
PT Notes

Third Party Audits

PT Notes is a series of topical technical notes on process safety provided periodically by Primatech for your benefit. Please feel free to provide feedback.

This PT Note describes proposed amendments to EPA's Risk Management Program regulation relating to third-party audits.

EPA is proposing to strengthen the RMP rule's compliance audit provisions to require independent third-party compliance audits after an accident or findings of significant non-compliance by an implementing agency for stationary sources with Program 2 and/or Program 3 processes. EPA believes that stationary sources that have had accidents and/or substantial non-compliance with RMP requirements pose a greater risk to the surrounding communities. Therefore, EPA believes it is appropriate to require such stationary sources to undergo objective auditing by competent and independent third-party auditors. This provision is intended to reduce the risk of future accidents by requiring an objective auditing process to determine whether the owner or operator of the facility is effectively complying with the accident prevention procedures and practices required by the RMP rule.

The preamble to the proposed rule amendments describes EPA’s views on the meaning of third-party audits. The proposed amendments address:

  • When a third-party audit must be performed.
  • Alternative applicability options.
  • Requirements for third-party audits.
  • Requirements for third-party auditors, including competence, independence, and impartiality.
  • Auditor policies and procedures.
  • Alternative options for auditor qualifications.
  • Third-party audit reports.
  • Other owner or operator obligations.

These are described below.

Meaning of Third-Party

EPA views an independent third-party as a private auditor, inspector, or other type of verifier external to the facility. “Independent third-party” excludes the regulated entity, which is the first party (e.g. the stationary source and its parent company and subsidiaries), second parties within the firm's industry or business community with whom the regulated entity has a supply-chain relationship, and third parties that are not independent of the first party, which may include contractors, consultants, or purchasers of the facility's goods or services.

An independent third-party program should not be confused with a second party program in which a regulated source employs a contractor or consultant, even when the contractor is a separate legal entity from the regulated facility and highly qualified. If a regulated source provides direct or indirect control over the contractor or consultant preparing the audit report, including controlling the report's scope or findings, or has other non-audit relationships with the auditor, then the auditor is not a true independent third-party. EPA believes this is important because auditor independence can be critical to the success of a third-party audit program.

EPA believes that third-party compliance audit programs should establish criteria and standards for auditor independence.

Applicability of Third-Party Audit Requirements

The proposed rule would not require all RMP facilities to use third-party auditors when conducting compliance audits. Instead, EPA is proposing that owners or operators be required to perform third-party compliance audits at their facilities only under two conditions.

Under the first condition, a third-party compliance audit would be required in lieu of an internal compliance audit if there has been an accidental release from an RMP facility meeting the five-year accident history criteria. The existing criteria include accidental releases from covered processes that resulted in deaths, injuries, or significant property damage on-site; or deaths, injuries, property damage, evacuations, sheltering in place, or environmental damage offsite. Following such an accident, the RMP facility's owner or operator would be required to engage a third-party auditor to conduct a compliance audit for the source. The third-party audit and associated report would have to be completed and submitted to the implementing agency within 12 months of when the third-party audit is required, or within three years of completion of the previous compliance audit, whichever is sooner, unless a different timeframe is specified by the implementing agency.

Under the second condition, a third-party compliance audit would be required if an implementing agency has made a determination that circumstances exist that suggest there is a heightened risk for an accident based on information about the facility. Information that would lead to such a determination could be obtained from sources including an inspection of a facility by the implementing agency's representatives. Relevant information to support the determination may include evidence of significant non-compliance with the prevention program requirements of subpart C (Program 2) or subpart D (Program 3) of the RMP rule.

Significant non-compliance includes deficiencies relating to a previous third-party audit (i.e. failure to meet the competency, independence, or impartiality criteria). If such a determination is made, the implementing agency must provide a written notice to the owner or operator of the facility stating the reasons for the determination that a third-party audit must be performed. The proposed rule provides an opportunity for the owner or operator to provide information and data to the implementing agency and to consult with the implementing agency about the need to perform a third-party audit at the facility source before the implementing agency representatives make a final determination.

All other stationary sources with Program 2 and Program 3 processes will continue to follow the current compliance audit requirements.

Alternative Options for Third-Party Audit Applicability Criteria

EPA considered requiring third-party compliance audits for a larger universe of regulated facilities. EPA considered whether to require third-party compliance audits for all facilities with processes subject to Program 3 requirements at least every three years. EPA also considered whether to require third-party compliance audits for all facilities with processes subject to Program 2 or Program 3 requirements every three years. However, because EPA views facilities that have had accidents or significant non-compliance as presenting higher risks to surrounding communities, EPA is proposing to limit the applicability of this provision to these facilities.

EPA is seeking comments and suggestions on the proposed third-party audit applicability requirements and whether to eliminate or further limit applicability of this provision. For example, EPA could consider limiting the provision to only Program 3 facilities that have had accidents or to only facilities that have had major accidents with offsite impacts. EPA is seeking comments on this alternative approach and on how to define and characterize “major accidents with offsite impacts.”

Alternatively, EPA could revise this provision to reduce its impact on small businesses. When providing suggested alternatives, EPA has requested suggestions for how to improve compliance with auditing provisions.

EPA also is seeking comments on whether there are other criteria that could require RMP facilities to perform third-party compliance audits. For example, a third-party audit could be required if an owner or operator of a facility were to learn or know of a condition or conditions at its facility suggesting a concern for, or potential risk of, future accidents. Such conditions would need to be objective and reasonably ascertainable by the facility owners or operators, the implementing agency, and the public. EPA also is seeking comments on the benefits and costs of proposing additional requirements for third-party compliance audits, and recommendations for appropriate conditions suggesting a concern for, or potential risk of, future accidents.

Third-Party Audits

EPA is proposing that owners and operators of RMP facilities subject to these requirements determine and document the competency, independence, and impartiality of their auditors. Facility owners or operators would be responsible for self-determining and documenting that their third-party auditors are competent and independent by requiring specific provisions and safeguards in their contracts and relationships with their third-party auditors.

EPA is seeking comments as to whether the requirement that owners and operators of RMP facilities be responsible for determining and documenting the competency, independence, and impartiality of their auditors is appropriate.

Alternative Option for Third-party Auditor Selection and Accreditation

EPA also considered an alternative approach of requiring auditors to have accreditation from a recognized auditing body or EPA. Most independent third-party regulatory compliance verification programs require the qualifying third-parties to apply for and receive accreditation from a qualified external party to ensure competency and independence. Such an external accreditation approach can add rigor to the process of confirming the competence and independence of the auditors but it also adds procedures and costs. Therefore, while EPA is not proposing that the Agency itself will accredit third-party auditors, EPA is seeking comments on whether to require additional accreditation criteria and how to best establish and structure an accreditation program within the context of the RMP rule.

Auditor Competence

EPA believes that third-party compliance verification programs should establish criteria and standards for auditor competence. Typically, such criteria and standards combine specified minimum levels of education, knowledge, experience, and training.

EPA is proposing to require that third-party auditors be:

  • Knowledgeable about the requirements of the RMP rule.
  • Experienced with the facility type and processes being audited and the applicable recognized and generally accepted good engineering practices (RAGAGEP).
  • Trained or certified in proper auditing techniques.
  • Licensed as a Professional Engineer (PE), or have a licensed PE on the audit team.

EPA is proposing to require a PE as part of the audit team in an attempt to identify competent auditors who also have an ethical obligation to perform unbiased work.

EPA is seeking comments on:

  • Whether these criteria are appropriate and sufficient to ensure third-party auditors are competent to perform high-quality compliance audits.
  • Whether the proposal to require that a third-party auditor, or a member of the audit team, be a licensed PE is appropriate.
  • Whether there are enough licensed PEs to conduct third-party audits for the universe of facilities that may become subject to these requirements.
  • Whether there are other qualifications that might be appropriate for RMP auditors in lieu of a PE.

EPA also is seeking comments regarding potentially relevant and applicable consensus standards and protocols that might apply to the audits and be built and/or incorporated by reference into the rules.

Auditor Independence and Impartiality

EPA is proposing independence and impartiality requirements for third-party auditors and audit teams. These include that third-party auditors:

  • Act impartially when performing all third-party audit activities.
  • Receive no financial benefit from the outcome of the audit, apart from payment for the auditing services.
  • Not have conducted past research, development, design, construction services, or consulting for the owner or operator within the last 3 years.
  • Not provide other business or consulting services to the owner or operator, including advice or assistance to implement the findings or recommendations in an audit report, for a period of at least 3 years following submission of the final audit report.
  • Ensure all personnel involved in the audit sign and date a conflict of interest statement.
  • Ensure all personnel involved in the audit do not accept future employment with the owner or operator of the facility for a period of at least 3 years following submission of the final audit report. For purposes of this requirement, employment does not include performing or participating in third-party audits.

EPA stated that audit firms with personnel who, before working for the firm, performed services for the owner or operator as an employee, contractor or consultant, meet the rule's independence criteria when such personnel do not participate on, manage, or advise the audit teams. Additionally, employees of an auditing firm are not prohibited from accepting future employment with the owner/operator as long as they were not directly involved in performing or managing the audit.

EPA is seeking comments on:

  • Impacts a third-party auditor may have on a facility's security and whether there is a need to specify security protections or whether existing non-disclosure and contractual agreements should handle this independently.
  • Whether the proposed auditor independence criteria are appropriate and sufficient. If not, EPA is seeking comments on how best to adjust the criteria for maximum auditing effectiveness and efficiency, including comments or suggestions on how to provide more flexibility in the auditor independence criteria, or whether to eliminate the requirement for independence.
  • Whether the proposed 3-year timeframe to separate the audit from other business arrangements with the owner or operator is appropriate.
  • Whether the proposed auditor independence criteria should be modified so as to not exclude a retired employee from auditing a former employer's facility if the employee's sole continuing financial attachment to the owner or operator is an employer-financed or employer-managed retirement plan. While EPA is concerned such attachments could provide the auditor with incentives to ensure the facilities they audit are not negatively impacted financially by their audits, it could also, as a practical matter, limit the available pool of otherwise qualified and competent auditors. EPA is seeking comments on the potential magnitude of such incentives and how to address this concern in the rule.
  • Whether to propose streamlined independence criteria for small facilities (i.e. based on the size of the facility), including comments or suggestions on how to streamline the requirements.

Auditor Policies and Procedures

EPA is proposing that owners or operators of RMP-regulated facilities ensure that third-party auditors have written policies and procedures to ensure that all personnel comply with the competency, independence, and impartiality requirements.

Alternative Options for Auditor Qualifications

EPA considered including alternative options in the proposed rule for owners and operators of stationary sources who cannot, despite best efforts, find a third-party auditor meeting all of the independence criteria. Two specific options were considered.

Under the first option, owners and operators of RMP facilities, in addition to self-selecting their third-party auditors pursuant to the specified independence criteria, would also self-determine when it is impossible or impractical to hire such auditors and self-select their alternative auditors. Under this option, the owner or operator would be required to inform the implementing agency and the public of the alternative auditors, which could be accomplished by providing and/or publicly posting information on the alternative auditors and how they were selected. The information could describe:

  • Steps taken to identify auditors meeting all of the rule's independence criteria.
  • Identities and competencies of the alternative auditors.
  • Regulatory independence criteria that the alternative auditors were unable to meet and why.
  • Any steps taken to address or limit the impacts of the auditors' lack of independence on the outcomes and reliability of their audits.

Under the second option, owners and operators who, despite best efforts, could not find auditors meeting all the rule's independence criteria would be authorized to identify specific alternative auditors to the implementing agency and petition it for approval to engage those auditors. This approach would include a requirement for auditors not fully satisfying the rule's independence criteria to prepare and implement Conflict of Interest Mitigation Plans similar to those required by the California Air Resources Board (CARB) with associated reporting, record keeping, and due process procedures.

If an owner or operator cannot find a third-party auditor meeting all of the required criteria, despite best efforts, the owner or operator would be required to request approval, in writing, from the implementing agency to use an alternative third-party auditor. The implementing agency would then be required, within a specified timeframe, to approve or disapprove the proposed request and provide notice of its decision to the owner or operator. The owner or operator's request to use an alternative third-party auditor would include:

  • A description of the owner or operator's efforts to find an independent third-party auditor.
  • Identification of the proposed alternative third-party auditor, including the same information required pursuant to this rule for a fully qualified auditor.
  • Identification of the specific independence requirements the proposed alternative third-party auditor meets and does not meet.
  • An organizational chart of the proposed alternative third-party auditor and related entities with brief descriptions of the primary nature of the work each performs.

The owner or operator's request to use an identified alternative third-party auditor would also include a Conflict of Interest Mitigation Plan demonstrating the steps the auditor would take to mitigate its inability to fully meet the independence requirements. These steps could include:

  • Ensuring that any individual or organizational component of the auditor with conflicts of interest or impartiality concerns is removed from the audit and/or isolated from the individuals or organizational component conducting the audit.
  • An explanation of how and why the amount and nature of work previously performed should not be deemed to undermine the auditing team's credibility and lack of bias.
  • Descriptions of any other adjustments or circumstances taken to address actual or potential sources for conflicts of interest, with an appropriate certification signed and dated by a senior owner or operator official.

If the implementing agency approves the alternative third-party auditor, it would provide written notice to the owner or operator and, upon receipt of the approval, the owner or operator may engage the alternative auditor to conduct the audit. If the implementing agency does not approve the identified alternative auditor, the implementing agency would provide a written notice to the owner or operator stating the reasons for the decision. Within a specified timeframe after receipt of such written notice, the owner or operator would be required to submit the name of another proposed auditor for the implementing agency's consideration. In the alternative, the owner or operator would be able to appeal the implementing agency's decision pursuant to the applicable agency's processes.

EPA considered but did not propose third-party auditor independence safeguards other than those included in the proposed amendments. Examples include mandating the random assignment of auditors, paying them from a central pool of auditing funds, or requiring mandatory periodic auditor rotation after a specified period of time. Nor has EPA proposed provisions requiring owners and operators to provide advance notice to the implementing agency of third-party auditor site visits to enable the implementing agency to accompany and observe the third-party auditors on such visits. EPA is seeking comments on these alternative approaches.

EPA also is seeking comments on whether there are any other alternative approaches to third-party auditor qualifications that EPA should consider prior to issuing a final action. For example, EPA could allow for audits to be performed by auditors with some potential conflicts of interest (e.g. employees of the parent company, affiliates, vendors/contractors that participated in developing the facility's RMP, etc.) and/or allow a person employed at the facility who is a registered PE to conduct the audit. If such approaches are adopted in the final rule, the Agency could seek to place appropriate restrictions on auditors and auditing using third parties with less than full independence from their client facilities in an effort to increase confidence that the auditors will act appropriately when performing their activities under the RMP rule. The purposes of such provisions could include ensuring that auditor personnel who assess a facility's compliance with the RMP rule do not receive any financial benefit from the outcome of their auditing decisions, apart from their basic salaries or remuneration for having conducted the audits. EPA also is specifically requesting commenters to identify any supportive literature or data showing that such provisions are effective in counteracting biases due to lack of impartiality or independence as EPA is presently not aware of any.

In addition to the approaches taken in the proposed third-party compliance auditing program or identified above, EPA believes that there may be other options that can increase owner or operator flexibility without compromising audit accuracy. EPA is seeking comments on such alternative auditor/auditing approaches.

If non-independent or limited-independence third-party auditing, second-party auditing, or enhanced self-auditing is authorized, EPA is seeking comments on how best to structure such auditing to maximize auditor independence and accurate auditing outcomes given the lack of complete independence.

EPA also is seeking suggestions for what steps a facility should be required to take if third-party auditors who meet the proposed independence and competence criteria are not available. If RMP facilities are allowed to use enhanced self-auditing in lieu of independent third-party auditing, examples of the types of restrictions that could be placed on such self-auditing to potentially improve auditor impartiality and auditing outcomes appear in the Consent Decree, U.S. California Air Resources Board v. Hyundai et al., U.S. District Court of DC, November 11, 2014.

Third-Party Audit Report

EPA is proposing that owners or operators of stationary sources ensure that their third-party auditors prepare and submit audit reports. The scope and content of each audit report shall:

  • Identify the lead auditor or manager, participating individuals, and any other key persons participating in the audit, including names, titles, and summaries of qualifications demonstrating that competency requirements are met.
  • Document the auditor's evaluation, for each covered process, of the owner or operator's compliance with requirements to determine whether the procedures and practices developed by the owner or operator under this rule are adequate and being followed.
  • Document the findings of the audit, including any identified compliance or performance deficiencies.
  • Include a summary of the owner's or operator's comments on, and identify any adjustments made by the auditor to, any draft audit report provided by the auditor to the owner or operator for review or comment.
  • Include a certification using language specified in the proposed amendments to the rule, signed and dated by the auditor or supervising manager for the audit.

EPA's stated intent in allowing for owners and operators to receive and comment on draft third-party compliance audit reports with these additional requirements is to promote factual and informative final third-party compliance audit reports without compromising their accuracy and independence.

EPA is seeking comments on whether the Agency should also require draft third-party compliance audit reports to be submitted to the implementing agency at the same time or before such reports are provided to the owners and operators and whether such a requirement would be further effective in minimizing potential third-party compliance audit bias.

The proposed amendments include requirements for the retention of reports and related records by the third-party auditors for a period of 5 years. The audit report would be required to be submitted to the implementing agency at the same time, or before, it is provided to the owner or operator.

Also, EPA is proposing that the audit report and related records cannot be claimed as attorney-client communications or as attorney work products even if the auditors are themselves, or are managed by or report to, attorneys. With respect to the attorney work product privilege, the audit report and related records are produced to document compliance rather than in anticipation of litigation, just like a monitoring report required by an air emission rule would not be produced in anticipation of litigation.

With respect to the attorney-client communication privilege, the third-party auditor is arms-length and independent of the stationary source being audited. The auditor lacks an attorney-client relationship with counsel for the audited entity. Therefore, neither the audit report nor the records related to the audit report provided to the third-party auditor are attorney-client privileged (including documents originally prepared with assistance or under the direction of the audited source's attorney).

EPA is seeking comments on these proposed requirements including any legal concerns that may result from the provision that limits attorney-related privileges.

Other Owner or Operator Obligations

The proposed amendments would require owners or operators to determine an appropriate response to each of the findings in the audit report, and develop and provide to the implementing agency a findings response report as soon as possible, but no later than 90 days after receiving the final audit report. This findings response report would include:

  • A copy of the final audit report.
  • An appropriate response to each of the audit report findings.
  • A schedule for promptly addressing deficiencies.
  • A statement, signed and dated by a senior corporate officer, certifying that appropriate responses to the findings in the audit report have been identified and deficiencies were corrected, or are being corrected, consistent with the requirements of subpart C or D of the RMP rule.

The requirement to determine appropriate responses to findings is similar to existing compliance audit requirements that require the owner or operator to “promptly determine and document an appropriate response to each of the findings of the compliance audit.”

EPA is seeking comments on these proposed requirements and whether the Agency should provide flexibility on the timeframe for developing the findings response report.

The proposed amendments would require the owner or operator to implement the schedule and address deficiencies identified in the audit findings response report, and document the action taken to address each deficiency, along with the date completed. The proposed amendments also would require the owner or operator to provide a copy of required documents to the owner or operator's audit committee of the Board of Directors, or other comparable committee, if one exists. EPA is seeking comments on these proposed requirements.

The proposed amendments would require the owner or operator to retain records at the stationary source, including:

  • The two most recent third-party audit reports.
  • Related findings response reports.
  • Documentation of actions taken to address deficiencies.
  • Related records.
  • Copies of all draft third-party audit reports.

EPA is proposing that the owner or operator shall provide draft third-party audit reports, or other documents, to the implementing agency upon request. For Program 2 processes, these requirements would not apply to any documents that are more than five years old. For Program 3 processes, as for the existing Program 3 compliance audits, the owner or operator would be required to retain records to support the two most recent audits.

EPA is seeking comments on these proposed requirements.

Further details can be found at:

https://www.regulations.gov/#!documentDetail;D=EPA-HQ-OEM-2015-0725-0001

Comments on the proposed amendments must be submitted on or before May 13, 2016. Comments should be identified by docket EPA-HQ-OEM-2015-0725 and submitted through the Federal eRulemaking Portal: http://www.regulations.gov.
