Tips to Prepare for an Internal Audit
All types of business and operational processes demand a variety of audits and inspections to evaluate compliance with standards—ranging from government regulations, to industry codes, to system standards (e.g., ISO), to internal corporate requirements. Audits offer a systematic, objective tool to assess compliance across the workplace and to identify any opportunities for improvement.
Routine internal audits are becoming a larger part of organizational learning and development. They provide a valuable way to communicate performance to decision makers and key stakeholders. Even more importantly, audits help companies identify areas of noncompliance and opportunities for improvement.
For some audits, a company may work with a third-party auditor. This can be valuable in getting an objective assessment of overall compliance status if executed effectively. Here are some best practice tips to help prepare for an internal audit—and ensure that it goes smoothly:
- Audit scope: Make sure that the scope of the audit is well defined and documented (i.e., regulations, management system standards, company policies). This also involves identifying which areas and functions onsite are included. For example, if contractors are leasing space, are their areas in scope or out? What about other onsite lessees, if any?
- Documents, plans, and records: Prior to the audit, ask the auditor for a list of documents they may be looking for (e.g., OSHA logs, past audit findings). Depending on the nature of the audit, it can be an extensive list and knowing ahead of time will save time and money. If possible, collect all records in advance and have them easily accessible. If corporate policy allows, it is often advisable to send current versions of all facility-specific plans, permits, and other documents to the auditor in advance of the audit to aid in preparation and create a more efficient use of time onsite. When the auditor arrives, make sure you know where relevant records are and that they are available to the auditor (i.e., not locked up in someone else’s office). Records should be organized by type in separate folders and sorted by date. Not only does that save time, it creates less likelihood of a record being overlooked. In most cases, electronic versions of records are sufficient, as long as they can be easily retrieved and viewed on the computer.
- Interviews: Advise individuals who may be interviewed during the audit about the purpose of the audit. Communicate well in advance of the audit so that employees aren’t caught off guard when they see an individual walking around taking notes and pictures. Prepare your employees; encourage them to cooperate and provide helpful information when asked. Every employee should:
  - Be aware of the company quality/environmental/safety/food safety policy and able to state it in their own words.
  - Be aware of the quality/environmental/safety/food safety objectives the company has set for the current time period (i.e., what the company is working on to improve the current “state”).
  - Understand how they “make a difference” (i.e., how just by doing their jobs, they are following company policy and objectives and impacting performance).
  - Be knowledgeable about the procedures and practices required for doing their job properly.
- Schedule: Ask for an audit schedule. This can help you plan for when certain “in-the-know” people need to be available. This can save valuable time—especially for those individuals—and help ensure that those you absolutely need for the audit are available when you need them.
- Be available: Questions often arise during an audit. It is helpful to ensure that qualified and knowledgeable personnel are available to answer questions and clarify information during the audit, in addition to being present during the audit debriefing.
- Housekeeping: Good housekeeping puts auditors at ease. Conversely, lax housekeeping is often a harbinger of compliance issues and may put auditors on heightened alert.
- Care of a third-party auditor: Make sure there is adequate work space available for the auditor to review records and other documents—with power, a desk or table, good lighting, and access to internet/email to exchange documents during the audit.
- Confidentiality: If the audit scope involves regulatory compliance and the company has elected to employ audit privilege mechanisms, make sure that all parties are aware of the means to be taken to ensure that audit privilege is preserved (e.g., marking notes and documents, limiting distribution of output, adhering to state-specific requirements).
Characteristics of an Excellent Safety Culture
According to the UK Health & Safety Commission, a safety culture is “the product of individual and group values, attitudes, perceptions, competencies, and patterns of behavior that determine the commitment to, and the style and proficiency of, an organization’s health and safety management.”
An organization’s safety culture is ultimately reflected in the way that safety is managed in the workplace. A strong safety culture has a number of characteristics in common:
- Communication. Communication is most effective when it comprises a combination of top-down and bottom-up interaction. Senior management sets the strategic goals and vision for the company’s safety program. It is vital that all levels of management (senior, middle, supervisory) communicate the strategy clearly to the workers who have to carry out the company’s mission. It is equally important that workers provide feedback on a practical level about what’s working and what’s not. Management needs to listen, take that feedback seriously, and act on it—or workers will stop giving it.
- Commitment. It is one thing to say that safety is a priority; it is another thing to show that it is. When it comes to safety, actions truly speak louder than words. A lack of commitment, as demonstrated by action (or lack thereof), comes across loud and clear to staff. For example, requiring staff to work excessive hours to meet productivity goals, which may result in fatigue and increased likelihood of an accident, sends a clear message that productivity is more important than employee safety.
- Caring. Caring takes commitment a step further. It involves showing concern for the personal safety of individuals, not just making a commitment to the overall idea of safety. Caring is about doing whatever is necessary to ensure employees return home safely every night. Again, how employees are treated is a much stronger indicator of caring than what the company says.
- Cooperation. Safety works best if management and workers feel like they are on the same team. Cooperation means working together to develop a strong safety program (e.g., management involving line workers in creating safety policies and procedures). It means that management seeks feedback from workers about safety issues—and uses that feedback to make improvements. And it means that there is no blame when incidents occur. Incident investigations focus on fact finding, not fault finding.
- Coaching. It is difficult for everyone to remember everything required to maintain a safe working environment. Coaching each other—peer to peer, supervisor to employee, even employee to management—is an important way to keep everyone on track. Coaching involves non-judgmentally providing feedback for improvements and, correspondingly, accepting and incorporating that feedback as constructive criticism. Disciplinary actions are sometimes necessary for repeated rule violations, but punishment is not the first management action in a strong coaching culture.
- Procedures. There should be documented, clear procedures for every task. This not only prevents disagreement about what is required, it also shows commitment when things are put in writing. Procedures should be designed jointly by management and workers for practicality and to encourage improved cooperation, communication, and buy-in. Procedures should be reviewed periodically and updated, as needed.
- Training. Training is a more formal, documented process for ensuring that employees follow safety processes and procedures. Management can demonstrate its commitment to safety training by creating formal, written training materials; tracking employee training; and checking for employee understanding. Formal training should happen frequently enough for employees to feel prepared to safely do their jobs.
- Tools. All equipment and tools should be in good repair, free of debris, and functioning as designed. Inadequate tools directly impact safety/protection and indirectly impact perception of management commitment. For example, if the company doesn’t invest in appropriate PPE, good housekeeping practices, or equipment maintenance, it sends a clear message that employee safety isn’t important.
- Personnel. There must be enough workers to do each task safely. The company should not sacrifice individual safety because of being understaffed (i.e., requiring shortcuts/overtime to meet production goals). In addition, the company should have safety experts on staff that employees can go to with safety-related questions.
- Trust. Trust in the safety program, in senior management, and in each other is built when each of these characteristics is present and treated as a company-wide priority.
Benefits of a Best-in-Class Safety Culture
Strong safety performance is a cornerstone of any business. When all of these characteristics come together to create a best-in-class safety culture, everyone wins:
- Fewer accidents, losses, and disruptions
- Improved employee morale
- Increased productivity
- Lower workers’ compensation and insurance claims
- Improved compliance with OSHA regulations
- Improved reputation to attract new customers and employees and retain existing ones
- Better brand and shareholder value
8 Functions of Compliance: Building a Reliable Foundation
Virtually every regulatory program—environmental, health & safety, security, food safety—has compliance requirements that call for companies to fulfill a number of common compliance activities. Addressing all eight compliance functions outlined below (or those specified in the applicable regulation) can be instrumental in establishing or improving a company’s capability to comply.
- Inventory means taking stock of what you have. For compliance purposes, the inventory is quite extensive, including (but not limited to) the following:
  - Activities and operations (i.e., what you do – raw material handling, storage, production processes, fueling, maintenance, etc.)
  - Human resources (i.e., who does what)
  - Emissions
  - Wastes
  - Hazardous materials
  - Discharges (operational and stormwater-related)
The outcome of a compliance inventory is an operational and EHS profile of the company’s operations and sites. In essence, the inventory is the top filter that determines the applicability of regulatory requirements and guides compliance plans, programs, and activities.
- Authorizations, permits & certifications provide a “license to construct, install, or operate.” Most companies are subject to authorizations/permits at the federal, state, and local levels. Common examples include air permits, operating permits, Title V permits, safe work permits, tank certifications, and construction authorization. In addition, there may be required fire and building codes and operator certifications. Once the required authorizations, permits, and/or certifications are in place, some regulatory requirements lead companies to the preparation and updating of plans as associated steps.
- Plans are required by a number of regulations. These plans typically outline compliance tasks, responsibilities, reporting requirements, schedule, and best management practices to comply with the related permits. Common compliance-related plans may include SPCC, SWPPP, SWMP, contingency, food safety management, and security plans.
- Training follows once you have your permits and plans in place. It is crucial to train employees to follow the plans so they can effectively execute their responsibilities and protect themselves and the community. Training should cover operations, safety, security, and environment.
- Practices in place involve doing what is required to follow the terms of the permits and related plans. These are the day-to-day actions (regulatory, best management practices, planned procedures, SOPs, and work instructions) that are essential for following the required process.
- Monitoring & inspections provide compliance checks to ensure that the site is operating within the required limits/parameters and that the company is achieving operational effectiveness and performance expectations. This step may include some physical monitoring, sampling, and testing (e.g., emissions, wastewater). There are also certain regulatory compliance requirements for the frequency and types of inspections that must be conducted (e.g., forklift, tanks, secondary containment, outfalls). Beyond regulatory requirements, many companies have internal monitoring/inspection requirements for things like housekeeping and process efficiency.
- Records provide documentation of what has been done related to compliance—current inventories, plans, training, inspections, and monitoring required for a given compliance program. Each program typically has recordkeeping, records maintenance, and retention requirements specified by type. Having a good records management system is essential for maintaining the vast number of documents required by regulations, particularly since some, like OSHA, have retention cycles for as long as 30 years.
- Reports are a product of the above compliance functions. Reports from ongoing implementation of compliance activities often are required to be filed with the regulatory agency on a regular basis (e.g., monthly, quarterly, semi-annually, annually), depending on the regulation. Reports also may be required when there is an incident, emergency, or spill.
Reliable Compliance Performance
Documenting procedures on how to execute these eight functions, along with management oversight and continual review and improvement, are what eventually get integrated into an overarching management system (e.g., environmental, health & safety, food safety, security, quality). This documentation helps create process standardization and, subsequently, consistent and reliable compliance performance.
In addition, completing and organizing/documenting these eight functions of compliance provides the following benefits:
- Helps improve the company’s capability to comply on an ongoing basis
- Enhances confidence in compliance practices by others, providing an indication of commitment, capability, and reliability
- Creates a strong foundation to answer auditors’ questions (agencies, customers, certifying bodies, internal)
- Establishes compliance practices for when an incident occurs
- Helps companies know where to look for continuous improvement
- Reduces surprises and unnecessary spending on reactive compliance-related activities
- Informs management’s need to know