An EHS audit is a systematic, documented review that tests a facility against its environmental, health, and safety obligations, OSHA and EPA rules, permit conditions, and a management-system standard like ISO 45001 or 14001, and produces scored findings with tracked corrective actions. It is broader than a floor safety walk.
A safety walk asks "is this guard missing?" An EHS audit asks "does the whole system that is supposed to keep that guard in place actually work?" It covers environmental compliance, occupational health, and safety, and it checks not just conditions on the floor but the paperwork, training, and management system behind them. This post walks the scope, the audit types, a step-by-step method, how to score findings, and how to close them out. It is educational, not legal advice.
What does an EHS audit cover?
Three domains, tested together. An EHS audit spans environmental obligations enforced by the EPA and state agencies, occupational health and safety obligations enforced by OSHA, and the management system that is supposed to hold all of it together. That third leg is what separates an EHS audit from a floor inspection: it asks whether the program is designed and running, not just whether today looks clean.
This is where an EHS audit diverges from a workplace safety audit. The safety walk lives on the floor and checks physical conditions and behaviors in real time. The EHS audit includes that, then adds the environmental compliance calendar, the industrial-hygiene exposure data, the permit conditions, and the conformance of the management system to a standard. Both matter; they answer different questions.
What are the types of EHS audit?
They divide two ways: by who runs them and by what they test against. By auditor, a first-party audit is internal (your own team checking your own site), a second-party audit is a customer or corporate parent checking you, and a third-party audit is an independent registrar or consultant, including the certification audits that grant ISO 45001 or 14001. By subject, a compliance audit tests against legal requirements, is this permit current, is that record kept, is this exposure below the limit, while a conformance audit tests against a management-system standard: is there a policy, are risks assessed, is the improvement loop actually turning.
A mature program runs both. Compliance audits keep you out of trouble with regulators; conformance audits tell you whether the system will keep you out of trouble next year without a scramble. The strongest programs schedule internal audits on a calendar, invite the occasional external audit for an outside eye, and treat the certification audit as a checkpoint rather than the only time anyone looks hard.
How do you run an EHS audit?
The sequence is the same whether you are auditing one process or a whole plant.
- Define scope and criteria. Decide what is in bounds, which areas, processes, and media, and the exact criteria you audit against: the specific OSHA and EPA regulations, permit conditions, and the ISO clauses. An audit without written criteria is just a walk.
- Build the protocol and plan. Turn the criteria into a checklist or protocol, pull the applicable regulations and prior findings, and schedule the audit with the site so the right people and records are available.
- Open and gather evidence. Hold an opening meeting, then collect evidence three ways: examine records (permits, logs, training, the OSHA 300 log), observe the operation on the floor, and interview the people who do the work. A finding stands on evidence, not on impression.
- Test conditions against criteria. Compare what you found to what the rule or standard requires. Where they match, note conformance; where they do not, write a finding that cites the exact requirement and the specific evidence of the gap.
- Classify and score the findings. Rank each finding by severity and, where you use a scoring model, tally a score so the site can compare over time and against sister plants.
- Assign corrective actions with owners and dates. Every finding gets a root cause, a corrective action, a named owner, and a due date. A finding without an owner and a date is a finding that will reappear next audit.
- Verify closure and trend the results. Confirm each corrective action was actually done and worked, not just marked complete, then trend findings across audits to see whether the same gaps keep coming back.
How do you score EHS audit findings?
Rank every finding by severity so limited resources go to the biggest risks first. Most programs use three or four tiers, and the labels matter less than using them consistently across every site.
Whatever scale you use, tie severity to a deadline and an escalation path. Critical findings stop work or trigger an immediate fix; minor findings ride the normal corrective-action cycle. The point of scoring is not a grade for its own sake, it is to make sure the imminent-danger finding does not sit in the same queue as the missing signature.
What happens to the findings after the audit?
The corrective-action loop is where audits earn their keep or die. Each finding needs a root cause, a corrective action that addresses that cause rather than the symptom, an owner, a due date, and verification that it actually worked. The failure mode is universal: a thick audit report that everyone reads once, a handful of quick fixes, and the structural findings still open when the next audit arrives. Reading a repeat finding on two consecutive audits is the clearest sign the loop is broken.
Good corrective actions borrow from the same discipline as a job safety analysis: name the specific hazard or gap, then pick a control high on the hierarchy rather than defaulting to "retrain the operator." And leading indicators feed the next audit: near-miss reports the trend in your DART rate and closed-action rates all tell you whether the system is improving between audits or only performing for the auditor.
How does an EHS audit relate to ISO 45001 and 14001?
The ISO standards are what a conformance audit tests against. ISO 45001 is the occupational health and safety management-system standard; ISO 14001 is the environmental one. Both are built on the plan-do-check-act cycle, and both require internal audit as a clause, the organization has to audit itself on a schedule and feed the results into management review. So if you certify to either standard, EHS auditing stops being optional and becomes a required, recurring part of the system. Even without certification, running your internal audits against the ISO structure gives you a proven framework instead of an ad-hoc checklist.
Who should conduct an EHS audit?
Someone competent and independent of the area being audited. Competence means the auditor knows the applicable regulations and the management-system standard well enough to tell a real gap from a paperwork quirk; a checklist in the hands of someone who does not understand the rule behind it produces false findings and misses real ones. Independence means the auditor does not audit their own work, because no one grades their own homework honestly. In a small plant that can mean the safety lead from one line auditing another, or a corporate EHS person auditing the site; in a certification audit it means an outside registrar. The one arrangement to avoid is the area supervisor auditing their own area and signing off that everything is fine, which is how findings quietly disappear before they are ever written down.
What do the numbers say?
The frameworks an EHS audit tests against, from the primary sources:
- Occupational health and safety obligations sit in OSHA 29 CFR 1910 and recordkeeping in 29 CFR 1904.
- Environmental obligations are enforced by the U.S. EPA and state agencies across air, water, and waste programs.
- The management-system standards are ISO 45001 for occupational health and safety and ISO 14001 for environmental management, both of which require internal auditing as a clause.
Most EHS audits drown in their own evidence. Permits live in one binder, training records in another system, corrective actions in a spreadsheet that nobody updates after week two, and the auditor spends more time finding records than judging them. Harmony is an AI-native layer that connects machines, software, and paperwork into one operational layer, with no rip-and-replace: inspection sheets, training records, and corrective actions become structured, searchable data, and AI search returns cited answers across logs, SOPs, and records, so audit evidence surfaces in seconds instead of days. It is the same backbone a crane inspection program or a plant-wide safety walk runs on. Harmony is not an EHS-compliance product, but it keeps the evidence where the audit can find it. See what it looks like in a plant like yours in the CLS case study.