This article provides a brief overview of audit preparation guidance and tips, that are intended to equip environmental staff to work effectively with internal or external auditors. This is the first in a series-future articles will provide more details on preparing for program-specific audits, including those with statutory requirements for periodic audits.
General Audit Preparedness
Coordination and communication are critical to the success of any audit. It is highly likely that auditors will want to interview personnel across the site, and will want to “set eyes” on critical parts of your facility. Having relevant personnel available to share information with the audit team is helpful to ensuring the auditors understand process nuances, as well as gauging their level of comprehension of the programs being audited. Coordination should also include ample and detailed pre-audit communication with all affected personnel regarding the purpose and content of the audit. More importantly, early dissemination of an audit notice, accompanied by reassuring language about the purpose of the audit (e.g., the audit will serve to identify opportunities for improvement), goes a long way in setting the plant-wide expectations with respect to the audit process.
Coordination of overall audit logistics is also a crucial step to guarantee success.
- Have you reserved or set aside meeting rooms or offices for the auditors to work from?
- Will photographs be allowed, or are there any restrictions?
- Will lunch be brought in, or are auditors expected to bring their own lunch?
- Will Transportation Worker Identification Cards (TWICs) be required to access certain portions of the facility?
Most sites will have standard personal protective equipment (PPE) requirements applicable to auditors visiting the facility. For the most part, this means wearing steel-toed shoes, eye and hearing protection, and head protection (e.g., hard hats). In addition, some sites have enhanced PPE requirements such as long-sleeved shirts or fire retardant (FR) clothing to be worn while roaming the plant site. In cases where FR clothing is required, full body coveralls may be required or FR shirts may suffice. Such requirements should be identified well in advance of the audit.
Some facilities have site-specific requirements related to training and certifications, and may also have drug and alcohol testing policies. Auditors coming to the site will sometimes have to undergo medical testing and obtain training in anticipation of the site visit. In certain cases, coordination of testing and specific-training sessions may require weeks of planning. Having a good understanding of these policies and requirements ahead of the site visit will facilitate compliance by the audit team. In addition, most facilities will have safety briefings that must be completed prior to gaining access to the plant, or even to certain process areas. For very complex facilities, these briefings may take hours to complete. This time should be factored into the audit planning agenda since it may significantly affect the amount of on-site time available for the actual audit activities.
Other helpful tips to help prepare for auditors at your site include:
- Availability of records prior to the site visit - Try to fulfill your auditor's requests for information (RFI) as quickly as possible prior to the site visit. Auditors will usually prefer to review permits and other documents before coming to the site, to allow for better use of on-site time.
- General records (personnel training) - If your company relies on online training sessions to comply with any internal or regulatory-based training requirements, make sure those training records are easily retrievable during the site visit or before.
- Confidentiality and sensitive information - Secure non-disclosure agreements (NDAs) or make auditors aware of sensitive or confidential information prior to the site visit. Request auditor certifications (e.g., Chemical-Terrorism Vulnerable Information) prior to providing access to restricted information.
General EHS Compliance Audit Programs
For each of the programs discussed below, attention to both state and federal regulatory programs is imperative since state requirements vary and may be more complex and detailed than the federal regulations.
Water - Complexity of the water audit can range from relatively simple to extremely complex, depending on the type of facility and applicable programs. The water audit could encompass all of the elements described below, as applicable.
- Wastewater discharges - Basic information to be reviewed consists of discharge permits (direct, indirect, or both); discharge reporting (usually accomplished by a review of Discharge Monitoring Reports, or DMRs); overview of laboratory testing, including sampling, sample management and preservation, and general quality control; water balances; and sources of wastewater. Additional documents will be reviewed for sites with zero-discharge permit (including water reuse) and with groundwater discharge permits.
- Stormwater - This entails a review of facility Stormwater Pollution Prevention Plans (SWPPPs); established Best Management Practices (BMPs), including evaluation of effectiveness; reports for Annual Comprehensive Site Evaluations; and results of visual and analytical testing.
- Water appropriation - The scope varies depending on the source of water and withdrawal volumes or flows. Records review will include logs of withdrawals or water usage (as applicable), equipment maintenance, permits, etc. For facilities with regulated cooling water intake structures [CWIS, regulated under Section 316(b) of the Clean Water Act], the review will include an assessment of the effectiveness of any best technology available (BTA) that has been implemented or deployed for the site.
Nuances of the water audit will be explored in further detail in an upcoming article in this series.
Air Quality - Similar to the water audit, the air audit can be extremely complex for sites subject to intricate regulatory requirements. In general, an air audit will examine the elements listed below. These and other details will be discussed in a future article.
- Permits [including Title V, Prevention of Significant Deterioration (PSD), Nonattainment New Source Review (NNSR), etc.]
- Adherence to permit conditions
- Compliance with applicable requirements under New Source Performance Standards (NSPS), National Emissions Standards for Hazardous Air Pollutants (NESHAPs), and Maximum Achievable Control Technologies (MACTs)
- Reporting and records of initial as well as continuous compliance demonstrations
- Records from Continuous Emissions Monitoring Systems (CEMS), including Data Acquisition and Handling Systems (DAHS)
Additional Programs - Additional programs to be audited may include solid waste, emergency preparedness and response [Spill Prevention Control and Countermeasure (SPCC), Facility Response Plan (FRP), etc.], and hazardous materials reporting (Tier 2 and Toxic Release Inventory). We will explore intricacies related to auditing these programs in future articles.
Programs with Statutory Audit Requirements
Some EHS regulatory programs contain audit provisions as part of the compliance requirements. For these programs, audit processes are prescribed within the regulations.
Risk Management Program/Process Safety Management - These two related programs have their own statutory requirements applicable to periodic audits. The Risk Management Program (RMP, Chemical Accident Prevention under 40 CFR 68) includes requirements to conduct compliance audits for Program Level 2 (40 CFR 68.58) and Program Level 3 (40 CFR 68.79) every three years. Be aware that the recently revised rules [see 40 CFR 68.58(f) and 68.79(f)] now also require third-party audits to be conducted under certain circumstances (e.g., certain accidental releases from a covered process). Selection of third-party auditors must meet requirements established under 40 CFR 68. Helpful documents to be reviewed during an RMP audit include the following:
- Results of the off-site consequence analysis (OCA), and supporting documentation for instances where RMPComp was not used as the modeling tool (e.g., ALOHA, DEGADIS, etc.) - please see Addressing Meteorological Data Requirements for RMP Offsite Consequences Analyses from EQ Spring 2019 issue for more details.
- Operating procedures
- Emergency response plans
Similarly, the Process Safety Management (PSM) standard requires compliance audits at three-year intervals [29 CFR 1910.119(o)]. The PSM audit process is quite involved and requires careful planning to guarantee access to relevant documents such as process safety information, process hazard analyses (PHAs), mechanical integrity logs, training records for employees and contractors, and operating procedures.
Facility Security Plan - Facilities subject to the security requirements of the Maritime Security Act must conduct an annual audit to determine if the facility is fully implementing its Facility Security Plan (FSP) [33 CFR 105.415 (b)]. The audit should cover elements associated with the FSP, the Facility Security Assessment (FSA), management of the facility's TWIC program, and response to changes in the MARSEC (MARitime SECurity) levels. The audit will focus on exercise and drill records, adherence to elements of the site-specific FSP, and deployment of security measures.
Chemical Facility Anti-Terrorism Standards - The Chemical Facility Anti-Terrorism Standards (CFATS) program requires annual compliance audits [6 CFR 27.225(e)] of an affected facility's Site Security Plan (SSP). These audits are intended to determine adherence to the site-specific SSP authorized by the Department of Homeland Security (DHS) and to generate the associated compliance demonstration records.
The scope of the audit is thus focused on elements of the SSP, and most importantly, on any security measures implemented to fulfill the applicable Risk Based Performance Standards (RBPS) for the corresponding facility tiering. In addition, any planned measures (including timelines for deployment and completion) included in the SSP will be assessed as part of the audit.
Helpful documents for a CFATS audit include the following:
- DHS correspondence (tiering letter, SSP approval, copies of the SSP)
- Supporting documents associated with planned measures
An effective audit preparation process will result in a more efficient and productive audit, since auditors will be able to devote more time to audit-specific tasks, rather than solving logistical issues. Trinity can help with providing site-specific guidance on preparing for an audit and with conducting EHS Compliance audits for a wide range of programs:
- Air quality
- Solid and hazardous wastes
- Emergency planning and preparedness
- Risk Management Plans and Accidental Releases
- Coast Guard Facility Security Plans
- DHS CFATS Regulations
- Process Safety Management
- Health & Safety Standards, including OSHA's General Industry Standards