Audits are important tools for effective environmental health and safety (EHS) management and continual improvement, including for compliance, EHS management system internal reviews and external certifications, and as part of corporate social responsibility, due diligence and supply chain management. The term audit is defined by the International Organization for Standardization (ISO) as a “systematic, independent and documented process for obtaining objective evidence and evaluating it to determine the extent to which the audit criteria are fulfilled.” [ISO 19011:2018]
Organizations may be subject to external and internal audits of one or more EHS programs or functions, including by regulatory agencies, customers, or certifying bodies for voluntary standards, as well as by corporate entities, internal auditors from the site(s) under review, or third-party consultants engaged for internal audit services. Internal audits may vary in structure, level of review, and time period under review, and have a comprehensive or more targeted scope including one or more EHS programs, processes, activities, areas or sites. An audit plan should define the scope, criteria and methods to obtain and evaluate objective evidence and identify non-compliance or non-conformance findings.
EHS internal audits have evolved over the last few decades with technological advances to support ready access to standards and regulatory interpretations, electronic tablets for audit protocols and field notes, software solutions for reporting results and tracking action plans, as well as remote interviews and digital evidence review as part of virtual or hybrid audits. Organizations should leverage current technology solutions and resources to advance their audit program objectives, while ensuring key auditing principles and practices (summarized below) are embedded in the foundation and guiding framework.
Several organizations have developed standards or guidelines applicable to EHS auditing practice including the:
- ISO “Guidelines for auditing management systems”, ISO 19011:2018, with a 2026 update currently under publication
- Institute of Internal Auditors (IIA) Global Internal Audit Standards™ (2024) and IIA International Professional Practices Framework®
- American Society for Testing Materials (ASTM) “Standard Practice for Environmental Regulatory Compliance Audits”, E2107-20, latest version published in January 2021
The above guidelines are also integral to and referenced by the Board of Global Credentialing (BGC) for Certified Professional EHS Auditors (CPEA).
The following auditing principles and practices are critical and apply regardless of the audit objectives (e.g., regulatory compliance, management system conformance), scope (e.g., environmental, occupational safety and health, EHS or specific programs), or resources:
- Independence and Objectivity: The audit design, assigned auditor or audit team, and process execution must be free from undue influence, conflict of interest, or similar bias.
- Auditor Competency or Proficiency: The auditor(s) must be competent or proficient in core auditing skills, as appropriate to the EHS program areas and audit functions assigned. In addition to technical subject matter knowledge, auditors should have formal training on auditing principles and practices with on-the-job instruction and audit experience; classroom training alone is not sufficient.
- Due Professional Care, Fair Presentation, and Information Security: The audit process should demonstrate proper diligence, professionalism and quality with accurate and effective reporting and appropriate protections for cybersecurity of confidential or proprietary information.
- Evidence- and Risk-Based and Structured for Continual Improvement: The audit design and resources should be aligned with organizational objectives, risks, and opportunities, and appropriately positioned and supported within the organization for success. A structured audit plan should be implemented based on the objective evidence and level of risk. Systemic factors contributing to non-compliance or non-conformance should be addressed in documented action plans, which are tracked and monitored for organizational improvement.
Stay tuned for the upcoming release of the ISO 19011:2026 guidelines for auditing management systems. The new version increases the focus on risk-based approaches and integration and will address remote or hybrid audits and digital technologies.
To learn more about Colden Corporation and EHS auditing services, please check out our website. For questions or additional information, please contact Michele (Noble) Shepard, PhD, MS, CIH, Colden Principal and Vice President, EHS Services at shepard@colden.com, or send a general inquiry to colden@colden.com.

