Blog

14 Jun
Six Best Practices for Compliance Assurance

A well-designed and well-executed compliance assurance program provides an essential tool for improving and verifying business performance and limiting compliance risks. Ultimately, however, a compliance program’s effectiveness comes down to whether it is merely a “paper program” or whether it is being integrated into the organization and used in practice daily.

The following can show evidence of a living, breathing program:

  • Comprehensiveness of the program
  • Dedicated staff and resources
  • Employee knowledge and engagement
  • Management commitment and employee perception
  • Internal operational inspections, “walk-abouts” by management
  • Independent insider, plus third-party audits
  • Program tailoring to greatest risks
  • Consistency and timeliness of exception (noncompliance/nonconformance) disclosures
  • Tracking of timely and adequate corrective/preventive action completion
  • Progress and performance monitoring

Best Practices

To achieve a compliance assurance program on par with world-class organizations, there are a number of best practices that companies should employ:

  1. Know the requirements. This means maintaining an inventory of regulatory compliance requirements for each compliance program, as well as of state/local/contractual binding agreements applying to operations. It is vital that the organization keep abreast of current/upcoming requirements (federal, state, local).
  2. Plan and develop the processes to comply. Identify and assess compliance risks, and then set objectives and targets for performance improvement based on top priorities. From here, it becomes possible to then define program improvement initiatives, assign and document responsibilities for compliance (who must do what and when), develop procedures and tools, and then allocate resources to get it done.
  3. Assure compliance in operations. The organization needs to establish routine checks and inspections within departments to evaluate conformance with sub-process procedures. Process audits should be designed and implemented to cut across operations and sub-processes in order to evaluate conformance with company policies and procedures. Regulatory compliance audits should further be conducted to address program requirements (e.g., environmental, safety, mine safety, security). Audit performance must be measured and reported, and then expectations set for operating managers to take responsibility for compliance.
  4. Take action on issues and problems. Capture, log, and categorize noncompliance issues, process non-conformances, and near misses. Implement a corrective/preventive action process based on importance of issues. Be disciplined in timely completion, close-out, and documentation of all corrective/preventive actions.
  5. Employ a management of change (MOC) process. Robust MOC processes help ensure that changes affecting compliance (to facility, operations, personnel, infrastructure, materials, etc.) are reviewed for their impacts on compliance. Compliance should be assured before the changes are made. Failure to do so is one of the most common root causes of noncompliance.
  6. Ensure management involvement and leadership. Set the tone at the top. The Board of Directors and senior executives must set policy, culture, values, expectations, and goals. It is just as important that these individuals are the ones to communicate across the organization, to demonstrate their commitment and leadership, to define an appropriate incentive/disincentive system, and to provide ongoing organizational feedback.
05 Jun
RMP Reconsideration Proposed Rule

Chemicals are an important part of many aspects of our lives; however, improper handling and management of chemicals can result in catastrophic releases that have severe and lasting impacts—loss of life, injury, property damage, community disruption.

The USEPA’s Risk Management Plan (RMP) Rule (Section 112(r) of the Clean Air Act Amendments) is aimed at reducing the frequency and severity of accidental chemical releases. While the intent of the RMP Rule is positive, there has been much controversy over what the rule requires. This has resulted most recently in the RMP Reconsideration Proposed Rule, which was published on May 30, 2018.

The History of Modernizing RMP

RMP regulations were first created in 1996 to protect first responders and communities adjacent to facilities with chemical substances. Changes to the original RMP Rule have been in progress since former President Obama issued Executive Order (EO) 1365, Improving Chemical Safety and Security, in August 2013. Modernizing policies and regulations—including the RMP Rule—falls under this umbrella.

A July 2014 Request for Information (RFI) sought initial comment on potential revisions to RMP under the EO. This was followed by a Small Business Advocacy Review (SBAR) Panel discussion in November 2015. On March 14, 2016, the USEPA published Proposed Rule: Accidental Release Prevention Requirements: Risk Management Programs Under the Clean Air Act, Section 112(r)(7), outlining proposed amendments to the RMP Rule.

The much anticipated final RMP Amendments were published in the Federal Register on January 13, 2017. According to the USEPA, these amendments were intended to:

  • Prevent catastrophic accidents by improving accident prevention program requirements
  • Enhance emergency preparedness to ensure coordination between facilities and local communities
  • Improve information access to help the public understand the risks at RMP facilities
  • Improve third-party audits at RMP facilities

After the USEPA published the final rule, many industry groups and several states filed challenges and petitions, arguing that the rule was overly burdensome, created potential security risks, and did not properly coordinate with OSHA’s Process Safety Management (PSM) standard. Under the Trump administration, the USEPA delayed the effective date of the rule until February 2019 and announced its plan to reconsider the rule’s provisions.

Reconsideration

That brings us full circle to the RMP Reconsideration Proposed Rule that was published at the end of May. According to the USEPA, this reconsideration proposes to:

  • Maintain consistency of RMP accident prevention requirements with the OSHA PSM standard.
  • Address security concerns.
  • Reduce unnecessary regulations and regulatory costs.
  • Revise compliance dates to provide necessary time for program changes.

What’s Going?

USEPA Administrator Scott Pruitt said in a press release, “The rule proposes to reduce unnecessary regulatory burdens, address the concerns of stakeholders and emergency responders on the ground, and save Americans roughly $88 million a year.”

To accomplish this, the reconsideration proposes making the following changes:

  • All accident prevention program provisions have been rescinded in the reconsideration so the USEPA can coordinate revisions with OSHA and keep regulatory costs in check. This includes repealing the requirements for conducting:
    • Third-party audits
    • Safer Technology and Alternatives Analysis (STAAs) as part of the process hazard analyses
    • Root cause analyses as part of an accident investigation of a catastrophic release or near-miss
  • Most of the public information availability provisions have been rescinded due to their redundancy and security concerns, particularly regarding specific chemical hazard information. The USEPA is proposing to retain the requirement for facilities to hold a public meeting within 90 days of a reportable incident.

What’s Staying?

Many of the emergency coordination and exercise provisions of the Amendments rule are staying–but are being modified to address security concerns and provide more flexibility. The Reconsideration Proposed Rule still requires facilities to:

  • Coordinate response needs at least annually with local emergency planning councils (LEPCs) and response organizations, and to document these activities
  • Provide emergency action plans, response plans, updated emergency contact information, and other information necessary for developing and implementing the local emergency response plan to LEPCs
  • Perform annual exercises to test emergency response notification mechanisms (Program 2 and 3 facilities)

Looking Ahead

The proposed rule is available for public comment for 60 days after its publication date (May 30, 2018). In addition, a public hearing is scheduled for June 14, 2018. If the Reconsideration Proposed Rule is published, compliance dates will be as follows based on the effective date of the final rule.

[Figure: RMP Reconsideration Rule Compliance Timeline]

For more information, visit the USEPA website on the RMP Reconsideration Proposed Rule.

24 May
EPA Announces Chemical Safety Milestones

To celebrate the one-year anniversary of the Frank R. Lautenberg Chemical Safety for the 21st Century Act, EPA Administrator Scott Pruitt announced on June 22, 2017, that the Agency has met its first-year statutory responsibilities under the law. This includes the following actions:

Read the EPA press release: https://www.epa.gov/newsreleases/epa-marks-chemical-safety-milestone-1st-anniversary-lautenberg-chemical-safety-act

19 May
Technology Tip: Software and Audits Top 10

All types of business and operational processes demand a variety of audits and inspections to evaluate compliance with standards—ranging from government regulations to industry codes, to system standards (i.e., ISO), to internal corporate requirements.

Audits provide an essential tool for improving and verifying compliance performance. Audits may be used to capture regulatory compliance status, management system conformance, adequacy of internal controls, potential risks, and best practices.

By combining effective auditing program design, standardized procedures, trained/knowledgeable auditors, and computerized systems and tools, companies are better able to capture and analyze audit data, and then use that information to improve business performance. Having auditing software of some sort can greatly streamline productivity and enhance quality, especially in industries with many compliance obligations.

The following tips can help ensure that companies are getting the most out of their auditing process:

  1. Have a computerized system. Any system is better than nothing; functional is more important than perfect. The key is to commit to a choice and move forward with it. Companies are beginning to recognize the pitfalls of “smart people” audits (i.e., an audit conducted by an expert + notebook with no protocols or systems). While expertise is valuable, this approach makes it difficult to compare facilities and results, is not replicable, and provides no assurance that everything has been reviewed. A defined system and protocol helps to avoid these pitfalls.
  2. Invest time before the audit. The most important time in the audit process is before the audit begins. Do not wait until the day before to prepare. There is value in knowing the scope of the audit, understanding expectations, and developing question sets/protocol. This is also the time to ensure that the system collects the data desired to produce the final report.
  3. Capture data. Data is tangible. You can count, sort, compare and organize data so it can be used on the back end. Data allows the company to produce reports, analytics, and standard metrics/key performance indicators.
  4. Don’t forget about information. Information is important, too. The information provides descriptions, directions, photos, etc. to support the data and paint a complete picture.
  5. Be timely. Reports must be timely to correct findings and demonstrate a sense of urgency. Reports serve as a permanent record and begin the process of remediation. The sooner they are produced, the sooner corrective actions begin.
  6. Note immediate fixes. During the audit, there may be small things uncovered that can be fixed immediately. These items need to be recorded even if they are fixed during the audit. Unrecorded items “never happened”. Correspondingly, it is important to build a culture where individuals are not punished for findings, as this can result in underreporting.
  7. Understand the audience. Who will be reading the final report? What do they need to know? What is their level of understanding? Not all data presentation is useful. In fact, poorly presented data can be confusing and cause inaction. It is important to identify key data, reports desired, and the ways in which outputs can be automated to generate meaningful information.
  8. Compare to previous audits. The only way to get an accurate comparison is if audits have a common scope and a common checklist/protocol. Using a computerized system can ensure that these factors remain consistent. Comparisons reinforce and support a company’s efforts to maintain and improve compliance over time.
  9. Manage regulatory updates. It is important to maintain a connection to past audits and the associated compliance requirements at the time of the audit. Regulations might change and that needs to be tracked. Checklists, however, may remain the same. Companies should have a process for tracking regulatory updates and making sure that the system is updated appropriately.
  10. Maintain data frequency. For data, the frequency is key. Consider what smaller scope, higher frequency audits look like. These can allow the company to gather more data, involve more people, and improve the overall quality and reliability of reports.

A well-designed and well-executed auditing program—with analysis of audit data—provides an essential tool for improving and verifying business performance. Audits capture regulatory compliance status, management system conformance, adequacy of internal controls, potential risks, and best practices. And using a technology tool or system to manage the audit makes that information even more useful.

17 May
EPA Proposes to Delay RMP Rule Effective Date to 2019

On Friday, March 31, 2017, U.S. Environmental Protection Agency (EPA) Administrator Scott Pruitt announced a proposed rule to further delay the effective date of the Obama Administration’s Risk Management Program (RMP) final rule until February 19, 2019. This will give the agency time to reconsider the final RMP rule published on January 13, 2017.

Industry organizations have raised serious concerns about the final rule. The proposal to further delay the effective date of the amendments will allow the Agency time to evaluate these objections and consider other issues that may benefit from the additional public input.

15 May
EPA Puts Risk Management Program Rule on Hold

This January, the much anticipated final RMP amendments were published in the Federal Register. According to the EPA, these amendments are intended to:

  • Prevent catastrophic accidents by improving accident prevention program requirements
  • Enhance emergency preparedness to ensure coordination between facilities and local communities
  • Improve information access to help the public understand the risks at RMP facilities
  • Improve third-party audits at RMP facilities

As Kestrel indicated in a recent article when the final RMP amendments were published, RMP faces an uncertain future under the Trump Administration. It is not clear at this point whether the final RMP rule will actually be implemented as published—or at all.

We are seeing the first wave of that uncertainty demonstrated. EPA received a petition dated February 28, 2017, from the RMP Coalition requesting reconsideration and a stay of the RMP rule amendments. After a proceeding for reconsideration on March 13, 2017, EPA’s Administrator signed a final rule that provides a three-month (90-day) administrative stay of the effective date of the RMP rule amendments, delaying the effective date of the final rule to June 19, 2017. This stay is intended to allow the EPA to revisit these important issues and consider alternative approaches.

12 May
Risk Management Plan (RMP) Final Amendments

Chemicals are an important part of many aspects of our lives; however, improper handling and management of chemicals can result in catastrophic releases that have severe and lasting impacts—loss of life, injury, property damage, community disruption. USEPA’s Risk Management Plan (RMP) data shows that in the last 10 years, there have been more than 1,517 reportable incidents of accidental chemical releases. Those incidents were responsible for 58 deaths, 17,099 injuries, the evacuation or shelter-in-place of almost 500,000 people, and over $2 billion in property damage.

Charting the Changes to RMP

The USEPA’s RMP Rule (Section 112(r) of the Clean Air Act Amendments) is aimed at reducing the frequency and severity of accidental chemical releases. Changes to the RMP Rule have been in progress since former President Obama issued Executive Order (EO) 1365, Improving Chemical Safety and Security, in August 2013. The focus of the EO is to reduce risks associated with hazardous chemicals to owners and operators, workers, and communities by enhancing the safety and security of chemical facilities. Modernizing policies and regulations—including the RMP Rule—falls under this umbrella.

A July 2014 Request for Information (RFI) sought initial comment on potential revisions to RMP under the EO. This was followed by a Small Business Advocacy Review (SBAR) Panel discussion in November 2015. On March 14, 2016, the USEPA published Proposed Rule: Accidental Release Prevention Requirements: Risk Management Programs Under the Clean Air Act, Section 112(r)(7), outlining proposed amendments to the RMP Rule.

Since the initial action to revise the RMP Rule commenced two and a half years ago, the USEPA has received over 60,000 public comments and has had extensive engagement with nearly 1,800 people.

Final Amendments

The much anticipated final RMP amendments were published in the Federal Register on January 13, 2017. According to the USEPA, these amendments are intended to:

  • Prevent catastrophic accidents by improving accident prevention program requirements
  • Enhance emergency preparedness to ensure coordination between facilities and local communities
  • Improve information access to help the public understand the risks at RMP facilities
  • Improve third-party audits at RMP facilities

The final changes in the RMP Rule are outlined in the table below.

[Figure: Risk Management Plan Final Amendment Table]

Compliance

The effective date for the final RMP amendments is March 14, 2017. Compliance dates are set according to this date, as follows:

[Figure: Risk Management Plan Compliance Timeline]

The Future of RMP

The final RMP amendments have the potential to significantly affect the 12,500 facilities in the U.S. that are subject to the RMP program. However, like many environmental rules, RMP faces an uncertain future under the Trump Administration. It is not clear at this point whether the final RMP Rule will actually be implemented as published—or at all.

Among the possible outcomes, environmental law firm Beveridge & Diamond PC cites the following possibilities:

  • Congress may rescind the Rule using the Congressional Review Act.
  • The USEPA might stay the Rule and then unilaterally seek to repeal it through amendment.
  • The Rule might be challenged through a petition for reconsideration to the USEPA or a petition for review by the federal courts.

Kestrel will continue to track the RMP Rule and potential upcoming actions or compliance dates that may affect impacted facilities.

06 May
Case Study: Efficient Compliance Management

Regulatory enforcement, customer and supply chain audits, and internal risk management initiatives are all driving requirements for managing regulatory obligations. Many companies—especially those that are not large enough for a dedicated team of full-time EHS&S staff—struggle with how to effectively resource their regulatory compliance needs.

The following case study talks about how The C.I. Thornburg Co., Inc. (C.I. Thornburg) is using a technology tool to efficiently meet National Association of Chemical Distributors (NACD) and a number of other regulatory requirements.

The Challenge of Compliance

C.I. Thornburg joined NACD in January 2015. As a condition of membership, the company started the process of developing and implementing Responsible Distribution in April 2015. Responsible Distribution showcases member companies’ commitment to continuous improvement in every business process of chemical distribution—and it requires rigorous management activities to develop and maintain.

With an EHS&S department of one, managing all of those activities was a challenge for C.I. Thornburg. The company was looking for a way to streamline the process and more effectively manage Responsible Distribution requirements and regulatory compliance obligations.

Code & Compliance Elite™

C.I. Thornburg brought on Kestrel to initially help the company achieve Responsible Distribution verification. Kestrel worked with C.I. Thornburg to customize and implement Code & Compliance Elite (CCE™), an easy-to-use technology tool designed to effectively manage management system and verification requirements. Kestrel tailored the CCE™ application specifically for C.I. Thornburg to provide:

  • Document management – storage, access, and version control
  • Mobile device access
  • Regulatory compliance management and compliance obligation calendaring
  • Internal audit capabilities
  • Corrective and preventive action (CAPA/CPAR) tracking and management
  • Task and action management

CCE™ played a large role toward the end of C.I. Thornburg’s Responsible Distribution implementation, particularly with document control and organization, and in the verification audit. During verification, documents could be quickly referenced because of how they are organized in CCE™, making the process very efficient. According to C.I. Thornburg Director of Regulatory Compliance and EHS&S Richard Parks, “The verifier was blown away by how well we were organized and how the tool linked many documents from different regulatory policies.” The company achieved verification in May 2016.

Broadening to Other Regulatory Requirements

CCE™ is still being used to manage Responsible Distribution requirements, but C.I. Thornburg is now working with Kestrel to expand it to all regulatory branches that govern the business. Regulatory requirements function similarly—for example, Responsible Distribution has 13 codes, Department of Homeland Security (DHS) has 18 performance standards (RBPS), and OSHA PSM has 14 elements. All require internal audits and corrective action tracking—things that can be easily and effectively managed through CCE™ to create a one-stop shop for regulatory compliance. Kestrel is currently developing the DHS and PSM modules in CCE™ for C.I. Thornburg.

Valuable Management Tool

CCE™ is providing C.I. Thornburg with a valuable management tool that automates the regulatory landscape. According to Parks, as a small organization that depends on using efficient tools to manage compliance rather than adding more manpower, CCE™ has provided huge cost savings and tremendous value for the organization, including the following:

  • CCE™ has become the ultimate tool in efficiency. Tasks that used to take hours to complete are now easily done in just minutes.
  • The internal audit function of CCE™ makes audits seamless and tracking and follow-up easy.
  • The CAPA tool ensures that the company is managing corrective actions and completing follow-up activities and tasks.
  • The functionality of CCE™ allows for managing multiple regulatory dashboards, providing a one-stop shop for managing regulatory compliance obligations.
  • CCE™ creates an organized document structure that enables easy access to information and quick response to auditors.
  • During Senior Management Review, senior managers see the benefit of being able to reference the history of corrective actions and audits through CCE™.

“A lot of NACD member companies are small organizations that have limited resources to effectively manage all EHS&S needs,” said Parks. “CCE™ really creates the department and is a huge value to small businesses. With the CCE™ technology and a company’s clearly defined goal, Kestrel can provide an efficient solution to most any need.”

04 May
Frank R. Lautenberg Chemical Safety Act

Last year, we came to you with breaking news about Toxic Substances Control Act (TSCA) reform taking hold, as the U.S. House of Representatives passed the TSCA Modernization Act of 2015 (H.R. 2576) on June 23, 2015.

Almost one year later—and approximately 40 years since the Act’s inception—President Obama signed the Frank R. Lautenberg Chemical Safety Act (FRL-21) into law on June 22, 2016, amending the nation’s primary chemical management law. A historic bipartisan achievement, this Act gives the USEPA immediate authority to begin evaluating the risk of any chemical it designates as “high priority”.

Background

TSCA was developed to ensure that products are safe for intended use by providing the USEPA authority to review and regulate chemicals in commerce. Despite its intention, TSCA has proven to be rather ineffective in providing adequate protection and in facilitating U.S. chemical manufacturing and use. More than 80,000 chemicals available in the U.S. have never been fully tested for their toxic effects on health and the environment. In fact, under TSCA, the USEPA has only banned five chemicals since 1976.

According to a blog by USEPA Administrator Gina McCarthy, “While the intent of the original TSCA law was spot-on, it fell far short of giving EPA the authority we needed to get the job done.”

And that is where FRL-21 takes over, strengthening the foundation built by TSCA to ensure that chemical safety remains paramount.

Key Changes

FRL-21 remains consistent with the 2009 Principles for TSCA Reform. The USEPA outlines the following key regulatory changes in its Q&A briefing on the Act.

Evaluates the safety of existing chemicals in commerce, starting with those most likely to cause risks. This is the first time that all chemicals in commerce will undergo risk-based review by the USEPA. The Agency is charged with creating a risk-based process to determine which chemicals should be prioritized for assessment. High-priority chemicals may present an unreasonable risk to health or the environment due to potential hazard and route of exposure. A high-priority designation, in turn, triggers a risk evaluation to determine the chemical’s safety. This prioritization ensures that those chemicals that present the greatest risk will be reviewed first.

Evaluates new and existing chemicals against a new risk-based safety standard. Under the law, the USEPA will evaluate chemicals based purely on the health and environmental risks they pose. The evaluation must also include considerations for vulnerable populations (e.g., children, elderly, immune-compromised). FRL-21 further repeals the requirement that the Agency apply the least burdensome means of adequately protecting against unreasonable risk from chemicals. Costs and benefits will not be factored into the evaluation.

Empowers USEPA to require the development of chemical information necessary to support these evaluations. In short, the Agency has expanded authority to demand additional health and safety or testing information from manufacturers and/or to conduct risk evaluations on a chemical. USEPA may also expedite the process through new order and consent agreement authorities.

Enforces clear and enforceable deadlines that ensure timely review of prioritized chemicals and timely action on identified risks. Strict deadlines are designed to keep the USEPA’s work on track and to ensure compliance by manufacturers. For example, the Agency must have 10 ongoing risk evaluations within the first 180 days and 20 ongoing risk evaluations within 3.5 years. When unreasonable risks are identified, USEPA must then take final risk management action within two years. Action, which may include labeling, bans, and phase-outs, must begin no later than five years after the final regulation.

Increases public transparency of chemical information by limiting unwarranted claims of confidentiality. The USEPA must review and make determinations on all new confidentiality claims for chemical identity, as well as review past confidentiality claims to determine if they are still warranted. This will allow companies to preserve their intellectual property and competitive advantage, while still providing transparency to the public.

Provides a source of funding for the USEPA to carry out these changes. The USEPA can collect up to $25 million annually in user fees from chemical manufacturers and processors when they:

  • Submit test data for USEPA review
  • Submit a pre-manufacture notice for a new chemical
  • Manufacture or process a chemical that is the subject of a risk evaluation
  • Request that the USEPA conduct a chemical risk evaluation

Impacts

For companies, the most immediate impacts of FRL-21 will be on the new chemicals review process, as the USEPA has to approve any new chemical or significant new use of an existing chemical before manufacturing can commence and chemicals can enter the marketplace. This process will help provide regulatory certainty throughout the supply chain—from raw material producers to retailers. And, in the end, the risk evaluations will help ensure that manufacturers are able to bring new chemicals to the market in a safe and efficient way.

As for the general public, FRL-21 creates a new standard of safety to protect the public and the environment from unreasonable risks associated with chemical exposure. For the first time in 40 years, it provides assurance and greater confidence that chemicals are being used safely.

30 Apr
Management System Internal Audit: What to Expect

Many companies face requirements to conduct management system internal audits. And many probably consider it to be one of those “necessary evils” of doing business. In reality, an internal audit can be a great opportunity to uncover issues and resolve them before an external audit begins. An internal audit can sometimes even enable more improvements than an external audit because it allows the company to review processes more often and more thoroughly. So what, exactly, goes into an internal audit?

What Is an Audit?

First, conducting a management system internal audit encompasses all of the efforts to gather, accumulate, arrange, and evaluate data so that there is sufficient information to arrive at an audit opinion. According to the ANSI/ASQC Standard Q1-1986 Generic Guidelines for Auditing Management Systems, an audit is:

a systematic examination of the acts and decisions by people with respect to Q/EHS issues, in order to independently verify or evaluate and report conformance to the operational requirements of the program or the specification or contract requirement of the product or service.

Internal audits should be carried out to look for areas for improvement and best practices. In an internal audit, the auditor is evaluating, verifying, and reporting conformance or non-conformance in terms of related documentation. The auditor assesses systems, processes, and products against the related documentation:

  • Systems are compared against company directives and requirements.
  • Processes are compared against procedures, process charts, and work instructions.

The auditor examines where and how “operational requirements of the management system” are described. This is done by reviewing each policy, procedure, work instruction, checklist, and form looking for each “actionable item” listed within.

The Interview

The auditor will go out into the workforce and ask various employees the prepared questions. Based on the responses given, the auditor may need to ask follow-up questions to get a clear understanding of how an operation works. Questions asked by auditors are generally open-ended to give the auditee the opportunity to elaborate. The auditor’s goal is to give the employee the opportunity to think prior to answering and to follow the audit trail wherever it leads—within or outside of the department.

Tangible Evidence

In order for an internal audit to support improvement steps, the auditor will seek tangible evidence. For example, work instructions require that inspections are completed every day, but the checklist shows that no checks have been performed for the last week. Tangible evidence may include a photocopy of the checklist to document this issue.

Evaluating Internal Controls

During the audit, the auditor is looking for internal controls that regulate an operation. There are seven steps in evaluating internal controls:

  1. Observe the Operation: The auditor needs to understand what processes and systems to review, where they are located, and who is responsible for them.
  2. Identify Constraints: The auditor will identify constraints to the extent possible, such as:
    • Scattered information
    • Internal opposition
    • Process not capable
    • Process not in control
    • Unavailable information
  3. Evaluate Risk: The auditor will assess the importance and risk of internal controls not detecting and preventing non-conformances. The auditor will ask personnel being audited and management if there is anything more that could be done to identify and control risk.
  4. Evaluate the Internal Control Structure: Usually extensive internal controls exist, operate properly, and maintain/improve the process; however, this may not be an accurate assumption. Controls may not exist, may be weak, or may control and measure unimportant variables. It is very important for the auditor to resist assuming that the way an existing system has been set up is the correct way to do something. Auditors should challenge how and why something is being done to encourage system improvements.
  5. Test the Effectiveness of the Internal Control Structure: Gathering evidence is the process of collecting data and information critical to support a decision or judgment rendered by the auditor.
  6. Evaluate Evidence: Once evidence has been gathered from interviews, observations, or records, the auditor must distill and summarize the data into useful information for the company. The evidence is then reviewed to determine whether systems and controls are working effectively.
  7. Issue an Opinion: When all is said and done, the auditor must issue an opinion of conformance or non-conformance. In a deficiency finding (non-conformance), the audit report will clearly state that there is a variance between what is and what should be. All evidence findings should be listed to support this conclusion.

Clarify Issues and Non-Conformances

Upon completion of an audit, there may be times when clarification of an issue or concern will be warranted. This is when the auditor may go back to the department head and review the current understanding of the audit results. The department head should have ample time to discuss and clarify any issues of concern.

Any outstanding issues that warrant a non-conformance report should be discussed to ensure that the company understands (1) why the issue is considered a non-conformance, and (2) what may need to be done to rectify the situation. It is important to also discuss all positive findings from the audit to leverage best practices.

By using an internal audit to actually improve operations—and not just as another requirement to fulfill—companies can realize significant value through:

  • Meeting regulatory/certification requirements prior to the external audit
  • Improving operational controls and processes
  • Enhancing overall management system effectiveness