Internal Audit FAQ: What EHS Managers Need to Know
By Cory Sander
What is an internal audit? And what exactly does an internal auditor do? We’re going to break this process down one question at a time, so you’ll feel comfortable with this crucial task as it relates to environmental, health and safety at your facility. Here are some frequently asked questions (and answers) about internal audits:
What’s the difference between an internal audit and an external audit?
An internal audit is exactly what you think it is: An audit of your compliance or management system (or both) initiated by your company. An external audit, on the other hand, is completed by an external certification agency (if you’re doing ISO 14001 or OHSAS 18001, for example) or a regulatory agency, such as your state’s environmental regulatory agency. The idea behind an internal audit is to do a self-check and locate any compliance issues or other areas for improvement.
Are there different types of internal audits?
There are two types of internal audits. A compliance audit against your regulatory requirements. Did you file that OSHA report on time? Are you in line with training requirements? The second is a management system audit. It might look at compliance, too, but it would be minimal. Instead, it’s focused on checking your facility against the requirements of a system like ISO 14001. What do your processes look like? Is there a procedure in place? Are you meeting the specifics of the standard? You also can combine compliance and management system audits into one all-encompassing internal audit.
Who conducts an internal audit?
You have several choices for choosing internal auditors. For starters, you shouldn’t audit your own EHS program—you need a fresh set of eyes to evaluate your work. If you work for a larger, multi-facility company, this might be as easy as having different plants audit each other. You can also tap people in other departments, such as accounting, and ask them to do a smaller check. Hand them a work instruction, explain it to them and ask them to double-check you.
For a full-scale internal audit, you might turn to an environmental, health and safety consulting firm. Ideally, you’ll want to choose a firm you already have a relationship with or who’s an expert in your industry—whether that’s automotive or chemicals. The idea is to work with a firm invested in getting to know your day-to-day challenges and coaching you on potential improvements. It shouldn’t be about a consultant dictating specific solutions.
How often should you conduct an internal audit?
The default is to conduct an internal audit on an annual basis, but your frequency should correlate with your company’s risk level. Most likely, for example, an automotive manufacturer should stick to an annual audit, but a less risky warehousing operation may only need to conduct an internal audit once every three years.
How long does an internal audit last?
This is an important question, and one you should figure out before you tap a consultant or internal peer to conduct an audit. A typical audit might include one to three days of hands-on auditing time followed by a some time to generate and review a report. You’ll want to look at your company’s historical records to find out how long this has taken in the past. It’s also a good idea to think about how deeply you want to dig in with your audit, and if there’s a particular area—air quality or hazardous waste—where you want the auditor to have special focus. All these factors affect the overall length.
How should an internal audit start?
Begin with an opening meeting (think of it as a kick-off meeting) for your internal audit. You’ll have the EHS manager, key team members and the auditor. It’s a chance for people to meet each other, review the process, and make sure everyone is on the same page. Traditionally, this ends with a site walk around with the auditor and one or two key team members. It’s just a quick tour of the facility to gain an overview of what’s going to be reviewed in-depth later. This might take one or two hours to complete.
What happens during the actual audit?
There are several parts of the audit. The first is a review of paperwork and processes. This includes everything from pH monitoring data and training records to reviewing your monthly SPCC inspections. Be prepared to locate and share everything related to your program. Next the auditor will visit key areas of the plant to review equipment and generally look for safety and environmental issues. Finally, the auditor will interview key people on staff. Does your team understand work instructions? Are they aware of the requirements? Are there clear roles and responsibilities for EHS?
Should we hold closing meetings?
Definitely. Hold a closing meeting at the end of each audit day, as well as the end of the on-site visit. This gives everyone a chance to ask questions, avoid confusion and make plans or changes. If any adjustments or course corrections need to be made, this is when you can account for them. At the final closing meeting, the auditor should share his or her high-level findings from the audit. A few details might change after the auditor reviews notes and checks regulations for the final report, but this is a good outline.
What happens after the audit?
The auditor should provide a final written report outlining any areas where you’re not in compliance or not meeting your management system standards. Generally, the report will include suggestions for corrective actions, but ideally, you’ll come up with your own corrective actions in conjunction with your team. Ask yourself: Does this correction make sense for how our organization works? Or is an alternate better suited for our needs.
At the end of an internal audit, you may realize how tough it is to manage all the tasks and reports involved with EHS compliance. Need an easier way? Schedule a free demo of SolutionsTRAK, our EHS management software. Compliance is complicated enough. Managing it doesn’t have to be.