At Safety 2020, the annual conference of the American Society of Safety Professionals, presented virtually amid the COVID-19 pandemic, Adele Abrams, Esq., CMSP, President of the Law Office of Adele L. Abrams P.C., and Glenna Smith, CMSP, Director of Consulting and Training at McCraren Compliance, discussed the benefits and potential pitfalls of workplace safety audits in a session titled Workplace Examinations, Inspections and Audits: Beyond Compliance.
Workplace audits carry a number of benefits, Abrams noted, such as identifying potential violations in advance of inspections, bringing an objective viewpoint to identify opportunities to improve safety processes, or obtaining certification with a consensus standard such as OHSAS 18001 or ISO 14000 or eligibility for OSHA’s Voluntary Protection Programs (VPP). But if not properly managed, audits can create an incriminating paper trail that can substantiate violations, heighten liability for negligence, and even trigger criminal prosecutions.
A number of OSHA standards require inspections that could be characterized as audits, including the walking/working surfaces rule, the PPE hazard assessment rule, and more detailed requirements under the process safety management (PSM) and hazardous waste operations and emergency response (HAZWOPER) standard. But regulations are minimum standards; by themselves, they do not ensure a safe workplace. For companies that seek to exceed minimum compliance, audits that go beyond required inspections can be an important tool to identify gaps and improve safety performance.
When required by a regulation, an inspection or audit must be disclosed to OSHA on request. But for other types of workplace audits, the rules surrounding privilege and disclosure are more complicated. In general, OSHA seeks to encourage workplace audits, and the agency’s general policy is that an employer’s self-audit, if coupled with a good-faith attempt to correct any identified hazards, will not be used to issue citations. But this policy is not absolute. OSHA can often request and obtain company self-audits, and uncorrected hazards identified in audit documentation can form the basis for a willful violation or provide evidence for an employer’s pattern of violative conduct. Therefore, it is essential that the audit process does not end with hazard identification, but incorporates a process for correcting identified hazards promptly and documenting corrective actions.
Internal vs. third-party
When beginning an audit program, the first decision a company faces is whether to do the audit internally or use a third-party consultant. There are benefits and drawbacks to each option, Smith explained. Internal audits are typically less costly, can demonstrate company management’s commitment to safety, and can benefit from an internal auditor’s familiarity with the company’s operating procedures and established safety practices. However, an internal auditor may have limited experience conducting safety and health audits, and the audit may not provide a truly objective assessment of the company’s safety strengths and weaknesses. Employees may also be less forthcoming during an internal audit out of concerns about retaliation or challenging workplace dynamics associated with pointing out a hazard.
A third-party audit often benefits from the auditor’s training and expertise. For companies without full-time EHS staff, this can be particularly useful. However, this expertise comes at a cost—both financially and in terms of the time and resources needed to prepare for an external audit. And while third-party audits can offer greater objectivity, internal staff may resent what they perceive as an intrusion into their workflow and be reluctant to provide needed information to the external auditor. There is no one-size-fits-all answer; each organization select the course of action that best fits its audit goals, available resources, and other concerns.
Best practices for audits
To ensure that safety and health audits have their intended effect and avoid exposing the company to increased legal liability, organizations should follow these best practices:
- Create a document control system to create, store, use, and share audit documents while maintaining privilege (if applicable), and destroy or dispose of documents that no longer serve a purpose. Understand how long mandatory records must be maintained and which records must be made available during a government inspection.
- Understand what types of audit documents may be privileged and which are not. Generally, documents created in the normal course of business are not considered privileged. There is no “consultant-client privilege,” nor are communications with a workers’ compensation insurer privileged. Privilege does exist for attorney work products and attorney-client communications, but there are exceptions, and caution must be used to prevent inadvertently waiving this privilege. Photographs, videos, sampling data, and audio recordings cannot be privileged.
- Be careful of who audit documents are shared with. If a document is eligible for privilege, that privilege is lost—meaning the information becomes discoverable—if the document is shared outside of a select group of senior managers and legal counsel. Avoid storing sensitive audit information on unprotected servers and forwarding emails to individuals outside the privileged group.
- Do not release non-required records without corporate or legal approval, and always require OSHA to request records in writing during an inspection. Get counsel involved quickly when responding to or challenging and OSHA subpoena.
- Avoid using the terms “hazard” and “violation” interchangeably in audit documents. A hazard is not necessarily a violation of law, even if it violates an internal company policy, and carelessness with terminology may create the wrong impression.
- Avoid expressing opinions or making assumptions in audit documents.
- Act on significant findings as quickly as possible, using a risk assessment approach to demonstrate that a proper evaluation was made, employees were consulted, significant hazards were addressed, precautions are reasonable, and remaining risk is low.