Session No. 716 Auditing Skills Carol Robinson, CIH, CSP Vice President Specialty Technical Consultants, Inc. Oakland, California Debby Shewitz, CSP Owner Shewitz Consulting, LLC Cleveland, Ohio Introduction Many EHS professionals participate in audits in some way, shape or form. Audits may be conducted to evaluate EHS regulatory compliance, management systems (such as ISO 14001), sustainability practices, and even financial practices (where the whistleblower protections are enforced by OSHA). EHS professionals may be on either side of the audit, either as auditors or as auditees. However, unless they are part of a dedicated audit department, many EHS professionals may be unaware that there are US and international consensus standards and guidelines for the competencies that an EHS auditor is expected to possess. This is because, as of now, US companies tend not to place much emphasis on requiring these competencies in their audit teams. That, in turn, is because there is not yet much demand by the companies customers for certification of such competencies, the way there may be for ISO 9000, CE mark, or even ISO 14000 certification. However, there is a clear, if early, international trend towards placing an emphasis on competence rather than education/training of personnel who perform all types of critical tasks, including audits. Therefore, it will become increasingly important for EHS professionals to understand the core competencies that an auditor must have, if they wish to conduct audits as part of their careers. This session will present an overview of the current guidelines related to EHS auditor skills, along with a brief discussion of the emerging trends in competence evaluation. It also highlights a few of the critical skills/competencies that are significantly different from those that an EHS generalist might typically have.
Guidelines for Auditor Competencies There are two main published guidelines for EHS auditor competencies. One is ISO 19011, Guidelines for Auditing Management Systems, and the other is the EHS Auditor Competency Framework from the trilateral working group of the Institute of Internal Auditors (IIA), the Auditing Roundtable (AR), and the Board of Environmental, Health & Safety Auditor Certifications (BEAC). ISO 19011 This standard from the International Organization for Standardization was first issued in 2002. It provides guidance to organizations who conduct quality audits under ISO 9001 and environmental audits under ISO 14001 as to how to manage and conduct audits. Although the standard is officially focused on auditing management systems, the summary section states The application of ISO 19011:2011 to other types of audits is possible, provided that special consideration is given to the specific competence needed. Section 7 of the standard addresses Competence and Evaluation of Auditors, and has the following contents: 7.1 General 7.2 Determining auditor competence to fulfil the needs of the audit programme 7.3 Establishing the auditor evaluation criteria 7.4 Selecting the appropriate auditor evaluation method 7.5 Conducting auditor evaluation 7.6 Maintaining and improving auditor competence As you can see, this whole clause is very heavily focused on measurable elements of auditor competence. The list of competencies included in section 7.2 is too long to reproduce in its entirety here. The key personal attributes that are suggested as being important include being: Ethical; Open-minded; Tactful; Observant; Able to adjust easily to different situations; Decisive; and Able to work equally well independently and as part of a team. Key knowledge and skills include: Subject matter knowledge; Knowledge of audit principles, procedures and techniques along with the ability to apply that knowledge; Ability to organize work so that the audit is completed within the agreed time schedule while ensuring that there is appropriate prioritization of, and focus on, matters of significance; and Ability to communicate effectively both orally and in writing.
It is important to note that the 2004 edition of ISO 19011 stated that auditors should be evaluated for competence primarily based on their education (e.g. degree) and experience (years of work and years of auditing). The 2011 edition states that auditors should be evaluated for competence based on an evaluation to be conducted using a combination of methods including records review, feedback, interviews, observation and testing of knowledge and skills. This is further evidence of the growing emphasis on measurable skills rather than simple training. EHS Auditor Competency Framework This framework is was issued jointly in 2008 by three organizations that are devoted to auditing. These are: IIA The Institute of Internal Auditors This is an international professional membership organization for the global profession of internal auditing AR The Auditing Roundtable This is a professional membership organization dedicated to the development and professional practice of EHS auditing. BEAC - The Board of Environmental, Health & Safety Auditor Certifications BEAC is a certification body, comparable to the Board of Certified Safety Professionals (BCSP), which issues professional certifications relating to environmental, health, and safety auditing and other scientific fields. The Framework is summarized in the following diagram:
EHS Auditing Competency Framework Chemical Pollutant Hazards Internal Management Controls Environmental Legislation Pollution Control Technology Environmental Media Sustainability Information Technology Interviewing Computer Literacy Coaching/Mentoring Ethics Objectivity Reasoning Technical Competencies Functional Competencies Conflict Resolution Observation Supervision Project Management Foundational Competencies Adaptability Diligence Communication Statistical Concepts Health and Safety Impacts Health & Safety Standards Health and Safety Legislation Risk Assessment Security Writing Literacy Time Management Working Papers Legal Protections Interpersonal Intuition Analyzing Copyright The Auditing Roundtable, Inc. 2012 All Rights Reserved 1 Personal attributes are included in several areas of the BEAC Standards, however specific personality traits are not included, as these are considered by BEAC to be subjective. Regarding skills and knowledge, the Competency Framework states: Auditors shall have adequate qualifications, technical knowledge, training, professional experience and proficiency in the discipline of auditing to perform their assigned audit tasks. Competency means the ability to apply knowledge to situations likely to be encountered and to deal with them without extensive recourse to technical research and assistance. Competency is the responsibility of the organization managing auditing activities and of each individual auditor. Qualifications of the auditor or audit team, including technical knowledge, training, professional experience and proficiency, shall be commensurate with the objectives, scope and complexities of the audit assignment. An auditor s technical knowledge, training and professional experience shall be adequate to achieve audit objectives and shall include, but not be limited to, each of the following commensurate with each individual auditor s responsibilities:
Characteristics and analysis of management systems. Regulatory requirements and EH&S policies. EH&S control systems and technologies. Facility operations. Potential EH&S impacts and hazards/risks associated with the types of facilities and operations to be audited. Additionally, the Competency Framework states that auditors should have the following skills and knowledge: Ability to recognize and evaluate the materiality and significance of deviations from good management practice; Skills in communications, team dynamics, conflict resolution, leadership and decision making; Appreciation of the fundamentals of such subjects as environmental sciences, health and safety, industrial hygiene, information technology, engineering, law, business processes, risk and other sciences, sufficient to be able to recognize the existence of problems or potential problems and to determine the further research to be undertaken or the assistance to be obtained; and A certain competency level, demonstrated through a means such as recognized certification. The Competency Framework document states that Auditors are not expected or required to have all technical competencies to function as a qualified auditor. Obviously nobody knows everything in detail. An auditor must have technical competency in the portion of the audit that s/he is assigned to address, but most audits of any size will use a team of auditors to make sure there is technical knowledge about all of the topics in the audit scope. In addition, the document states that Auditors are expected to have some skill level in most foundational and functional competencies. So depending on the structure of an audit team, maybe an individual auditor doesn t need to be quite as strong in their writing skills, knowing that the audit team leader will be polishing the written findings for the report, and certainly there are ways to cover for people who may not be as strong in IT or computer literacy. The Competency Framework also has a matrix to clarify the relative importance of each of the identified competencies, depending on the role a person is playing in the audit function. They identify 5 roles: an Audit Program Director (who would be in internal person who is responsible for overseeing a business s overall audit program), an Audit Team Leader, a general Auditor, a Subject Matter Expert Auditor (someone brought in to look at a relatively narrow, specialized topic), and a Guest Auditor (typically someone who works at a sister facility who is there to add insight as to how the facility implements requirements, or who is learning auditing skills, etc.) The importance is designated on a scale of 1-4. 1 is not necessary, 2 is preferable to have, 3 is should have, and 4 is must have. The full Competency Framework document can be found online at: http://beac.org/ehs%20auditing%20competency%20framework.pdf A comparison of the BEAC and ISO 19011 (2011) guidelines for auditor competence can be found online at: http://beac.org/standards%20comparison_beac%20and%20iso%2019011.pdf
The Real World Reading through the guidelines above, a natural reaction might be sure, those are important traits, skills and knowledge for any professional. What about them is so special to auditing? To answer that, let s define the purpose of auditing. There are numerous definitions, many of them related to financial audits. For this discussion, let s use a slightly modified version of the ISO definition: A systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which requirements are being met. Keeping in mind this definition, along with the fact that auditors are allotted a fixed amount of time in which to accomplish the goals of the audit, and many of the critical auditor s skills should become readily apparent. One of the first things the auditor must do is to collect meaningful evidence related to the processes and topics being audited. This leads to the importance of communication skills the auditor must be able to express clearly what information s/he is asking for, and must be able to listen openly to the answers that are given. Information may not always be presented in a textbook format, so the auditor needs to be able to follow a trail of information in order to form a complete picture of the situation. Many of the people who are being asked for information, especially front line operating and maintenance personnel, may well feel uncomfortable being asked questions, which can make it look like they don t understand things as well as they actually do, or lead them to give incomplete answers. Auditors need to be able to talk with all levels of personnel in a way that puts them at ease as much as possible (recognizing that the manner may vary with different people, and different positions in the organization). They also need to have a reasonably well-developed sense of when the people they re talking with may be nervous, confused, or possibly even trying to cover something up, in order to be able to decide where the answers fit in with the overall evidence that s being gathered. Auditors need to keep in mind that the people being audited have a stake in the outcome of the audit. At the minimum, most people have a sense of pride about their work, and they will want it to be perceived in a good light. In addition, the organization is being judged by an audit, and this judgment may make its way into individual people s performance reviews or other job evaluations. Some organizations are progressive enough to understand that it s beneficial if an audit uncovers deficiencies before they turn into and accident, or before they re found by regulatory agency, and will welcome an auditor s observations where things can be improved. Other organizations may become defensive or take it personally when deficiencies are found. Auditors need to be able to pick up on the culture of the organization, be tactful about how they present bad news and be flexible in the wording of their findings (especially in writing) so as to make the information palatable to the organization (especially when the organization may have
thought they were doing everything correctly). They must also be able to admit where there is room for differing opinions or interpretations about some requirements, and willing to do more research as needed to come to an agreement about the proper application of the requirement to the specific situation. At the same time, auditors must not give up their integrity if after all efforts there s still a disagreement with an organization about deficiencies, the auditor must be strong enough to stand by his or her evaluation. As mentioned, there will be a fixed amount of time allotted for an audit, which means that not every single bit of information about a process or topic can be evaluated in depth. It is typically stated that an audit is a snapshot in time. Conditions may have been different just before the auditor saw them, and may change right after the auditor leaves. In order to stay within the limits of the allotted time, auditors need to know how to use statistical sampling methods (e.g. how many completed hot work permits to review out of the total that were used during the time period being audited) in order to get a reasonably accurate picture of an overall activity. They must also be able to prioritize the critical risks for the operation, so that if time becomes limited, the focus is given to the most important topics and activities, rather than spending too much time on the nitpicky details of less important items. Time limitations also typically mean that the auditor has to be able to adjust schedules on a moment s notice, come up with different approaches to collecting the required information and evidence, go off and work independently at certain times, and come back and work collaboratively with other members of the audit team to pool their information and reach joint conclusions about what they ve seen. Conclusion Every EHS professional needs to have technical knowledge about the environmental, health and safety regulations, management systems, and best practices that apply to his/her area of responsibility. But technical proficiency is just the beginning for being a successful auditor. EHS professionals who wish to include auditing activities as a significant part of their careers need to add knowledge about audit techniques, and have or develop additional skills in order to be successful. Bibliography Board of Environmental, Health & Safety Auditor Certifications (BEAC). 2008. EHS Auditor Competency Framework. (http://www.beac.org/guidance-gb.html). International Organization for Standardization (ISO). 2011. Guidelines for Auditing Management Systems. ISO 19011-2011. Geneva, Switzerland : ISO.