Posted on February 6, 2009 by Ridgway Hall
In December, 2008, the Board of Environmental, Health and Safety Auditor Certifications (BEAC) issued its Performance and Program Standards for the Professional Practice of Environmental, Health and Safety Auditing. BEAC is the largest organization which certifies the competence of EHS auditors based on a written test and experience. These standards codify existing “best practices” in the EH&S auditing profession and the design and implementation of auditing programs. They should be particularly helpful to those of us who work with companies to develop compliance assurance programs.
Background
Ever since Congress passed Sarbanes-Oxley in 2002, business entities requesting environmental, health and safety (EHS) compliance audits have had a stronger need for confidence that the audit reports are complete, accurate and reliable. Recall that SOXA Section 302(a) requires that the “Principal executive officer or officers and the principal financial officer or officers . . . certify in each annual or quarterly report” that, based on the officers’ knowledge, the report does not contain any untrue statement of material fact or omit any material facts and that the officers have designed and maintained internal controls to ensure that material information relating to the company is provided to them.
The field of environmental auditing—more broadly EHS auditing—began informally in the late 1970s in response to the wave of complex environmental legislation and regulations which carried up to $25,000 per day for violations. Environmental engineering firms and some law firms offered to assist companies in carrying out compliance audits. Once familiarity with the relevant regulations was demonstrated by the auditors, companies did not bother to require any third-party verification of their qualifications, or ask if there were any “standards” they followed. This has also been true for the related field of environmental site assessments performed as part of the due diligence in a commercial acquisition. However, perhaps as a sign of the times, when EPA codified its “All Appropriate Inquiry” rule providing protection against Superfund liability for innocent landowners, bona fide purchasers and contiguous landowners in 2005 (40 C.F.R. Part 312), it included minimum qualifications requirements for an “environmental professional” in terms of education and experience.
Three years ago the Board of Environmental, Health & Safety Auditor Certifications (BEAC) asked its four-person Standards Board, on which I serve, to review its very slender 1999 standards for auditors and audit programs and design a new set of standards consistent with the current needs and state of the art. The rewrite was completed in December following more than a year of public and peer review and comments on drafts. The new standards are currently being printed and information on them will soon be available at the BEAC web site: www.beac.org.
The New BEAC Standards
The purpose of the BEAC auditing standards is to provide auditors and audit program designers with minimum and broadly worded “standards”. These can be relied on by any auditor or business entity who wants to represent that their audit was conducted, or program designed, consistent with BEAC standards. Our purpose was to codify “best practices” which have been widely in use for a number of years, not to try to push the envelope. Furthermore, the standards are flexible and broadly worded, recognizing that audit assignments come in many sizes and shapes. Similarly, entities designing an internal auditing program come in different sizes and shapes and vary widely in their needs.
The standards are organized into four main sections addressing (1) independence, (2) due professional care (qualifications), (3) performance of audit work, and (4) audit program design. Following the text of the standards themselves in each section there is “guidance” designed to provide practical tips on how to get the job done. The following paragraphs summarize briefly the key elements of each section.
Section 1 requires that auditors must be objective and independent of the activities they audit, free of any conflict of interest. Similarly, an audit program should be designed to ensure that the auditors are independent, that they are not pressured or influenced by entities which they audit, and that they report their results directly to senior management.
Section 2 requires that auditors must have adequate qualifications, skills and experience appropriate to the nature of the task they will be performing. The standards spell out the specifics. An anticipated benefit to an auditor is that if he or she carries out an audit in compliance with the standards, that should be a presumptive defense to a malpractice claim in the event that an apparent violation was allegedly missed during the audit. The auditing program requirements include responsibility to ensure auditor competence and proper supervision.
With respect to Performance of Audit Work, the standards address the planning and scoping phase, preparation, field work and reporting. This includes general requirements for document review, personnel interviews, site inspections and “any other appropriate procedure for the gathering, evaluation and recording of information relevant to the scope and objective of the audit.” An audit report is then normally prepared which sets forth each finding of noncompliance. Reporting procedures should ensure that the reports are accurate and complete. Experienced environmental auditors should find all of this familiar and reassuring.
With respect to the Audit Program design, the standards require that program goals, objectives and scope be defined in a written charter adopted and published by senior management. Subjects such as the scope of the audit program, frequency of audits and procedures to ensure auditor competency are included. Periodic management review is required to be sure that the audit program is carrying out the company’s objectives and has adequate resources in terms of personnel and funding.
The content of the program standards draws on EPA’s “Elements of Effective Environmental Auditing Programs” (published initially in 1986 and reaffirmed in 1994), Justice Department policies describing effective environmental compliance programs, and elements of the ISO-14001 standards, among other sources.
Conclusion
This has necessarily been the briefest of overviews—hardly a comprehensive discussion. No one is required to adopt or follow these new standards. However, hopefully they will provide guidance and reassurance both to EHS auditors and those who design and operate compliance assurance programs and want to “get it right.”
© Ridgway M. Hall, Jr. 2009
Tags: Audit Privilege