Comment is mandatory

CIC - Internal auditing procedures

DEFINITION

Internal auditing can be defined as a process of independent, systematic examination to assess the extent of conformance with defined standards and recognised good practice and to thereby identify opportunities for improvement.

For a major hazards operator a process safety audit checks that what the business does in reality matches up to:

  • what it says it does in terms of policies and procedures
  • what it should do to ensure that major accident risks are reduced to as low as reasonably practicable.

The task of audit is an integral element to process safety management systems and mandated by the Seveso directive for major hazard establishments.

Fig. 1 Internal audit procedures play an important role in the safety management system

Inspection of internal auditing

It should be noted that the term ‘auditing’ involves fundamental assessment of the validity and reliability of the safety management system itself. It should not be confused with some operator's use of the term "auditing" to refer to activities such as safety tours, physical conditions inspections and behaviour observation carried out by line managers as part of their active performance monitoring activities. The relationship of audit in both monitoring and system review activities is illustrated in Figure 2.

It is expected that the description of the operator’s arrangements for audit will contain the following;

  • the resources and personnel required for each audit, bearing in mind the need for expertise, operational independence and technical support;
  • the audit plan indicating how it has been prioritised;
  • the audit protocols to be adopted (which might include the use of questionnaires, checklists, open and structured interviews as well as checking documents and measurements and observations);
  • the procedures for reporting the audit findings; and
  • the procedures for following up the recommendations shown to be necessary by audits.

Auditing is of little value unless the entire business is prepared to act on the recommendations from the audit itself and track through and validate close out of these actions. Inspectors should be cautious of audits which convey only good news or are biased towards compliance as opposed to improvement actions. Demonstrable evidence of the review and improvement of the audit process is also essential for audits to remain effective.

Fig. 2 Hierarchy of Review, Audit and Monitoring Activities

Audit planning

The ingredients of a robust audit programme are:

  • senior management commitment;
  • employee engagement and participation;
  • an audit team competent in terms of auditing skills (interviewing, report writing, presenting) and specialist process safety skills (knowledge of internal standards, external regulatory requirements and awareness of best practice); and
  • an audit team which brings together expertise and objective unbiased opinion.

Audit teams can be composed of internal staff auditors, independent of the site or section under audit, including those individuals who are either co- opted from other sites or else are group based. Several organisations elect to supplement their audit teams with external auditors in order to bring a fresh perspective to its internal auditing. In this case competence as with internal staff auditors will need to be assessed and monitored.

As far as scheduling audits, the audit frequency should be risk-based and can be a function of several factors including:

  • the nature of the inherent hazards present on a site,
  • the most recent audit results achieved,
  • incident track record, and
  • degree of external regulatory scrutiny.

Aside from routine scheduled audits the business may organise internal audits as a result of:

  • an incident of actual/potential serious consequence,
  • a request from local management (often as a result of newly installed managers who wish to establish a baseline audit of their operations), and
  • a follow up to an earlier routine audit (if the results of that audit merit a special audit visit).

Fig. 3 Example of an Internal Audit Process (Source: www.bizmanuals.com)

Audit Procedures

There are two components to the conduct of an audit. The first is assessment which is a process to develop an opinion on the strengths and weaknesses of process safety activities. This task will require the auditors to have an understanding of acceptable practice as it applies to the operation under audit.

The second component is verification, which is a process to determine adherence to specific internal standards. This task relies on the audit team having intimate knowledge of the internal standards related to process safety which will necessarily be compliant with local legislation.

As far as verification the following should be in place:

  • an audit plan which indicates which elements of the safety management system are audited and the time, location and individual(s) who are conducting the audit;
  • audit planning which covers all elements of the safety management system (including management of change, inspection and maintenance programs, permit to work system, management of operational instructions, training programs, internal emergency planning, investigation of accidents and incidents);
  • instructions on how to audit for each element (what kind of questions, what kind of documents should be checked);
  • auditors who are competent in the application of the auditing instructions;
  • an audit report, clearly indicating the following details: time, place, people involved, the procedure or system that was audited for each audit and which clearly indicates major findings;
  • management evaluation of audit findings which are considered shortcomings (at least by the manager responsible for the audited division of department);
  • corrective action plan to address shortcomings with execution and due dates;
  • an individual assigned to follow up on corrective actions; and
  • a report made periodically on progress and implementation of the audit programme.

Post Audit

As the internal auditing programme matures it is expected that the programme is subject to regular review and improvement based on:

  • debriefing of auditing teams,
  • feedback from audited sites, and
  • bench marking of audit processes with peer companies.

Ultimately the audit outcomes should correlate with process safety performance. A worsening process safety performance indicates that there may be problems with the auditing process.

References

  1. EPSC (European Process Safety Centre) Process Safety Auditing Report 32 www.epsc.org (freely available on request)

  2. Department of Infrastructure, Planning and Natural Resources Major Industrial Hazards Advisory Safety Assurance Paper No. 1

 

Questions for Seveso inspectors

This checklist of questions relates to internal audits to check compliance with the SMS, so this means periodic checks whether the procedures of the SMS are being correctly applied.  

These questions are not necessarily relevant to audits aimed to evaluate the completeness or quality of a process safety management system (by comparison with an external standard for example).  Indentation is used to explore some issues in more detail (if the inspector wishes to do so).

All questions are closed and should be answered positively. Negative answers can only be accepted if a company can demonstrate it has an alternative solution in place or if the question is not relevant or applicable.

If you have any suggestions to add to this checklist, please contact JRC-MINERVA-INFO@ec.europa.eu 

 Audit planning

    1. Is there a plan to carry out audits to verify the correct application of the procedures of the safety management system?
    2. Are all the elements of the process safety management system included in the planning?Are the procedures regarding management of change included in the audit planning?Are the procedures regarding the periodic review of process hazard analysis included in the audit planning?
      1. Are the procedures regarding the management of the inspection and maintenance programs included in the audit planning?
      2. Are the procedures regarding the management of instructions included in the audit planning?
      3. Are the procedures regarding the training and evaluation of plant personnel included in the audit planning?
      4. Is the work permit system included in the audit planning?
      5. Are the procedures regarding emergency planning included in the audit planning?
      6. Are the procedures regarding the analysis of incidents and accidents included in the audit planning?
      7. Are the procedures for taking safeguards in and out of service included in the audit planning?
    3. Over the last years, have the audits been conducted according the planning?
  1. Audit personnel and instructions
    1. Are there instructions for the auditors on how to conduct an audit (of a specific element of the SMS)?
    2. Have the auditors (for each element of the SMS) been assigned?
    3. Are the auditors independent from the auditees?
    4. Have the auditors received training (on how to conduct an audit)?
  1. Audit reports
    1. Is there an audit report available for each conducted audit?
    2. The audit report indicates what procedures were audited?
    3. The date of the audit is mentioned in the report?
    4. Each report mentions who carried out the audit?
    5. The report indicated what verifications or spot checks were carried out?
    6. Each report clearly mentions the established non-conformities?

  2. Evaluation of audit results
    1. Were the results of the audits discussed with the heads of the departments concerned?
    2. The results were communicated to site management?
    3. Were the findings evaluated and have corrective actions been defined?
      1. Are the actions clear?
      2. Is a due date assigned to every action?
      3. Is for every action defined who’s responsible for executing it?
  1. Action follow up
    1. Is there a system of following up actions issuing from internal audits?
    2. Can the company show an overview of the standing actions from internal audits?
    3. Is the planning of the corrective actions being respected (no actions overdue)?
    4. Is the timely execution of the actions followed up?
      1. Is there somebody assigned to follow up the actions?
      2. Is there a periodic reporting to the site management on the status of the actions from internal audits?

PDF Versions for Printing

CIC (English)
CIC (Nederlande)

Questions (English)