ENVIRONMENTAL

AUDITING AND
MEETING THE
CHALLENGES
INTAUD1 - H008
(For In ternal Use Onl y)
The Environmental Auditing Process
Caring for the environment has assumed an important place in the
American and Filipino culture. We have become aware of the impact that the
pollution of air, ground, and water can have on the quality of life, on the
enjoyment of the earth’s beauty and on the physical well-being of its
inhabitants.

Because of this importance, federal, state and local governments have

entered the picture with laws and regulations that are intended to correct and
cure the effects of past violations of good environmental practices and designed
to prevent future violations of good environmental disciplines.

As a part of the management and internal control fabric of the

organization, the internal auditor is interested in reviewing the compliance
with regulations and statutes, determining the propriety of the accounting
for environmental issues and ensuring that proper disclosure is being made.

However, the internal auditor is also interested in the controls that are
in place or that should be in place to ensure that environmental problems are
kept to a minimum, that environmental operations are efficient and effective,
that waste management operations are proper, and that environmental decisions
are based on factual information.

The Benefits of Environmental Auditing

1) Reduction of fines for regulatory noncompliance

2) Early identification of problems before regulatory action
3) Reduction of long-term environmental risk
4) Increased assurance about compliance with organization
environmental policy
5) Increased management awareness of environmental issues
6) Enhanced reputation for environmental responsibility
7) Cost saving from waste minimization and pollution prevention
8) Increased employee awareness of environmental issues
9) Increased standardization of environmental protection practices
10) Increased assurance of environmental liability accruals

Page | 1
Environmental Risks
The CAE includes environmental, health, and safety (EHS) risks in
any organization-wide risk management assessment. These activities are
assessed in a balanced manner relative to other types of risk associated with an
organization’s operations. Among the risk exposures to be evaluated are the
following:

a) Organizational reporting structures

b) Likelihood of causing environmental harm, fines, and penalties
c) Expenditures mandated by governmental agencies
d) History of injuries and deaths
e) History of losing customers
f) Episodes of negative publicity and loss of public image and
reputation

Environmental Audit Function

If the CAE finds that the management of these risks largely depends on
an environmental audit function, the CAE needs to consider the implications of
that structure and its effects on operations and reporting.

1. If the CAE finds that the exposures are not adequately managed and
residual risks exist, changes in the internal audit activity’s plan of
engagements and further investigations are normal results.

2. The typical environmental audit function reports to the organization’s

environmental component or general counsel. The common models for
environmental auditing are the following:

a) The CAE and environmental audit executive are in separate

functional units and have little contact.

b) The CAE and environmental audit executive are in separate

functional units and coordinate their activities.

c) The CAE has responsibility for auditing environmental issues.

Page | 2
Research Findings
A research study of EHS auditing found the following risk and
independence issues:

1. The EHS audit function is isolated from other auditing activities. It

is (a) organized separately from internal auditing, (b) only
tangentially related to external audits of financial statements, and
(c) reports to an EHS executive, not to the board or senior
management.

This structure suggests that management believes EHS auditing to

be a technical field that is best placed within the EHS function. In
this position, auditors could be unable to maintain their
independence.

2. EHS audit managers usually report administratively to the

executives who are responsible for the physical facilities being
audited. Because poor EHS performance reflects badly on the
facilities management team, these executives have an incentive to
influence (a) audit findings, (b) how audits are conducted, or (c)
what is included in the audit plan. This potential subordination of
the auditors’ professional judgment, even when only apparent,
violates auditor independence and objectivity.

3. It is also common for written audit reports to be distributed no

higher in the organization than to senior environmental executives.
Those executives may have a potential conflict of interest, and they
may prevent or limit further distribution of EHS audit results to
senior management and the board.

4. Audit information is often classified as either (a) subject to the

attorney-client privilege or attorney work-product doctrine (if
available in the relevant jurisdiction); (b) secret and confidential; or
(c) if not confidential, then closely held.

The effect is severely restricted access to EHS audit

information.

Page | 3
Role of the CAE
The CAE fosters a close working relationship with the chief
environmental officer and coordinates activities with the plan for environmental
auditing.
1. When the environmental audit function reports to someone other
than the CAE, the CAE offers to review the audit plan and the
performance of engagements.

2. Periodically, the CAE schedules a quality assurance review of the

environmental audit function if it is organizationally independent of
the internal audit activity. That review determines whether
environmental risks are being adequately addressed.

3. An EHS audit program may be

a) Compliance-focused (verifying compliance with laws,
regulations, and the organization’s own EHS policies,
procedures, and performance objectives),

b) Management systems-focused (providing assessments of

management systems intended to ensure compliance with legal
and internal requirements and the mitigation of risks), or

c) A combination of both approaches.

The CAE evaluates whether the environmental auditors, who are not
part of the CAE’s organization, are conforming to recognized professional
auditing standards and a recognized code of ethics. The CAE evaluates the
organizational placement and independence of the environmental audit function
to ensure that significant matters resulting from serious risks to the organization
are reported up the chain of command to the board. The CAE also facilitates the
reporting of significant EHS risk and control issues to the board.

NOTE: The internal audit activity has an established place in the organization
and normally has a broad scope of work permitting ready assimilation of the
new function. Thus, it is an advantage to conduct environmental audits under
the direction of the internal audit activity because of its position within the
organization.

Page | 4
Environmental Auditing
An organization subject to environmental laws and regulations having a
significant effect on its operations should establish an environmental
management system. One feature of this system is environmental auditing,
which includes reviewing the adequacy and effectiveness of the controls over
hazardous waste. It also extends to review of the reasonableness of contingent
liabilities accrued for environmental remediation.

According to a research report prepared for The IIA Research Foundation,

An environmental management system is an organization’s structure of

responsibilities and policies, practices, procedures, processes, and resources
for protecting the environment and managing environmental issues.
Environmental auditing is an integral part of an environmental management
system whereby management determines whether the organization’s
environmental control systems are adequate to ensure compliance with
regulatory requirements and internal policies.

The report describes seven types of environmental audits:

1. Compliance audits are the most common form for industrial

organizations. Their extent depends on the degree of risk of
noncompliance.
a) They are detailed, site-specific audits of current operations,
past practices, and planned future operations.

b) They usually involve a review of all environmental media the

site may contaminate, including air, water, land, and
wastewater. Moreover, they have quantitative and qualitative
aspects and should be repeated periodically.

c) Compliance audits range from preliminary assessments to (1)

performance of detailed tests, (2) installation of groundwater
monitoring wells, and (3) laboratory analyses.

Page | 5
2. Environmental issues may arise from practices that were legal when
they were undertaken. Environmental management systems audits
determine whether systems are in place and operating properly to
manage future environmental risks.

3. Transactional audits assess the environmental risks and liabilities of

land or facilities prior to a property sale or purchase. Current
landowners may be responsible for contamination whether or not they
caused it.

a) Transactional audits require due diligence (a reasonable level

of research) from the auditor. What constitutes due diligence
for each phase of a transactional audit and the definitions of the
phases are questions for debate. These phases are often
characterized as follows:
I. Phase I – qualitative site assessments involving a
review of records and site reconnaissance
II. Phase II – sampling for potential contamination iii)
III. Phase III – confirming the rate and extent of
contaminant migration and the cost of remediation

b) A transactional audit addresses all media exposures and all

hazardous substances, e.g., radon, asbestos, PCBs, operating
materials, and wastes.

4. Treatment, storage, and disposal facility (TSDF) audits. The law

may require that hazardous materials be tracked from their acquisition
or creation to disposal by means of a document (a manifest). All
owners in the chain of title may be liable.

a) For example, if an organization contracts with a transporter to

dispose of hazardous waste in a licensed landfill and the
landfill owner contaminates the environment, all the
organizations and their officers may be financially liable for
clean-up.

Page | 6
 b) TSDF audits are conducted on facilities the organization owns,
leases, or manages, or on externally owned facilities where the
organization’s waste is treated, stored, or disposed. Thus, when
an outside vendor is used for these purposes, the audit should
consist of such procedures as:
 Reviewing the vendor’s documentation on hazardous
material,
 Reviewing the financial solvency of the vendors,
 Reviewing the vendor’s emergency response planning
 Determining that the vendor is approved by the
governmental organization that is responsible for
environmental protection,
 Obtaining the vendor’s permit number, and
 Inspecting the vendor’s facilities.

5. A pollution prevention audit determines how waste can be minimized

and pollution can be eliminated at the source. The following is a
pollution prevention hierarchy from most desirable (recovery) to least
(release without treatment):
a) Recovery as a usable product
b) Elimination at the source
c) Recycling and reuse
d) Energy conservation
e) Treatment
f) Disposal
g) Release without treatment

6. Environmental liability accrual audits. Recognizing, quantifying,

and reporting liability accruals may require redefinition of what is
probable, measurable, and estimable. When an environmental issue
becomes a liability is also unclear.

The internal auditors may be responsible for assessing the

reasonableness of cost estimates for environmental remediation. Due
diligence may require assistance from independent experts, such as
engineers.

Page | 7
 7. Product audits determine whether products are environmentally
friendly and whether product and chemical restrictions are being met.
This process may result in the development of a) Fully recyclable
products, b) Changes in the use and recovery of packaging materials,
and c) The phase-out of some chemicals.

The New Dimensions of Internal Auditing

We accept that internal audit must deliver added value to the
organization and this is defined by the IIA as:

Organisations exist to create value or benefit to their owners, other

stakeholders, customers, and clients. This concept provides purpose for their
existence. Value is provided through their development of products and
services and their use of resources to promote those products and services. In
the process of gathering data to understand and assess risk, internal auditors
develop significant insights into operations and opportunities for improvement
that can be extremely beneficial to their organisation.

This valuable information can be in the form of consultation, advice,

written communications or through other products all of which should be
properly communicated to the appropriate management or operating personnel.

Past Focus Additional Focus

hard controls soft controls
control evaluation self-assessment
control risk
risk context
risk threats risk opportunities
past future
review preview
Detective preventive
operational audit strategy audit
auditor consultant
imposition invitation
persuasion negotiation
independence value

Page | 8
 audit knowledge business knowledge
catalyst change facilitator
transaction processes
control activities management controls

This sets the new dimensions of internal auditing as the concepts on the
right-hand side become a benchmark for each chief audit executive to consider.

Globalization
One real development in internal auditing coincides with the way
business (and public services) are becoming increasingly internationalized.
Physical location is no longer an issue as buying activity is moving away
from the local high street as it launches into hyperspace through the
Internet.

The IIA has grasped this new thinking and is developing the profession
into a global internal auditing organization whose broad business objectives
include:
 Establishing global standards for the practice of internal auditing.
 Promoting the professional certification of internal auditors
worldwide.
 Fostering the development of the profession around the globe.
 Representing and promoting internal auditing across national
borders.
 Facilitating the timely sharing of information among Member
associations.
 Searching for globally applicable products and services.

The Changing Auditor

Philip Sanity has described a survey conducted by the institute in the
wake of the WorldCom debacle, concerning the way the internal auditing
profession has moved away from traditional financial auditing towards risk-
based auditing. Four groups were described in terms of attitudes towards this
change in focus:

Page | 9
  The Evangelist Some 48% of respondents fell into this group. They
believed that the move towards risk-based auditing has not had a
negative impact on the traditional work of internal audit and should
continue unfettered.

 The Doomsayer Some 24% of respondents fell into this group. They
believe that the move towards risk-based auditing has damaged the
traditional work of internal audit and should not continue.

 The Pragmatists Some 18% of respondents fell into this group. They
felt that the move to risk-based auditing had changed the traditional
work of the internal audit, but said that the trend should continue
nonetheless.

 The Doubters Some 5% of respondents fell into this group. They felt
that the move to risk-based auditing had not damaged the traditional
work of internal audit but said that the trend should not continue.

Meeting the Challenge

All countries to a greater or lesser extent are coming to recognize
the great value from an internal audit service. It is hard to think of any
particular corporate service that is enshrined in laws and regulations and which
carries the burden of the societal expectations that we have mentioned.

In August 2002, Leroy E. Bokmal, chairman of IIA. Inc., wrote that:

With our unique viewpoint as independent but inside observers,

internal auditors play a vital role within governance processes by keeping the
board, senior management, and external auditors aware of risk and control
issues and by assessing the effectiveness of risk management. . . Audit
committees and boards are facing skyrocketing liability costs and ever-
increasing workloads. It’s no wonder that liability costs are rising—boards have
to meet more governance challenges each year, but their resources for
information about their increasingly complex organisations are limited. In the
post-Enron era, it is surprising that boards of directors for any publicly held
companies would choose to do without internal auditing. It is also surprising

Page | 10
that investors, liability insurers, and other stakeholders have not questioned the
decision to do without internal auditing more often. . . There is no simple
checklist showing everything internal auditors can do to add value, because, at
times, techniques for adding value are as unique and personalized as the
organisations for which we work.

Ten Little Maxims

There is much that internal audit is expected to contribute and much
that can be done to make this contribution. We have featured the words of Larry
Sawyer in the handouts and there is no reason not to include something in the
final chapter. Many years ago Sawyer wrote out Ten Little Maxims for the
internal auditor:

1) Leave every place a little better than you found it.

2) You can’t stomp your foot when you are on your knees.
3) Know the objectives.
4) Nothing ever happens until somebody sells something.
5) Every deficiency is rooted in the violation of some principle of good
management.
6) Never believe what the first person tells you.
7) The best question is, “Mr or Ms Manager, how do you satisfy yourself
that . . . ?”
8) Politics and culture will usually win over rules and regulations.
9) When you point your finger, make sure your finger nail is clean.
10) Murphy was an optimist

Summary and Conclusions

The IIA.Inc has prepared a note on their web site that considers
“Internal Auditing: Adding Value across the Board” in which they suggest:

One does not have to sit in the boardroom or occupy the CEO’s chair to
recognize the rapid-fire changes going on in today’s corporate environment.
The business pages regularly contain reports of mergers, acquisitions, and other
organizational restructurings; electronic commerce and other information
technology breakthroughs; privacy invasions; and plain old-fashioned frauds.
And things are likely to get even more frenetic.

Page | 11
 The challenges of today’s changing world introduce great opportunities
for management and the board and point to the necessity for competent
internal auditing. Especially in these times of constant change, internal
auditing is critical to efficient operations, effective internal controls and risk
management, strong corporate governance, and in some cases, the very survival
of the Organization.

Our view of the changing world of the internal auditor is quite simple,
and it is summed up in the following dimensions that move through stages 1–7;
from old- to new-look contexts:

1) We’re here to check on you

2) We’re here to check your controls
3) We’re here to check your risks
4) We’re here to check your risk management system
5) We’re here to help you establish risk management
6) We’re here to help you achieve success
7) We’re here to help you prove you can be trusted to take care of our
business

********** Nothing Follows **********

Page | 12