Auditing

Moving through four transitions

The nature of environmental, health, and safety (EHS) auditing has changed dramatically over the past 30 years. It may be on the verge of making its next big transformation: joining ranks with mainstream business governance functions. How has EHS auditing changed, and what may be on the horizon?

One of the few advantages of growing older -- excuse me, I meant wiser -- is that it is possible to place events in an evolutionary context. Freshly minted auditors from universities around the globe might know current auditing techniques, but they may fail to recognize how transitional all these procedures can be. The danger is, of course, to believe that "this is the way it is" and fail to anticipate where auditing and, by inference, your career path may be headed.

Modern financial self-regulation by auditors can be traced to just after the U.S. Securities and Exchange Commission (SEC) was established by the Securities Act of 1933 and the Securities Exchange Act of 1934. Environmental auditing is relatively new, beginning in the 1970s with the arrival of the U.S. Environmental Protection Agency (EPA). There were so few environmental laws before then that manufacturing plant staff handled requirements just as they dealt with any other facility audit need. One may claim that safety and health auditing has been around a lot longer than either of these (e.g., back to the Mine Safety Act 1890s), but the need for industry-wide, formal auditing systems really began around the time of the creation of the Occupational Safety and Health Administration (OSHA), also in the 1970s.

In this relatively short period of time, EHS auditing has gone through three phases, each adding another layer of complexity and rigor to the prior audit requirements.

First on the scene was compliance auditing. There were so many local, state, and federal regulations emerging during the 1970s that employees were assigned to verify that each was being handled properly. Not much in the way of specialized training was involved, just Jill or Bob with a clipboard and a check sheet.

Risk auditing was next, implemented during the 1980s. Here the distinction gets a bit hazy since process risk analysis had been around for quite some time. I draw this distinction because, for many, the advent of retrospective liability under The Comprehensive Environmental Response, Compensation, and Liability Act of 1980 (CERCLA) was a major wake-up call for business. CERCLA -- or as it is commonly referred to, "Superfund" -- impelled businesses to closely assess potential acquisitions or divestitures for risks that, in some cases, rose to the level of deal killers. This brought on the advent of specialized expertise and an entire new brand of consulting to support these activities (e.g., Phase 1 and 2 environmental site assessments).

The growing complexity of the regulations resulted in a parallel increase in the size of EHS organizations, which, in turn, sought efficiency and standardization. Companies, especially the larger corporations, started to develop their own systems to manage the process. By the mid-1990s, ISO 1400 (standards created by the International Organization for Standardization) arrived on the scene, and management systems auditing began in earnest.

Routine audits and inspections still had to be done at a local level, and for large corporations it was too unwieldy to conduct these audits from a central group. Corporate EHS departments responded by developing audit tools (especially computer-enhanced systems) and then audited to check that the systems were in place rather than check the compliance details. To the delight of software and consulting companies, a whole new revenue stream was created.

By the early 1990s, EHS auditing was in full swing; it was becoming a profession, not just a task assigned to Jill and Bob with the checklist now on a laptop. Informal networking began in 1982 when the managers of 10 corporate environmental audit programs met to discuss their auditing programs and practices. Today, The Auditing Roundtable includes more than 600 members with two national conferences.

The Board of Environmental, Health & Safety Auditor Certifications (BEAC) was established in 1997 to issue professional certifications relating to EHS auditing. It is now possible to be certified in one or even all of four specialized areas: Management System, Environmental Compliance, Health & Safety, and Responsible Care®. BEAC was originally created as a joint venture between The Auditing Roundtable and the Institute of Internal Auditors (IIA).

It is this last point -- the IIA link -- that is the most telling of what the future may hold. Internal auditors are the folks who check to make sure that the adults in charge (a.k.a., the business managers) are not running amok. With few exceptions, they have done an excellent job, but even rare lapses quickly trigger corrective action on the part of Congress (e.g., the Sarbanes-Oxley Act of 2002 or SOX). Internal auditors report up through boards of directors; they have clout. In fact, they have "a seat at the table," something that EHS professionals have longed for since Robert Shelton wrote "Hitting the Green Wall" in 1994. [1]

What I found fascinating at the recent Auditing Roundtable winter meeting was the integration of the language of EHS and social responsibility with the processes used by business financial auditors. For example, the Committee of Sponsoring Organizations of the Treadway Commission (COSO), enterprise risk management (ERM), and integration of Six Sigma methodologies into EHS practice were all discussed. This is about business continuity, governance, efficiency, and competitive positioning.

I see the beginnings of the audit profession thinking along lines akin to business risk and opportunity vis-à-vis EHS and social responsibility. The profession will, however, fail to reach its full potential if it interprets SOX to just mean doing an excellent job at the first three familiar levels instead of recognizing that there is a new level emerging. Since this level is not yet here, let's call it enterprise auditing.

Enterprise auditing is all about understanding embryonic EHS and social responsibility issues and then placing them in the context of evolving business dynamics and strategic planning for the corporation. Jill and Bob cannot do this with a computerized checklist. Even mainstream internal auditors cannot do this synthesis because they are unfamiliar with emerging EHS and social responsibility dynamics. BP's "Beyond Petroleum" and GE's "EcoInnovation" were not found on a checklist, but they required such an understanding.

Lawyers probably will not help in the transition to level four because they get fixated at the first two levels -- Compliance and Risk. For example, although I have not called it enterprise auditing, that is what I have been providing clients for the past five years. The reports I write are, in essence, a business analysis, unlike the typical neutral, factual, "regulation-status-gap" reports that auditors usually produce. Opinions and speculation are verboten in that narrow arena.

I always warn clients to do these investigations under attorney-client privilege. Since many companies are quite comfortable that any significant issues would already have been discovered by their internal audit procedures, they sometimes fail to see the need; that is, until they read the draft report.

On a number of occasions, I have described potential issues that could have not just an economic impact, but a material effect on the company in the context of SEC disclosure requirements. I recall an internal company lawyer several years ago being taken aback because he was expecting the usual findings that can be linked to specific regulatory citations and direct observations. My report covered emerging business issues that he could neither dispute nor reject out of hand. And while he recognized the relevance to the company, he sure felt uncomfortable being drawn outside his usual territory of laws and regulations.

Conclusions
There are still some companies who do not see the need for any EHS and social responsibility audits -- internal or external. I kid you not. There are, however, some companies that are starting to notice a new direction and emphasis. These are potentially exciting times for auditors that rise to the occasion -- and I'm not just talking about the addition of security auditing to the portfolio under risk auditing. For example, I know of a dozen companies that have already shifted their EHS and social responsibility auditors to within their internal, business audit function. This could result in both positive and negative outcomes, the subject of which would require another "Manager's Notebook." Regardless, it is an indicator of change.

In the final analysis, auditing is all about keeping one step ahead of the next liability issue or competitive opportunity, or as Joseph Cotier, president of The Auditing Roundtable, states, "Part of the business of auditing is adapting to change. One of the missions of The Auditing Roundtable is to identify where changes will occur and help our members to be more prepared for those changes." [2]

References

  1. Robert Shelton, "Hitting the Green Wall: Why Corporate Programs Get Stalled," Corporate Environmental Strategy, Vol. 3, No. 2., pp. 5-12. www.cesjournal.com
  2. Personal communication 2/2/06.

This article originally appeared in the 04/01/2006 issue of Environmental Protection.

About the Author

Richard MacLean is president of Competitive Environment Inc., a management consulting firm established in 1995 in Scottsdale, Ariz., and the executive director of the Center for Environmental Innovation (CEI), a university-based nonprofit research organization. For Adobe Acrobat® electronic files of this and his other writings, visit his website at http://www.Competitive-E.com.
