Internal Audit Best Practices for Safety, Environment, and Quality Audits
By John Wolfe
Presenter: John Wolfe, CEO, Management Horizons
Facilitator: Jessica Minhas, Marketing Manager, Nimonik
Webinar Objectives
Share Knowledge: Health, Safety, Environment, and Quality Internal Audit Program Best Practices
Agenda
• Program drivers
• HSEQ Management Systems and where audits and assessments fit in
• Compliance obligations and risk management inputs to the auditing process
• Internal audit business processes
• The audit planning processes
• Frequently asked questions
Why is an Operationally Excellent Program Needed?
• Safety & environmental performance is a continuing business risk
• Fatalities and serious injuries persist
• Safety process & program costs are increasing
So What Can We Do to Improve These Trends?
• A well integrated HSEQ management system framework and safety culture are a required foundation
• An effective Internal Audit Program can help identify best practices and operational weaknesses
You are a powerful agent of change!
Look at Your Data - Trends and Critical Controls
HSEQ Management Systems Framework
Management Systems Hierarchy
Management System Framework (diagram labels):
• Company-wide
• BU/Functions
• Facility/Asset
• Policy
• Standards, Guidelines
• Procedures, Instructions, Specifications & Tools
OEMS Audit focuses on the “How” implemented to accomplish the “What”
Having Controls Documented is Not Enough
Audit and Assessments: Interdependencies
Element 16 (diagram): multiple cross references
• Elements that Element 16 is dependent upon
• Elements dependent on Element 16 delivery
Elements shown on the diagram:
• E2 – Risk Management
• E3 – Legal Req. & Commit.
• E9 – Ops. & Mtce. Controls
• E10 – Contractor Mgmt.
• E13 – Comm. & Stake. Relations
• E17 – Corrective Actions
Where Audits and Assessments Fit
Element 16 (diagram labels):
• Audits: Independent; Client - Corporate or external
• Assessments: Internal; Client - Business. Business managed evaluation, e.g. OEMS Self-assessments, compliance reviews, M&R Assessments
• Other Monitoring & Assurance Activities: Day-to-day management of controls, e.g. Internal controls, Inspections, Checklists, Quality Reviews, Workplace Observations
• Other labels: OIAIA; External; Other Elements, e.g. 9, 14
EHS Management System Self Assessments & Maturity Roadmaps
Lack of Coordination across Risk Functions Can Create Overlap, Redundancy and Increased Costs
Diagram labels:
• Board/senior management oversight: Audit committee; Risk committee; Other committees
• Internal Audit; Risk Management; Compliance; Internal Control; Information Technology; Legal and Regulatory; External Audit
• Business unit (shown four times)
Siloed risk functions reduce value, increase costs, and impact business performance
Compliance Obligations Data Inputs - Note: Each Element has its Own PDCA Cycle
The Risk Management Process Data Inputs
Risk Assessment Model (Adapted from the ISO Risk 31000 STD)
Strategic Process (Framework Implementation; Framework continuous improvement cycle), components numbered I. to V. on the diagram:
• Communicate & Train: Communication; Reporting; Training
• Risk Structure & Accountability: Risk Roles & Responsibilities (Executive Leadership Team; Chief Risk Officer; Business & Function Leaders & Management)
• Mandate & Commitment: Policy; Standards; Procedures/Guidelines
• Measure, Review & Improve: Control Assurance Policy; Standards & Guidelines; KPI’s; KRI’s
• Risk management information to action: Risk Assurance; Risk Registers; Treatment Plan; Reporting Templates
Tactical Process (Process for Managing Risk), steps numbered 1. to 5. on the diagram:
• Communicate and consult
• Establish the context
• Risk assessment: Identify risks; Analyze risks; Evaluate risks
• Treat risks
• Monitor and review
Hazard Identification Methods
Integrated Risk Analysis Methods
• Brainstorming
• Field level risk assessment
• Job safety analysis
• What-if
• HAZOP – Hazard and Operability Study
• Failure Mode Effects Analysis
• Process Hazard Analysis
• Layers Of Protection Analysis etc.
Standardized Risk Matrix
Likelihood Category (increasing likelihood): L1 Remote; L2 Rare; L3 Unlikely; L4 Possible; L5 Probable; L6 Virtually certain
Consequence Category (increasing consequence): C1; C2; C3; C4; C5; C6
Risks plotted on the matrix (positions not recoverable from the transcript):
• Protracted Operational Outage
• Permit Approval Risk
• Environmental Policy / Regulation Change
• Resource Shortage
• Environmental / Safety Incident
• EH&S / Regulation Non-Compliance
• Natural Disaster / Business Continuity Planning
Dynamics of an Incident and the Hierarchy of Controls
Diagram labels: System 1 to System 7; Unusual conditions; Latent failures in systems
“Hardware” Defenses
- Process design
- Plant layout
- Protection systems
Engineering Controls:
- Separate: The hazard by guarding
- Redesign: Reconfigure equipment
- Substitute: Materials or processes
“Software” Defenses
- Procedures
- Audits
- Management systems
“Liveware” Defenses
- Safety culture
- Training
- Alertness
The Quality of Risk and Control Data Can Be Improved Over Time
• Use appropriate risk analysis techniques
• Utilize professional training and facilitators
• Garbage in = garbage out
• If you get this right – you will focus resources on the right risks and opportunities.
What if Worksheet
Risk Registries as an Audit Planning Input
Diagram labels, from unit level up to corporate level:
• Unit 1 Risk Inventory, Unit 2 Risk Inventory, Unit 3 Risk Inventory: each with PHA Hazops, LOPAs, What Ifs
• Business Area A Risk Registry: Unit Risks; Additional BU Risks
• Business Area B Risk Inventory: Unit 1+2+3 Risks; Additional BU Risks
• Business Area C Risk Registry: Unit Risks; Additional BU Risks
• Business Unit Risk Registry - VP Level: BA A+B+C Risks; Additional BU Risks
• Business Unit Principal Risk Registry: Prioritized BU Risks
• Other BU Risk Registries
• Principal Risk Registry
• Corporate Risk Registry
Let’s Look at an Audit Process Flowchart (ISO 19001 conformant)
Frequently Asked Questions
Where should the function report?
If the leadership team supports the audit’s independence, where the function reports into is not important.
What should be the audit budget?
Budget adequate to complete the scheduled audits and employ outside experts where required.
Auditable Units
How Often Should I Audit?
Audit frequency varies with:
• Compliance history
• Strength of Internal Compliance Program
• Potential risk from poor program performance
• Performance indicators
• Regulatory environment
• Special concerns - sensitive locations / complex operations
Audit Planning Process
Diagram labels:
• Principal Risks; Company Strategy & Value Drivers; Management Consultations; Prior Audit Insights; External Risks
• In-Year High Risk Requests
Risk-Based Audits
• Annual Determination of Targets
• Significant Risks / Critical Controls
• Environmental
• Safety (Personnel and Process)
• Emerging Risks
• Business Process Effectiveness
• Compliance
OEMS Audits – Hazardous Operations
3 Year cycle. Embedded into OEMS Process Audits:
• Process Hazard Analysis
• Mechanical Integrity
• Quality Assurance
OEMS Audits – Non Hazardous Operations / Functions
• 5 Year Audit Plan Established
• Process Audit Approach
Audit Plan
• Idea Generation & Project Scoping
• Risk, Value, OEMS Alignment
• Prioritization & Selection
• Coverage Over Time
• Resourcing
• Process Improvement Project implementation
• Continuous Improvement
Bow-Tie Risk Analysis
A “bow-tie” is a graphical representation of the development paths from a hazard to its various potential consequences.
Audit Scheduling
• Identify liaison
• Meeting Rooms - Data Access
• PPE
• Accommodations
• Special site requirements or rules
• Pre audit document and records request - site plans - org charts - relevant standards, procedures and guidelines - process flows - prior audits
• Communication of audit criteria
• Develop a detailed Audit Interview Schedule in consultation with Audit Team Leader (ATL)
• Assign individuals who will participate directly
• Audits usually take 1 and ½ weeks with three or more auditors
• Schedule should be flexible to follow leads
OEMS Element - Audit Focus Example
Risk: Pipeline Leak Detection

| CRITERIA | AUDIT FOCUS | LOOK FOR… |
| --- | --- | --- |
| Element 2: Risk Management | Process for the identification and assessment of risks | Risk Registries: Normal; Abnormal; Emergency |
| Element 3: Legal and Other Requirements | Provincial Pipeline Act / Regulations; Reg 91/05; CSA Z662 and Annexes; Approval Conditions | Legal Registry; ESS Compliance Tasks; Controls (as per Element 9) |
| Element 7: Learning and Competence | Critical Positions; Competency Requirements; Training Programs; Relevant Legal Requirements; E.5.1 Training Requirements: “Personnel responsible for interpreting and responding to the results of leak detection systems shall be knowledgeable about and receive training in…” | Critical Positions defined (as per Element 6); Role Descriptions (as per Element 6); Competency Documentation; Training Requirements; Records of training; Operator – Interpreting and responding to results of leak detection system |
| Element 9: Operations and Maintenance Controls | Leak Detection Processes; E.5.2 Leak Detection Manual: Operating companies shall have a leak detection manual…; Control System - SCADA design; Material Balance – Persistent small leak detection; Instruments and Systems – Process/Procedures; Right of Way Inspections | Leak Detection Protocols / Manual; Operator - SCADA knowledge; Material Balance Results (daily, weekly, monthly); Operator - Instrument Readings and Response; Inspection Records |
| Element 15: Incident Management | Protocol for response; Historical Leaks – Response and Root Cause Analysis | Incidents; Corrective Actions (as per Element 17) |
| Element 12: Emergency Management | Testing; Exercises; Emergency Preparedness and Response | PM Programs for Emergency Equipment; Testing Results; Corrective Actions (as per Element 17); Drills and Exercises; ERP Plans |
Audit Finding Classification Matrix
Findings should be clear and focused on the non-compliance / non-conformance to defensible criteria

| Audit Classification | Level Of Response | Management Involvement |
| --- | --- | --- |
| Unacceptable | Grave concern | The Senior Vice President (EVP) shall: ● Resolve findings ● Provide detailed quarterly reports to the Operations Committee on the activities and action plans to raise the local controls |
| Not Satisfactory | Concern | The responsible VP shall: ● Resolve findings ● Provide detailed semi-annual reports to the Operations Committee |
| Satisfactory | Scope for enhancement | The responsible leader shall: ● Resolve findings ● Take action to ensure that controls are raised |
| Good | Specific | The responsible leader should: ● Resolve findings ● Continue general improvement in controls |
Continual Improvement Philosophy
Causal Analysis, Recommendations, and Corrective Actions
● To a nature and depth commensurate with the potential consequences of the finding
● Focus on system failures not individuals or equipment
● Do not provide recommendations
● Reject inadequate corrective and preventive actions
● Ensure systemic issues are addressed
● Follow-up on the efficacy of closed corrective actions
Using Technology to assess and Improve Process
How to Improve Your Internal Audit Program?
• A great HSEQ management system framework
• Top down, bottom up leadership safety culture
• Efficient monitoring, measuring and self-assessment programs
• Independent internal audit function
• Auditor training and quality check business process
• Hire outside experts
• Data analytics and automation
• A risk-based audit program design
• Effective reporting to senior management
• Good incident management / causal analysis programs
• Collaborative partner
• Feedback on performance
Cost/Benefit Analysis - In Conclusion - Management Must Make the Call On Risk and Reward Trade-offs