OHS Compliance Auditing: Tap into
By Sara Lipson, M.Sc.
Whether your environmental, health and
safety compliance audit plan is an annual pilgrimage or an ongoing program,
ensuring compliance with the ever-changing myriad of regulations enforced by US
federal and state agencies can be an overwhelming task. Add to those
requirements the requirements of local agencies, environment, health and safety
management systems such as ISO 14001 and OHSAS 18001, as well as adherence to
corporate directives, and the audit plan rapidly expands to become all-encompassing.
Fortunately, software solutions such as Conformance Check Inc.’s EHS Auditor
increase audit efficiency and effectiveness by integrating the US federal and
state requirements at the planning stage, then accumulating audit results for
analysis and reporting. In short, since EHS Auditor comes pre-loaded with audit
protocols relevant to your federal and state jurisdictions, the time-consuming
task of pulling together related federal and state requirements has already

Regulatory requirements must be managed at both federal and state levels.

Facilities may be subject not only to health and safety regulations at
the federal level, but also to state regulations. States may adopt federal
legislation by reference with or without state-specific provisions, enact
comparable state legislation, or prescribe additional requirements. One method
of streamlining audits of state and federal requirements is to integrate
federal and state requirements into each question, supplementing a federal
requirement with a summary of the appurtenant state requirement. This ensures
that the same item will not need to be audited twice, once at the federal level
and again at the state level. For example, a federal requirement to maintain an
employee record for three years might be accompanied by a notification that the
state requires the record to be kept for five years. However, where the scope
of state and federal legislation does not overlap, independent audit protocols
should be provided for each level. Integrated federal and state requirements
save time in assessing regulatory obligations and performing audits, but are
difficult to identify initially, as they require an exhaustive comparison of
equivalent federal and state legislation and the creation of summary notes.

Finding and organizing regulations, and keeping them up to date, is not easy.

Legislation for the federal government and most states is freely
available online. However, mining each legislative website to obtain the
relevant codes and regulations for each jurisdiction can be a daunting task.
Then, once a database of regulations has been built, keeping on top of changes
to that material adds another level of complexity. It is necessary to frequently
find all changes to the organization’s database of regulatory requirements,
implement those changes so that the database is up to date, then review the
changes to determine whether they result in modifications in each facility’s
obligations due to new, changed, or repealed requirements or alterations in
applicability. In addition, the legislative websites must be monitored for new legislative
chapters or regulations that might be relevant to the company’s operations. There
are a number of update notification services that can be subscribed to, but the
notifications that these services provide must then be used to manually update
the organization’s database of regulations. In addition, audit protocols are
available for sale, but these are typically brief and not customizable to
reflect each facility’s operations, and may not be updated often enough.

Each facility has its own array of industry requirements and audit data to manage.

Even with access to the latest regulatory
requirements, auditors face a considerable task when building and answering
audit plans and managing the resulting data. Facility and audit information can
be managed by arranging it by department or business unit; all information
should be current, searchable, and easily accessible to all auditors. Since
each facility has a unique set of legal and other requirements that apply based
on its jurisdiction and scope of operations, these requirements are best
managed by developing a dynamic database for each facility. Such registries will
quickly become irrelevant unless they can be automatically updated and the most
recent changes reviewed. Once a registry has been built, it should be possible
to create an audit plan from the registry. During the audit, auditors should
have access to legislative sections related to applicability and definitions,
as well as the sections on which a question is based.

Audit output can teach valuable lessons, if you can ask the right questions of the data and quickly get answers to those questions.

The answers to an audit,
as well as associated documentation such as recommendations, photos, source
documents, and risk assessment data, contain a significant amount of data to be
stored, searched, and analyzed. Depending on the size of the organization and
audit department, this data could be stored on separate machines, or on a
server for access by multiple auditors. Access to the program should be managed
to ensure security. Data analysis needs might include production of audit
reports and summary data, development of audit scores, and comparison with
other audits. To quickly identify and address systemic issues, it is desirable
to be able to combine multiple audits for comparison of results across
facilities or for evaluation of trends.

All audit software and services are not created equal.

First determine your organization’s needs.
· What resources are you willing to dedicate to the
creation and maintenance of a legislative database that reflects your
· How often will you be performing audits or
· Who will need access to the facility registries, audit
protocols, and audit output?
· What kind of content and format do you want your audit
reports to have?

Next, research possible avenues of meeting those needs.

Printed lists or spreadsheets are
often the first option companies consider for identifying and managing their
regulatory obligations, but who will keep the material up to date? How will the
differences in legislative requirements be reflected for different facilities? Is
it reasonable to use sections of the regulation for audit protocols, or are
summary notes or questions desirable? How will audit protocols be produced from
the material, and how will audit information be entered, managed, and

Another strategy for meeting an
organization’s compliance assurance needs is a software program developed
in-house. These programs will reflect some of the organization’s requirements,
but will your company devote the necessary resources to give the program all of
the needed features? Who will create the regulatory database and keep it up to
date? The business world is full of abandoned in-house audit software programs
that were developed with the best of intentions but were not given the
attention and resources required to make them functional and relevant.

Finally, there are software tools
and services available that are designed for environmental, health and safety
compliance audits. Ask questions of the providers to ensure that the product
will meet your needs. For example:
· What legislation does the program
· Is comparable federal and state
· How often is the legislation
updated to reflect regulatory changes?
· Can a separate registry be created
and maintained for each facility, and used to create audit plans?
· Can regulatory changes be applied
automatically to each facility’s registry, and how will we be notified of those
· Can protocols be customized, and
developed from internal procedures?
· Can our scoring and risk
assessment methods be incorporated into the program?
· Is it easy to build and answer
· In remote locations or flammable
environments, is it possible to work offline or using a hard copy of the audit
· Can supporting information
generated in the course of auditing be managed with the audit plan?
· Can summary and detailed audit
reports and graphs be generated?
· How easy is it to learn to use the
program, and will technical support and training be available if needed?
· Will facility and audit
information be secure?

EHS Auditor is a proven audit tool
developed to meet organizations’ diverse compliance audit needs. For each state, EHS Auditor's audit protocols contain
federal and state legislation arranged in a way that integrates the legal
requirements at both levels. Where state and federal requirements are
comparable, EHS Auditor provides "state notes," in which a summary of
the state requirement accompanies the equivalent federal requirement.
Independent audit protocols are provided for each level in cases where the
state and federal legislation do not overlap. EHS Auditor's regulatory
development team finds the relevant legislation for each subject area and
compares corresponding state and federal requirements, then writes summary
questions or state notes for each discrete requirement. The audit protocols are
kept up to date with the latest regulatory developments, eliminating the need
for program users to subscribe to independent update notification services, and
can be customized. EHS Auditor also provides tools for managing facility and
audit information. The process begins by setting up companies to house that
information. In each company, an unlimited number of facilities can be created.
A registry of relevant regulatory requirements can be built for each type of
facility; this registry can then be applied to facilities of that type and
further customized as necessary. With EHS Auditor's one-button Online Update
service, registries are automatically revised to reflect any changes and the
most recent changes are highlighted. Once a registry has been built for a
facility, creating an audit plan is quick and easy because the subject areas
are chosen from the facility's registry and no audit questions will appear that
are not applicable to the facility. Auditors have access to the legislative text
used to create the audit question, as well as definitions and applicability. In
addition to "yes/no" or "compliance/non-compliance" answers
and detailed descriptions of findings, EHS Auditor allows storage of files in
several formats, access to working documents, use of custom scoring systems,
development of recommendations and corrective action plans, and analysis of
root causes. This data can be stored on individual workstations or on a server.
Where security is a concern, access to the program can be controlled and audits
can be accompanied by confidentiality notices. EHS Auditor provides tools for
generating a variety of reports, from checklists to spreadsheets, that can
contain information on facilities and their registries of legal and other
requirements as well as audit output (e.g., number of findings, attached
images, question scores, finding classification). Multiple audits, from
different facilities or from the same facility over time, can be compared. With
over 15 years’ history providing compliance audit tools to small and large
corporations and incorporating features requested by those corporations,
Conformance Check’s EHS Auditor provides solutions to the diverse and
considerable needs of companies that are looking for an easier way to assure

Sara Lipson, M.Sc., is a Senior EHS
Compliance Specialist at Conformance Check Inc. For more information, contact
Sara at 416-620-0846 or Slipson@conformancecheck.com.