September 21, 2004
Sarbanes-Oxley Moves EHS Auditing From the Backroom to Boardroom
by Graham Sinclair
Part one of this two-part article addresses changes Environmental, Health & Safety auditors are
making in response to Sarbanes-Oxley; part two addresses changes prompted by the Global Reporting
The role of Environmental, Health & Safety (EHS) auditors and the information they assess is
currently undergoing a sea change. Traditionally, EHS auditors have assessed company-specific
information using company-specific metrics for use by an internal audience within the company.
Recent developments, such as the passage of Sarbanes-Oxley (SOX) and increased adoption of the Global Reporting
Initiative (GRI), are broadening the
scope of both information collection and modes of data delivery, as well as the audience.
EHS professionals addressed this dynamic earlier this month in Philadelphia at the
annual Auditing Roundtable
conference, entitled The Role and Practice of EHS Auditing in a New Era of Corporate Governance
and Management Systems. EHS auditing is overseen by the Board of Environmental, Health &
Safety Auditor Certifications (BEAC), a joint
venture between the Auditing Roundtable and the Institute of Internal Auditors (IIA).
Historically, EHS auditors have been charged with
assessing EHS information for purposes of compliance, due diligence, risk assessment, and voluntary
standards such as ISO 14001, an environmental management certification.
purpose of these audits is expanding under Sarbanes-Oxley. SOX places greater emphasis on ensuring
that disclosures are accurate and complete in all material aspects. SOX also requires that
processes are in place to bring all relevant information to the attention of senior management.
In other words, EHS auditors have been moved from the backroom to the boardroom.
"EHS auditors are now being asked to generate and submit information directly to the most
senior management levels, including the CEO, the CFO, and the Board of Director," said Roberto
Jiménez, a director on the board of the Auditing Roundtable.
The revised SOX rules require
two separate certifications by the CEO and CFO for each 10-K and 10-Q (and any amendments) filed
with the Securities and Exchange Commission (SEC)
under sections 302 and 906 of Sarbanes-Oxley. Corporate officers face potential civil and criminal
penalties for violations, so these officers are likely to have zero tolerance for surprises from
A critical issue for auditors is the need for financial information that
"fairly presents" the business position.
"Be careful--EHS professionals should know that
their work may make its way to the SEC based on conclusions about material risks that fairly impact
the valuation of companies," warned keynote speaker Brian Carroll, special counsel at the SEC's
Philadelphia district office.
Information assessed in EHS audits is now being considered
with a seriousness rivaling financial information, EHS data collected and verified during internal
audits is no longer being held as tightly under the confines of privilege and confidentiality
clauses. This increased transparency accentuates the importance of EHS auditor independence.
"Without independence, no matter how competently the audit is performed, the resulting report
will be potentially compromised," said Jeff Davidson, partner at Wilmer, Cutler, Pickering, Hale
While financial audits and reporting in 10-Ks by publicly traded companies
largely deal with historical information, the EHS auditors are involved in areas of SEC reporting
that require significant estimation of contingent liabilities and future expenditures. EHS
auditors are therefore required to do a certain amount of crystal ball gazing – meaning they will
have to be very crisp and very articulate about how they audit.
The growing importance of
EHS auditing is a mixed blessing: increased responsibility brings with it increased
"While EHS auditors are likely to play a more important and visible
role, they are also likely to be held more accountable, with an insistence on verification of
processes and a drive by executives to come to accurate hard numbers" more quickly, said Paul
Michalski, a partner at Cravath, Swaine & Moore.
Part two of this two-part article
addresses how EHS auditors are taking up the GRI and other voluntary sustainability reporting