Health and Safety, Environment and Quality Audits Internal auditing is an essential tool for managing compliance, and for initiating and driving continual improvement in any organization’s systematic HSEQ performance Health and Safety, Environment and Quality Audits includes the latest health and safety, environmental and quality management system standards – ISO 9001, ISO 14001 and ISO 45001 It delivers a powerful and proven approach to risk-based auditing of businesscritical risk areas using ISO, or your own management systems It connects the ‘PDCA’ approach to implementing management systems with auditing by focusing on the organization’s context and the needs and expectations of interested parties The novel approach leads HSEQ practitioners and senior and line managers alike to concentrate on the most significant risks to their objectives, and provides a step-by-step route through The Audit AdventureTM to provide a high-level, future-focused audit opinion The whole approach is aligned to the international standard guidance for auditing management systems (ISO 19011) This unique guide to HSEQ and operations integrity auditing has become the standard work in the field over three editions while securing bestseller status in Australasia, Europe, North America and South Africa It is essential reading for senior managers and auditors alike – it remains the ‘go to’ title for those who aspire to drive a prosperous and thriving business based on world-class HSEQ management and performance Stephen Asbury is Managing Director of AllSafe Group Limited, and a Six Sigma Green Belt He is a Chartered Fellow of IOSH (CFIOSH), a Chartered Environmentalist (CEnv) and a Professional Member Emeritus of ASSP This is his sixth book for Routledge Health and Safety, Environment and Quality Audits A Risk-based Approach Third Edition Stephen Asbury Third edition published 2018 by Routledge Park Square, Milton Park, Abingdon, Oxon, OX14 4RN and by Routledge 711 Third Avenue, New York, NY 10017 Routledge is an imprint of the Taylor & Francis Group, an informa business © 2018 Stephen Asbury The right of Stephen Asbury to be identified as author of this work has been asserted by him in accordance with sections 77 and 78 of the Copyright, Designs and Patents Act 1988 All rights reserved No part of this book may be reprinted or reproduced or utilised in any form or by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying and recording, or in any information storage or retrieval system, without permission in writing from the publishers Trademark notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe First edition published by Butterworth Heinemann 2006 Second edition published by Routledge 2014 British Library Cataloguing-in-Publication Data A catalogue record for this book is available from the British Library Library of Congress Cataloging-in-Publication Data Names: Asbury, Stephen, author Title: Health and safety, environment and quality audits : a risk-based approach / Stephen Asbury Description: Third edition | Abingdon, Oxon ; New York, NY : Routledge, 2018 | Includes bibliographical references and index Identifiers: LCCN 2017056823| ISBN 9780815375715 (hbk) | ISBN 9780815375395 (pbk) | ISBN 9781351239349 (ebk) Subjects: LCSH: Total quality management | Organization | Auditing | MESH: Total Quality Management—standards | Management Audit—standards | Organizational Culture | Safety Management—standards Classification: LCC HD62.15 A845 2018 | NLM HD 62.15 | DDC 658.5/62—dc23 LC record available at https://lccn.loc.gov/2017056823 ISBN: 978-0-8153-7571-5 (hbk) ISBN: 978-0-8153-7539-5 (pbk) ISBN: 978-1-351-23934-9 (ebk) Typeset in TheSans by Keystroke, Neville Lodge, Tettenhall, Wolverhampton Visit the companion website: www.routledge.com/cw/asbury Contents List of Figures List of Tables List of Case Studies About the Author Foreword Endorsements Preface to the Third Edition Preface to the Second Edition Preface to the First Edition Acknowledgements vii xi xiii xv xvii xix xxv xxix xxxiii xxxvii Introduction 1 Context of the Organization Management Systems and Business Control 52 ISO 19011 and Initiating Audit Culture 93 Relationships with Auditees 135 The Audit AdventureTM 157 Prepare Audit Activities 169 Conduct the Audit 198 Teamwork and the Conscious Use of Language 235 Conclude the Audit 252 Write the Audit Report and Follow Up 288 10 Appendix A-Factors 309 Appendix Preparation, Preparation, Preparation 320 vi CONTENTS Appendix Pre-audit Letter 328 Appendix Guide to Online Content 331 Appendix Example Examination Questions 333 List of Abbreviations Glossary of Operations Integrity Language Further Reading References Comments from Training Course Participants Index 337 339 347 353 359 362 List of Figures ISO 19011 Initiate: I need an Audit AdventureTM soon Silos: How management systems are sometimes implemented and audited A dozen examples of corporate failings, 2007 to date Major non-US business control failings Prototype ‘flying car’ The beautiful beach and cove, Poldhu, Cornwall, UK The Audit Adventure™: A flattened and simplified dynamic Time: It flies by The Audit Adventure™ Basic PEST recording tool Simple schematic for the transformation of inputs to outputs Example of a classic hierarchical organization chart A model for democratic government Connecting business environment (Context) to Vision, Mission and Business objectives 1.6 The Four Ts: Four choices for managing a risk 1.7 The essence of enterprise 1.8 A simple risk-ranking matrix, showing the ‘Black Swan’ characteristic 1.9 A more developed risk-ranking matrix, the PEARL matrix 2.1 Business control gone mad – for safety, please use a life jacket during water activities 2.2 A timeline of management system thinkers 2.3 W Edwards Deming in the 1950s 2.4 The PDCA cycle, commonly known as the ‘Deming Wheel’ 2.5 ISO 9001, ISO 14001 and ISO 45001 2.6 ILO-OSH 2001 2.7 Example of a sector’s own HSE-MS 2.8 The Asbury and Ball Management System model for Corporate Social Responsibility (2016) 2.9 The five groups of interested parties or ‘stakeholders’ 2.10 My Business Control Framework (BCF) F.1 P.1 P.2 P.3 I.1 I.2 I.3 I.4 I.5 1.1 1.2 1.3 1.4 1.5 vi xxvi xxx xxxv 4 12 13 20 22 38 43 45 46 47 53 56 57 59 64 65 66 70 75 77 viii LIST OF FIGURES 2.11 2.12 2.13 3.1 3.2 3.3 3.4 3.5 3.6 Layers of control provide risk-reducing barriers An organization’s environmental factors Achieving success by aligning objectives at all levels in the organization Audit is a mirror; it reflects what is there Relationship between ISO 19011:2011 and ISO/IEC 17021:2015 From Groan to Growth! The three levels of audit The deployment of assurance activities in typical organizations A Food Hygiene Rating certificate (following an apparently successful third-party audit) 3.7 A representation of an organization’s audit plan, in which each jigsaw piece represents a single audit 3.8 Graph showing the numbers of IRCA certificated auditors, 1984–2016 (1984–1991 estimated) 3.9 An IRCA OH&S Lead Auditor certification card 4.1 Seek, sort and share 4.2 Potentially useful contacts to be developed during the conduct of an audit 5.1 The Audit AdventureTM: Prepare, Conduct, Report 5.2 The Audit AdventureTM: The high-level view from the top 5.3 The Audit AdventureTM: Know what you are looking for 5.4 The Audit Adventure TM: Top-down, bottom-up 5.5 The Audit AdventureTM: Planning the division of time 5.6 A typical timing plan for a two-week audit (20/60/20) 6.1 Activities of the Prepare stage 6.2 The main features of a typical Terms of Reference document 6.3 Audit time plan showing the allocation of onsite and offsite time 6.4 Scheduling the lead auditor’s review and determining the use of planned contingency time 6.5 Six well-known risk families 6.6 An example audit work plan showing seven selected risks 6.7 Mapping work plan items to interviewees creates agendas for each interview 6.8 An example of an audit finding working paper (AFWP) 7.1 The work plan keeps the audit team on track 7.2 Audit thought process, with the Review sub-stage highlighted 7.3 PDCA: How management systems should be implemented and audited 7.4 Get to the level of detail you need 7.5 Missouri ‘Show-Me State’ licence plate 7.6 Audit thought process, with the Verify sub-stage highlighted 7.7 Decide the level of detail necessary to Verify each risk 7.8 Six sampling techniques for auditors: C-COVER 8.1 Useful form (1): Initial review of the context, objectives, and risks 8.2 Useful form (2): Initial operational risk identification 9.1 From detail to high-level opinion; bringing it all together 82 84 87 94 97 104 109 111 114 116 127 129 140 146 158 159 160 161 163 164 172 174 186 186 188 191 192 196 200 201 202 210 212 217 218 226 240 241 253 LIST OF FIGURES 9.2 9.3 9.4 9.5 9.6 9.7 9.8 9.9 9.10 9.11 9.12 9.13 9.14 9.15 10.1 10.2 10.3 The lead auditor updates the work plan Ideas for grouping your audit findings Tracking down the root cause of basic control weaknesses Consolidate the number of findings for senior management Allocating facts from each interview to BCF wall charts Wall charts help an audit team to share their information Records of the work done on the client’s premises The spillage of crude oil into the Gulf of Mexico Typical structure of Part of the audit report Adding facts from the AFWP to the BCF wall charts Cross-referencing between the results of each work plan item and the cumulative performance of each BCF element The audit opinion reflects the audit team’s independent assessment of the organization’s ability to meet its objectives A typical structure for a two-part-plus-appendices audit report The conclusion is always delivered at high level How a win-win conclusion should feel How many errors can you spot? The Audit Adventure™ – after the audit is completed, the audit team can look back on a job well done 255 258 261 264 265 266 267 273 276 277 277 279 282 287 289 304 307 ix References AICPA (1978) The Commission on Auditors’ Responsibilities: Report, Conclusions and Recommendations American Institute of Certified Public Accountants Asbury, S.W (2005) ‘A risk-based approach to auditing’, The Environmentalist, 29 June Asbury, S.W and Ball, R (2016) The Practical Guide to Corporate Social Responsibility Abingdon and New York: Routledge (Taylor & Francis) ASQ (2013) ‘About ASQ’ Available at: http://asq.org/about-asq/who-we-are/index.html (accessed June 2013) Atherton, J and Gil, F (2008) Incidents that Define Process Safety Hoboken, NJ: Wiley Inter-science BAB (2015) Available from www.british-assessment.co.uk/guides/iso-9001-opens-doorsfor-uk-businesses (accessed 11 January 2017) Baden-Powell, R (2013) BrainyQuote Available at www.brainyquote.com/quotes/quotes/r/ robertbade138358.html (accessed 17 May 2013) Baird, D (2005) ‘The implementation of a health and safety management system and its interaction with organisational/safety culture: an industrial case study’, in Policy and Practice in Health and Safety, 03/01 17–39 Leicester: IOSH Services Limited Ball, D.J and Ball-King, L (2011) Public Safety and Risk Assessment – Implementing Decision Making London and New York: Routledge Bandura, A (1997) Self Efficacy – The Exercise of Control Derby: Worth Publishers (Macmillan) Bennett, J and Foster, P (2007) ‘Developing an Industry-specific Approach to a Safety Management System’, in Policy and Practice in Health and Safety 05/01 37–59 Leicester: IOSH Services Limited Bernstein, P.L (1996) Against the Gods: The Remarkable Story of Risk Hoboken, NJ: Wiley Bird, L (2013) Quotations Book Available at: http://quotationsbook.com/ quote/22788/#sthash.fAPWsVFF.L9hhwTtT.dpbs (accessed June 2013) 354 REFERENCES Blanpain, R and Inston, R (1996) The Bosman Case London and Edinburgh, UK: Sweet & Maxwell Boyle, T (2002) Health and Safety: Risk Management Leicester, UK: The Institution of Occupational Safety and Health Bryce, L (1991) The Influential Manager London, UK: Piatkus Burns-Warren, A (2006) Personal communication Chevron (2012) ‘The Chevron Way’ Available at: www.chevron.com/about/chevronway/ (accessed October 2012) CNN (2010) ‘BP Chief to Gulf Residents: “I’m Sorry”’, CNN Available at: http://edition.cnn com/2010/US/05/30/gulf.oil.spill/index.html (accessed June 2013) Coca-Cola Company (2012) ‘Our Company: Mission, Vision and Values’ Available at: www coca-colacompany.com/our-company/mission_vision_values.html (accessed October 2012) Collins, J (2001) Good to Great New York: Random House Corbett, C.J.; Montes-Sancho, M,J and Kirsch, D.A (2005) ‘The Financial Impact of ISO 9000 Certification in the United States: An Empirical Analysis’, in Management Science 51(7): 1607–16 COSO (2017) Enterprise Risk Management: Integrating with Strategy and Performance Available at: www.coso.org/Documents/2017-COSO-ERM-Integrating-with-Strategy-andPerformance-Executive-Summary.pdf (accessed 24/9/2017) COSO (2013) Internal Control: Integrated Framework Available at: www.coso.org/ Documents/990025P-Executive-Summary-final-may20.pdf (accessed 24 September 2017) Dekker, S (2014), Safety Differently – Human Factors for a New Era Boca Raton, FL: CRC Press (Taylor & Francis) Deming, W.E (1986) Out of the Crisis Cambridge, MA: MIT Press Deming, W.E (1993) The New Economics for Industry, Government, Education Cambridge, MA: MIT Press Drucker, P (2013) ‘Quotations by Author: Peter Drucker’, The Quotations Page Available at: www.quotationspage.com/quotes/Peter_Drucker (accessed 24 May 2013) Eichenwald, K (2005) Conspiracy of Fools: A True Story New York: Random House Evans, C (2006) Personal communication Eves, D and Gummer, J (2005) Questioning Performance: The Director’s Essential Guide to Health, Safety and the Environment Leicester, UK: The Institution of Occupational Safety and Health REFERENCES Fuller, C.W and Vassie, L.H (2004) Health and Safety Management: Principles and Best Practice Upper Saddle River, NJ: Prentice Hall Gallagher, C.; Underhill, E and Rimmer, M (2003) ‘Occupational Safety and Health Management Systems in Australia: barriers to success’, in Policy and Practice in Health and Safety 01/02 67–81 Leicester: IOSH Services Limited Gardner, D (2009) Risk London, UK: Virgin Books Ghosh, B (2012) ‘The Agents of Outrage’, Time, 13 September Available at: http://world.time com/2012/09/13/the-agents-of-outrage/ (accessed June 2013) Haffey, R (2009) Lean Safety: Transforming Your Safety Culture with Lean Management, Boca Raton, FL: CRC Press (Taylor & Francis) Handy, C (1994) The Empty Raincoat Arrow Business Books Heinz (2012) ‘Mission and Values’ Available at: www.heinz.com/our-company/about-heinz/ mission-and-values.aspx (accessed October 2012) Heras, I., Dick, G.P.M and Casadesus, M (2002) ‘ISO 9000 registration’s impact on sales and profitability: A longitudinal analysis of performance before and after accreditation’, in International Journal of Quality and Reliability Management, 19(6):774 Higson, A (2002) Corporate Financial Reporting: Theory and Practice Thousand Oaks, CA: Sage Publications Hollnagel, E (2014) Safety-I and Safety-II Oxford and New York: Routledge Hopkins, A (2009) Failure to Learn: The BP Texas City Refinery Disaster North Ryde NSW, Australia: CCH Australia Limited HSE (1997) HSG65 Successful Health and Safety Management, 2nd ed Liverpool, UK: HSE Books HSE (2015) Historical Picture – Trends in Work-related Injuries and Ill-Health in Great Britain since the Introduction of the Health and Safety at Work Act 1974, available from www.hse gov.uk/statistics/history/historical-picture.pdf (accessed 24 September 2017) HSE (2016) Personal correspondence with Helen Wilson, HSE Science Directorate – Statistics and Epidemiology Unit, 22 January 2016 IEMA (2013) ‘About IEMA: Mission’ Available at: www.iema.net/about-iema (accessed May 2013) IIA (2004) Practice Advisory 2060–2 IIA (2013a) ‘What is Internal Audit?’ Available at: www.iia.org.uk/about-us/what-is-internalaudit/ (accessed June 2013) IIA (2013b) ‘The Institute of Internal Auditors’ Available at: www.theiia.org/ theiia/?search=IIA%20Welcome (accessed June 2013) 355 356 REFERENCES ILO (2001) ILO-OSH 2001 Guidelines on Occupational Safety and Health Management Systems Available at: www.ilo.org/safework/info/standards-and-instruments/ WCMS_107727/lang-en/index.htm (accessed 12 October 2012) ILO (2016) available from the IOGP website www.iogp.org/blog/2016/08/02/safety-innumbers/ (accessed 31 August 2017) IPC (2010a) ‘About Us: Mission’ Available at: www.ipcaweb.org/content aspx?page=2&type=1 (accessed May 2013) IPC (2010b) ‘IATCA Has Become IPC’ Available at: www.ipcaweb.org/content aspx?page=i&type=1 (accessed June 2013) IRCA (2013) ‘About IRCA: Mission and History’ Available at: www.irca.org/en-gb/about/ mission-and-history (accessed May 2013) IRCA (2017) Personal communication with Gareth Kingston, Head of Membership via email, 28 September 2017 ISO (2009a) ISO 31000:2009 Principles and General Guidelines on Risk Management International Organization for Standardization ISO (2009b) ISO Guide 73:2009 Risk Management: Vocabulary International Organization for Standardization ISO (2012a) Annex SL (previously ISO Guide 83) of the Consolidated ISO Supplement of the ISO/IEC Directives International Organization for Standardization ISO (2012b) ISO 19011:2011 Guidelines for Auditing Management Systems Available at: www.iso.org/iso/catalogue_detail?csnumber=50675 (accessed 11 October 2012) ISO (2012d) ISO/IEC 17024:2012 Conformity Assessment: General Requirements for Bodies Operating Certification of Persons Available at: www.iso.org/iso/catalogue_ detail?csnumber=52993 (accessed 11 October 2012) ISO (2017a) Available at www.iso.org/news/2017/01/Ref2149.html (accessed 5/9/2017) ISO (2017b) ISO/IEC 17021:2015 Conformity Assessment: Requirements for Bodies Providing Audit and Certification of Management Systems Available at: www.iso.org/standard/61651 html (accessed September 2017) James, T and James, A (2009) The Intensive NLP Practitioner Certification Training Manual, version 6.53 The Tad James Co Jennings, M., Kneer, D.C and Reckers, P.M.J (1993) ‘The significance of audit decision aids and precase jurists’ attitudes on perceptions of audit firm culpability and liability’, Contemporary Accounting Research, 9(2): 489–507 Johnson, S (1999) Who Moved My Cheese? London, UK: Vermilion Keyser, S (2012) ‘The write stuff’, Business Life, October: 14 REFERENCES Luscombe, B (2012) ‘10 Questions for Sir Tim Berners-Lee’, Time, September Available at: http://techland.time.com/2012/09/05/10-questions-for-sir-tim-berners-lee/ (accessed June 2012) McCormick, J (2015) European Union Politics Basingstoke: Palgrave Macmillan Merritt, C.W (2005) ‘Statement for the BP Independent Safety Review Panel’, US Chemical Safety and Hazard Investigation Board Available at: www.csb.gov/assets/1/19/Carolyn_ Statement_3.pdf (accessed August 2013) Michaels, A., Hoyos, C and Parker, A (2004) ‘Retired Shell engineer played central role’, Financial Times, 25 August Monroe, G.S and Woodliffe, D.R (1993) ‘The effect of education on the audit expectation gap’, Accounting and Finance, 33(1): 1–91 National Trust (2013) ‘Cornwall’ Available at: www.nationaltrust.org.uk/visit/local-to-you/ south-west/things-to-see-and-do/cornwall (accessed June 2013) OGP (1994) HSE-MS 6.36/210 Guidelines for the Development and Application of Health, Safety and Environmental Management Systems ONS (2016) Labour force report, available from www.ons.gov.uk/ employmentandlabourmarket/peopleinwork/employmentandemployeetypes/bulletins/ uklabourmarket/dec2016 (accessed 30 December 2016) O’Toole, G (2012) ‘If I Had More Time, I Would Have Written a Shorter Letter’, Quote Investigator, blog posting Available at: http://quoteinvestigator.com/2012/04/28/ shorter-letter/ (accessed June 2013) Oxford University Press (2008) Concise Oxford English Dictionary, 11th ed Oxford University Press PECB (2017) https://pecb.com/en/about (accessed September 2017) Porter, B (1993) ‘An empirical study of the audit expectation-performance gap’, Accounting and Business Research, 24(93) RABOSA International (2007) ‘RABOSA Vision, Mission, Objectives’ Available at: www.rabqsa.com/ab0ut02.html (accessed June 2013) Reason, J (1990) Human Error Cambridge, UK: Cambridge University Press Robson, L.S.; Clarke, J.A.; Cullen, K.; Bielecky, A.; Severin, C.; Bigelow, P.L.; Irvin, E.; Culyer, A and Mahood, Q (2007) The effectiveness of occupational health and safety management system interventions: A systematic review, in Safety Sciences 45/3 329–53 London: Elsevier Russia G20 (2013) ‘G20’ Available at: www.g20.org/docs/about/about_G20.html (accessed 24 May 2013) 357 358 REFERENCES Sarup, D (2004) ‘Watchdog or bloodhound? The push and pull toward a new audit model’, Information Systems Control Journal, Available at: www.isaca.org/Journal/ Past-Issues/2004/Volume-1/Documents/jpdfo41-WatchdogorBloodhound.pdf (accessed June 2013) Schuman, M (2012a) ‘Why China must push reset’, Time, 18 June Available at: www.time com/time/magazine/article/0,9171,2116604-2,00.html (accessed 24 May 2013) Schuman, M (2012b) ‘The new Great Wall of China’, Time, 24 September Available at: www.time.com/time/magazine/article/0,9171,2124406-1,00.html (accessed 24 May 2013) Silberman, B (2013) ‘The year in highlights’, Time, January: 31 Taleb, N.M (2007) The Black Swan: The Impact of the Highly Improbable, New York: Random House and London: Allen Lane/Penguin Toone, B (2004) Protect Your People-and Your Business Leicester, UK: The Institution of Occupational Safety and Health Tzu, S (2009, first published 1910) The Art of War, trans Giles, L Pax Librorum Under30CEO (2017) Available at http://under30ceo.com/top-50-most-motivationalpeople-on-the-web/ (accessed October 2017) Wikipedia (2012) ‘Risk’ Available at: http://en.wikipedia.org/wiki/Risk (accessed October 2012) Willis Corroon (1996) Environmental Management Manual Willis Corroon Environmental Forum Zakaria, F (2006) ‘Voices’, Newsweek, 147(22) 29 May: 28 Zakaria, F (2012) ‘Tax and spend’, Time, 23 July Available at: www.time.com/time/magazine/ article/0,9171,2119336,00.html (accessed 24 May 2013) Zukav, G (2013) ‘Gary Zukav > Quotes > Quotable Quote’, Goodreads Available at: www.goodreads.com/quotes/149697-reality-is-what-we-take-to-be-true-what-we (accessed June 2013) COMMENTS FROM TRAINING COURSE PARTICIPANTS Comments from Training Course Participants IOSH ‘SHE Auditing – A Management Systems Approach’ Steve rocks It’s my greatest opportunity to attend a programme and get personally trained by Steve I have never attended a training that made so much impact on the audience He is always prepared, pre-empted and punctual Steve took what is almost a dry topic and completely transformed it into an extraordinary training programme He is an excellent coach; his knowledge in safety and operations integrity is world class I [will] recommend my colleagues to attend this training and suggest make sure they are trained under Steve I wish Steve to continue creating this awareness and making the world a better place Shivasangaran (‘Shiva’) Sundarraj Viswanathan Material Engineering Specialist Doha, Qatar The interactivity was fantastic! Steve and his team were great instructors and lead auditors I feel like I learned so much, and it was interesting and very, very enjoyable One of the best classes I have ever taken Morgan lannuzzi Environmental Engineer, Air Team San Ramon, California, USA Thank you so much for your incredible professionalism, expressed in individual approach, emotional and so effective methods of teaching, during which all members of our team could reveal their abilities and enthusiasm Thank you for your support and the great experience that surely will be useful in our work and normal life Tatyana Saporova HSE Manager Kazakhstanskaya, Kazakhstan 359 360 COMMENTS FROM TRAINING COURSE PARTICIPANTS Honestly, I found all of the class helpful Every part of the class from the high level, down to the beach, and from there back to the high level – we’ve had three genius instructors with us this week guiding us through The Audit Adventure™ Jose Baqui Lutumbo HES Specialist Cabinda, Republic of Angola I really enjoyed the interactive nature of this course, and the great knowledge and enthusiasm of the instruction team I liked the small and focused group size when we split into audit teams, and the real-time learning this gave me The focus on ‘the risk-based auditing process’ was perfect – thank you Bernabe Munoz Toxicology Specialist, Health and Product Stewardship Unit San Ramon, California, USA I liked all of the tutorial sessions, and the conduct in real-time of the case study The lead auditor’s support throughout was simply excellent! Inacio B Desire Compliance Assurance Specialist Malongo, Republic of Angola A very well-blended and balanced class Hands-on team exercises in the case study were great learning experiences – and with perfect coverage of risk-based auditing techniques Carl W Lam Environmental Engineer, Waste Management and Soil Remediation Houston, Texas, USA Course was very well organized, and the instructors were extremely engaging Matthew Barnes HES Specialist Moon Township, Pennsylvania, USA Role play, interviews, and altogether the hands-on learning experience provided by the case study was great It really helped me to understand the risk-based auditing process The instructors were so committed to providing continual improvement in my learning throughout the class Peixi Yan MCP Specialist Houston, Texas, USA COMMENTS FROM TRAINING COURSE PARTICIPANTS The risk-based perspective presented in the auditing training provided a high-level approach to risks that really impact the company objectives This approach has given me a whole new set of eyes to use going forward in my career Ximena Gutiérrez HES Advisor, LABU OE Planning & Performance, Upstream and Gas Bogotá, Colombia I really enjoyed the practice of the course, particularly as it took us through each element of the audit from initiation and preparation, through the conduct, to the audit conclusion The instructors were great, incorporating the different characters and simulating the interviews The timing and pace of the class was perfect, and I know what needs to be done to develop audit as a function in my organization Anunciaỗóo Calandula HES Engineer Luanda, Republic of Angola I want to say thank you for the learning experience in the IOSH ‘SHE Auditing’ class It was really interesting and fun and many of the teachings and concepts are applicable to my daily work Thank you again for a fun and productive week Nina Townsend Occupational Health and Safety Specialist California, USA This class was a great place to experience The Audit Adventure™ All my team and I valued highly your high-level, business-centric approach to auditing and the high-value, futurefocused audit opinion we were promised and received My thanks to the audit team for changing our attitude to the value of auditing! Tony Perez Managing Director 361 Index A-Factors 6, 309–19 abbreviations (list of) 337–8 AFWP (audit finding working paper) 194–7, 205–8, 254–5 AICPA 170 ALARP 88 American Society for Quality (ASQ) 132 Annex SL xxxi, 8, 62–4 asking 211–13 assurance 11, 95–6, 117 Audit Adventure (The) 3–6, 157–60; dynamics 161–2; project stages 162–8 see also audit report; conclude stage; conduct stage; prepare stage audit committee 104–7 audit culture 93–6 audit file 197 audit findings 299–301; consolidation 263–5; preliminary confirmation 223–4; preparation 272–4; sharing 265–8 audit finding working paper see AFWP audit logistics 184–5 audit objectives 118, 138, 182 audit opinion 278–82, 298 audit plan 115–17, 137, 185–6 audit report 288–91; contents 293–4; cover 292–3; findings and actions (Part 2) 275–6, 299–301; format 302; liability disclaimer statements 294–5; proofreading 302–5; structure 291; submitting 305–7; summary (Part 1) 281–2, 295–9; title 292 audit sample 171 audit scope 119, 180 audit team 180; competence and evaluation 123–4; knowledge and skills 122–3; personal behaviours 122; selection 120–3 see also teamwork audit types 107–10 auditee relationship 135–7, 176–7, 268–9, 280; audit opinion delivery 152–3; auditee team 150–2; behaviour and communication 143–7; changing perceptions 148–50; closing presentation 283–7; final presentation 153–6; influence 141–2; initial contacts 137–9; opening meeting 181–4; pre-audit documentation 139–41, 176–80 auditor registration organizations 126, 128; ASQ 132; BEAC 132; IEMA 131–2; IIA 131; IPC 133–4; IRCA 128–30; PECB 130; RABQSA International 130–1 background information 176–80 banks see financial institutions barriers (to loss) 82–3 BEAC 132 behaviour see communication; teamwork Berners-Lee, T 35 Bernstein, P 41–2 big rocks xxix Black Swans 44, 46 Bosman, J.-M 32 bottom-up see conclude stage BP; Deepwater Horizon; Tony Hayward 48, 273 Brexit 9, 25 brown paper exercise 229 business control 54–6, 71–7, 95–6; Deming, W E 56–62 see also management systems business control framework (BCF) 77–82, 118–19, 202; audit findings 265–8; barriers to loss 82–3; evaluation 276–8, 299; human factors INDEX 89–90; objectives 84–7; organizational context 83–4; processes 89; risks 87–9 see also control weaknesses; management systems business environment 8–15, 32–3, 83–4; economic 15–17, 27–30; internal environment 18–21; legal 15, 23–4, 30–3; political 15, 21–6; resources 16, 34–7, 69–70; senior management 37–8; sociocultural factors 15–16; technology 1, 16, 35–6 business objectives 84–7, 176 business plan 37–8 business processes 89 capital 35–6 case studies cascading 37–8 C-COVER (sampling techniques) 225–9 CCPS 48 centrally planned economies 28 checklist 320–7 Chevron; Chevron Way 85 civil law and tort 31 classic organizational theory 19 closing presentation 283–7 Coca-Cola Company 85 Commission on Auditors’ Responsibilities 170 Committee of Sponsoring Organizations of the Treadway Commission (COSO) 71–3 communication 143–7, 268–9 see also auditee relationship; language use; teamwork competitors 17 conclude stage 161–2, 168, 248, 252–4; audit opinion 278–82; auditee contact 268–9; BCF evaluation 276–8; closing presentation 283–7; control assessment matrix (CAM) 270–2; findings 263–8, 272–4; information analysis 269–70; information clarification 254–5; main issue development 272; nemawashi 269; recommendations 274–5 see also control weaknesses conduct stage 161–2, 165–6, 198–203; findings confirmation 223–4; time planning 203–4; verify sub-stage 216–22 see also review sub-stage; sampling consequence 49 contacts 145–7 context see business environment contingency time 185–6 continuing professional development (CPD) 36, 126, 128 control see business control control assessment matrix (CAM) 270–2 control weaknesses: categorization 257–9; identifying 255–7; prioritizing 262–3; root causes 260–2 see also business control framework (BCF) controlled descent see conduct stage corporate governance 71–3, 106 corporate social responsibility (CSR) 69–70, 105–6 corroboration 225 COSO; Integrated Framework of Internal Control; Enterprise Risk Management 71–3 cost weaknesses 259 credibility 182 criminal law 31 critical relationships see auditee relationship; teamwork culture 15–16 customers 16, 27, 29 Deepwater Horizon 48, 273 Dekker, S 51 deletions 243 Deming, W E 56–8, 61–62, 82; PDCA 58–9; Profound Knowledge 59–60; Fourteen Points 60–61 democratic government 22–3 distortions 242 draft terms of reference see terms of reference (ToR) Drucker, P 13 E-SEAP 46, 48–9 economic environment 15–17, 27–30 economic systems 28 environmental issues 34 environmental standards 114 Esso 111–2 European Union (EU); principal bodies 25–6, 32 evaluation see review sub-stage examination questions 333–6 expectation gap xxxiv, 170–1 external business environment see business environment external consultation 249–50 363 364 INDEX factors of production 13–14, 34–7 Fibonacci 41 financial institutions 29–30 findings see audit findings flying car follow-up 307 food safety standards 113–14 Foreign Corrupt Practices Act (1977) 71 Four Ts risk management 42–3, 48–9 Fourteen Points of Management 60–1 framing 246–7 free-market economies 28 functional structure 20 further reading 347–52 G8 24–5 G8+5 25 G20 24 gemba 5, 210 generalizations 242–3 geographical structure 20 glossary 339–46 government functions 23–4 Handy, C 16 Hawthorne Experiments 19 Hayward, T 48, 273 hazard 42–3 health and safety standards 113 Heinz, H.J Company 86 hierarchy for control see E-SEAP Hollnagel, E 51 honesty 93–5 HR based organizational theory 19 human capital see labour ILO-OSH 2001 65–6 independence 125–6 independent confirmation 227 influence 141–2 information analysis 269–70 information sources 176–80, 209–15 inherent risk 40 inputs 13–14, 34–6 Institute of Environmental Management and Assessment (IEMA) 131–2 Institute of Internal Auditors (IIA) 131 insurance 43–4 integrated standards 115 integrity 93–5 inter-personal relationships see auditee relationships; teamwork interested parties see stakeholders internal audit manager 106–7, 121 internal business environment 18–21, 73–7 see also business environment; business control framework (BCF) international auditor registration bodies see auditor registration organizations international governance 24–6 International Labour Organization (ILO) xxvi, 31, 65–6 international law 31–2 International Monetary Fund (IMF) 30 International Personnel Certification Association (IPC) 133–4 International Register of Certificated Auditors (IRCA) 128–30 international standards see recognized standards internet 35, 331–2 interviews: framing 246–7; questions 192–4; scheduling 186–7; techniques 243–5; work plan 191–2 IOGP Guidelines 66–7 ISO 9001/14001/45001 8, 39, 64–6; 95; 112–3 ISO/IEC 17021 97 ISO 19011 xxv, 2–3, 96–7; competence and evaluation of auditors 102–4, 122–4; contents 97–8; follow-up 307; managing an audit programme 98–101; monitoring/ reviewing/improving the audit programme 101; performing an audit 101–2; principles of auditing 98 ISO 31000 115 ISO Annex SL see Annex SL iteration 254 Jigsaw 116 Kodak 17 labour 34–5, 69–70 land 34 language use: framing 246–7; information level 239; metaphor 247; patterns 242–3; questioning techniques 243–5 see also audit report INDEX lead auditor 120, 169–70 see also audit team; auditee relationship; teamwork learning model see Audit Adventure legal framework 15, 30–1; government functions 23–4; influence on business 32–3; international law 31–2 see also recognized standards liability disclaimer statements 294–5 lifeboats 204 likelihood 49 line managers 107 Lloyd’s list; names; Society of; Insurance 43–4 logic 242–3 lone auditor 236 macroeconomic climate 15, 28–9 main issue development 272 management see audit report; auditee relationship management systems 96–8; Annex SL 62–4; ILO-OSH 2001 65–6; IOGP Guidelines 66–7; ISO 9001/14001/45001 64–6; mapping 67–8; recognized standards 113–15 see also business control; business control framework (BCF) management theory see organizational theory matrix organization/project team 21 metaphors 247 Missouri (Show-me State) 212–3 Montreal Protocol 31–2 multiple management system standards (MSS) 62–3 myth-busting 53 NASA; Columbia 76 natural resources 34 nemawashi 254, 257, 269, 280 networking relationships 146–7 observation 211 online content guide 331–2 opening meeting 181–4 operations integrity (OI) xxix–xxx, opinion see audit opinion Organization for Economic Co-operation and Development (OECD) 30 organizational context see business environment organization structures 19 outputs 13–14 overall audit opinion see audit opinion oversight see corporate governance; corporate social responsibility (CSR) PDCA see Plan-Do-Check-Act PEARL model 47, 88–9 peer review 250 PELR framework see external business environment personal observation 228 personal relationships see auditee relationship; teamwork PEST analysis 11–12 passing off 132–3 Plan-Do-Check-Act (PDCA) 58–9, 202, 207–8; modern management systems 62–70 Poldhu beach 3–6, 157 political systems 21–3 politics 15, 21–6 pre-audit documentation 139–41, 176–80 pre-audit letter 328–30 pre-audit site visit 180–1 preparation checklist 320–7 prepare stage 163–5, 172; audit file 197; audit logistics 184–5; audit scope 180; audit working papers 194–7; information sources 176–80; interviews 186–7, 191–4; opening meeting 181–4; pre-audit site visit 180–1; sampling 170–1; terms of reference (ToR) 173–5, 182–3; time and resource planning 185–6; work plan 187–91 principles based mentality xxxiv priority weaknesses 258–9 private banks 29 private law 31 probability 49 product/service structure 20 Professional Evaluation and Certification Board (PECB) 130 progress meetings 183 provisional timetable 183 Public Company Accounting Oversight Board (PCAOB) xxxiv public law 31 qualitative findings 232 quality standards 114 365 366 INDEX quantitative findings 232 questioning techniques 243–5 RABQSA International 130–1 rapport 236–7 reading 210–11, 228–9 recognized standards 113–15 recommendations 274–5, 300–1 records 228–9 reference framework see business control framework (BCF); management systems registration organizations see auditor registration organizations relationship auditing 144–5 relationships see auditee relationships; teamwork report see audit report reporting 166–7 residual risk 40 resource planning 185–6 resources 16, 34–7, 69–70 review sub-stage 204–5; audit finding working paper’ (AFWP) 205–8; differences in approach 208–9; information sources 209–15; outcomes 215–16 reworking results 229 risk 38–9, 87–9, 198–200; auditors 49–50; hazard 42–3; history of 41–2; inherent and residual 40; insurance 43–4; management 44–9; universe 88–9; work plan 187–91 risk assessment 44–9, 53, 87–8 risk control see business control; business control framework (BCF) risk-ranking matrix 46–7, 199 root cause weaknesses 260–2 rule-book mentality xxxiii–xxxiv Safety-II 52 Safety Differently 52 sampling 170–1, 224–5; reporting findings 232–3; sample size 230–2; techniques 225–9 sausage machine (the) 239 scarcity 27 security standards 114 seek-sort-share 140–1 selection see audit team senior management 154–5; business environment 37–8; closing presentation 283–7 see also auditee relationship severity 49 shareholders 37 Shewhart, W 58 site visit 180–1 sixty-second rule 236–7 sociocultural factors 15–16 soft auditing skills 124 spongy hands 36 stakeholders 49, 74–5 standards see recognized standards state banks 29 statistics 232 structured means of control 73–7 Sugar, Lord Alan Sun Tzu 55–6 Swiss cheese model 83 SWOT analysis 11–12 System of Profound Knowledge 59–60 systems-based organizational theory 19 Taylor, F.W 19 team see audit team teamwork 235–6, 248–50; external consultation 249–50; first meeting 238; internal confirmation of findings 248; language use 239–47; peer review 250; sausage machine 239; sixty-second rule 236–7; united face 249 see also audit team technology 1, 16, 35–6 terms of reference (ToR) 118–19, 138, 173–5, 182–3 test see verify time and resource planning 115–17, 137, 185–6 tips (for auditors) Titanic 44 top-down see conduct stage totalitarian government 22 trans-frontier government see international governance Trump, D UK xxxiv, 52 Union Carbide 99–100 United Nations (UN) 24 USA xxxiii–xxxiv verify physical evidence 228 verify sub-stage 216–22 INDEX virtual structure 21 vision statements 84–6 wall charts 265–8 weaknesses see business control weaknesses Who Moved My Cheese 16 work plan 187–91, 254–5 World Bank 30 world banks 29–30 World Trade Organization (WTO) 25 writing 290–1 Zakaria, F 35 Zukav, G 148 367 ... HSEQ performance Health and Safety, Environment and Quality Audits includes the latest health and safety, environmental and quality management system standards – ISO 900 1, ISO 14001 and ISO 45001.. .Health and Safety, Environment and Quality Audits Internal auditing is an essential tool for managing compliance, and for initiating and driving continual improvement in any organization’s... management, and enables an opportunity to alert and where appropriate to advise management on actions to be taken This book, Health & Safety, Environment and Quality Audits: A Risk-based Approach, offers