Standards for the Professional Practice of Environmental, Health and Safety Auditing

Transcription

1 Standards for the Professional Practice of Environmental, Health and Safety Auditing Board of Environmental,Health&Safety Auditor Certifications 247 Maitland Avenue Altamonte Springs, Florida

2 Translation or Adaptation of the Standards for the Professional Practice of Environmental, Health and Safety Auditing and Other Standards-Related Pronouncements The Board of Environmental,Health&Safety Auditor Certifications (BEAC) is an international association dedicated to advancing the professional development of the individual environmental, health and safety auditor and the environmental, health and safety auditing profession. Copyright 1999 by the Board of Environmental,Health&Safety Auditor Certifications, 249 Maitland Avenue, Altamonte Springs, Florida All rights reserved. Printed in the United States of America. Under copyright laws and agreements, no part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means electronic, mechanical, photocopying, recording, or otherwise without prior written permission of the publisher. To obtain permission to translate, adapt, or reproduce any part of this document, contact: Karen H. Constantine Board of Environmental, Health & Safety Auditor Certifications 247 Maitland Avenue Altamonte Springs, Florida Phone: (407) FAX: (407) Comments and Proposals for Changes or Additions to Standards Pronouncements Nothing in this statement should preclude any individual or organization from commenting or proposing changes or additions to any of the BEAC s Standards pronouncements. Suggestions of this nature should be submitted to the BEAC in writing directed to the Chairman of the BEAC Standards Board. 2-

3 Foreword In 1997, the Board of Environmental,Health&Safety Auditor Certifications (BEAC) was established as a joint venture of the Institute of Internal Auditors (IIA) and the Environmental Auditing Roundtable (EAR) to provide certification programs for the professional practice of environmental, health and safety (EH&S) auditing. The BEAC is solely committed to the advancement of the individual EH&S auditor and the EH&S auditing profession worldwide as demonstrated through the BEAC certification programs and Certified Professional Environmental Auditor (CPEA) professional designations. The original joint venture agreement between the IIA and EAR envisioned early development and adoption of EH&S auditing standards to support the BEAC certification programs. Recognizing the need for those having attained the BEAC professional certification(s) to practice their profession in accordance with high standards, the BEAC considers standards essential. In addition, establishment of generally accepted EH&S audit criteria is a vital component of gaining greater acceptance by others of EH&S audit work. The BEAC established a Standards Board in The BEAC Standards Board studied a number of standards issued by other professional organizations from around the world and concluded that the Standards for the Professional Practice of Internal Auditing developed by the IIA and the Standards for the Professional Practice of Environmental Auditing developed by EAR were thorough and best suited as the references for the development of standards for the BEAC certification programs. Accordingly, if one compares the standards of the two parent organizations to these Standards for the Professional Practice of Environmental, Health and Safety Auditing (Standards), they will observe significant similarity and consistency. The BEAC recognizes the IIA and the EAR leadership for their outstanding support, guidance, and assistance in the development of these Standards. In establishing the Standards, the following matters were considered: Boards of directors are being held accountable for the adequacy and effectiveness of their organizations systems of EH&S control and quality of performance. Members of senior management are relying upon EH&S auditing as a means of supplying objective analyses, appraisals, recommendations, counsel, and information on the organization s controls and performance. Auditors use the results of previous audits to complement their work when suitable evidence of independence exists and adequate, professional audit work is performed. In the light of such matters, the purposes of the Standards are to: 1. Impart an understanding of the role and responsibilities of EH&S auditing to all levels of management, boards of directors, public bodies, external auditors, and related professional organizations. 2. Establish the basis for the guidance and measurement of EH&S auditing performance. 3. Improve the practice and advance the profession of EH&S auditing. Some important points about these BEAC Standards for the CPEA are: 3-

4 1. An EH&S audit is defined as an activity directed at verifying a site s or organization s environmental, health, or safety status with respect to specific, predetermined audit criteria. An EH&S audit is distinct from other evaluation methods that may involve conclusions based on professional opinion or limited evaluation, or unique instances not associated with specific audit criteria. 2. Through this document, audit and auditor mean EH&S audit or EH&S auditor. 3. These Standards apply to audit program processes, implementation and activities that take place within the scope of an audit engagement. 4. These Standards apply to all EH&S auditing professionals whether they are employed by organizations internally or as external contractors/consultants functioning in an EH&S auditing role. 5. These Standards define what is required to conduct a competent audit. This document, issued by the BEAC Standards Board, represents the first codification of the Standards for the Professional Practice of Environmental, Health and Safety Auditing (Standards) and Statements on Environmental Auditing Standards (SEAS). It is not intended to serve as a legal analysis of liability issues or as legal advice. As EH&S auditing adapts to the continuous changes in organizations and in society, these Standards will be modified by the issuance of SEASs. SEASs are issued by the BEAC Standards Board, the technical committee of the BEAC responsible for promulgating and monitoring these Standards and other standards pronouncements on a worldwide basis. Standards, as used in this document, means the criteria by which the operations of an EH&S auditing function are evaluated and measured. They are intended to represent the practice of EH&S auditing as it should be, as judged and adopted by the Board of Directors of the BEAC. The Standards are meant to serve the entire profession in all types of organizations where EH&S auditors are found. An EH&S audit program can help an organization determine if established EH&S programs are effective. It can also help assure senior management that the organization is operating in a manner consistent with its regulatory policy and requirements. These objectives can be accomplished either directly, through detailed reviews of the organization s operations, or indirectly, through reviews of those management systems that are intended to ensure conformance with established requirements. Organizations performing EH&S audits, or planning to start up this function, are urged to subscribe to and conform with these Standards as a basis for development and operation of their EH&S audit programs. 4-

5 ACKNOWLEDGEMENT The BEAC is very appreciative of the dedication and commitment of the following individuals for their efforts in developing the Standards: BEAC Standards Board Environmental Auditing Roundtable Institute of Internal Auditors BEAC Headquarters Staff James C. Ball Chairman BEAC Standards Board James A. Hooper Chairman of the Board BEAC 5-

6 Framework Purpose This section establishes the framework for the Standards for the Professional Practice of Environmental, Health and Safety Auditing (Standards) and sets forth the final approval authority required by the BEAC to promulgate the Standards and other standards-related pronouncements (Standards Pronouncements). Framework The Framework for the Standards for the Professional Practice of Environmental, Health and Safety Auditing includes the following: Standards Pronouncements Statement of Responsibilities of Environmental, Health and Safety Auditing Final Approval Authority BEAC Board of Directors Description Provides in summary form a general understanding of the responsibilities of environmental, health and safety auditing Code of Ethics BEAC Board of Directors Sets forth standards of conduct for members of the BEAC and CPEAs. Standards for the Professional Practice of Environmental, Health and Safety Auditing BEAC Board of Directors Describes the criteria by which the operations of an environmental, health and safety auditing function are evaluated and measured. General Standards BEAC Board of Directors States the five General Standards which shall be followed to conform with the Standards. Performance Standards BEAC Board of Directors States the specific Performance Standards which should be followed to conform with the General Standards. Performance Practices BEAC Standards Board Describes suitable means of meeting the General and Performance Standards Statements on Environmental Auditing Standards (SEASs) Professional Standards Practice Release BEAC Board of Directors BEAC Standards Board Chairman Provides authoritative interpretations of the Standards. SEASs are used to add or change existing Standards Addresses questions resulting from the application of the BEAC s Standards or Practices. 6-

7 Introduction EH&S auditing is an independent appraisal function undertaken by an organization to examine and evaluate its activities. The objective of EH&S auditing is to provide information to those in management in support of decision making and to assist members of the organization in the effective discharge of their responsibilities. To this end, EH&S auditing may furnish the organization with analyses, appraisals, recommendations, counsel, or information concerning the activities reviewed, the adequacy and effectiveness of the organization s system of EH&S control, and the quality of performance. The information furnished to different members of the organization may vary in format and detail, depending upon the requirements and requests of those commissioning the audit(s). Throughout the world EH&S auditing is performed in diverse environments and within organizations which vary in purpose, size, and structure. In addition, the laws and customs within various countries differ from one another. These differences may affect the practice of EH&S auditing in each environment. The implementation of these Standards, therefore, will be governed by the environment in which the EH&S auditing function carries out its assigned responsibilities. Conformance with the concepts enunciated by the Standards is essential before the responsibilities of EH&S auditors can be met. As stated in the BEAC Code of Ethics, members of the BEAC and CPEAs shall adopt suitable means to conform with the Standards. It is understood that external contractors/consultants may not be in a position to influence the design and function of an organization s audit program. While this may preclude conformance with certain Standards, EH&S auditors are required to conform to all Standards within their control. Deviations from these Standards should be documented. An organization may choose to establish an ongoing program of EH&S audits (hereinafter referred to as the audit program ). Such an audit program would function under the policies established by senior management and the organization s board of directors. The statement of purpose, authority, and responsibility for the EH&S audit program, approved by senior management and accepted by the board, should be consistent with these Standards. The audit program description should make clear the purposes of the EH&S auditing function, specify the scope of work, and describe how auditor independence will be achieved. These Standards are intended to cover a wide range of audit programs, implemented for a variety of purposes, and involving a variety of relationships between the auditor and the organization for which the audit program is being implemented. These Standards are intended to provide a basis for promoting consistency and quality in the performance of EH&S audits. To that end, these Standards outline the basic elements to be included in audit programs. Key requirements and best practices are defined, but detailed implementation steps are intentionally not prescribed. This document is divided into three sections including General Standards, Performance Standards, and Performance Practices. General Standards are short and precise and are mandatory. Performance Standards are a means of conformance with the General Standards. Although not mandatory, Performance Practices are useful and a suitable means of meeting a General or Performance Standard. The Standards encompass: 7-

8 1. The independence of the EH&S auditing function from the activities audited and the objectivity of EH&S auditors. 2. The proficiency of EH&S auditors and the due professional care they should exercise. 3. The performance of EH&S auditing assignments. 4. The scope of EH&S Auditing Programs. 5. The management of the EH&S auditing function. The General Standards, Performance Standards, and the accompanying Performance Practices employ terms given meanings in the context of the Standards. These terms are included in the Glossary. General Standards Performance Standards General Standards are required for the CPEA. They provide specific guidance and are mandatory. Performance Standards provide outcome strategies. They are a suitable means of meeting the General Standards. Performance Practices Performance Practices are recommended, but are not mandatory. They provide methodologies for implementation of the General and Performance Standards. 8-

9 General Standards For the Professional Practice of Environmental, Health & Safety Auditing I. INDEPENDENCE ENVIRONMENTAL, HEALTH AND SAFETY AUDITORS SHALL BE OBJECTIVE AND INDEPENDENT OF THE ACTIVITIES THEY AUDIT, FREE OF CONFLICT OF INTEREST IN ANY SPECIFIC SITUATION, AND NOT SUBJECT TO INTERNAL OR EXTERNAL PRESSURE TO INFLUENCE THEIR FINDINGS. II. PROFESSIONAL PROFICIENCY ENVIRONMENTAL, HEALTH AND SAFETY AUDITS SHALL BE PERFORMED WITH PROFICIENCY AND DUE PROFESSIONAL CARE. III. PERFORMANCE OF AUDIT WORK AUDIT WORK SHALL INCLUDE PLANNING THE AUDIT, EXAMINING AND EVALUATING INFORMATION, AND COMMUNICATING RESULTS. IV. SCOPE OF AUDIT PROGRAM THE SCOPE OF THE ORGANIZATION S ENVIRONMENTAL, HEALTH AND SAFETY AUDIT PROGRAM SHALL ENCOMPASS THE EXAMINATION AND EVALUATION OF THE ADEQUACY AND EFFECTIVENESS OF ENVIRONMENTAL, HEALTH AND SAFETY CONTROLS. V. MANAGEMENT OF THE ENVIRONMENTAL, HEALTH AND SAFETY AUDITING FUNCTION THE DIRECTOR OF ENVIRONMENTAL, HEALTH AND SAFETY AUDITING SHALL PROPERLY MANAGE THE ENVIRONMENTAL, HEALTH AND SAFETY AUDITING FUNCTION. 1-

10 Performance Standards for the Professional Practice of Environmental, Health & Safety Auditing General Standards are required for the CPEA. Following the five General Standards are Performance Standards which are a means for conforming with the General Standards. I. INDEPENDENCE ENVIRONMENTAL, HEALTH AND SAFETY AUDITORS SHALL BE OBJECTIVE AND INDEPENDENT OF THE ACTIVITIES THEY AUDIT, FREE OF CONFLICT OF INTEREST IN ANY SPECIFIC SITUATION, AND NOT SUBJECT TO INTERNAL OR EXTERNAL PRESSURE TO INFLUENCE THEIR FINDINGS. EH&S Auditors should be free from personal or organizational bias, and internal or external influences on their judgment or authority, whether implied or direct. Conflicts of interest should be communicated to the appropriate personnel. Objective EH&S auditors should base findings on observed, measurable, and verifiable evidence. Internal EH&S audit functions should have a reporting relationship to the board of directors that is independent of the auditee. II. PROFESSIONAL PROFICIENCY ENVIRONMENTAL, HEALTH, AND SAFETY AUDITS SHALL BE PERFORMED WITH PROFICIENCY AND DUE PROFESSIONAL CARE. Auditors should have adequate qualifications, technical knowledge, training, and proficiency in the discipline of auditing to perform their assigned audit tasks. Proficiency is the responsibility of the organization managing auditing activities and of each individual auditor. Qualifications of the assigned audit team should be commensurate with the objectives, scope, and complexities of the audit assignment. Organizations and individuals responsible for planning the audit engagement should establish suitable educational and professional experience criteria for auditors. Auditor proficiency and professional experience should be adequate to achieve audit objectives and may include any or all of the following: a. Auditing processes, procedures, and techniques. b. Characteristics and analysis of management systems. c. Regulatory requirements and EH&S policies. d. EH&S protection systems and technologies. e. Facility operations. 2-

11 f. Potential EH&S impacts and hazards/risks associated with the types of facilities and operations to be audited. Auditors should have demonstrated abilities in areas needed to perform audits, including, but not limited to: a. Interpersonal and communication skills. b. Work scheduling and planning. c. Analytical abilities to evaluate potential deficiencies noted during the audit. Auditors should exercise due professional care in performing EH&S audits. III. PERFORMANCE OF AUDIT WORK AUDIT WORK SHALL INCLUDE PLANNING THE AUDIT, EXAMINING AND EVALUATING INFORMATION, AND COMMUNICATING RESULTS. The EH&S auditor is responsible for planning and conducting the audit assignment, subject to supervisory review and approval. When conducting an audit, the following should be incorporated in the audit work process: a. The audit planning process involves establishing goals, audit work schedules, staffing plans, and activity reports. b. EH&S auditors should use due care in examining and evaluating information they gather. This information should be sufficient, complete, relevant and useful to provide a sound basis for audit findings and recommendations. c. As the audit progresses, EH&S auditors should communicate results, including findings and recommendations, to appropriate levels of management. d. Before issuing a final report, an exit conference should be held with management to discuss the auditor s findings and recommendations. e. A signed, written report should be issued at the conclusion of the audit. f. Timely follow-up audits should be conducted to ensure appropriate corrective action on any audit findings remaining unresolved at the end of the audit. g. A signed, written report should be issued on the results of the follow-up audit. IV. SCOPE OF AUDIT PROGRAM THE SCOPE OF THE ORGANIZATION S ENVIRONMENTAL, HEALTH AND SAFETY AUDIT PROGRAM SHALL ENCOMPASS THE EXAMINATION AND EVALUATION OF THE ADEQUACY AND EFFECTIVENESS OF ENVIRONMENTAL, HEALTH AND SAFETY CONTROLS. The audit program objectives should articulate senior management s and the board s expectations for the audit program. It is the responsibility of the director to establish a scope that achieves the program objectives. The scope should address: a. Geographic and/or business system focus of audit activity. b. Subjects or topics to be audited. 3-

12 c. The thoroughness or depth of audit activity. d. Scheduling and frequency of audits. e. General criteria against which audits will be conducted and findings established. Senior management and the board provide general direction as to the scope of work and the activities to be audited. The director should obtain concurrence from senior management that the audit program objectives meet their expectations. The scope of EH&S auditing work, as specified in these Standards, encompasses what audit work should be performed. The scope of an individual EH&S audit should be defined in advance, and the audit criteria selected and agreed upon prior to beginning the audit. Agreement on required audit resources is part of the scope. Audit scope may include but is not limited to the following: a. Determining whether the organization is in compliance with regulatory requirements and laws, such as permits, reporting requirements, and consent orders. b. Evaluating the effectiveness of the EH&S management and control systems that are in place to manage the organization s risks. c. Identifying opportunities where waste can be minimized and pollution eliminated at the source. d. Reviewing the means of protecting physical assets through loss prevention measures. e. Assessing and managing the risk of receiving, buying, or selling real estate or making loans secured by real estate. f. Assessing the hazardous material and waste management practices of an organization s contract operators. g. Protecting worker health and safety. EH&S auditors perform evaluations at specific points in time but should be alert to actual or potential changes in conditions which affect the ability to provide assurance from a forward-looking perspective. In those cases, EH&S auditors should address the risk that performance may deteriorate. An audit program should include provisions for timely follow-up to ensure appropriate corrective action on any audit findings remaining uncorrected at the end of the audit. V. MANAGEMENT OF THE ENVIRONMENTAL, HEALTH AND SAFETY AUDITING FUNCTION THE DIRECTOR OF ENVIRONMENTAL, HEALTH AND SAFETY AUDITING SHALL PROPERLY MANAGE THE ENVIRONMENTAL, HEALTH AND SAFETY AUDITING FUNCTION. Senior management and the board of directors should articulate a clear statement of program expectations for an audit program to be effective. They should commit sufficient resources, not only to implement and maintain the program, but also to 4-

13 correct nonconformities in an appropriate and timely manner. Senior management sets the tone for the success of an audit program by: a. Directing that managers at all levels cooperate fully with audit teams. b. Showing interest in the results of audits. c. Insisting on timely correction of nonconformities identified in the course of audits. The director of EH&S auditing is responsible for properly managing the function so that: a. Audit work fulfills the general purposes and responsibilities accepted by senior management and the board. b. Resources of the EH&S auditing function are efficiently and effectively employed. c. Audit work conforms to the Standards. d. Audit work is coordinated between internal and external audit efforts. An audit program should have written policies and/or procedures (hereafter referred to only as procedures) to describe the scope and operation of the program and individual audit activities. The mechanism for initiating, approving, updating, distributing, and retaining these program procedures should also be documented. The procedures should be consistent with these Standards, the organization s written policies, the board of directors and senior management s expectations, and actual practice. Procedures should be documented in a program description. Any departure from these Standards should be documented in the program description and discussed with senior management. An audit program should include the following key elements: Audit Program Objective and Scope: Describes the objectives and scope of the audit program, including any departure from the Standards. Audit Program Organization: Describes the organization, staffing, authority, minimum qualifications and training of audit program personnel, and the composition and selection of audit team members. Selection of Audit Sites, Subjects and Frequency: Describes the rationale and methodology for selecting and scheduling sites and subjects to be audited. Protocols, Checklists and Guides: Establishes the development, approval, usage, updating and retention of audit protocols and questionnaires. Pre-Audit Activity: Describes the timing and content of pre-audit activities, including scheduling and information-gathering mechanisms. On-Site Activity: Establishes procedures and identifies audit activities that take place at the facility. Audit Reporting and Document Management: Defines the purpose, content, use, review, approval, access, distribution and retention period of each type of audit program document produced. 5-

14 Post-Audit Activity: Describes the procedures, responsibilities and timing for development and implementation of action plans and follow-up mechanisms to correct nonconformities. Quality Assurance: Describes quality assurance mechanisms that are built into the audit procedures. Defines responsibility for each quality assurance function. 6-

15 Standards for the Professional Practice of Environmental, Health and Safety Auditing *Performance Practices Section Only* Performance Practices are suggested methodologies for the implementation of the Standards and are not mandatory. These Performance Practices are provided for guidance and are not the only possible method for implementing the Standards. BOARD OF ENVIRONMENTAL,HEALTH&SAFETY AUDITOR CERTIFICATIONS 249 Maitland Avenue Altamonte Springs, Florida

16 Performance Practices Performance Practices are suggested methodologies for the implementation of the Standards and are not mandatory. These Performance Practices are provided for guidance and are not the only possible method for implementing the Standards. I. INDEPENDENCE A. Organizational Status EH&S auditors should have the support of senior management and of the board so that they can gain the cooperation of auditees and perform their work free from interference. a. The director of the EH&S auditing function should be responsible to an individual in the organization with sufficient authority to promote independence and to ensure broad audit coverage, adequate consideration of audit reports, and appropriate action on audit recommendations. b. The purpose, authority, and responsibility of the EH&S auditing function should be defined in a formal written document (charter). c The director should regularly communicate with the board to assure independence and provide a means for the board t be informed on maters involving environmental performance. d. The director of EH&S auditing should submit an annual summary of the function s audit activities, staffing plan and budget to senior management for approval and to the board for its information. Audit activities, staffing plans, and budgets should be included to inform senior management and the board of the scope of EH&S auditing and of any limitations placed on that scope. e. The director of EH&S auditing should submit activity reports to senior management and to the board at least annually. Activity reports should summarize significant audit findings and recommendations and should inform senior management and the board of any significant deviations from approved audit work schedules, staffing plans, and budgets, and the reasons for them. f. The board should concur in the appointment or removal of the director of the EH&S auditing function. g. The director, audit team leaders and auditors may or may not be members of the organization for which the audit program is being implemented. While this may preclude conformance with certain standards, EH&S auditors are required to conform to all standards within their control. Deviations should be documented. 8-

17 B. Objectivity 1. Objectivity is an independent mental attitude which EH&S auditors should maintain in performing audits. EH&S auditors are not to subordinate their judgment on audit matters to that of others. 2. Objectivity requires EH&S auditors to perform audits in such a manner that they have an honest belief in their work product and that no significant quality compromises are made. EH&S auditors are not to be placed in situations in which they feel unable to make objective professional judgments. a. Staff assignments should be made so that potential and actual conflicts of interest and bias are avoided. The director should periodically obtain from the EH&S auditing staff information concerning potential conflicts of interest and bias. b. EH&S auditors should report to the director any situations in which a conflict of interest or bias is present or may reasonably be inferred. The director should then reassign such auditors. c. Staff assignments of EH&S auditors should be rotated periodically whenever it is practicable to do so. d. EH&S auditors should not assume operating responsibilities. But if on occasion senior management directs EH&S auditors to perform non-audit work, it should be understood that they are not functioning as EH&S auditors. Moreover, objectivity is presumed to be impaired when EH&S auditors audit any activity for which they had authority or responsibility. This impairment should be considered when reporting audit results. e. Persons transferred to or temporarily engaged by the EH&S auditing function should not be assigned to audit those activities they previously performed until a reasonable period of time has elapsed. Such assignments are presumed to impair objectivity and should be considered when supervising audit activities and reporting audit results. f. The results of EH&S auditing activities should be reviewed before the related audit report is released to provide reasonable assurance that the activity was performed objectively. 3. The EH&S auditor s objectivity is not adversely affected when the auditor recommends standards of control for systems or reviews procedures before they are implemented. Designing, installing, and operating systems are not audit activities. Also, the drafting of procedures for systems is not an appropriate audit activity. Performing such activities is presumed to impair audit objectivity. 4. The director should assure that the audit team leader and auditors are independent of the audit site and activity to be audited, free of conflict of interest in any specific situation, and not subject to internal or external pressures to influence the findings. Auditors should neither report to nor derive their compensation directly from the site being audited. 9-

18 II. PROFESSIONAL PROFICIENCY A. Staffing The EH&S Auditing Function 1. The director of EH&S auditing should establish suitable criteria for education and experience for filling EH&S auditing positions, giving due consideration to scope of work and level of responsibility. 2. Reasonable assurance should be obtained as to each prospective auditor s qualifications and proficiency. B. Knowledge, Skills and Disciplines 1. The EH&S auditing staff should collectively possess the knowledge and skills essential to the practice of the profession within the organization. These attributes include proficiency in applying EH&S auditing standards, procedures, and techniques. 2. The EH&S auditing function should have employees or use outside service providers who are qualified in disciplines such as auditing, environmental sciences, health and safety, industrial hygiene, information technology, engineering, law, other sciences, and other such areas as needed to meet the function s audit responsibilities. Each member of the function, however, need not be qualified in all disciplines. 3. The director should ensure that auditors and audit team leaders are properly trained and have the experience necessary to carry out their assigned roles. The composition of audit teams, the rationale for selection of team members, and their roles on the team should be defined. 4. The director should promote auditor competence and ensure that each auditor consistently demonstrates knowledge of auditing procedures and methods, and a current understanding of applicable criteria. A program of continuing training is recommended. Audit program management should observe, review and evaluate auditor performance. Auditors that do not meet minimum standards should be retrained or moved to other assignments. C. Supervision 1. The director of EH&S auditing is responsible for ensuring that appropriate audit supervision is provided. Supervision is a process which begins with planning and continues throughout the examination, evaluation, report, and follow-up phases of the audit assignment. 2. Supervision includes: a. Ensuring that the auditors assigned possess the requisite knowledge and skills. 10-

19 b. Providing appropriate instructions during the planning of the audit and approving the audit program. c. Seeing that the approved audit program is carried out unless changes are both justified and authorized. d. Determining that audit working papers adequately support the audit findings, conclusions, and reports. e. Ensuring that audit reports are accurate, objective, clear, concise, constructive, and timely. f. Ensuring that audit objectives are met. g. Providing opportunities for developing EH&S auditors knowledge and skills. 3. Appropriate evidence of supervision should be documented and retained. 4. The extent of supervision required will depend on the proficiency and experience of EH&S auditors and the complexity of the audit assignment. Appropriately experienced EH&S auditors may be utilized to review the work of other EH&S auditors. 5. All EH&S auditing assignments, whether performed by or for the EH&S auditing function, remain the responsibility of its director. The director is responsible for all significant professional judgments made in the planning, examination, evaluation, report, and follow-up phases of the audit assignment. The director should adopt suitable means to ensure that this responsibility is met. Suitable means include policies and procedures designed to: a. Minimize the risk that professional judgments may be made by EH&S auditors, or others performing work for the EH&S auditing function, that are inconsistent with the professional judgment of the director such that a significant adverse effect on the audit assignment could result. b. Resolve differences in professional judgment between the director and EH&S auditing staff members over significant issues relating to the audit assignment. Such means may include: (a) discussion of pertinent facts; (b) further inquiry and/or research; and (c) documentation and disposition of the differing viewpoints in the audit working papers. In instances of a difference in professional judgment over an ethical issue, suitable means may include referral of the issue to those individuals in the organization having responsibility over ethical matters. 6. Supervision extends to staff training and development, employee performance evaluation, time and expense control, and similar administrative areas. The Environmental, Health and Safety Auditor A. Compliance with Standards of Conduct The Code of Ethics of the Board of Environmental,Health&Safety Auditor Certifications sets forth standards of conduct and provides a basis for enforcement. The Code calls for 11-

20 high standards of honesty, objectivity, diligence, and loyalty to which EH&S auditors should conform. B. Knowledge, Skills, and Disciplines 1. Each EH&S auditor should possess certain knowledge and skills as follows: a. Proficiency in applying EH&S auditing standards, procedures, and techniques is required in performing EH&S audits. Proficiency means the ability to apply knowledge to situations likely to be encountered and to deal with them without extensive recourse to technical research and assistance. b. Proficiency in EH&S principles and techniques is required of auditors who work extensively with EH&S records and reports. c. An understanding of management principles is required to recognize and evaluate the materiality and significance of deviations from good business practice. An understanding means the ability to apply broad knowledge to situations likely to be encountered, to recognize significant deviations, and to be able to carry out the research necessary to arrive at reasonable solutions. d. An appreciation is required of the fundamentals of such subjects as auditing, environmental sciences, health, and safety, industrial hygiene, information technology, engineering, law, and other sciences. An appreciation means the ability to recognize the existence of problems or potential problems and to determine the further research to be undertaken or the assistance to be obtained. 2. At a minimum, auditors should have completed secondary education and preferably a college degree. They should have training to the extent necessary to ensure competency in the skills required for carrying out their roles in audits. Audit team leaders should have the skills and knowledge required to manage audits. Competence in the following areas is particularly relevant. a. Knowledge and understanding of the criteria (e.g., policies, statutes, regulations, agency guidelines, internal standards, etc.) and the management systems and operations being audited. b. Techniques for examining, interviewing, verifying, evaluating and reporting. c. Communication (both written and oral) and interpersonal skills. d. For team leaders, the skills of planning, organizing and directing. 3. Additional auditor qualifications are outlined in the BEAC certification program requirements. C. Human Relations and Communications 1. EH&S auditors should understand human relations and maintain satisfactory relationships with auditees. 12-

21 2. EH&S auditors should be skilled in oral and written communications so that they can clearly and effectively convey such matters as audit objectives, evaluations, conclusions, and recommendations. D. Continuing Education EH&S auditors are responsible for continuing their education in order to maintain their proficiency. They should keep informed about improvements and current developments in EH&S auditing standards, procedures, and techniques. Continuing education may be obtained for example through membership and participation in professional societies; attendance at conferences, seminars, college courses, and in-house training programs; and participation in research projects. E. Due Professional Care 1. Due professional care calls for the application of the care and skill expected of a reasonably prudent and competent EH&S auditor in the same or similar circumstances. Professional care should, therefore, be appropriate to the complexities of the audit being performed. In exercising due professional care, EH&S auditors should be alert to the possibility of errors and omissions, inefficiency, waste, ineffectiveness, and conflicts of interest. They should also be alert to those conditions and activities where non-compliance is most likely to occur. In addition, they should identify inadequate controls and recommend improvements to promote conformance with acceptable procedures and practices. 2. Due care implies reasonable care and competence, not infallibility or extraordinary performance. Due care requires the auditor to conduct examinations and verifications to a reasonable extent. Accordingly, EH&S auditors cannot give absolute assurance that non-compliance does not exist. 3. When an EH&S auditor suspects a potentially serious issue, the senior management within the organization should be informed. The EH&S auditor may recommend whatever investigation is considered necessary in the circumstances. Thereafter, the auditor should follow up to see that the EH&S auditing function s responsibilities have been met. 4. Exercising due professional care means using reasonable audit skill and judgment in performing the audit. To this end, the EH&S auditor should consider: a. The extent of audit work needed to achieve audit objectives. b. The relative materiality or significance of matters to which audit procedures are applied. c. The adequacy and effectiveness of EH&S controls. 5. Due professional care includes evaluating established operating standards and determining whether those standards are acceptable and are being met. When such standards are vague, authoritative interpretations should be sought. If EH&S auditors are required to interpret or select operating standards, they should seek agreement with auditees as to the standards needed to measure operating performance. 13-

22 6. Due professional care is the application of diligence and skill in performing audits. Exercising due professional care means assuring accuracy, consistency, and objectivity in the performance of audits; using good judgment in choosing tests and procedures; developing conclusions and, if necessary, recommendations; and preparing reports. Auditors should conscientiously complete audits in conformance with these auditing standards. Auditors should apply established auditing standards consistently, and should seek authoritative interpretations when such standards are conflicting or vague. Auditors should conclude that sufficient and reasonable evidence exists to allow formation of opinions. 7. The relationship between the audit team members and the client should be one of confidentiality and discretion. Unless required by law, the audit team members should not disclose information or documents obtained during the audit or the final report to any third party without the express approval of the client, and where appropriate, with approval of the auditee. III. PERFORMANCE OF AUDIT WORK A. Planning the Audit 1. Audits should be based on use of systematic plans and procedures that provide uniform guidance in audit preparation, field work, and reporting. Explicit written plans and procedures promote consistency and uniformity of approach. 2. The objectives of an audit should be clearly established and fully communicated beforehand to the auditee. The objectives of specific audits should be consistent with the needs of intended recipients of audit results and the provisions of these standards. 3. Pre-audit planning is an essential part of an effective audit. The audit objective, scope and general methodology should be conveyed to the auditee, as this will establish appropriate expectations for the roles and involvement of site personnel. Pre-audit planning can facilitate arrangements for on-site meetings, file reviews, tours and interviews. Furthermore, advance research and information requests concerning on-site conditions, activities and obligations, can enable the audit team to properly focus and maximize productivity during its time on-site. The program design should establish the timing and content of pre-audit communications information gathering activities. 4. Protocols, checklists and/or guides that reflect the scope of the audit should be used when auditors review operations against audit criteria, in order to ensure consistency and reliability. The program should address the need to keep such materials up-to-date, to ensure that they address changes in regulations, organizational policy, operational activities, or any other criteria about which the 14-

23 program is intended to provide assurance. Procedures for the development, approval, retention and use of such audit protocols, checklists and/or guides should be established. 5. Planning should be documented and should include: a. Establishing audit objectives and scope of work. (1) Audit objectives are broad statements developed by EH&S auditors and define intended audit accomplishments. Audit procedures are the means to attain audit objectives. Audit objectives and procedures, taken together, define the scope of the EH&S auditor s work. (2) Audit objectives and procedures should address the risks associated with the activity under audit. The term risk is the probability that an event or action may adversely affect the activity under audit. (3) EH&S auditors should assess risk for individual audit assignments as outlined in Section V of these Performance Practices. (4) The purpose of the risk assessment during the planning phase of the audit is to identify significant areas of the auditable activity. b. Obtaining background information about the activities to be audited. (Pre- Audit) (1) A review of background information should be performed to determine the impact on the audit. Such items include: Objectives and goals. Policies, plans, procedures, laws, regulations, and contracts which could have a significant impact on operations and reports. Organizational information, e.g., number and names of employees, key employees, job descriptions, and details about recent changes in the organization, including major system changes. Operating information and EH&S data of the activity to be audited. Prior audit working papers. Results of other audits, including the work of external auditors, completed or in process. Files to determine potential significant audit issues. Authoritative and technical literature appropriate to the activity. (2) Other requirements of the audit, such as the audit period covered and estimated completion dates, should be determined. The final audit report format should be considered, since proper planning at this stage facilitates writing the final audit report. c. Determining the resources necessary to perform the audit. (1) The number and experience level of the EH&S auditing staff required should be based on an evaluation of the nature and complexity of the audit assignment, time constraints, and available resources. 15-

24 (2) Knowledge, skills, and disciplines of the EH&S auditing staff should be considered in selecting EH&S auditors for the audit assignment. (3) Training needs of EH&S auditors should be considered, since each audit assignment serves as a basis for meeting developmental needs of the EH&S auditing function. (4) Consideration of the use of external resources in instances where additional knowledge, skills, and disciplines are needed. d. Communicating with all who need to know about the audit. (1) Meetings should be held with management responsible for the activity being examined. Topics of discussion may include: Planned audit objectives and scope of work. The timing of audit work. EH&S auditors assigned to the audit. The process of communicating throughout the audit, including the methods, time frames, and individuals who will be responsible. Business conditions and operations of the activity being audited, including recent changes in management or major systems. Concerns or any requests of management. Matters of particular interest or concern to the EH&S auditor. Description of the EH&S auditing function s reporting procedures and follow-up process. (2) A summary of matters discussed at meetings and any conclusions reached should be prepared, distributed to individuals, as appropriate, and retained in the audit working papers. e. Performing, as appropriate, a pre-audit survey to become familiar with the activities and controls to identify areas for audit emphasis, and to invite auditee comments and suggestions. (1) A survey is a process for gathering information, without detailed verification, on the activity being examined. The main purposes are to: Understand the activity under review. Identify significant areas warranting special emphasis. Obtain information for use in performing the audit. Determine whether further auditing is necessary. (2) A survey permits an informed approach to planning and carrying out audit work, and is an effective tool for applying the EH&S auditing function s resources where they can be used most effectively. (3) The focus of a survey will vary depending upon the nature of the audit. (4) The scope of work and the time requirements of a pre-audit survey will vary. Contributing factors include the EH&S auditor s training and experience, knowledge of the activity being examined, the type of audit being performed, and whether the survey is part of a recurring or follow- 16-

25 up assignment. Time requirements will also be influenced by the size and complexity of the activity being examined, and by the geographical dispersion of the activity. (5) Working papers may involve use of the following: Discussions with the auditee. Interviews with individuals affected by the activity, e.g., users of the activity s output. On-site observations. Review of management reports and studies. Analytical auditing procedures. Flowcharting. Functional walk-thru (tests of specific work activities from beginning to end). Documenting key control activities. (6) A summary of results should be prepared at the conclusion of the survey. The summary should identify: Significant audit issues and reasons for pursuing them in more depth. Pertinent information developed during the survey. Audit objectives, audit procedures, and special approaches such as computer-assisted audit techniques. Potential critical control points, control deficiencies, and/or excess controls. Preliminary estimates of time and resource requirements. Revised dates for reporting phases and completing the audit. When applicable, reasons for not continuing the audit. f. Writing the audit work plan. The audit work plan should: Document the EH&S auditor s procedures for collecting, analyzing, interpreting, and documenting information during the audit. State the objectives of the audit. Set forth the scope and degree of testing required to achieve the audit objectives in each phase of the audit. Identify technical aspects, processes, and transactions which should be examined. State the nature and extent of testing required. Be prepared prior to the commencement of audit work and modified, as appropriate, during the course of the audit. g. Determining how, when, and to whom audit results will be communicated. The director of EH&S auditing is responsible for determining how, when, and to whom audit results will be communicated. This determination should be documented and communicated to management, to the extent deemed practical, during the planning phase of the audit. Subsequent changes which affect the timing or reporting of audit results should also be communicated to management, if appropriate. h. Obtaining approval of the audit work plan. 17-