OHS Compliance Auditing: Tap into software solutions

By Sara Lipson, M.Sc.


Whether your environmental, health and safety compliance audit plan is an annual pilgrimage or an ongoing program, ensuring compliance with the ever-changing myriad of regulations enforced by US federal and state agencies can be an overwhelming task. Add to those requirements the requirements of local agencies, environment, health and safety management systems such as ISO 14001 and OHSAS 18001, as well as adherence to corporate directives, and the audit plan rapidly expands to become all-encompassing. Fortunately, software solutions such as Conformance Check Inc.’s EHS Auditor increase audit efficiency and effectiveness by integrating the US federal and state requirements at the planning stage, then accumulating audit results for analysis and reporting. In short, since EHS Auditor comes pre-loaded with audit protocols relevant to your federal and state jurisdictions, the time-consuming task of pulling together related federal and state requirements has already been completed. 


Regulatory requirements must be managed at both federal and state levels. Facilities may be subject not only to health and safety regulations at the federal level, but also to state regulations. States may adopt federal legislation by reference with or without state-specific provisions, enact comparable state legislation, or prescribe additional requirements. One method of streamlining audits of state and federal requirements is to integrate federal and state requirements into each question, supplementing a federal requirement with a summary of the appurtenant state requirement. This ensures that the same item will not need to be audited twice, once at the federal level and again at the state level. For example, a federal requirement to maintain an employee record for three years might be accompanied by a notification that the state requires the record to be kept for five years. However, where the scope of state and federal legislation does not overlap, independent audit protocols should be provided for each level. Integrated federal and state requirements save time in assessing regulatory obligations and performing audits, but are difficult to identify initially, as they require an exhaustive comparison of equivalent federal and state legislation and the creation of summary notes.


Finding and organizing regulations, and keeping them up to date, is not easy. Legislation for the federal government and most states is freely available online. However, mining each legislative website to obtain the relevant codes and regulations for each jurisdiction can be a daunting task. Then, once a database of regulations has been built, keeping on top of changes to that material adds another level of complexity. It is necessary to frequently find all changes to the organization’s database of regulatory requirements, implement those changes so that the database is up to date, then review the changes to determine whether they result in modifications in each facility’s obligations due to new, changed, or repealed requirements or alterations in applicability. In addition, the legislative websites must be monitored for new legislative chapters or regulations that might be relevant to the company’s operations. There are a number of update notification services that can be subscribed to, but the notifications that these services provide must then be used to manually update the organization’s database of regulations. In addition, audit protocols are available for sale, but these are typically brief and not customizable to reflect each facility’s operations, and may not be updated often enough.


Each facility has its own array of industry requirements and audit data to manage. Even with access to the latest regulatory requirements, auditors face a considerable task when building and answering audit plans and managing the resulting data. Facility and audit information can be managed by arranging it by department or business unit; all information should be current, searchable, and easily accessible to all auditors. Since each facility has a unique set of legal and other requirements that apply based on its jurisdiction and scope of operations, these requirements are best managed by developing a dynamic database for each facility. Such registries will quickly become irrelevant unless they can be automatically updated and the most recent changes reviewed. Once a registry has been built, it should be possible to create an audit plan from the registry. During the audit, auditors should have access to legislative sections related to applicability and definitions, as well as the sections on which a question is based.


Audit output can teach valuable lessons, if you can ask the right questions of the data and quickly get answers to those questions. The answers to an audit, as well as associated documentation such as recommendations, photos, source documents, and risk assessment data, contain a significant amount of data to be stored, searched, and analyzed. Depending on the size of the organization and audit department, this data could be stored on separate machines, or on a server for access by multiple auditors. Access to the program should be managed to ensure security. Data analysis needs might include production of audit reports and summary data, development of audit scores, and comparison with other audits. To quickly identify and address systemic issues, it is desirable to be able to combine multiple audits for comparison of results across facilities or for evaluation of trends.


Not all audit software and services are created equal. First determine your organization’s needs.

·     What resources are you willing to dedicate to the creation and maintenance of a legislative database that reflects your facilities’ operations?

·     How often will you be performing audits or self-assessments?

·     Who will need access to the facility registries, audit protocols, and audit output?

·     What kind of content and format do you want your audit reports to have?

Next, research possible avenues of meeting those needs.

·     Printed lists or spreadsheets are often the first option companies consider for identifying and managing their regulatory obligations, but who will keep the material up to date? How will the differences in legislative requirements be reflected for different facilities? Is it reasonable to use sections of the regulation for audit protocols, or are summary notes or questions desirable? How will audit protocols be produced from the material, and how will audit information be entered, managed, and manipulated?

·     Another strategy for meeting an organization’s compliance assurance needs is a software program developed in-house. These programs will reflect some of the organization’s requirements, but will your company devote the necessary resources to give the program all of the needed features? Who will create the regulatory database and keep it up to date? The business world is full of abandoned in-house audit software programs that were developed with the best of intentions but were not given the attention and resources required to make them functional and relevant.

·     Finally, there are software tools and services available that are designed for environmental, health and safety compliance audits. Ask questions of the providers to ensure that the product will meet your needs. For example:

    · What legislation does the program include?

    · Is comparable federal and state legislation integrated?

    · How often is the legislation updated to reflect regulatory changes?

    · Can a separate registry be created and maintained for each facility, and used to create audit plans?

    · Can regulatory changes be applied automatically to each facility’s registry, and how will we be notified of those changes?

    · Can protocols be customized, and developed from internal procedures?

    · Can our scoring and risk assessment methods be incorporated into the program?

    · Is it easy to build and answer audit plans?

    · In remote locations or flammable environments, is it possible to work offline or using a hard copy of the audit plan?

    · Can supporting information generated in the course of auditing be managed with the audit plan?

    · Can summary and detailed audit reports and graphs be generated?

    · How easy is it to learn to use the program, and will technical support and training be available if needed?

    · Will facility and audit information be secure?


EHS Auditor is a proven audit tool developed to meet organizations’ diverse compliance audit needs. For each state, EHS Auditor's audit protocols contain federal and state legislation arranged in a way that integrates the legal requirements at both levels. Where state and federal requirements are comparable, EHS Auditor provides "state notes," in which a summary of the state requirement accompanies the equivalent federal requirement. Independent audit protocols are provided for each level in cases where the state and federal legislation do not overlap. EHS Auditor's regulatory development team finds the relevant legislation for each subject area and compares corresponding state and federal requirements, then writes summary questions or state notes for each discrete requirement. The audit protocols are kept up to date with the latest regulatory developments, eliminating the need for program users to subscribe to independent update notification services, and can be customized. EHS Auditor also provides tools for managing facility and audit information. The process begins by setting up companies to house that information. In each company, an unlimited number of facilities can be created. A registry of relevant regulatory requirements can be built for each type of facility; this registry can then be applied to facilities of that type and further customized as necessary. With EHS Auditor's one-button Online Update service, registries are automatically revised to reflect any changes and the most recent changes are highlighted. Once a registry has been built for a facility, creating an audit plan is quick and easy because the subject areas are chosen from the facility's registry and no audit questions will appear that are not applicable to the facility. Auditors have access to the legislative text used to create the audit question, as well as definitions and applicability. 
In addition to "yes/no" or "compliance/non-compliance" answers and detailed descriptions of findings, EHS Auditor allows storage of files in several formats, access to working documents, use of custom scoring systems, development of recommendations and corrective action plans, and analysis of root causes. This data can be stored on individual workstations or on a server. Where security is a concern, access to the program can be controlled and audits can be accompanied by confidentiality notices. EHS Auditor provides tools for generating a variety of reports, from checklists to spreadsheets, that can contain information on facilities and their registries of legal and other requirements as well as audit output (e.g., number of findings, attached images, question scores, finding classification). Multiple audits, from different facilities or from the same facility over time, can be compared. With over 15 years’ history providing compliance audit tools to small and large corporations and incorporating features requested by those corporations, Conformance Check’s EHS Auditor provides solutions to the diverse and considerable needs of companies that are looking for an easier way to assure corporate compliance.


Sara Lipson, M.Sc., is a Senior EHS Compliance Specialist at Conformance Check Inc. For more information, contact Sara at 416-620-0846 or Slipson@conformancecheck.com.

© Conformance Check Inc., 2011.