with nongovernmental standards or MS.
Internal audits should be conducted by personnel who are technically competent, have audit training, and are capable of making unbiased and independent assessments. Internal auditors should not have direct responsibility for activities at the site being audited, so as to maintain audit independence. An internal audit will generally assemble several individuals who are experienced within their respective disciplines and who may even know the facility and its operations. The audit team should be sufficiently large and broad to adequately address all the anticipated issues. When working with teams drawn from internal sources only, this can sometimes be difficult to achieve. Every audit also requires deft team leadership and communication, skills that may be difficult for an internal person to obtain or keep current if they do not audit on a regular basis. Lead auditors should have training in managing audits. Governmental bodies, professional associations and for‐profit organizations are sources of compliance and management system auditing training.
There are distinct advantages to the organization for using an internal audit team. The costs associated with an internal program can be lower than an external program, though the time commitment internal auditors must make to the program does have a significant impact on the organization. Participating on audits provides participants an excellent way to upgrade regulatory knowledge, and technical and leadership skills. Robust audit programs allow for the development and sharing of best practices within the organization. Once auditors have completed their work, they return to their respective sites and, hopefully, implement best practices or program improvements they have recently seen on an audit. On the other hand, unless the organization empowers the internal auditing function with the authority to clearly identify all issues, and sets the expectation that senior management will respond to these issues, some internal programs may lack the impact of an externally run program. For an organization, the least desirable outcome of an audit is to identify concerns and then not act to address them.
8.1.2 Second‐ and Third‐Party External Audits
These audits are conducted by personnel who are not members of the organization that is being audited. In the case of second‐party audits, within a supply chain, a customer performs an audit of a supplier. Second‐party audits are common in quality management circles (e.g. ISO 9001), but are not as common in the OH&S area. Third‐party audits refer to audits performed by people independent of the organization being audited. These are typically performed by consultants, and in the management system arena, by what are called third‐party registrars. Third‐party audits are common in the management system arena.
There are several advantages to using external auditors. First, it should provide access to highly qualified individuals best suited to evaluate the site and its unique operations. Second, there should be fewer of the time and resource issues that plague internal audit programs because auditors are not being pulled off an already full work schedule. Finally, a report from an unbiased outside firm has the advantage of being perceived as presenting the true picture as it lacks local biases.
Organized labor concerns about external auditors, if any, need to be addressed. A concern that can surface is the potential bias that external auditors may not report bad findings for fear of losing future work with the organization. This concern can be addressed by using credible third‐party auditors who hold themselves to a high level of ethical conduct.
8.1.3 Hybrid Approaches
Audit programs in some organizations use hybrid audit teams that include both internal company representatives and external consultants. This approach combines the deep organizational understanding of the internal team members with the auditing and external expertise of the consultant. An increasing trend has also been to combine compliance and management system audit functions, thus auditing both at the same time. In fact, compliance with internal and regulatory requirements is part of what is covered during management system audits at a process level. Caution should be taken to ensure that neither is diluted when combined.
8.2 Audit Scope and Goals
Whether an audit is conducted by internal personnel or an external second or third party, there needs to be clarity on the audit scope, objectives, and goals. The audit process should not start until clear objectives have been established along with a commitment to take action on identified gaps. In the case of achieving certification to, say, ISO 45001:2018, the goal is clear: certification. However, the scope needs to be clear in the instance where there may be multiple locations or whether the corporate system is included when certification is sought at a specific plant. When both an OH&S and EMS are present, there needs to be clarity on whether both systems are included or whether the location considers these integrated systems. It is common for sites to have an integrated management system that includes both OH&S and environmental management elements. When defining the audit scope, it is important to understand if a stand‐alone OHSMS or an integrated EHSMS is being audited.
Management system standards are periodically updated, so it is important that auditors understand which version of a particular management system standard is being used by a location.
8.3 Preaudit Preparation
Thorough preparation before the audit will lead to more effective audit results. Preaudit preparations include gaining an understanding of:
organization context;
activities, processes, and hazards/risks;
monitoring and measurement activities;
previous audit findings and OH&S performance history;
physical layout and location of buildings and areas of interest;
the organizational structure and OH&S accountabilities;
recent construction, modifications or organizational changes;
the use of contractors, and outsourcing;
pertinent regulatory agency activity for the site;
security and clearance needs for site access;
the need to have company representatives escort team members;
unique hazards and subsequent PPE requirements; and,
OH&S policies and procedures relevant to the audit scope.
Early in the audit process, the lead auditor typically contacts the site representative who has been designated to coordinate onsite audit activities. In addition to overall audit logistics, such as audit dates, the lead auditor can begin to understand the above site‐specific issues. This information will also help the lead auditor understand the expertise he or she will need on the audit team. At this time, the lead auditor should make sure that there is a mutual understanding about the audit scope. Any discrepancies in understanding of the scope need to be resolved before proceeding any further.
The preaudit activity of reviewing site policies and procedures before the official site visit is called the “desk review.” Documents relevant to the audit scope are reviewed by the lead auditor and team members to determine initial compliance or conformance with regulations or standards against which the site is being audited. In MS audits, when nonconformances are found during the desk review, it is common for the lead auditor to suggest that the site bring these areas into conformance before making the official site visit.
A valuable component of preaudit preparation is use of a preaudit questionnaire to be completed by the site in advance of the site visit. The purpose of the questionnaire is to provide the lead auditor with necessary background information that will help her or him plan the audit in the most effective manner. Preaudit questionnaires help lower costs by decreasing the time that the audit team must spend on‐site gathering background information. Gaps between audit findings and the