How Often Should You Audit Your Assets and Vendors?
As part of corporate due diligence and minimizing shareholder liability, auditing professionals have been trusted with the responsibility to perform on-site audits of internally owned or managed facilities and contracted vendor facilities. These audits vary in type, depth and scope. Audit types include waste handling/transport, disposal, environmental, health & safety and laboratory services, amongst others.
For many corporations, the number of owned, managed and contracted vendor facilities can be large and can require coordinated internal and external resources, but at the foundation is a thoughtfully designed and managed audit program. Audit personnel and resources, both internal and external, can be quite substantial, and while the performance of periodic audits on potentially hundreds of entities/facilities is quite a remarkable goal, the frequency of these audits is usually limited by the audit budget.
For planning purposes, the frequency of owned, managed and contracted vendor facility audits is typically established based on one of several proactive or reactive metrics, for example:
• Time based, depending on the number of required audits, personnel and annual budgets (e.g., audit each facility every 3 years)
• Financial based, depending on a threshold of some sort (e.g., an external vendor above XYZ dollars in annual spend gets audited every year and at a reduced frequency for lower annual-spend vendors)
• Based on some real or perceived risk to the corporation (e.g., high-risk/high-liability activities)
• Reactively timed audit performed based on a negative event (e.g., Notice of Violation [NOV] issued)
Within Environmental Standards, Inc.’s (Environmental Standards’) 30-year audit practice, we have assisted many corporations in assessing the adequacy and robustness of their owned, managed and contracted vendor audit programs. During these “audits of audit programs,” we often observe that audit frequency is not periodically evaluated, is based only on historical practice, or is fixed at a set frequency that allows for audits to be added upon request by the business or senior management.
A better way of determining audit frequency, or even of determining a reduction in the case of vendors, is to identify realistic metrics that can be used to develop a risk model and to use that model to score each owned, managed and contracted vendor. Some of the audit frequency risk model categories that are important to include are:
• Criticality to corporate success of the service or product provided
• Legal and/or regulatory liability associated with the service or product provided
• Criticality of the findings from the last audit performed
• Changes in key personnel, facility compliance and/or accreditation status
• Performance (actual or perceived) of the vendor by the internal company users
While many of Environmental Standards’ corporate clientele have long-term audit programs, the concept of assessing their audit programs (“auditing the audit program”) from an outside, third-party perspective represents a logical and progressive way to utilize and intelligently document the use of internal audit resources.
For more information on Environmental Standards’ audit practice, contact Dr. Michael Green or Mr. Rock Vitale.