As the name implies, these audits are intended to review the site's/company's legal compliance status in an operational context. Compliance audits generally begin with determining the applicable compliance requirements against which the operations will be assessed. This tends to include federal regulations, state regulations, permits and local ordinances/codes. In some cases, it may also include requirements within legal settlements.
Compliance audits may be multimedia or programmatic. Multimedia audits involve identifying and auditing all environmental media (air, water, waste, etc.) that apply to the operation/company. Programmatic audits (which may also be called thematic or media-specific) are limited in scope to pre-identified regulatory areas, such as air.
Audits are also focused on operational aspects of a company/site, rather than the contamination status of the real property. Assessments, studies.
ISO 14001 is a voluntary international standard for environmental management systems ("EMS"). ISO 14001:2004 provides the requirements for an EMS and ISO 14004 gives general EMS guidelines. An EMS meeting the requirements of ISO 14001:2004 is a management tool enabling an organization of any size or type to:
Organizations implementing ISO 14001 usually seek to obtain certification by independent Certification Bodies. Certification indicates that the documentation, implementation and effectiveness of the EMS conform to the specific requirements of ISO 14001. This standard is currently being updated to include elements of including a lifecycle perspective and including top management amongst other changes. The draft (DIS) standard ISODIS 14001:2014 is currently the draft standard applicable until the ISO 14001:2015 standard is finalised and published.
In 2002, the ISO organization also published ISO 19011, the standard for auditing quality and environmental management systems (ISO 19011:2002), which was used for internal audits and certification audits of EMS until it was updated in 2011. The 2011 version on ISO 19011 restricts its use in first and second part audits, while third part audits (certification audits) are now covered in ISO/IEC 17021.
A common misconception is that ISO 14001 certification automatically implies legal compliance. Certification under ISO 14001 does not directly reflect compliance with any legal requirements, although ISO 14001 demands the organization to evaluate its compliance with legal requirements. If there is no compliance with some legal requirement, ISO 14001 requires that the organization sets specific targets related to the non-compliance(s) and establishes, implements and maintains programmes to achieve compliance. Therefore it is possible that, at the time of audit, the organization fulfils the requirements of ISO 14001, yet there are one or more non-compliances with specific requirements, which are identified and which the organization actively works to correct. Specific guidance on this subject is provided by the European co-operation for Accreditation.
The term "protocol" means the checklist used by environmental auditors as the guide for conducting the audit activities. There is no standard protocol, either in form or content. Typically, companies develop their own protocols to meet their specific compliance requirements and management systems. Audit firms frequently develop general protocols that can be applied to a broad range of companies/operations.
Current technology supports many versions of computer-based protocols that attempt to simplify the audit process by converting regulatory requirements into questions with "yes", "no" and "not applicable" check boxes. Many companies and auditors find these useful and there are several such protocol systems commercially available. Other auditors (typically those with many years of environmental auditing experience) use the regulations/permits directly as protocols. There is a long standing debate among environmental audit professionals on the value of large, highly detailed and prescriptive protocols (i.e., that can, in theory, be completed by an auditor with little or no technical experience) versus more flexible protocols that rely on the expertise and knowledge of experienced auditors and source documents (regulations, permits, etc.) directly. However usage of structured and prescriptive protocols in ISO 14001 audits allows easier review by other parties, either internal to the Certification Body (e.g. technical reviewers and certification managers) or external (accreditation bodies).
In the US, permits for air emissions, wastewater discharges and other operational aspects, many times establish the primary legal compliance standards for companies. In these cases, auditing only to the regulations is inadequate. However, as these permits are site specific, standard protocols are not commercially available that reflect every permit condition for every company/site. Therefore, permit holders and the auditors they hire must identify the permit requirements and determine the most effective way to audit against those requirements.
During the past 20 years, advances in technology have had major impacts on auditing. Laptop computers, portable printers, CD/DVDs, the internet, email and wireless internet access have all been used to improve audits, increase/improve auditor access to regulatory information and create audit reports on-site. At one point in the 1990s, one major company invested significant resources in testing "video audits" where the auditor (located at the corporate headquarters) used real-time video conferencing technology to direct staff at a site to carry live video cameras to specific areas of the plant. While initially promising, this technology/concept did not prove acceptable. An emerging technology in environmental auditing is the use of tablet computers.