iso14000-digest Wednesday, August 26 1998 Volume 02 : Number 041
----------------------------------------------------------------------
Date: Tue, 25 Aug 1998 08:15:07 -0700
From: "Bert P. Krages"
Subject: Re: Legal compliance - to audit or not to audit?
Sally Goodman is to be commended for raising an interesting issue regarding
how auditing for legal compliance fits within the ISO 14000 framework. It
is unfortunate that other members of the list struggle to participate in a
mature and professional manner. This being said, it seems that there may
be some misunderstanding regarding auditing for compliance issues and how
attorneys participate in the process.
Like it or not, enforcement liability is major motivator for compliance in
the United States since the federal government has chosen a punitive
approach to environmental regulation. Since organizations in the United
States are exposed to substantial civil and criminal liabilities, it is
little wonder that they use legal counsel when managing their environmental
affairs.
ISO 14000 allows for a wide degree of flexibility but its primary purpose
is to improve the effectiveness of an organization's environmental
management system regardless of whether the system is oriented toward
reducing environmental impacts or to achieving compliance with legal
requirements. Similarly, auditing can be directed towards different
objectives. A procedural audit reviews the environmental management system
and assesses the capability of the system in achieving the organization's
objectives. A compliance audit is directed towards discovering instances
of noncompliance and may dispense with looking at management systems
altogether. A property audit is intended to discover the existence of
contamination issues that may affect the liabilities of subsequent owners.
As Ms. Baldi correctly points out, a procedural audit needs to verify that
organizations evaluate compliance issues and have mechanisms in place for
corrective action. Procedural audits do not require that auditors discover
and document instances of noncompliance. The decision regarding the extent
to which a procedural audit addresses specific instances of noncompliance
should be made by the senior management of the organization. Attorneys
should not make the ultimate decision regarding this issue but neither
should auditors. However, once senior management has requested counsel to
advise on the scope of the audit, the auditors should abide by the decision.
With regard to compliance audits, it is again the perogative of senior
management to determine whether the audit is to be done under the attorney
client privilege. In the United States, the attorney client privilege
protects confidential communications relating to legal services between
attorneys and clients from being discovered by government agencies and
private litigants. Audits that are not conducted pursuant to this
privilege are discoverable by federal agencies and by all parties in States
that have not enacted audit privileges. I can speak from experience that
these audits are always requested in civil and criminal enforcement actions
and have served as the basis for enhanced enforcement against clients.
Since it is the client that bear the consequences of having an audit
disclosed to adverse parties, attorneys and auditors need to be sensitive
to the client's wishes regarding whether confidentiality is to be protected.
Finally, with regard to Mr. Wurster's remark alluding to the current
investigation of the President of the United States, compliance with the
law and the legal process are values that are held strongly in the United
States. Citizens of other countries may place less value on adherence to
the justice system (which ISO 14000 accomodates at least to some extent)
but such differences do not justify attacks on either the cultural values
of other countries or or on members of individual professions. Flippant
suggestions that environmental laws may be disregarded at will (e.g.,
refusing to provide unprivileged audit documents when requested by
regulatory agencies) do not reflect the reality that such misconduct can
lead to serious punitive consequences in the United States. Auditors and
attorneys serve their clients poorly when they do not take this into account.
At 08:29 PM 8/24/1998 -0300, Dan Wurster wrote:
>It seems to me that we have lost sight of why we are auditing when we stop
>checking for compliance because a lawyer told us that it was wrong.
>
>I always thought that lawyers were around to offer advice, when asked, and
>not to run things. Of course with contingency fees, too many lawyers, loss
>of morality ( fostered by lawyers, who else gains by it ) perhaps we should
>stop and think about why we are doing the audit in the first place.
>
>Isn't the objective to maintain and improve the environment?
>
>For those who have gone thru QS9000, there were sections in there which
>asked what you have in place to ensure compliance with legislative
>standards.
>
>Lets not skip daintily around the question of whether a facility is in
>compliance or not. And lets not have the regulators insist that they have
>the right to seize our audit documents.
>
>Two wrongs do not make a right. YES, audit, and YES, check for compliance.
>
>Companies being audited have to agree, before the audit to act on
>non-compliance, immediately. And regulators have to foster audits because
>its helping them do their jobs, and its the right thing to do.
>
>And lets keep the lawyers where they belong, arguing with Wolf Blitzer
>about someones sex life.
>
>Dan Wurster, MICHELIN
>Box 1883
>Stellarton, NS, B0K 1S0
>wurstd@north.nsis.com
>
>The usual disclaimers, esp. for my typing!
>
>
Bert P. Krages II
Environmental Law and Mediation
900 S.W. Fifth Avenue, Suite 1900
Portland, Oregon 97204
Law:
Mediation:
------------------------------
Date: Tue, 25 Aug 1998 14:53:51 -0400
From: "Robert Clifford, Jr."
Subject: re: Auditing for Legal Compliance
As one who has conducted both EMS audits and environmental regulatory
compliance audits, I agree with the points in this discussion that indicate
an audit for conformance with ISO 14001 need consider only that an
organization has a process for identifying its legal requirements and a
process for determining that it is meeting them. The extent to which it is
meeting its legal requirements, i.e. compliance, can be an indicator that
the process is, or is not, functional -- but is really no more than an
indicator.
During EMS audits, I've often discovered instances of regulatory
non-compliance but then focused on "swimming upstream" to identify if a
potential management system non-conformance was responsible. In my
experience, remarkably, a management system non-conformance was frequently
involved ! Some of these were major -- most were minor nonconformances.
The ways in which they led to non-compliance were always illuminating.
This critical issue will become related to the larger, developing issue of
auditor credibility, which will grow in importance as more environmental
professionals enter the auditing arena. I fear that many won't be able to
differentiate between compliance with regulation, which they're more
familiar with, and conformance with the standard. They'll end up doing
their clients a diservice by wasting time thumbing through waste manifests
when they should be thumbing through procedure revisions. Other than the
audit procedure -- protocol development; opening meeting; interviews;
document review; closing meeting; report -- EMS audits and regulatory
compliance audits are totally different animals.
Robert Clifford, Jr., Vice President
ISO Environmental Consultancy, Inc.
1103 Glenwood Blvd.
Schenectady NY 12308-2503
518-393-3392
clifford@quality.org
------------------------------
Date: Tue, 25 Aug 1998 22:05:13 +0200
From: "Pepper, John"
Subject: RE: Request for DNV insights
Dear Diana
Regarding your points below:
1. You could call things what you like, however, hazards and risks are
not necessarily the same as aspects and impacts (effects,
consequences, whatever). Be cautious also and make sure resource based
issues have been included - using energy badly is not normally a
hazard nor a risk.
2. I would not normally raise an H&S nonconformance in a 14001 audit -
therefore it would not effect certification.
3. I would except flexibility, but I would have though the benefits of
getting the approach sorted out just once (and then providing the
methodology to the other sites) would outweigh the benefits of
differing approaches.
4. Pilot "sites" are reasonably common, but from our perspective, it
doesn't really matter.
5. Yes, we can and do adjust the periods of the scheduled audits to
get them happening on an integrated basis. As long as this is
reasonable and can be justified, any certification body should be able
to offer the same.
DNV policy is to provide local accredited certification where this
exists, having a range of accreditations worldwide. It is now
accredited for ISO 14001and./or EMAS in the UK, The Netherlands,
Finland, Denmark, Germany, Norway, Sweden, USA, France, Japan, Italy
and Australia. If we do not have local accreditation, we normally use
either the UKAS scheme or the Dutch RvA scheme - for example in Korea,
Iran and Oman to name some countries where we have done some recent
audits.
John Pepper
Lead EMS Auditor
Det Norske Veritas Quality Assurance Ltd
Palace House
3 Cathedral Street
London SE1 9DE
United Kingdom
Tel + 44 (0) 171 357 6080 (Main Switchboard)
(E-mail) john.pepper@dnv.com
- -----Original Message-----
From: Diana Baldi [SMTP:Baldifamily@compuserve.com]
Sent: Friday, August 21, 1998 5:33 AM
To: ,Pepper, John ; ISO 14001 discussion group
Subject: Request for DNV insights
To any 14001 registrar,
I am working with several clients for ISO 9001 that are implementing
14001.
I am interested in getting acquainted with any key interpretations
that
registrar's have developed during the early implementation phases.
Some of
these clients have very mature EMSs and have fully integrated EH&S.
They
are migrating to a QEH&S system.
As you know, this approach can be better for the business but can be
quite
a challenge to actually do well. Especially if their 9001 system is
burdening in its documentation.
Here are a couple specific questions:
1. Since the EMS is mature--with very different numbering than 14001,
do
you agree that as long as we index requirements to where you'll find
them
that we can call "things" what we want? For example aspects and
impacts
could be called hazards and risks since they also include safety and
health
in the process.
2. Even with the EH&S being integrated, would any nonconformance that
was
noted pertained to H&S, not be one for 14001 (granted, that there was
a
reasonable delineation--not trying to shroud a valid E
nonconformance).
The company would want to know, but not have a 14001 registration
"blackmark".
3. For multi-site registrations, what do you expect for the level of
consistency in the procedure for aspects and impact identification
and
methodology for determining significance? This was not one of the
categories that has been stated by one registrar to be required to be
coordinated at the highest level (like audits, management review, and
evaluation of corrective action effectiveness). Does this mean,
flexibility is acceptable for each site in the scope of registration?
4. What do you recommend for adding sites into the larger scope?
What
approaches have been a nightmare to manage from the registrar's side?
Some
clients want to be able to add onesies and twosies and some want to
have a
pilot site or two then register the rest all at once. I'd like to be
able
to assist them chose what will be more workable from both your side
and
theirs. I know you can't "consult", but if you have any factual info
that
would help us decide what to request of you in the quote, it would
help us.
5. As a follow-on to question 4, have you experienced any "learnings"
in
trying to do integrated, sequential, or concurrent audits for 14001
and
9001? A question keeps coming up about trying to adjust the 14001
implementation schedule to coincide with 9001 periodic audits and/or
the 3
year full reassessment. Any comments??
Since these clients are global, it would be helpful to me if your
reply
included the accreditations your Registration Service holds.
Thank you.
Diana Baldi
.
------------------------------
Date: Tue, 25 Aug 1998 18:15:14 -0400
From: HY BRAVERMAN
Subject: Re: Request for DNV insights
Without trying to rehash all the messages, or bashing another
profession.
However, the nature of the this EMS beast is that it's too big to get
your arms around it without some help. According to my perspective, if
you plan, design and implement a sane information architecture, you can
get a better picture of this effort. The key term to remember is
"SANE", not expensive and technologically complex. A system design
thats is not shaped by techno, ego driven people.
The goal is to stop pollution, and make busiensses efficent and
profitable and great places to work. (DREAMING!) But it can be done one
company at a time, even though some folks have biases against computers
and the people who make them work. It's a small planet, we can get
along with clean water, air, land and food.
Thats it. No commercials either........................over and out>>>
hy
------------------------------
Date: Tue, 25 Aug 1998 22:17:32 -0400
From: Jerry Perrich
Subject: The EHS Networkq
Announcing ^Ö a new online resource for Environmental, Health and Safety
professionals!
The EHS Network
The Single Source for EHS Information, Education and Training
http://www.ehsn.com.
A free service to the EHS Community that helps you locate and publicize
EHS resources. Some of the great features you can use are:
***Free searching to find the EHS Resources you want.
***Free customized, email notification to you about new EHS Resources
***Free posting of your EHS Resources.
The EHS Network currently includes more than 25,000 EHS Resources
organized into 6 categories:
Who^Òs Who - people
EHS professionals from industry, government, academia including experts,
speakers, authors and trainers.
Directories ^Ö companies and organizations
consultants, educators/trainers, laboratories, legal services, agencies,
trade/industrial associations and public interest organizations.
Calendar - events
workshops, seminars, conventions, tradeshows, annual meetings ^Ö any EHS
related event local, regional, national and international, with calls
for papers and exhibitors
Marketplace - materials
software, books, magazines, subscription services, CBT ^Ö all types of
materials for education and training ^Ö some free!!!
Employment Forum ^Ö jobs and resumes
from permanent full-time to temporary part-time
Free Online ^Ö other internet resources
websites, listservs, newsgroups, and more ^Ö all the EHS resources online
that you can immediately link to and use.
Visit the EHS Network today and see what it can do for you!!!
Best wishes,
Dr. Jerry Perrich, PE
The EHS Network
The Single Source for EHS Information, Education and Training
http://www.ehsn.com
jperrich@ehsn.com
937-384-0084
937-859-9132 (fax)
------------------------------
Date: Wed, 26 Aug 1998 10:07:00 -0400
From: "Bursley, Juanita M"
Subject: RE: Legal compliance - to audit or not to audit?
To Bert Krages et. al.,
Bert, you did an excellent job of describing the important differences
between a strict compliance audit and a management system audit. My
only
addition would be that, in our organization, our corporate audits have
combined the two concepts for years for a comprehensive assessment of
the
effectiveness of our plants' Health, Safety & Environmental Protection
programs. The management system is not acceptable if implementation
of
the management system does not effectively achieve the company's goals
(in our case, full compliance with internal and legal requirements, as
a
minimum). Therefore, we assess the design, implementation, control
and
effectiveness (i.e. compliance) of the management system and
categorize
the findings accordingly, so local management can understand what went
wrong and apply the appropriate corrective action.
However, it is important to note that lack of any non-compliances does
not necessarily mean there is a good management system in place. To
illustrate this point, I'll share one of my own experiences when one
of
the plants I audited (many years ago before they all "got religion")
had
trouble understanding why SARA reporting was an internal "management
system" compliance finding, when I could find no specific violations
during the audit period due to the types and quantities of materials
currently managed on-site. In this case, the plant barely knew what I
was referring to in my questioning and certainly had no management
system
in place, whatsoever, to ensure compliance. Fortunately, I was later
more successful in convincing local management that it was best not to
manage any part of our business that could cause us significant
liability
by, what simply amounted to, "dumb luck"!
As all this applies specifically to the ISO-14001 certification
process,
I would expect the auditor would have to spend sufficient time
reviewing
enough records to verify that the environmental management systems
were
effective, i.e. designed, implemented and controlled such that the
company's goals (including legal compliance) were achieved.
P.S. For the record, I'm not a lawyer but respect that they do indeed
have an important role to play (although obviously not always
respected
and fully understood) in protecting a company's liabilities.
Juanita Bursley
Juanita.Bursley@UCAR.com
______________________________ Reply Separator
_________________________________
Subject: Re: Legal compliance - to audit or not to audit?
Author: ,Bert P. Krages [SMTP:krages@teleport.com] at WWWEB
Date: 8/25/98 11:15 AM
Sally Goodman is to be commended for raising an interesting issue
regarding
how auditing for legal compliance fits within the ISO 14000 framework.
It
is unfortunate that other members of the list struggle to participate in
a
mature and professional manner. This being said, it seems that there
may
be some misunderstanding regarding auditing for compliance issues and
how
attorneys participate in the process.
Like it or not, enforcement liability is major motivator for compliance
in
the United States since the federal government has chosen a punitive
approach to environmental regulation. Since organizations in the United
States are exposed to substantial civil and criminal liabilities, it is
little wonder that they use legal counsel when managing their
environmental
affairs.
ISO 14000 allows for a wide degree of flexibility but its primary
purpose
is to improve the effectiveness of an organization's environmental
management system regardless of whether the system is oriented toward
reducing environmental impacts or to achieving compliance with legal
requirements. Similarly, auditing can be directed towards different
objectives. A procedural audit reviews the environmental management
system
and assesses the capability of the system in achieving the
organization's
objectives. A compliance audit is directed towards discovering
instances
of noncompliance and may dispense with looking at management systems
altogether. A property audit is intended to discover the existence of
contamination issues that may affect the liabilities of subsequent
owners.
As Ms. Baldi correctly points out, a procedural audit needs to verify
that
organizations evaluate compliance issues and have mechanisms in place
for
corrective action. Procedural audits do not require that auditors
discover
and document instances of noncompliance. The decision regarding the
extent
to which a procedural audit addresses specific instances of
noncompliance
should be made by the senior management of the organization. Attorneys
should not make the ultimate decision regarding this issue but neither
should auditors. However, once senior management has requested counsel
to
advise on the scope of the audit, the auditors should abide by the
decision.
With regard to compliance audits, it is again the perogative of senior
management to determine whether the audit is to be done under the
attorney
client privilege. In the United States, the attorney client privilege
protects confidential communications relating to legal services between
attorneys and clients from being discovered by government agencies and
private litigants. Audits that are not conducted pursuant to this
privilege are discoverable by federal agencies and by all parties in
States
that have not enacted audit privileges. I can speak from experience
that
these audits are always requested in civil and criminal enforcement
actions
and have served as the basis for enhanced enforcement against clients.
Since it is the client that bear the consequences of having an audit
disclosed to adverse parties, attorneys and auditors need to be
sensitive
to the client's wishes regarding whether confidentiality is to be
protected.
Finally, with regard to Mr. Wurster's remark alluding to the current
investigation of the President of the United States, compliance with the
law and the legal process are values that are held strongly in the
United
States. Citizens of other countries may place less value on adherence
to
the justice system (which ISO 14000 accomodates at least to some extent)
but such differences do not justify attacks on either the cultural
values
of other countries or or on members of individual professions. Flippant
suggestions that environmental laws may be disregarded at will (e.g.,
refusing to provide unprivileged audit documents when requested by
regulatory agencies) do not reflect the reality that such misconduct can
lead to serious punitive consequences in the United States. Auditors
and
attorneys serve their clients poorly when they do not take this into
account.
At 08:29 PM 8/24/1998 -0300, Dan Wurster wrote:
>It seems to me that we have lost sight of why we are auditing when we
stop
>checking for compliance because a lawyer told us that it was wrong.
>
>I always thought that lawyers were around to offer advice, when asked,
and
>not to run things. Of course with contingency fees, too many lawyers,
loss
>of morality ( fostered by lawyers, who else gains by it ) perhaps we
should
>stop and think about why we are doing the audit in the first place.
>
>Isn't the objective to maintain and improve the environment?
>
>For those who have gone thru QS9000, there were sections in there which
>asked what you have in place to ensure compliance with legislative
>standards.
>
>Lets not skip daintily around the question of whether a facility is in
>compliance or not. And lets not have the regulators insist that they
have
>the right to seize our audit documents.
>
>Two wrongs do not make a right. YES, audit, and YES, check for
compliance.
>
>Companies being audited have to agree, before the audit to act on
>non-compliance, immediately. And regulators have to foster audits
because
>its helping them do their jobs, and its the right thing to do.
>
>And lets keep the lawyers where they belong, arguing with Wolf Blitzer
>about someones sex life.
>
>Dan Wurster, MICHELIN
>Box 1883
>Stellarton, NS, B0K 1S0
>wurstd@north.nsis.com
>
>The usual disclaimers, esp. for my typing!
>
>
Bert P. Krages II
Environmental Law and Mediation
900 S.W. Fifth Avenue, Suite 1900
Portland, Oregon 97204
Law:
Mediation:
------------------------------
Date: Wed, 26 Aug 1998 12:40:45 -0400
From: "Connie G. Ritzert"
Subject: RE: Legal compliance - to audit or not to audit?
Juanita:
Thanks for making the point that "passing" a compliance audit does not mean
there is a good management system in place - point too often forgotten.
Also, I agree ( from experience) that one can have an effective combined
system audit and compliance audit program, but it is not easy. You must
balance the efficiency benefits against the complexity. It takes time to
get all parties (auditors and auditees) to understand the differences and
keep issues straight.
Connie Ritzert critzert@fyi.net
Meredith-EMC
Mars, PA USA
- -----Original Message-----
From: Bursley, Juanita M [SMTP:Juanita.Bursley@ucar.com]
Sent: Wednesday, August 26, 1998 10:07 AM
To: ,iso14000@quality.org ; ,Bert P. Krages
Subject: RE: Legal compliance - to audit or not to audit?
To Bert Krages et. al.,
Bert, you did an excellent job of describing the important differences
between a strict compliance audit and a management system audit. My
only
addition would be that, in our organization, our corporate audits have
combined the two concepts for years for a comprehensive assessment of
the
effectiveness of our plants' Health, Safety & Environmental Protection
programs. The management system is not acceptable if implementation
of
the management system does not effectively achieve the company's goals
(in our case, full compliance with internal and legal requirements, as
a
minimum). Therefore, we assess the design, implementation, control
and
effectiveness (i.e. compliance) of the management system and
categorize
the findings accordingly, so local management can understand what went
wrong and apply the appropriate corrective action.
However, it is important to note that lack of any non-compliances does
not necessarily mean there is a good management system in place. To
illustrate this point, I'll share one of my own experiences when one
of
the plants I audited (many years ago before they all "got religion")
had
trouble understanding why SARA reporting was an internal "management
system" compliance finding, when I could find no specific violations
during the audit period due to the types and quantities of materials
currently managed on-site. In this case, the plant barely knew what I
was referring to in my questioning and certainly had no management
system
in place, whatsoever, to ensure compliance. Fortunately, I was later
more successful in convincing local management that it was best not to
manage any part of our business that could cause us significant
liability
by, what simply amounted to, "dumb luck"!
As all this applies specifically to the ISO-14001 certification
process,
I would expect the auditor would have to spend sufficient time
reviewing
enough records to verify that the environmental management systems
were
effective, i.e. designed, implemented and controlled such that the
company's goals (including legal compliance) were achieved.
P.S. For the record, I'm not a lawyer but respect that they do indeed
have an important role to play (although obviously not always
respected
and fully understood) in protecting a company's liabilities.
Juanita Bursley
Juanita.Bursley@UCAR.com
------------------------------
Date: Wed, 26 Aug 1998 13:07:47 -0400
From: Reinaldo Ramirez
Subject: Re: Legal compliance - to audit or not to audit?
Bursley, Juanita M wrote:
>
> To Bert Krages et. al.,
>
> Bert, you did an excellent job of describing the important differences
>
> between a strict compliance audit and a management system audit. My
> only
> addition would be that, in our organization, our corporate audits have
>
> combined the two concepts for years for a comprehensive assessment of
> the
> effectiveness of our plants' Health, Safety & Environmental Protection
>
> programs. The management system is not acceptable if implementation
> of
> the management system does not effectively achieve the company's goals
>
> (in our case, full compliance with internal and legal requirements, as
> a
> minimum). Therefore, we assess the design, implementation, control
> and
> effectiveness (i.e. compliance) of the management system and
> categorize
> the findings accordingly, so local management can understand what went
>
> wrong and apply the appropriate corrective action.
>
> However, it is important to note that lack of any non-compliances does
>
> not necessarily mean there is a good management system in place. To
> illustrate this point, I'll share one of my own experiences when one
> of
> the plants I audited (many years ago before they all "got religion")
> had
> trouble understanding why SARA reporting was an internal "management
> system" compliance finding, when I could find no specific violations
> during the audit period due to the types and quantities of materials
> currently managed on-site. In this case, the plant barely knew what I
>
> was referring to in my questioning and certainly had no management
> system
> in place, whatsoever, to ensure compliance. Fortunately, I was later
> more successful in convincing local management that it was best not to
>
> manage any part of our business that could cause us significant
> liability
> by, what simply amounted to, "dumb luck"!
>
>
> As all this applies specifically to the ISO-14001 certification
> process,
> I would expect the auditor would have to spend sufficient time
> reviewing
> enough records to verify that the environmental management systems
> were
> effective, i.e. designed, implemented and controlled such that the
> company's goals (including legal compliance) were achieved.
>
> P.S. For the record, I'm not a lawyer but respect that they do indeed
>
> have an important role to play (although obviously not always
> respected
> and fully understood) in protecting a company's liabilities.
>
> Juanita Bursley
>
> Juanita.Bursley@UCAR.com
>
>
> ______________________________ Reply Separator
> _________________________________
> Subject: Re: Legal compliance - to audit or not to audit?
> Author: ,Bert P. Krages [SMTP:krages@teleport.com] at WWWEB
> Date: 8/25/98 11:15 AM
>
>
> Sally Goodman is to be commended for raising an interesting issue
> regarding
> how auditing for legal compliance fits within the ISO 14000 framework.
> It
> is unfortunate that other members of the list struggle to participate in
> a
> mature and professional manner. This being said, it seems that there
> may
> be some misunderstanding regarding auditing for compliance issues and
> how
> attorneys participate in the process.
>
> Like it or not, enforcement liability is major motivator for compliance
> in
> the United States since the federal government has chosen a punitive
> approach to environmental regulation. Since organizations in the United
>
> States are exposed to substantial civil and criminal liabilities, it is
> little wonder that they use legal counsel when managing their
> environmental
> affairs.
>
> ISO 14000 allows for a wide degree of flexibility but its primary
> purpose
> is to improve the effectiveness of an organization's environmental
> management system regardless of whether the system is oriented toward
> reducing environmental impacts or to achieving compliance with legal
> requirements. Similarly, auditing can be directed towards different
> objectives. A procedural audit reviews the environmental management
> system
> and assesses the capability of the system in achieving the
> organization's
> objectives. A compliance audit is directed towards discovering
> instances
> of noncompliance and may dispense with looking at management systems
> altogether. A property audit is intended to discover the existence of
> contamination issues that may affect the liabilities of subsequent
> owners.
>
> As Ms. Baldi correctly points out, a procedural audit needs to verify
> that
> organizations evaluate compliance issues and have mechanisms in place
> for
> corrective action. Procedural audits do not require that auditors
> discover
> and document instances of noncompliance. The decision regarding the
> extent
> to which a procedural audit addresses specific instances of
> noncompliance
> should be made by the senior management of the organization. Attorneys
> should not make the ultimate decision regarding this issue but neither
> should auditors. However, once senior management has requested counsel
> to
> advise on the scope of the audit, the auditors should abide by the
> decision.
>
> With regard to compliance audits, it is again the perogative of senior
> management to determine whether the audit is to be done under the
> attorney
> client privilege. In the United States, the attorney client privilege
> protects confidential communications relating to legal services between
> attorneys and clients from being discovered by government agencies and
> private litigants. Audits that are not conducted pursuant to this
> privilege are discoverable by federal agencies and by all parties in
> States
> that have not enacted audit privileges. I can speak from experience
> that
> these audits are always requested in civil and criminal enforcement
> actions
> and have served as the basis for enhanced enforcement against clients.
> Since it is the client that bear the consequences of having an audit
> disclosed to adverse parties, attorneys and auditors need to be
> sensitive
> to the client's wishes regarding whether confidentiality is to be
> protected.
>
> Finally, with regard to Mr. Wurster's remark alluding to the current
> investigation of the President of the United States, compliance with the
>
> law and the legal process are values that are held strongly in the
> United
> States. Citizens of other countries may place less value on adherence
> to
> the justice system (which ISO 14000 accomodates at least to some extent)
>
> but such differences do not justify attacks on either the cultural
> values
> of other countries or or on members of individual professions. Flippant
>
> suggestions that environmental laws may be disregarded at will (e.g.,
> refusing to provide unprivileged audit documents when requested by
> regulatory agencies) do not reflect the reality that such misconduct can
>
> lead to serious punitive consequences in the United States. Auditors
> and
> attorneys serve their clients poorly when they do not take this into
> account.
>
> At 08:29 PM 8/24/1998 -0300, Dan Wurster wrote:
> >It seems to me that we have lost sight of why we are auditing when we
> stop
> >checking for compliance because a lawyer told us that it was wrong.
> >
> >I always thought that lawyers were around to offer advice, when asked,
> and
> >not to run things. Of course with contingency fees, too many lawyers,
> loss
> >of morality ( fostered by lawyers, who else gains by it ) perhaps we
> should
> >stop and think about why we are doing the audit in the first place.
> >
> >Isn't the objective to maintain and improve the environment?
> >
> >For those who have gone thru QS9000, there were sections in there which
>
> >asked what you have in place to ensure compliance with legislative
> >standards.
> >
> >Lets not skip daintily around the question of whether a facility is in
> >compliance or not. And lets not have the regulators insist that they
> have
> >the right to seize our audit documents.
> >
> >Two wrongs do not make a right. YES, audit, and YES, check for
> compliance.
> >
> >Companies being audited have to agree, before the audit to act on
> >non-compliance, immediately. And regulators have to foster audits
> because
> >its helping them do their jobs, and its the right thing to do.
> >
> >And lets keep the lawyers where they belong, arguing with Wolf Blitzer
> >about someones sex life.
> >
> >Dan Wurster, MICHELIN
> >Box 1883
> >Stellarton, NS, B0K 1S0
> >wurstd@north.nsis.com
> >
> >The usual disclaimers, esp. for my typing!
> >
> >
>
> Bert P. Krages II
> Environmental Law and Mediation
> 900 S.W. Fifth Avenue, Suite 1900
> Portland, Oregon 97204
> Law:
> Mediation:
_______________________________________________________________________________________________________________
_______________________________________________________________________________________________________________
I wish to express myself regarding the important differences between a
strict compliance audit and a management system audit.
(The management system is not acceptable if implementation of the
management system does not effectively achieve the company's goals)
The key point, according to the Dr. Deming´s SYSTEM OF PROFUND
KNOWLEDGE (SPOK): a system is a network of
interdependent components that work together to try the accomplis the
aim of the system. Then the system must have an aim.
Without an aim, there is no system.
The ISO 14001 was designed taking account the P-D-S-A cycle which is
integral part of the SPOK. Then the components of
the system, legal compliance and management system and others
subsystem, must be managed knowing the interrelationships
between all the components within the system and the people that work
in it (managers are people too); so the system will not
manage itself.
(However, it is important to note that lack of any non-compliances
does not necessarily mean there is a good management system in
place.)
This concept is related to the concept of variation. One of the main
scopes of an quality or environmental (system) audit is to give the
auditee the opportunity to improve the system (common causes of
variation) so the ISO 14010 take account of this matter in 4.1 c) and
d). This concept is a key factor to qualify the environmental
auditors, according to the point 5, c), and e) of ISO 14012, in order
to avoid the addition of special causes of variation to the system.
According to EN 45012 and 45013, the Registrar and the Auditors (both)
play an importan role in the quality of the audit, but we (the
supplier or the auditee) can not rely the reliability of the (quality
or environmental) system in the auditors. We need to know how to
design the system taking account the theories of the SPOK (see as a
guide: Point 4 of ISO 14004) . The auditee has the responsibilities
to be aware of the point 4.2.3 per EN-45012 and 45013 and to control
point 4.2.5 c) both of ISO 14011 to avoid the addition of "unexpected"
variation during the audits.
It is important to say that I learned a lot with the discussion of the
legal compliance vs management system audit. We must audit at least
quarterly.
Respectfully,
Reinaldo Ramirez.
------------------------------
Date: Wed, 26 Aug 1998 20:58:14 +0200
From: "Vianna, Sidney"
Subject: [none]
Diana Baldi asked:
". . .2. Even with the EH&S being integrated, would any nonconformance
that was noted pertained to H&S, not be one for 14001 (granted, that
there was a reasonable delineation-not trying to shroud a valid E
nonconformance). The company would want to know, but not have a 14001
registration "blackmark". . . ."
I believe that progressive organizations realize the benefits of
integrated management systems, instead of compartimentalized ones. We
will see more and more integrated Quality, OH&S, IT and Environmental
systems. It is a natural concern for companies that embrace this
approach to be "written up" by an external auditor for issues that are
not part of the scope of the audit. For those who are concerned with
that, I am re-posting an answer that I had sent to the ISO 9000
Discussion list, last year, on this same subject.
" . . .A good auditor has to remain within the scope of the audit.
Actually this is a requirement of ISO 10011(most QMS auditors should
follow it). So, if I am auditing a system to verify compliance against
the requirements of ISO 9001, I have to refrain from going into areas
that do not pertain to the requirements of such standard.
For example, if I am performing a quality system audit, I would have
no business auditing waste management (which, by definition in ISO
9001, par. 3.1 - by-product - clearly falls outside the scope of this
standard).
Similarly, I should not get involved with fire-extinguishers,
emergency escapes, etc . . . I reckon that there would be some gray
zones, where it is not clear to determine if an issue is purely a
safety problem vs a quality problem, but for the most part of it, I
believe that experienced quality, safety and environmental auditors
realize very well their boundaries during an audit.
Please understand that it does not mean that I do not care about
safety and environmental issues if I am performing a QMS audit, but I
just have to stick to the plan. During the audit, if I happen to see
what I consider to be an unsafe situation, or an environmental
violation, I would certainly bring this to the attention of the
management of the company that I am auditing, but these occurrences
have no ground to be a non-compliance to the ISO 9001 requirements.
An "all-encompassing procedure" (meaning a procedure that describes a
process, from a quality, safety and environmental perspectives) should
help a company in controlling the operation. Thus, I for one,
encourage such approach. Why have three sets of disconnected manuals
(Q,S & E) if one does it much better? Why train an operator 3
different times, for safety, quality and environmental aspects if what
you really want to control is the process?. . ."
Thanks and regards,
Sidney Vianna
Western District Manager
DNV Certification - Long Beach, CA
Tel. 562/435-1908 ext. 209
sidney.vianna@dnv.com
http://www.dnvcert.com
------------------------------
End of iso14000-digest V2 #41
*****************************