Pro Tips for Best EHS Audits (Part 3): EHS Audit Follow-up

The purpose of an EHS audit follow-up is to check that EHS risk, including risk of noncompliance, is managed to a level that the organization considers acceptable. Noncompliance with applicable government laws and other requirements are examples of EHS risk sources that need to be controlled. An EHS audit checks that risk controls are in place and effective.  Risk controls can be engineering controls like air pollution control devices, administrative controls like training and work instructions and others.

EHS Audit Findings

The results of an audit are called findings. These can either be positive findings that the controls are in place and effective, or negative. Negative findings are nonconformance’s. Positive findings are good news but not something the organization needs to act on. Positive findings confirm that “what should be is” and that “what should not be is not.

Negative findings however are actionable and create opportunities to improve EHS performance. In Part 2 of this EHS Compliance Audit series, we discussed how negative findings are written and communicated verbally at the end of the audit. As a follow-up to the active evidence gathering and verbal reporting, a written report should be prepared and distributed to document the results of the audit.

Preparing the EHS Audit Follow-Up Report

The audit report presents the results to the auditee and others and helps an organization gauge EHS performance. The report should be concise and to the point and the tone of the report should be factual and nonjudgmental.   

A key part of the EHS audit follow-up report are the negative findings that were made during the audit. The EHS audit follow-up report formalizes the findings in a way that the auditee can act on them. The reported negative findings need to include enough information so that they can be investigated and ultimately fixed in a way that they do not happen again.

Here is an example outline for an EHS audit follow-up report.

  • Executive Summary
  • Background Purpose and Scope
  • Findings
  • Conclusions
  • Recommendations
  • Discussion
  • Appendices

Correction and Corrective Action

Negative EHS audit findings point to EHS risks that need to be better controlled. They are the result of a potential noncompliance with a legal requirement or discovery of some other issue. If left uncorrected they can increase risk and lead to enhanced legal action by a regulatory agency (knowing and willful violation). To avoid exposure to these enhanced penalties, it is important that organizations have a good corrective action process in place.

There are 5 steps in an effective corrective action processes.

  1. Short Term Correction
  2. Investigate the Cause
  3. Identify a Corrective Action
  4. Implement the Corrective Action
  5. Verify the Corrective Action is Effective

The following is a brief description of these steps.

Short Term Correction

Findings that identify a potential serious risk need to be addressed as soon as possible. Continuing to operate equipment that exposes workers to injury after a finding is made is bad business. If a worker were to become injured after the nonconformance was reported the penalties and fines could escalate dramatically.  A correction to quickly reduce the risk from the nonconformance needs to be put in place as soon as practical.

Investigate THE Cause

Once the correction has been put in place a corrective action plan needs to be established. Responsibility to investigate the cause of an audit finding should be assigned to someone with knowledge of and experience with the corrective action process. This knowledge and experience will help identify the root cause of the finding. Once the root cause is established an appropriate corrective action can be proposed that prevents the problem from recurring in the future.

Knowledge and use of root cause analysis tools like “5 Why Cause Analysis” ensure the cause of the unacceptable risk level is identified. Here is an example a “5 Why Cause Analysis”.

This example is for an incident that happened at a roll calendar for polishing extruded plastics sheets. An employee was caught in an in running nip between the rolls and luckily only sustained a recordable injury. This incident could have easily been an amputation or a fatality.

roll calendar for polishing extruded plastics sheets
Why was the OHS hazard of being caught in the nip on the calendar not addressed?The machine was new, and no one thought to do a Job Safety Analysis (JSA) before it was installed and operated.
Why did no one perform a JSA?Performing a JSA to review potential OHS hazards and risk are not part of the capital investment approval process.
Why was OHS hazard and risk review not part of the capital investment process?The manager of the extrusion department manager did not know that a JSA hazard and risk review should be undertaken for all new equipment as part of the purchase process.
Why was extrusion department manager unaware of the need to review hazards and risks for new equipment?An existing employee had recently been promoted to manager of the extrusion department and they had not been informed of the requirement.
Why had the new extrusion department manager not been informed?Our organization has not established a process to identify training needs and provide training to employees when they transfer to a new position within the company.
Table 1 – Example 5 why analysis

Identify a Corrective Action

Once the cause is established, a suitable corrective action can be identified to reduce the risk to an acceptable level. The effort needed to identify a suitable corrective action is proportional to the finding risk level. The higher the risk, the more effort needed to figure out the best way to address it. A finding that an emergency evacuation map could be hidden behind a door when it is opened, is much easier to correct than the finding of an ineffective control to treat wastewater discharge to a municipal sanitary sewer.  

The cause analysis process should have an approval step to confirm the cause analysis was performed with skill and that the corrective action is aligned with the identified cause of the finding. This review and approval can be done by the auditor who made the finding or others in the organization who can impartially review the cause and proposed corrective action.

If the cause and/or the proposed corrective action are found to be deficient during the review, the assignees should be consulted and asked to rethink the cause analysis and corrective action. The evaluation and approval of potential corrective actions requires striking a balance between risk and opportunity. It is not possible to reduce all risk levels to zero.

Some processes have hazards with risk that are difficult to control and the organization needs to think carefully about what level of risk it is willing to accept. In running nips on plastic extrusion rollers is a good example. It is very difficult to properly guard an in running nip on these machines. The guard would prevent the process from working properly.

As a result, the corrective action cannot be the elimination of the hazard or installation of a physical guard (engineering control).  Instead, there may need to be several independent controls such as installing a rope e-stop, providing training to employees on how to operate the process safely and even evaluating the operators competence to ensure they understand the hazard and the associated risk. 

Once both the cause and the corrective action(s) are approved the assignee should be authorized to implement the corrective action.

Implement the Corrective Action

The implementation of the chosen corrective action may take days, weeks or even months depending on what needs to be done. Moving an emergency evacuation sign to a better location can be done almost immediately while designing and installing an upgraded wastewater treatment process may take many months.

Verify the Corrective Action is Effective

Verification that the corrective action has been implemented and that it is effective is the last step in the process. It confirms that the problem causing risk, has reduced that risk. The verification can be done upon completion of the corrective action or during the next audit. When the corrective action is verified, it can be closed.

Tracking EHS Audit Corrective Action Progress

Historically, keeping track of progress toward completing corrective action was done with paper forms that went from in-basket to in-basket. Once complete they were placed in a file drawer for storage. Later, electronic methods including excel spreadsheets and other types of electronic documents were used with some success. However, these tracking methods require much effort and often lead to miscommunications or missed deadlines of incomplete corrective actions for findings. The result was the corrective action process was not successful in reducing risk in a timely fashion and increased risk to the organization. 

Within the last few years cloud-based applications have emerged that solved many of the problems with paper or spreadsheet corrective action tracking systems. These applications allow quick access to users and are readily accessible almost anywhere.

Modern corrective action application
Figure 1 – Modern Corrective Action Application

Cloud based database applications help organizations quickly find the status of any CA and drill down to details for each CA.

Figure 2 – Drill Down Corrective Actions Detail

Applications like CorrectTrack establish users permissions to view, change, verify and approve corrective actions. A permissions based peer review process also helps ensure that corrective actions are investigated thoroughly and verified before they are closed.

Other advantages of a cloud based app like CorrectTrack are:

  • Notify persons of status changes of a CA
  • Define a standard process for doing CA
  • At a glance dashboards for users
  • Provide notifications when CAs are coming due, or past due
  • Provide a record of who changed what, when and why
  • User permissions allow visibility of the CA system to leadership


Effective corrective action processes are powerful tools that help organizations improve EHS performance over time. Investing in, and continually improving the corrective action process will provide a significant short term and long term return.

This EHS Audit Follow-up post is part 3 of a three part article on EHS Auditing. Part 1 and 2 discussed how to plan an EHS audit and conduct an EHS audit. This concludes our three-part series on EHS audits.

We welcome and encourage feedback on this series. Contact us directly at and 262-949-2965, or visit us online for more information: ECSI or CorrectTrack.

ISO 45001 Webinar – FREE!

ISO 45001 is an international standard that helps organizations improve Occupational Health and Safety (OHS) performance.  The ISO 45001 standard can be used to ensure workers are safe by protecting them from workplace injury and ill health.  As the Vice Chair of the US Technical Advisory Group to ISO 45001, I have been seeing a significant rise in awareness of ISO 45001 benefits.  Environmental Compliance Systems, Inc has also helped many organizations plan, implement and integrate an ISO 45001 OHSMS with their other business management systems.   A recent webinar produced with ASSP describes the many benefits of an ISO 45001 OHSMS.  Here is a link to free ASSP webinar: Please watch if you are interested in improving your organizations OHS performance.

ISO 14001:2015 – What is a “Life Cycle Perspective”?

The term” life cycle” is not new to most, but the use of the term “Life Cycle Perspective” (LCP) in ISO 14001:2015 (2015) is one of the bigger changes in the most recent revision.  Organizations transitioning to the revision must think carefully about how to use a life cycle perspective when planning the transition to the 2015 revision.  2015 requires the use of a life cycle perspective when it states:


6.1.2 Environmental aspects
Within the defined scope of the environmental management system, the organization shall determine the environmental aspects of its activities, products and services that it can control and those that it can influence, and their associated environmental impacts, considering a life cycle perspective.

The previous version of 14001 (2004) only mentioned the term life cycle once in the Annex:

The identification of environmental aspects does not require a detailed life-cycle assessment. Information already developed for regulatory or other purposes may be used in this process

In 2015, the term life cycle appears 18 times, 7 of which are associated with the concept of perspective.  2015 does not explicitly define LCP stopping short and providing only a definition of term “life cycle”:

life cycle

consecutive and interlinked stages of a product (or service) system, from raw material acquisition or generation from natural resources to final disposal

Note 1 to entry: The life cycle stages include acquisition of raw materials, design, production, transportation/delivery, use, end-of-life treatment and final disposal.

[SOURCE: ISO 14044:2006, 3.1, modified ? The words “(or service)” have been added to the definition and Note 1 to entry has been added.]

So the major questions are:

  1. How should organizations use a life cycle perspective when planning its EMS?
  2. What sort of evidence will auditors expect to see to confirm a life cycle perspective was used in planning an EMS?

Using a life cycle perspective when planning an EMS.

The introduction of 2015 provides some insight into what the standard means by Life Cycle Perspective when it states:

A systematic approach to environmental management can provide top management with information to build success over the long term and create options for contributing to sustainable development by controlling or influencing the way the organization’s products and services are designed, manufactured, distributed, consumed and disposed by using a life cycle perspective that can prevent environmental impacts from being unintentionally shifted elsewhere within the life cycle.

This statement suggests the purpose of using a life cycle perspective is to prevent the unintentional transfer of environmental impacts.  In order to do this, organizations need to expand their view of the impacts derived from their product and services beyond the property fence line.  Organizations need to look up their supply chain to understand the environmental impacts caused by their suppliers and those supplying their suppliers.   In doing so, the organization may be able to identify environmental impacts of which they had been previously unaware.  Armed with this new information the organization can then consider what, if any, control or influence they have over these supply chain environmental impacts.

Similarly, organizations will need to look down supply chains to identify environmental impacts that derive from the use of their products or services by their customers and end users. Also, they need to  evaluate their ability to control or influence these impacts..

Once these up chain and down chain impacts have been identified, 2015 expects that organizations endeavor to address the environmental aspects that are causing these impacts where practical.  How the organizations choose to address these life cycle aspects depends on several factors including:

  • the level of risk the aspect presents to the organizations
  • the level of risk the aspect presents to the environment
  • the degree of influence or control the organization has over the aspect

The amount of control or influence organizations have over life cycle aspects depends on:

  • how far up or down the supply chain is the aspect
  • how a design change will affect the performance or cost of the product
  • Who controls the design of the product or service

Organizations should also use a life cycle perspective when they are reviewing the potential environmental impacts and aspects from outsourced processes that are performed by other organizations on its behalf.

Evidence of a Life Cycle Perspective During Audits

Proving to an auditor that a life cycle perspective was used to identify the environmental aspects may be more difficult than actually using a life cycle perspective.  Based on early experience with 2015 certifications it is apparent that the certification community has not yet reached consensus on what and how much evidence is required to show conformance with the life cycle perspective requirements.  At minimum we recommend some discussion of how a Life Cycle Perspective was used perhaps in the high level documentation like an EMS Manual or in the documented procedure how the organizations addressed the requirements of Clause 6 Planning.

A graphic such as the one here describing the various life cycle stages may also be helpful in satisfying auditors need for evidence.Life Cycle Perspective ECSI copyright 2016

Unfortunately, and in the short term there is likely to be much variation between certification bodies and individual auditors regarding what is acceptable evidence of conformance the LCP requirements.  We encourage organizations to have a discussion up front with the auditors before the Stage 1 or transition audit about what the Certification Body (CB) and auditor will be looking for when collecting evidence that a LCP has been used in the EMS.

ISO High Level Structure and EH&S Management Systems

ISO 14001 and OHSAS 18001 are undergoing significant change intended to improve these standards.  The new ISO High Level Structure will align all ISO standards along a common management systems structure and promote integration.   The recent US Technical Advisory Group meeting in Orlando, Florida was a particularly enlightening conference for us where US TAG members were able to share their ideas of the way the HLS applies to EHS management Systems.



An important part of the revision processes is being able to communicate to current and new users how the standards are changing and how these changes will affect an existing EHSMS.  This diagram represents how we at ECSI see the developing changes to ISO 14001 and ISO 45001 and the relationships between some of the important clauses of the revised standards.

We are interested in understanding how users of the EHSMS standards feel about the changes and what information they need to begin to plan for the changes to their EHSMS.  ECSI will be conducting a short, one hour webinar Tuesday, April 22, 2014 from 10am-11am Central Standard Time.  The purpose of the seminar is to provide the current state of the revision process and to discuss how we see the EHSMS standard revisions progressing.  If you are interested in participating in one of these webinars send us an email to and we will reply with the logon instructions.