evaluation, time and expense control, and similar administrative areas.

The Environmental, Health and Safety Auditor

A. Compliance with Standards of Conduct

The Code of Ethics of the Board of Environmental, Health & Safety Auditor Certifications sets forth standards of conduct and provides a basis for enforcement. The Code calls for high standards of honesty, objectivity, diligence, and loyalty to which EH&S auditors should conform.

B. Knowledge, Skills, and Disciplines

1. Each EH&S auditor should possess certain knowledge and skills as follows:

a. Proficiency in applying EH&S auditing standards, procedures, and techniques is required in performing EH&S audits. Proficiency means the ability to apply knowledge to situations likely to be encountered and to deal with them without extensive recourse to technical research and assistance.

b. Proficiency in EH&S principles and techniques is required of auditors who work extensively with EH&S records and reports.

c. An understanding of management principles is required to recognize and evaluate the materiality and significance of deviations from good business practice. An understanding means the ability to apply broad knowledge to situations likely to be encountered, to recognize significant deviations, and to be able to carry out the research necessary to arrive at reasonable solutions.

d. An appreciation is required of the fundamentals of such subjects as auditing, environmental sciences, health, and safety, industrial hygiene, information technology, engineering, law, and other sciences. An appreciation means the ability to recognize the existence of problems or potential problems and to determine the further research to be undertaken or the assistance to be obtained.

2. At a minimum, auditors should have completed secondary education and preferably a college degree. They should have training to the extent necessary to ensure competency in the skills required for carrying out their roles in audits. Audit team leaders should have the skills and knowledge required to manage audits. Competence in the following areas is particularly relevant.

a. Knowledge and understanding of the criteria (e.g., policies, statutes, regulations, agency guidelines, internal standards, etc.) and the management systems and operations being audited.

b. Techniques for examining, interviewing, verifying, evaluating and reporting.

c. Communication (both written and oral) and interpersonal skills.

d. For team leaders, the skills of planning, organizing and directing.

3. Additional auditor qualifications are outlined in the BEAC certification program requirements.

C. Human Relations and Communications

1. EH&S auditors should understand human relations and maintain satisfactory relationships with auditees.


2. EH&S auditors should be skilled in oral and written communications so that they can clearly and effectively convey such matters as audit objectives, evaluations, conclusions, and recommendations.

D. Continuing Education

EH&S auditors are responsible for continuing their education in order to maintain their proficiency. They should keep informed about improvements and current developments in EH&S auditing standards, procedures, and techniques. Continuing education may be obtained, for example, through membership and participation in professional societies; attendance at conferences, seminars, college courses, and in-house training programs; and participation in research projects.

E. Due Professional Care

1. Due professional care calls for the application of the care and skill expected of a reasonably prudent and competent EH&S auditor in the same or similar circumstances. Professional care should, therefore, be appropriate to the complexities of the audit being performed. In exercising due professional care, EH&S auditors should be alert to the possibility of errors and omissions, inefficiency, waste, ineffectiveness, and conflicts of interest. They should also be alert to those conditions and activities where non-compliance is most likely to occur. In addition, they should identify inadequate controls and recommend improvements to promote conformance with acceptable procedures and practices.

2. Due care implies reasonable care and competence, not infallibility or extraordinary performance. Due care requires the auditor to conduct examinations and verifications to a reasonable extent. Accordingly, EH&S auditors cannot give absolute assurance that non-compliance does not exist.

3. When an EH&S auditor suspects a potentially serious issue, the senior management within the organization should be informed. The EH&S auditor may recommend whatever investigation is considered necessary in the circumstances. Thereafter, the auditor should follow up to see that the EH&S auditing function’s responsibilities have been met.

4. Exercising due professional care means using reasonable audit skill and judgment in performing the audit. To this end, the EH&S auditor should consider:

a. The extent of audit work needed to achieve audit objectives.

b. The relative materiality or significance of matters to which audit procedures are applied.

c. The adequacy and effectiveness of EH&S controls.

5. Due professional care includes evaluating established operating standards and determining whether those standards are acceptable and are being met. When such standards are vague, authoritative interpretations should be sought. If EH&S auditors are required to interpret or select operating standards, they should seek agreement with auditees as to the standards needed to measure operating performance.


6. Due professional care is the application of diligence and skill in performing audits. Exercising due professional care means assuring accuracy, consistency, and objectivity in the performance of audits; using good judgment in choosing tests and procedures; developing conclusions and, if necessary, recommendations; and preparing reports.

• Auditors should conscientiously complete audits in conformance with these auditing standards.
• Auditors should apply established auditing standards consistently, and should seek authoritative interpretations when such standards are conflicting or vague.
• Auditors should conclude that sufficient and reasonable evidence exists to allow formation of opinions.

7. The relationship between the audit team members and the client should be one of confidentiality and discretion. Unless required by law, the audit team members should not disclose information or documents obtained during the audit or the final report to any third party without the express approval of the client, and where appropriate, with approval of the auditee.

III. PERFORMANCE OF AUDIT WORK

A. Planning the Audit

1. Audits should be based on use of systematic plans and procedures that provide uniform guidance in audit preparation, field work, and reporting. Explicit written plans and procedures promote consistency and uniformity of approach.

2. The objectives of an audit should be clearly established and fully communicated beforehand to the auditee. The objectives of specific audits should be consistent with the needs of intended recipients of audit results and the provisions of these standards.

3. Pre-audit planning is an essential part of an effective audit. The audit objective, scope and general methodology should be conveyed to the auditee, as this will establish appropriate expectations for the roles and involvement of site personnel. Pre-audit planning can facilitate arrangements for on-site meetings, file reviews, tours and interviews. Furthermore, advance research and information requests concerning on-site conditions, activities and obligations can enable the audit team to properly focus and maximize productivity during its time on-site. The program design should establish the timing and content of pre-audit communications and information gathering activities.

4. Protocols, checklists and/or guides that reflect the scope of the audit should be used when auditors review operations against audit criteria, in order to ensure consistency and reliability. The program should address the need to keep such materials up-to-date, to ensure that they address changes in regulations, organizational policy, operational activities, or any other criteria about which the program is intended to provide assurance. Procedures for the development, approval, retention and use of such audit protocols, checklists and/or guides should be established.

5. Planning should be documented and should include:

a. Establishing audit objectives and scope of work.

(1) Audit objectives are broad statements developed by EH&S auditors and define intended audit accomplishments. Audit procedures are the means to attain audit objectives. Audit objectives and procedures, taken together, define the scope of the EH&S auditor’s work.

(2) Audit objectives and procedures should address the risks associated with the activity under audit. The term risk is the probability that an event or action may adversely affect the activity under audit.

(3) EH&S auditors should assess risk for individual audit assignments as outlined in Section V of these Performance Practices.

(4) The purpose of the risk assessment during the planning phase of the audit is to identify significant areas of the auditable activity.

b. Obtaining background information about the activities to be audited. (Pre-Audit)

(1) A review of background information should be performed to determine the impact on the audit. Such items include:

• Objectives and goals.
• Policies, plans, procedures, laws, regulations, and contracts which could have a significant impact on operations and reports.
• Organizational information, e.g., number and names of employees, key employees, job descriptions, and details about recent changes in the organization, including major system changes.
• Operating information and EH&S data of the activity to be audited.
• Prior audit working papers.
• Results of other audits, including the work of external auditors, completed or in process.
• Files to determine potential significant audit issues.
• Authoritative and technical literature appropriate to the activity.

(2) Other requirements of the audit, such as the audit period covered and estimated completion dates, should be determined. The final audit report format should be considered, since proper planning at this stage facilitates writing the final audit report.

c. Determining the resources necessary to perform the audit.

(1) The number and experience level of the EH&S auditing staff required should be based on an evaluation of the nature and complexity of the audit assignment, time constraints, and available resources.


(2) Knowledge, skills, and disciplines of the EH&S auditing staff should be considered in selecting EH&S auditors for the audit assignment.

(3) Training needs of EH&S auditors should be considered, since each audit assignment serves as a basis for meeting developmental needs of the EH&S auditing function.

(4) Consideration of the use of external resources in instances where additional knowledge, skills, and disciplines are needed.

d. Communicating with all who need to know about the audit.

(1) Meetings should be held with management responsible for the activity being examined. Topics of discussion may include:

• Planned audit objectives and scope of work.
• The timing of audit work.
• EH&S auditors assigned to the audit.
• The process of communicating throughout the audit, including the methods, time frames, and individuals who will be responsible.
• Business conditions and operations of the activity being audited, including recent changes in management or major systems.
• Concerns or any requests of management.
• Matters of particular interest or concern to the EH&S auditor.
• Description of the EH&S auditing function’s reporting procedures and follow-up process.

(2) A summary of matters discussed at meetings and any conclusions reached should be prepared, distributed to individuals, as appropriate, and retained in the audit working papers.

e. Performing, as appropriate, a pre-audit survey to become familiar with the activities and controls to identify areas for audit emphasis, and to invite auditee comments and suggestions.

(1) A survey is a process for gathering information, without detailed verification, on the activity being examined. The main purposes are to:

• Understand the activity under review.
• Identify significant areas warranting special emphasis.
• Obtain information for use in performing the audit.
• Determine whether further auditing is necessary.

(2) A survey permits an informed approach to planning and carrying out audit work, and is an effective tool for applying the EH&S auditing function’s resources where they can be used most effectively.

(3) The focus of a survey will vary depending upon the nature of the audit.

(4) The scope of work and the time requirements of a pre-audit survey will vary. Contributing factors include the EH&S auditor’s training and experience, knowledge of the activity being examined, the type of audit being performed, and whether the survey is part of a recurring or follow-up assignment. Time requirements will also be influenced by the size and complexity of the activity being examined, and by the geographical dispersion of the activity.

(5) Working papers may involve use of the following:

• Discussions with the auditee.
• Interviews with individuals affected by the activity, e.g., users of the activity’s output.
• On-site observations.
• Review of management reports and studies.
• Analytical auditing procedures.
• Flowcharting.
• Functional “walk-thru” (tests of specific work activities from beginning to end).
• Documenting key control activities.

(6) A summary of results should be prepared at the conclusion of the survey. The summary should identify:

• Significant audit issues and reasons for pursuing them in more depth.
• Pertinent information developed during the survey.
• Audit objectives, audit procedures, and special approaches such as computer-assisted audit techniques.
• Potential critical control points, control deficiencies, and/or excess controls.
• Preliminary estimates of time and resource requirements.
• Revised dates for reporting phases and completing the audit.
• When applicable, reasons for not continuing the audit.

f. Writing the audit work plan.

The audit work plan should:

• Document the EH&S auditor’s procedures for collecting, analyzing, interpreting, and documenting information during the audit.

• State the objectives of the audit.
• Set forth the scope and degree of testing required to achieve the audit objectives in each phase of the audit.
• Identify technical aspects, processes, and transactions which should be examined.
• State the nature and extent of testing required.
• Be prepared prior to the commencement of audit work and modified, as appropriate, during the course of the audit.

g. Determining how, when, and to whom audit results will be communicated.

The director of EH&S auditing is responsible for determining how, when, and to whom audit results will be communicated. This determination should be documented and communicated to management, to the extent deemed practical, during the planning phase of the audit. Subsequent changes which affect the timing or reporting of audit results should also be communicated to management, if appropriate.

h. Obtaining approval of the audit work plan.


(1) Audit work plans should be approved in writing by the director of EH&S auditing or designee prior to the commencement of audit work.

(2) Adjustments to audit work plans should be approved in a timely manner.

i. Fieldwork should be properly planned, implemented, and supervised, to foster efficiency and consistency and to achieve audit objectives. Effective supervision and leadership are necessary parts of EH&S auditing.

• A team leader should supervise fieldwork performed by members of the audit team.
• Audit fieldwork should be conducted in accordance with a prepared protocol and an established audit plan.
• While on-site, auditors should gather information necessary to fulfill the audit objectives. The information collected should be relevant, accurate, and sufficient to support findings, conclusions, and recommendations. Appropriate sampling schemes should be utilized in selecting samples.

B. Examining and Evaluating Information

1. The process of examining and evaluating information is as follows:

a. Information should be collected on all matters related to the audit objectives and scope of work.

(1) Audit evidence should be collected through interviews, examination of documents and observation of activities and conditions, such as facility and equipment inspections. Indications of non-conformity to the audit criteria should be recorded.

(2) Information gathered through interviews should be verified by acquiring supporting information from independent sources, such as observations, records and results of existing measurements. Non-verifiable statements should be identified as such.

(3) The audit team should examine the basis of relevant sampling programs and the procedures for ensuring effective quality control of sampling and measurement processes used by the auditee as part of its activities.

b. EH&S auditors use auditing procedures when examining and evaluating information.

(1) Auditing procedures are performed by studying and comparing relationships among both EH&S and non-EH&S information.

(2) The application of auditing procedures is based on the premise that, in the absence of known conditions to the contrary, relationships among information may reasonably be expected to exist and continue. Examples of contrary conditions include unusual or nonrecurring documentation or events; organizational, operational, EH&S, and technological changes; inefficiencies; ineffectiveness; errors; or irregularities.


(3) Auditing procedures provide EH&S auditors with an efficient and effective means of making an assessment of information collected in an audit. The assessment results from comparing such information with expectations identified or developed by the EH&S auditor.

(4) Auditing procedures are useful in identifying, among other things:

• Differences that are not expected.
• The absence of differences when they are expected.
• Potential errors.
• Potential irregularities.
• Other unusual or nonrecurring documentation or events.

(5) Auditing procedures may include:

• Comparison of current period information with similar information for prior periods.

• Study of relationships of EH&S information with the appropriate non-EH&S information.

• Study of relationships among elements of information.
• Comparison of information with similar information for other organizational units.
• Comparison of information with similar information for the industry in which the organization operates.

(6) Auditing procedures assist EH&S auditors in identifying conditions which may require subsequent auditing procedures.

(7) Auditing procedures should also be used during the audit to examine and evaluate information to support audit results. EH&S auditors should consider the following factors in determining the extent to which analytical auditing procedures should be used:

• The significance of the area being examined.
• The adequacy of the system of internal control.
• The availability and reliability of EH&S and non-EH&S information.
• The precision with which the results of analytical auditing procedures can be predicted.
• The availability and comparability of information regarding the industry in which the organization operates.
• The extent to which other auditing procedures provide support for audit results.

After evaluating the aforementioned factors, EH&S auditors should consider and use additional auditing procedures, as necessary, to achieve the audit objective.

(8) When auditing procedures identify unexpected results or relationships, EH&S auditors should examine and evaluate such results or relationships.

(9) The examination and evaluation of unexpected results or relationships from applying auditing procedures should include inquiries of management and the application of other auditing procedures until EH&S auditors are satisfied that the results or relationships are sufficiently explained.


(10) Unexplained results or relationships from applying auditing procedures may be indicative of a significant condition such as a potential error, irregularity, or illegal act.

(11) Results or relationships from applying auditing procedures that are not sufficiently explained should be communicated to the appropriate levels of management. EH&S auditors may recommend appropriate courses of action, depending on the circumstances.

c. Information should be sufficient, competent, relevant, and useful to provide a sound basis for audit findings and recommendations.

(1) Sufficient information is factual, adequate, and convincing so that a prudent, informed person would reach the same conclusions as the auditor.

(2) Competent information is reliable and the best attainable through the use of appropriate audit techniques.

(3) Relevant information supports audit findings and recommendations and is consistent with the objectives of the audit.

d. Audit procedures, including the testing and sampling techniques employed, should be selected in advance, where practicable, and expanded or altered if circumstances warrant.

e. The process of collecting, analyzing, interpreting, and documenting information should be supervised to provide reasonable assurance that the auditor’s objectivity is maintained and that audit goals are met.

2. Working papers that document the audit should be prepared by the auditor and reviewed by the management of the EH&S auditing function. These papers should record the information obtained and the analyses made and should support the bases for the findings and recommendations to be reported.

a. Audit working papers generally serve to:

• Provide the principal support for the EH&S audit report.
• Aid in the planning, performance, and review of audits.
• Document whether the audit objectives were achieved.
• Facilitate third-party reviews.
• Provide a basis for evaluating the EH&S auditing function’s quality assurance program.
• Provide support in circumstances such as EH&S claims cases, and lawsuits.
• Aid in the professional development of the EH&S auditing staff.
• Demonstrate the EH&S auditing function’s compliance with the Standards for the Professional Practice of Environmental, Health and Safety Auditing.


b. The organization, design, and content of audit working papers will depend on the nature of the audit. Audit working papers should, however, document the following aspects of the audit process:

• Planning.
• The examination and evaluation of the adequacy and effectiveness of the system of EH&S control.
• The auditing procedures performed, the information obtained, and the conclusions reached.
• Review.
• Reporting.
• Follow-up.

c. Audit working papers should be complete and include support for audit conclusions reached.

d. Among other things, audit working papers may include:

• Planning documents and audit programs.
• Control questionnaires, flowcharts, checklists, and narratives.
• Notes and memoranda resulting from interviews.
• Organizational data, such as organization charts and job descriptions.
• Copies of important contracts and agreements.
• Information about operating and EH&S policies.
• Results of control evaluations.
• Letters of confirmation and representation.
• Analysis and tests of transactions, processes, and programs.
• Results of auditing procedures.
• The audit report and management’s responses.
• Audit correspondence if it documents audit conclusions reached.

e. Audit working papers may be in the form of paper, disks, diskettes, films, or other media. If audit working papers are in the form of media other than paper, consideration should be given to generating backup copies.

f. If EH&S auditors are reporting on EH&S information, the audit working papers should document whether the records agree or reconcile with such information.

g. Some audit working papers may be categorized as permanent or carry-forward audit files. These files generally contain information of continuing importance.

h. The director of EH&S auditing should establish policies for the types of audit working paper files maintained, stationery used, indexing and other related matters. Standardized audit working papers such as questionnaires and audit programs may improve the efficiency of an audit and facilitate the delegation of audit work.

i. The following are typical audit working paper preparation techniques:

• Each audit working paper should contain a heading. The heading usually consists of the name of the organization or activity being examined, a title or description of the contents or purpose of the working paper, and the date or period covered by the audit.
• Each audit working paper should be signed (or initialed) and dated by the EH&S auditor.
• Each audit working paper should contain an index or reference number.
• Audit verification symbols (tick marks) should be explained.
• Sources of data should be clearly identified.

j. All audit working papers should be reviewed to ensure that they properly support the audit report and that all necessary auditing procedures have been performed. Evidence of supervisory review should be documented in the audit working papers. The director of EH&S auditing has overall responsibility for review but may designate appropriately experienced members of the EH&S auditing function to perform the review.

k. Evidence of supervisory review should consist of the reviewer initialing and dating each working paper after it is reviewed.

l. Other review techniques that provide evidence of supervisory review include completing an audit working paper review checklist and/or preparing a memorandum specifying the nature, extent, and results of the review.

m. Reviewers may make a written record (review notes) of questions arising from the review process. When clearing review notes, care should be taken to ensure that the working papers provide adequate evidence that questions raised during the review have been resolved. Acceptable alternatives with respect to disposition of review notes are as follows:

• Retain the review notes as a record of the questions raised by the reviewer and the steps taken in their resolution.
• Discard the review notes after the questions raised have been resolved and the appropriate audit working papers have been amended to provide the additional information requested.

n. Audit working papers are the property of the organization.

o. Audit working paper files should generally remain under the control of the EH&S auditing function and should be accessible only to authorized personnel.

p. Management and other members of the organization may request access to audit working papers. Such access may be necessary to substantiate or explain audit findings or to utilize audit documentation for other business purposes. These requests for access should be subject to the approval of the director of EH&S auditing.

q. Occasionally, EH&S and external auditors grant access to each other’s audit working papers. Access to audit working papers by external auditors should be subject to the approval of the director of EH&S auditing.

r. There are circumstances where requests for access to audit working papers and reports are made by parties outside the organization other than external auditors. Prior to releasing such documentation, the director of EH&S auditing should obtain the approval of senior management and/or legal counsel, as appropriate.

s. The director of EH&S auditing should develop retention requirements for audit working papers. These retention requirements should be consistent with the organization’s guidelines and any pertinent legal or other requirements.

C. Communicating Results

1. Clearly defined reporting procedures should be in place to ensure that reports communicating audit findings are accurate, complete, objective, clear, concise and timely. Audit reports should be prepared without prejudice.

2. Reports should be prepared for all audits as part of a formal process designed to ensure full disclosure of audit findings consistent with the recipients specified in the audit program. The perspectives and needs of all recipients should be considered in the preparation of reports. Audit results should be reported to appropriate levels of management in a manner that is easily understood by recipients.

3. Report content should be consistent with the purpose and scope of the audit. Where conclusions and recommendations are required as a part of the audit report, they should be based on sufficient, valid and documented evidence. Oral reports may be presented as a supplement to the formal written report.

At a minimum, the written report should contain the following basic information:

(a) Purpose, date and scope of the audit, including site description.
(b) Identity of the auditee(s) and the auditor(s).
(c) A description of criteria utilized in performing the audit.
(d) Any disclaimers, including any deviation from this standard or the established audit scope.
(e) Audit findings and all matters of concern noted by the audit team which indicate non-conformance with the predefined set of audit criteria.
(f) General instructions for response and/or follow-up.

4. Audit reports should be issued within the time period specified by the audit program description or the audit program manager. Written reports should be handled in a manner consistent with the written document management procedures. The format of the audit reports should be consistent within a company or other organizational entity.

5. Audit work plans should include written procedures for managing each type of document used or created during the audit. These procedures should specify each document’s purpose, content, distribution and retention periods which are consistent with legal, administrative and contractual requirements. In addition to audit reports and findings, other audit documentation may include the audit program description, working papers, plans for corrective action and records of completion of corrective action.

6. A signed, written report should be issued after the audit examination is completed. Interim reports may be written or oral and may be transmitted formally or informally.

a. Interim reports may be used to communicate information which requires immediate attention, to communicate a change in audit scope for the activity under review, or to keep management informed of audit progress when audits extend over a long period. The use of interim reports does not diminish or eliminate the need for a final report.

b. Summary reports highlighting audit results may be appropriate for levels of management above the auditee. They may be issued separately from or in conjunction with the final report.

c. The term signed means that the authorized EH&S auditor’s name should be manually signed in the report. Alternatively, the signature may appear on a cover letter. The EH&S auditor authorized to sign the report should be designated by the director of EH&S auditing.

d. If audit reports are distributed by electronic means, a signed version of the report should be kept on file in the EH&S auditing function.

7. EH&S auditors should discuss conclusions and recommendations at appropriate levels of management before issuing final written reports.

a. Discussion of conclusions and recommendations is usually accomplished during the course of the audit and/or at post-audit meetings (exit interviews). Another technique is the review of draft audit reports by management of the auditee. These discussions and reviews help ensure that there have been no misunderstandings or misinterpretations of fact by providing the opportunity for the auditee to clarify specific items and to express views of the findings, conclusions, and recommendations.

b. Although the level of participants in the discussions and reviews may vary by organization and by the nature of the report, they will generally include those individuals who are knowledgeable of detailed operations and those who can authorize the implementation of corrective action.

8. Reports should be objective, clear, concise, constructive, and timely.

a. Objective reports are factual, unbiased, and free from distortion. Findings, conclusions, and recommendations should be included without prejudice.

(1) If it is determined that a final audit report contains an error, the director of EH&S auditing should consider the need to issue an amended report which identifies the information being corrected. The amended audit report should be distributed to all individuals who received the audit report being corrected.

(2) An error is defined as an unintentional misstatement or omission of significant information in a final audit report.

b. Clear reports are easily understood and logical. Clarity can be improved by avoiding unnecessary technical language and providing sufficient supportive information.

c. Concise reports are to the point and avoid unnecessary detail. They express thoughts completely in the fewest possible words.

d. Constructive reports are those which, as a result of their content and tone, help the auditee and the organization and lead to improvements where needed.

e. Timely reports are those which are issued without undue delay and enable prompt effective action.

9. Reports should present the purpose, scope, and results of the audit; and, where appropriate, reports should contain an expression of the auditor’s opinion.

a. Although the format and content of the audit reports may vary by organization or type of audit, they should contain, at a minimum, the purpose, scope, and results of the audit.

b. If required, a statement of the confidential nature of the contents should be included in the report.

c. Audit reports may include background information and summaries. Background information may identify the organizational units and activities reviewed and provide relevant explanatory information. They may also include the status of findings, conclusions, and recommendations from prior reports. There may also be an indication of whether the report covers a scheduled audit or the response to a request. Summaries, if included, should be balanced representations of the audit report content.

d. Purpose statements should describe the audit objectives and may, where necessary, inform the reader why the audit was conducted and what it was expected to achieve.

e. Scope statements should identify the audited activities and include, where appropriate, supportive information such as time period audited. Related activities not audited should be identified if necessary to delineate the boundaries of the audit. The nature and extent of auditing performed also should be described.

f. Results may include findings, conclusions (opinions), and recommendations.

g. Findings are pertinent statements of fact. Those findings which are necessary to support or prevent misunderstanding of the EH&S auditor’s conclusions and recommendations should be included in the final audit report. Less significant information or findings may be communicated orally or through informal correspondence.


h. Audit findings emerge by a process of comparing what should be with what is. Whether or not there is a difference, the EH&S auditor has a foundation on which to build the report. When conditions meet the criteria, acknowledgment in the audit report of satisfactory performance may be appropriate. Findings should be based on the following attributes:

(1) Criteria: The standards, measures, or expectations used in making an evaluation and/or verification (what should exist).

(2) Condition: The factual evidence which the EH&S auditor found in the course of the examination (what does exist).

(3) Cause: The reason for the difference between the expected and actual conditions (why the difference exists).

(4) Effect: The risk or exposure the auditee organization and/or others encounter because the condition is not the same as the criteria (the impact of the difference). In determining the degree of risk or exposure, EH&S auditors should consider the effect their audit findings may have on the organization’s EH&S statements.

(5) Reported findings may also include recommendations, auditee accomplishments, and supportive information if not included elsewhere.

i. Conclusions (opinions) are the EH&S auditor’s evaluations of the effects of the findings on the activities reviewed. They usually put the findings in perspective based upon their overall implications. Audit conclusions, if included in the audit report, should be clearly identified as such. Conclusions may encompass the entire scope of an audit or specific aspects. They may cover, but are not limited to, whether operating or program objectives and goals conform with those of the organization, whether the organization’s objectives and goals are being met, and whether the activity under review is functioning as intended.

10. Reports may include recommendations for potential improvements and acknowledge satisfactory performance and corrective action.

a. Recommendations are based on the EH&S auditor’s findings and conclusions. They call for action to correct existing conditions or improve operations. Recommendations may suggest approaches to correcting or enhancing performance as a guide for management in achieving desired results. Recommendations may be general or specific. For example, under some circumstances, it may be desirable to recommend a general course of action and specific suggestions for implementation. In other circumstances, it may be appropriate only to suggest further investigation or study.

b. Auditee accomplishments, in terms of improvements since the last audit or the establishment of a well-controlled operation, may be included in the audit report. This information may be necessary to fairly represent the existing conditions and to provide a proper perspective and appropriate balance to the audit report.

11. The auditee’s views about audit conclusions or recommendations may be included in the audit report. As part of the EH&S auditor’s discussions with the auditee, the EH&S auditor should try to obtain agreement on the results of the audit and on a plan of action to improve operations, as needed. If the EH&S auditor and auditee disagree about the audit results, the audit report may state both positions and the reasons for the disagreement. The auditee’s written comments may be included as an appendix to the audit report. Alternatively, the auditee’s views may be presented in the body of the report or in a cover letter.

12. The director of EH&S auditing or designee should review and approve the final audit report before issuance and should decide to whom the report will be distributed.

a. The director of EH&S auditing or a designee should approve and may sign all final reports. If specific circumstances warrant, consideration should be given to having the auditor-in-charge, supervisor, or lead auditor sign the report as a representative of the director of EH&S auditing.

b. Audit reports should be distributed to those members of the organization who are able to ensure that audit results are given due consideration. This means that the report should go to those who are in a position to take corrective action or ensure that corrective action is taken. The final audit report should be distributed to management of the auditee. Higher-level members in the organization may receive only a summary report. Reports may also be distributed to other interested or affected parties such as external auditors and the board.

c. Certain information may not be appropriate for disclosure to all report recipients because it is privileged, proprietary, or related to improper or illegal acts. Such information, however, may be disclosed in a separate report. If the conditions being reported involve senior management, report distribution should be to the board of the organization.

D. Document Management

Audit work plans should include written procedures for managing each type of document used or created during the audit. These procedures should specify each document’s purpose, content, distribution and retention periods which are consistent with legal, administrative and contractual requirements. In addition to audit reports and findings, other audit documentation may include the audit program description, working papers, plans for corrective action and records of completion of corrective action.


E. Following Up

EH&S auditors should determine that corrective action was taken and is achieving the desired results, or that senior management or the board has assumed the risk of not taking corrective action on reported findings.

a. Follow-up by EH&S auditors is defined as a process by which they determine the adequacy, effectiveness, and timeliness of actions taken by management on reported audit findings. Such findings also include relevant findings made by external auditors and others.

b. Responsibility for follow-up should be defined in the EH&S auditing function’s written charter.

c. Management is responsible for deciding the appropriate action to be taken in response to reported audit findings. The director of EH&S auditing is responsible for assessing such management action for the timely resolution of the matters reported as audit findings. In deciding the extent of follow-up, EH&S auditors should consider procedures of a follow-up nature performed by others in the organization.

d. The board should be informed of senior management’s decision on all significant audit findings.

e. The nature, timing, and extent of follow-up should be determined by the director of EH&S auditing.

f. Factors to be considered in determining appropriate follow-up procedures include:

(1) The significance of the reported finding.
(2) The effort and cost needed to correct the reported condition.
(3) The risks that may occur should the corrective action fail.
(4) The complexity of the corrective action.
(5) The time period involved.

g. Certain reported findings may be so significant as to require immediate action by management. These conditions should be monitored by EH&S auditors until corrected because of the effect they may have on the organization.

h. There may also be instances where the director of EH&S auditing judges that management’s oral or written response shows that action already taken is sufficient when weighed against the relative importance of the audit finding. On such occasions, follow-up may be performed as part of the next audit.

i. EH&S auditors should ascertain that actions taken on audit findings remedy the underlying conditions.


j. The director of EH&S auditing is responsible for scheduling follow-up activities as part of developing audit work schedules.

k. Scheduling of follow-up should be based on the risk and exposure involved, as well as the degree of difficulty and the significance of timing in implementing corrective action.

l. The director of EH&S auditing should establish procedures to include the following:

(1) A time frame within which management’s response to the audit findings is required.

(2) An evaluation of management’s response.

(3) A verification of the response (if appropriate).

(4) A follow-up audit (if appropriate).

(5) A reporting procedure that escalates unsatisfactory responses/actions, including the assumption of risk, to the appropriate levels of management.

m. Techniques used to effectively accomplish follow-up include:

(1) Addressing audit report findings to the appropriate levels of management responsible for taking corrective action.

(2) Receiving and evaluating management responses to audit findings during the audit or within a reasonable time period after the report is issued. Responses are more useful if they include sufficient information for the director of EH&S auditing to evaluate the adequacy and timeliness of corrective action.

(3) Receiving periodic updates from management in order to evaluate the status of management’s efforts to correct previously reported conditions.

(4) Receiving and evaluating reports from other organizational units assigned responsibility for procedures of a follow-up nature.

(5) Reporting to senior management or the board on the status of responses to audit findings.

F. Corrective Action Planning and Tracking

1. Senior management should provide for procedures to develop and implement corrective actions and verify their completion. The audit program description should specify procedures and responsibilities for monitoring the status of action plan implementation. Audit program management will not necessarily be assigned any responsibilities for developing or monitoring the status of corrective actions.

Corrective action procedures should include:


a. Development of a corrective action plan by those responsible for correcting the non-conformities noted. Action plans developed to address audit findings should:

• Describe actions to be taken to correct and prevent the recurrence of all non-conformities identified in the course of audits;
• Identify persons responsible for the actions; and
• Identify a target date for completion of each action.

b. Review and approval of the plan by a level of management capable of assuring corrective action.

c. Monitoring mechanisms to verify progress toward the ultimate completion of the plan.

2. The director should be part of the review process to assure that all non-conformities are adequately addressed. All documents associated with corrective action planning and follow-up should be handled in accordance with written document management procedures.

IV. SCOPE OF AUDIT PROGRAM

A. Accomplishment of Established Objectives and Goals for Operations or Programs

1. Management is responsible for establishing operating or program objectives and goals, developing and implementing control procedures, and accomplishing desired operating or program results. EH&S auditors should ascertain whether such objectives and goals conform with those of the organization and whether they are being met.

a. In instances where management has not established criteria, or if the established criteria, in the EH&S auditors’ opinion, are less than adequate, EH&S auditors should report such conditions to the appropriate levels of management.

b. EH&S auditors may recommend alternative sources of criteria to management, such as:

(1) Standards in law and government regulations.
(2) Acceptable industry standards.
(3) Standards developed by professions or associations.

c. If adequate criteria are not established by management, EH&S auditors may still formulate criteria they believe to be adequate in order to perform an audit, form an opinion, and issue a report on the accomplishment of established objectives and goals.


2. EH&S auditors can provide assistance to managers who are developing objectives, goals, and systems by determining whether the underlying assumptions are appropriate; whether accurate, current, and relevant information is being used; and whether suitable controls have been incorporated into the operations or programs.

3. The scope of an audit should be defined in advance, and the verification criteria selected and agreed on prior to beginning the audit. Agreement on required audit resources is part of the scope.

4. The purpose of the review for adequacy of the system of EH&S control is to ascertain whether the system established provides reasonable assurance that the organization’s objectives and goals will be met.

5. The primary objectives of EH&S control are to ensure:

a. The reliability and integrity of information.
b. Compliance with policies, plans, procedures, laws, regulations, and contracts.
c. Protection of physical assets (loss prevention).
d. The accomplishment of established objectives and goals for operations or programs.

6. EH&S auditors examine and evaluate the planning, organizing, and directing processes to determine whether reasonable assurance exists that objectives and goals are being achieved. Such evaluations, in the aggregate, provide information to appraise the overall system of internal control.

Such evaluations should encompass whether reasonable assurance exists that:

(1) Objectives and goals are being established.

(2) Authorizing, monitoring, and periodic comparison activities are being planned, performed, and documented as necessary to attain objectives and goals.

(3) Planned results have been achieved (objectives and goals are being accomplished).

B. Reliability and Integrity of Information

1. EH&S auditors should review the reliability and integrity of EH&S information and the means used to identify, measure, classify and report such information.

2. Information systems provide data for decision making, control, and compliance with external requirements. Therefore, EH&S auditors should examine information systems and, as appropriate, ascertain whether:

a. EH&S records and reports contain accurate, reliable, timely, complete, and useful information.

b. Controls over record keeping and reporting are adequate and effective.

C. Compliance with Policies, Plans, Procedures, Laws, Regulations, and Contracts

Management is responsible for establishing the systems designed to ensure compliance with such requirements as policies, plans, procedures, applicable laws and regulations, and contracts. EH&S auditors are responsible for determining whether the systems are adequate and effective and whether the activities audited are complying with the appropriate requirements.

a. Management is responsible for having knowledge of compliance requirements of all laws, regulations, and contracts applicable to the organization.

b. Management is responsible for designing and implementing policies, plans, and procedures, including those intended to comply with laws, regulations, and contracts.

(1) The policies, plans, and procedures designed and implemented by senior management should be sufficient to reasonably ensure prevention and/or detection of noncompliance with applicable laws, regulations, and contracts. Significant noncompliance can occur with respect to policies, plans, and procedures in which no law or regulation is involved.

(2) Management is responsible for determining whether noncompliance brought to its attention by EH&S auditors, or by discovery, may violate laws, regulations, or contractual agreements, and/or constitute illegal acts. In addition, management is responsible for initiating such corrective actions necessary to achieve compliance. This may require reporting by management to the board and appropriate legal or regulatory authorities.

c. In determining audit objectives, EH&S auditors should make inquiry regarding specific compliance requirements. EH&S auditors should consider inquiring about significant compliance requirements with:

(1) Organization management having EH&S, operational, and oversight responsibilities.
(2) Internal or external legal counsel.
(3) Funding or contracting organizations.
(4) Governmental or other regulatory authorities.
(5) External auditors.

d. EH&S auditors are responsible for establishing objectives that include planning and performing a scope of work which provides a reasonable basis for reporting on the extent of organization compliance with policies, plans, procedures, laws, regulations, and contracts.

e. EH&S auditors should promptly inform senior management and the board of all relevant facts when information gathered from the performance of EH&S auditing procedures indicates the existence of significant noncompliance or an unreasonable exposure to significant instances of noncompliance.

D. Protection of Physical Assets (Loss Prevention)

Environmental, health and safety auditors should review the means used to protect physical assets from various types of losses such as those resulting from contamination, employees, products, fire, improper or illegal activities, and exposure to elements.

V. MANAGEMENT OF THE ENVIRONMENTAL, HEALTH, AND SAFETY AUDITING FUNCTION

A. Purpose, Authority and Responsibility

1. The director of EH&S auditing is responsible for seeking the approval and acceptance of senior management and the board of a written document (charter) for the EH&S auditing function.

2. The audit program should be led by the director who is accountable to senior management and has the responsibility and authority to conduct audits. The audit program director should have a reporting relationship that will ensure independence from operational or staff influence. The director should have access to as many qualified auditors and audit team leaders as necessary to conduct the required audits.

B. Planning

1. These plans should be consistent with the EH&S auditing function’s charter and with the goals of the organization.

2. The planning process involves establishing:

a. Goals.
b. Audit work schedules.
c. Staffing plans.
d. Activity reports.

3. The goals of the EH&S auditing function should be measurable. They should be accompanied by measurement criteria and targeted dates of accomplishment.

4. Audit work schedules should include (a) what activities are to be audited; (b) when they will be audited; and (c) the estimated time required, taking into account the scope of the audit work planned and the nature and extent of audit work performed by others. Matters to be considered in establishing audit work schedule priorities should include (a) the date and results of the last audit; (b) EH&S exposure; (c) requests by management; and (e) major changes in operations, programs, systems, and controls. The work schedules should be sufficiently flexible to cover unanticipated demands and special requests on the EH&S auditing function.

a. Risk assessment is a process that is crucial to the development of effective audit work schedules. The risk assessment process includes identification of auditable activities, identification of relevant risk factors, and an assessment of their relative significance.

b. The term risk is the probability that an event or action may adversely affect the organization.

c. The effects of risk can involve:

(1) An erroneous decision from using incorrect, untimely, incomplete, or otherwise unreliable information.
(2) Erroneous record keeping, inappropriate record keeping, fraudulent regulatory reporting, loss and exposure.
(3) Failure to adequately safeguard assets.
(4) Customer dissatisfaction, negative publicity, and damage to the organization’s reputation.
(5) Failure to adhere to organizational policies, plans, and procedures, or not complying with relevant laws and regulations.
(6) Acquiring resources uneconomically or using them inefficiently or ineffectively.
(7) Failure to accomplish established objectives and goals for operations or programs.

d. The first phase of the risk assessment process is to identify and catalog the auditable activities.

e. Auditable activities consist of those subjects, units, or systems which are capable of being defined and evaluated. Risk factors are the criteria used to identify the relative significance of, and likelihood that, conditions and/or events may occur that could adversely affect the organization.

f. The number of risk factors utilized should be limited, but sufficient to provide the director of EH&S auditing with confidence that the risk assessment is comprehensive.

g. The director of EH&S auditing may decide to weigh the risk factors to signify their relative significance. The weighing of risk factors reflects the director’s judgment about the relative impact a factor may have on selecting an activity for audit.

h. Risk assessment is a systematic process for assessing and integrating professional judgments about probable adverse conditions and/or events. The risk assessment process should provide a means of organizing and integrating professional judgments for development of the audit work schedule. The director of auditing should generally assign higher audit priorities to activities with higher risks.

i. The director should incorporate information from a variety of sources into the risk assessment process. Such sources include, but are not limited to: discussions with the board and various members of management; discussions among management and staff of the auditing; discussions with external auditors; consideration of applicable laws and regulations; analyses of and operating data; review of prior audits; and industry or economic trends.

j. The risk assessment process should lead the director of auditing to establish audit work schedule priorities. The director may adjust the planned audit work schedule after considering other information such as coordination with external auditors and requests by management and the board. There should be a periodic assessment of the effect of any major changes in the catalog of auditable activities or related risk factors which have occurred since the audit work schedule was prepared. Such an assessment will assist the director of EH&S auditing in making appropriate adjustments to audit priorities and the work schedule.

k. The risk assessment process should be conducted annually. However, because conditions change, audit priorities determined through the risk assessment process may be reviewed and updated throughout the year.

5. Staffing plans and operating budgets, including the number of auditors and the knowledge, skills, and disciplines required to perform their work, should be determined from audit work schedules, administrative activities, education and training requirements, and audit research and development efforts.

6. Activity reports should be submitted periodically to senior management and to the board. These reports should compare (a) performance with the function’s goals and audit work schedules and (b) expenditures with operating budgets. They should explain the reason for major variances and indicate any action taken or needed.

7. Selection of Audit Sites, Subject and Frequency

a. A site selection and scheduling procedure should be established for the audit program. Site selection and determination of audit frequency are important considerations for organizations with numerous sites since the audit program should provide results which are representative of the organization’s activities (except when the objective is to target certain operations), and resources may not enable every facility to be evaluated within a comparatively short time frame.

b. Audit frequency, focus and site selection should be based on existing or potential EH&S impacts, taking into account factors such as:

(1) Level of EH&S risk.
(2) Scale and complexity of the operations.
(3) Volume and nature of materials stored, used and/or produced.
(4) History of EH&S violations, enforcement actions and other compliance issues.
(5) Any other specific criteria set forth by senior management, and if applicable.
(6) Dates of prior audits, any previous audit findings and the status of corrective action.

c. A process that accounts for these factors should drive site selection, focus and audit scope, and help identify staffing demands for audits. Usually, sites deemed to pose higher EH&S risk receive more frequent audits. Sites believed to have “medium” and “low” potential impact should be audited as well to obtain perspective on performance across the range of the organization’s operations, and to assure that the perceived risk level is accurate.

8. Surprise audits may be conducted from time to time at the discretion of the director and in accordance with organizational policy.

C. Policies and Procedures

The form and content of written policies and procedures should be appropriate to the size and structure of the EH&S auditing function. Formal administrative and technical audit manuals may not be needed by all EH&S auditing functions. A small EH&S auditing function may be managed informally. Its audit staff may be directed and controlled through daily, close supervision and written memoranda. In a large EH&S auditing function, more formal and comprehensive policies and procedures are essential to guide the audit staff in the consistent compliance with the function’s standards of performance.

D. Personnel Management and Development

The program should provide for:

a. Selecting qualified and competent individuals.
b. Training and providing continuing educational opportunities for each EH&S auditor.
c. Appraising each EH&S auditor’s performance at least annually.
d. Providing counsel to EH&S auditors on their performance and professional development.

E. Outside Service Providers

1. Outside service providers may be used by the EH&S auditing function in connection with, among other things:

a. Auditing activities where a specialized skill and knowledge are required such as air, water, waste, safety, health, language translations, or to achieve the objectives in the audit work schedule.
b. Evaluations of physical assets such as land and buildings, and complex EH&S equipment (Loss Control).
c. Determination of physical condition of certain assets for compliance effectiveness.
d. Measuring the work completed and to be completed on contracts in progress.
e. Regulatory issues.
f. Interpretation of legal, technical, and regulatory requirements.
g. Evaluating the EH&S auditing function’s quality assurance program in accordance with the Standards.
h. Mergers and acquisitions.

2. When the director of EH&S auditing intends to use and rely on the work of an outside service provider, the director should assess the competency, independence, and objectivity of the outside service provider as it relates to the particular assignment to be performed. This assessment should also be made when the outside service provider is selected by senior management or the board, and the director intends to use and rely on the outside service provider’s work. When the selection is made by others and the assessment determines that the director should not use and rely on the work of an outside service provider, then the results of the assessment should be communicated to senior management or the board, as appropriate.

3. The director of EH&S auditing should determine that the outside service provider possesses the necessary knowledge, skills, and ability to perform the assignment. When assessing competency, the director should consider the following:

a. Professional certification, license, or other recognition of the outside service provider’s competency in their particular discipline.
b. Membership of the outside service provider in an appropriate professional organization and adherence to that organization’s code of ethics (i.e., BEAC, EAR, IIA, AIHA, ASSE…).
c. The reputation of the outside service provider. This may include contacting others familiar with the outside service provider’s work.
d. The outside service provider’s experience in the type of work being considered.
e. The extent of education and training received by the outside service provider in disciplines that pertain to the particular assignment.
f. The outside service provider’s knowledge and experience in the industry in which the organization operates.

4. The director of EH&S auditing should assess the relationship of the outside service provider to the organization and to the EH&S auditing function to ensure that independence and objectivity are maintained throughout the assignment. In performing the assessment, the director of EH&S auditing should determine that there are no organizational, or personal relationships that will prevent the outside service provider from rendering impartial and unbiased judgments and opinions when performing or reporting on the assignment.

5. In assessing the independence and objectivity of the outside service provider, the director should consider:

a. The EH&S interest the provider may have in the organization.
b. The personal or professional affiliation the provider may have to the board, senior management, or others within the organization.
c. The relationship the provider may have had with the organization or the activities being reviewed.
d. The extent of other ongoing services the provider may be performing for the organization.
e. Compensation or other incentives that the provider may have.

6. If the outside service provider is also the organization’s public accounting firm and the nature of the assignment is extended audit services, the director should ascertain that work performed does not impair the outside provider’s independence.

7. The director of EH&S auditing should obtain sufficient information regarding the scope of the outside service provider’s work. This is necessary in order to ascertain that the scope of work is adequate for the purposes of the auditing function.

8. The director should review with the outside service provider:

a. Objectives and scope of work.
b. Specific matters expected to be covered in the report to be rendered, if applicable.
c. Access to relevant records, personnel, and physical properties.
d. Information regarding assumptions and procedures to be employed.
e. Ownership and custody of audit working papers, if applicable.
f. Confidentiality and restrictions on information obtained during the assignment.

It may be preferable to have these and other matters documented in an engagement letter or contract.

9. Where the outside service provider performs EH&S auditing activities, the director of EH&S auditing should specify and ensure that the work complies with the Standards for the Professional Practice of Environmental, Health, and Safety Auditing.

10. In reviewing the work of an outside service provider, the director should evaluate the adequacy of work performed. This evaluation should include sufficiency of information obtained to afford a reasonable basis for the conclusions reached and the resolution of significant exceptions or other unusual matters.

11. When the director issues an audit report, and an outside service provider was used, the director may, as appropriate, refer to such services provided.

12. The outside service provider should be informed or, if appropriate, concurrence should be obtained, prior to making such reference in the report.

F. Quality Assurance

1. The purpose of this program is to provide reasonable assurance that EH&S auditing work conforms with the Standards for the Professional Practice of Environmental, Health, and Safety Auditing, the EH&S auditing function’s charter, and other applicable standards. A quality assurance program should include the following elements:

• Supervision.
• EH&S reviews.
• External reviews.

a. The reasonable assurance mentioned in this guideline serves the needs of several constituencies in addition to that of the director of EH&S auditing. These may include senior management, external auditors, the board, and regulatory agencies, each of whom may have reasons to rely upon the performance of the EH&S auditing function.

b. Conformity with applicable standards is more than simply complying with established policies and procedures. It includes performance of the EH&S auditing function at a high level of efficiency and effectiveness. Quality assurance is essential to achieving such performance, as well as to maintaining the EH&S auditing function’s credibility with those it serves.

c. A key criterion against which an EH&S auditing function should be measured is its charter.

d. The following are examples of other applicable standards and potential measurement criteria that should be considered in evaluating the performance of the EH&S auditing function:

(1) The Code of Ethics.
(2) The EH&S auditing function’s objectives, policies, and procedures.
(3) The organization’s policies and procedures that apply to the EH&S auditing function.
(4) Laws, regulations, and government or industry standards which specify auditing and reporting requirements.
(5) Methods for identifying auditable activities, assessing risk, and determining frequency and scope of audits.
(6) Audit planning documents, particularly those submitted to senior management and the board.
(7) The plan of and professional development plans of the EH&S auditing function.

2. Supervision of the work of EH&S auditors should be carried out to assure conformance with EH&S auditing standards, departmental policies, and audit programs. Adequate supervision is the most fundamental element of a quality assurance program. As such, it provides a foundation upon which internal EH&S and external reviews can subsequently be built.

3. Internal reviews should be performed periodically by members of the EH&S auditing staff to appraise the quality of the audit work performed.

4. External reviews of the EH&S auditing function should be performed to appraise the quality of the function’s operations. These reviews should be performed by qualified persons who are independent of the organization. On completion of the review, a formal, written report should be issued. The report should express an opinion as to the function’s compliance with the Standards for the Professional Practice of Environmental, Health and Safety Auditing and, as appropriate, should include recommendations for improvement.

a. Upon completion of an external review, the review team should issue a formal report containing an opinion as to the function’s compliance with the Standards. The report should also address compliance with the function’s charter and other applicable standards and include appropriate recommendations for improvement. The report should be addressed to the person or organization who requested the review. The director of EH&S auditing should prepare a written action plan in response to the significant comments and recommendations contained in the report of external review. Appropriate follow-up is also the director’s responsibility.

b. External review is an important element of the program for achieving quality assurance. However, if resources are limited, or for other reasons previously noted, the EH&S auditing function may be currently unable to obtain an external review. In these circumstances, more emphasis should be placed on supervision, periodic EH&S reviews, and other quality assurance methods that are available to the function. It is the responsibility of the director of EH&S auditing to annually assess the conditions which restrict an external review. Another interim method is the use of qualified EH&S groups to conduct a review (e.g., former audit directors in the employ of the organization, other audit directors in a decentralized audit organization, or EH&S management advisory personnel). However, such a review should not be expected to achieve all of the objectives of an external review.

c. Audits should undergo quality checks to assure accuracy and encourage continuous improvement of audit management systems, procedures and implementation. Quality control measures the extent to which an audit is conducted according to the objectives and scope of the audit, and to these standards.

• Quality checks should be conducted to ensure that audit findings are consistent with evidence recorded by the auditors.
• Quality checks should be conducted to ensure that audit findings are reliably communicated in reports.

d. A report should be prepared for each audit to communicate information, consistent with the audit scope and objectives. Reports should clearly communicate information and findings in a timely manner to the intended recipients, and in sufficient detail and clarity to facilitate corrective action.

• The audit report should describe the audit scope and conduct, and report the audit results and conclusions, consistent with audit objectives.
• Audit findings should be documented and based on relevant, accurate and sufficient evidence. Audit reports may contain recommendations to correct the deficiencies identified in the audit report. An auditor’s opinion as to the overall status of the facility may also be included, if the opinion is consistent with the defined scope and objectives.

Dictionary of Terms

The Standards, Performance Practices and the accompanying Guidelines employ terms given the following meanings in the context of the Standards:

Audit is a systematic, documented process of objectively collecting and evaluating factual information in order to verify a site or organization’s environmental, health or safety status with respect to specific, predetermined criteria. Audits encompass both compliance audits, which are directed at verifying a site or organization’s compliance with requirements, and management systems audits, which evaluate the effectiveness of management systems.

Audit Criteria are specific measures or requirements against which the auditor tests and evaluates the information collected as a part of the audit process. Audit criteria may include but are not limited to: organizational objectives, policies, practices and procedures; industrial and other standards; and legislative and regulatory requirements.

Audit Findings - see definition of Findings.

Audit Objectives are broad statements developed and define intended audit accomplishments.

Audit Procedures are tasks undertaken for collecting, analyzing, interpreting, and documenting information during an audit. Audit procedures are the means to attain audit objectives.

Audit Program is a management-supported system for providing periodic and objective evaluation of an organization’s success in meeting established environmental, health and safety objectives and requirements.

Audit Program Manager - see definition of Director of Environmental, Health and Safety Auditing.

Audit Report is a formal document which presents the purpose, scope, and results of the audit. Results of the audit may include findings, conclusions (opinions), and/or recommendations.

Audit Scope refers to the activities covered by an audit. Audit scope includes, where appropriate:
• Audit objectives.
• Nature and extent of auditing procedures performed.
• Time period audited.
• Related activities not audited in order to delineate the boundaries of the audit.

Audit Team Leader is an auditor who is qualified to lead a team of auditors and manage the performance of EH&S audits.

Audit Work Schedules include (a) what activities are to be audited; (b) when they will be audited; and (c) the estimated time required, taking into account the scope of the audit work planned and the nature and extent of audit work performed by others.

Auditee includes any individual, unit, or activity of the organization that is audited.

Auditor - see the definition of Environmental, Health and Safety Auditor.

Board includes boards of directors, audit committees of such boards, heads of agencies or legislative bodies to whom EH&S auditors report, boards of governors or trustees of nonprofit organizations, and any other designated governing bodies of organizations or equivalent authority.

Charter of the EH&S auditing function is a formal written document which defines the function’s purpose, authority, and responsibility. The charter should (a) establish the function’s position within the organization; (b) authorize access to records, personnel, and physical properties relevant to the performance of audits; and (c) define the scope of EH&S auditing activities.

Code of Ethics sets forth standards of conduct for members of the BEAC and Certified Professional Environmental Auditors to discharge their responsibilities effectively. The Code of Ethics calls for high standards of honesty, objectivity, and diligence.

Director of Environmental, Health, and Safety Auditing or Director is the person to whom senior management has delegated the authority to implement the audit program and oversee day-to-day EH&S audit activities.

Environmental, Health and Safety Auditing is an independent appraisal function undertaken by an organization to examine and evaluate its EH&S activities.

Environmental, Health and Safety Auditing Function is the collective unit which performs EH&S auditing activities.

Environmental, Health and Safety Auditor is a qualified individual who is assigned the responsibility of performing EH&S audits.

External Auditors refers to contract/consultant audit professionals who perform EH&S auditing activities on behalf of an organization.

Findings are descriptions of the audit team’s evaluation of the auditee’s conformance to the audit criteria.

Follow-up is the process by which EH&S auditors determine the adequacy, effectiveness, and timeliness of actions taken by management on reported audit findings.

Internal Control is a process within an organization designed to provide reasonable assurance regarding the achievement of the following primary objectives:
• The reliability and integrity of information.
• Compliance with policies, plans, procedures, laws, regulations, and contracts.
• The safeguarding of physical assets (safety).
• The economical and efficient use of resources.
• The accomplishment of established objectives and goals for operations or programs.

Loss Prevention refers to measures taken to protect physical assets such as material, product, buildings and/or property.

Performance Practices are suitable means of meeting the General and Performance Standards as outlined in the Standards for the Professional Practice of Environmental, Health, and Safety Auditing.

Senior Management refers to the person or persons having management responsibility for the organization and the authority to commit resources to implement the audit program and the correction of nonconformities and to whom the director of EH&S auditing is responsible.

Significant Audit Findings are those conditions which, in the judgment of the director of EH&S auditing, could adversely affect the organization.