Why flexible audit programs and skilled auditors are key to effective compliance and improvement
Author’s note: This is the 5th in a series of articles on safety auditing and audit management. The content for these articles, which can be used to assist in the development of your own internal audit training content, is from the recently published book, Health, Safety, Environmental and Quality Auditing, by Terri Andrews and Wayne Pardy, published by Rowman and Littlefield.
Typical HSEQ audit programs
HSEQ audit programs and management systems typically exhibit the same basic structure. That said, individual program approaches are usually tailor-made to meet the objectives, opportunities, organizational realities and constraints of the sponsoring organization. Thus, one can find distinctly different audit programs in the same basic industry. But that's a positive thing as it can help ensure those developing the programs are critical in their thinking and have designed their programs around their needs and realities. Over time, one can even find a dramatically changed program in the same company. The changes can occur due to reorganization, changes in staff, midcourse program evaluations, or, in these days of mergers and acquisitions, a major restructuring of business lines, or in fact the entire business itself.
Program name
While many organizations use the word “audit” to describe the nature of the program, as we've seen, others use surrogate terms, such as “assessment,” "evaluation", "measurement", “surveillance,” and “systems review.” Some of the reasons given for using surrogates are that:
(1) audits can connote a more rigorous approach (vis-à-vis financial audits) than is typically the case,
(2) the word “audit” (meaning “to examine, verify, or correct accounts, records, or claims”) has an accusatory tone, and
(3) HSEQ audits are more than the paperwork exercises that financial audits imply.
There has also been some commentary made about the actual use of the word audit in some cases and the negative perception by some of the work audits can bring. In our experience this is in part due to negative audit experiences, where the auditee found that the audit experience wasn't a positive one. And in many of those instances, from our experience, they marked that perception down to the personal characteristics and professionalism and experience of the auditor, not the audit process per se.
Take two exactly the same structured audit plans and put them in the hands of an experienced and inexperienced auditor and you might get two completely different products. The technical aspects of the audit aside (audit scope, auditor training, etc.) in the hands of an individual who cares little for the product of their activities or is using the audit to further their own ego or self-gratification, an audit can be a very negative or punishing experience. But we’ll elaborate further on this.
Purpose
More often than not, the stated purpose of the audit program is to attain and maintain compliance with any or all applicable regulatory requirements or conformance to the stated requirements of the organization to the Standard or process in question. Many organizations also state explicitly the objective of meeting good management practices and corporate policies and procedures.
In the past few years, widespread development of corporate HSEQ standards and guidelines has emerged in part to take the guesswork and judgment out of good management practices. This has helped to improve the rigor of HSEQ audits, especially in some Third World countries where there are, generally speaking, still fewer HSEQ regulations compared to more developed countries. While most companies recognize there are other benefits (e.g., technology transfer, increased awareness, HSEQ 'culture' improvement or enhancement), they are typically seen as the “icing on the cake.”
Many companies have redesigned their corporate HSEQ audit programs to emphasize the output of the reviews of their HSEQ management systems as well. This focus attempts to remedy the underlying causes of noncompliance and is consistent with many of the ISO management systems standards, such as ISO 14001, 9001 and 45001. Yet, even more recently, some companies that placed a principal emphasis on systems reviews at the corporate level, leaving detailed compliance audits to the businesses or sites, have pulled back from this approach. They have found that management system reviews alone have contributed to some relapse of noncompliance or nonconformance performance at the sites. Independent audits of actual compliance with HSEQ and related regulatory obligations remain an important part of the current trend towards corporate HSEQ assurance programs.
Program organization
A certain amount of independence is seen as an essential element of a program, so almost every organization has established a corporate audit function responsible for the program. This function is usually housed in the corporate HSEQ department. Other options include a function in the financial department (where the financial auditing function is located) or in the legal department (ostensibly to provide as much protection from report discovery as possible). Or there may be some strategic partnerships developed between these groups to reflect a holistic approach to any internal audit theme.
The size of the corporate audit staff varies considerably. In some companies, one or two people on staff provide an oversight function, drawing on a pool of facility and plant staff and consultants to conduct the audits. In other cases, a small group (two to five) of corporate staff conduct the audits, but with help from division and staff people. Finally, in a few cases, companies have a corporate staff of as many as twenty to thirty whose responsibility is to run the program and conduct the audits (without assistance). In all cases, however, audit teams comprise staff who are organizationally independent of the plant or site audited.
Program scope
Many organizations have focused on their head office facilities initially, then broadened the program to all facilities worldwide. That said, some never get out to the "colonies". Many organizations develop checklists and protocols in the native language of their head office location and then expand those audits checklists and protocols to other languages and branch locations. Other organizations have left the implementation of the overseas audit program to regional audit coordinators; audit teams are selected from trained staff within the particular region. This approach can minimize cultural and language barriers.
Other companies conduct all their overseas audits using their head office staff who feel are most familiar with the requirements of the "mothership" and any satellite offices. And still others use local consultants to bolster a mostly local or facility-based audit team. And the proliferation of organizations having integrated and multi-discipline audit teams is growing, helping facilitate true integrated audit teams with functional and technical expertise from several operational areas.
The great number of organizations do perform multimedia HSEQ audits (i.e., hazardous wastes, PCBs, etc.) and health and safety audits (i.e., worker safety, occupational health, process safety, ergonomics, etc. ), and have integrated them with key quality management system processes (customer product or service, customer satisfaction, etc.), but as the programs have evolved and facilities have been audited several times, there has been a tendency to refine the scope of the audit to those media or issues that present the greatest risk or liability at that facility.
Audit program methodology
A “standard” audit methodology, used by many organizations, has evolved over time. It typically involves the three phases shown in the figure below:
|
Phase |
Steps |
|
I. Pre-Audit |
- Organize the audit team - Assign responsibilities - Notify the site - Review relevant regulations - Review the last audit, protocols, and pre-audit questionnaire |
|
II. Audit |
- In-brief site management - Meet with HSEQ staff - Participate in orientation tour - Review records and management systems - Interview site personnel - Inspect facilities - Brief site daily - Debrief site management |
|
III. Post-Audit |
- Draft audit report - Respond to reviews - Submit final audit report - Enter report findings into follow-up tracking system - Close-out audit |
With some variations and exceptions, in the experience of the authors, organizations with existing audit programs typically use this approach. Some of the more significant exceptions can include the following:
- Surprise audits (used by some companies where situations warrant them)
- Ranking of facilities based on a scoring system (used by some companies)
- Vendor/supplier audits (normally the plant’s responsibility, but occasionally done by the audit team as well)
- Emergency-response drills during an audit
