corporate hse audit

Petroleum Development Oman L.L.C.

Document Title: Corporate HSE Audits

Document ID PR-1969

Document Type Procedure

Security Unrestricted

Discipline HSE MS Audit

Document Owner Corporate Function Discipline Head- Audit

Month and Year of Issue April 2012

Version 1.1

Keywords Audit

Copyright: This document is the property of Petroleum Development Oman, LLC. Neither the whole nor any part of this document may be disclosed to others or reproduced, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, reprographic recording or otherwise) without prior written consent of the owner.

Petroleum Development Oman LLC Revision: 1.1Effective: Apr-12

Document Authorisation

Document Owner Document Custodian Document Author

Name in full: Naaman Naamany

Title: Corporate SE Manager

Date: 01/04/2012

Name in full: Saeed Maamary

Title: Head HSE Corporate Planning

Date: 31/3/2012

Name in full: Younis Hinai

Corporate HSE Auditor

Date: 27/3/2012

Corporate HSE Audits

The controlled version of this CMF Document resides online in Livelink®. Printed copies are UNCONTROLLED.


Revision History

The following is a brief summary of the four most recent revisions to this document. Details of all revisions prior to these are held on file by the Document Custodian.

Version No. Month & Year

Author’s Name and Title Scope / Remarks

1.0 Jan 2012 Younis Hinai


New Corporate Audit procedure Issued

1.1 March 2012 Younis Hinai


• Minor text edits

• Drop of use of Risk Assessment Matrix

• Inclusion of action close-out time-frame in table 3

User Notes:1. The requirements of this document are mandatory. Non-compliance shall only be authorised by a

designated authority through STEP-OUT approval as described in this document.

2. A controlled copy of the current version of this document is on PDO's live link. Before making reference to this document, it is the user's responsibility to ensure that any hard copy, or electronic copy, is current. For assistance, contact the Document Custodian.

3. Users are encouraged to participate in the ongoing improvement of this document by providing constructive feedback.




Related Business Processes & CMF Documents

Related Business Processes

Code Document Title

CP-122 HSE MS

Parent Document(s)

Doc. No. Document TitlePL-04 HSE Policy

PL-10 Security & Emergency Response Policy

Other Related CMF Document(s)

Doc. No. Document TitleCP-142 Internal Audit Code of Practice

PR-1712 Level 3 Audit

The related CMF Documents can be retrieved from the Corporate Business Control Documentation Register CMF.



http://sww3.pdo.shell.om/getdoc?dataid=4172907&action=fetch

http://sww4.pdo.shell.om/CMFportal/ListBP.aspx


TABLE OF CONTENTS

1 Introduction 7

1.1 Purpose and Objectives 7

1.2 Scope and Applicability 7

1.3 Review and Improvement 7

1.4 Distribution 7

2 Roles and Responsibilities 8

2.1 Roles and Responsibilities 8

2.2 Step-out Approval 9

3 Procedure 10

3.1 Overview 10

3.2 Develop Audit Program 10

3.2.1 Level 1 HSE Audits 10



3.3 Audit Execution 11

3.3.1 Initiate the audit 12

3.3.2 Conduct document review 13

3.3.3 Prepare for audit activities 13

3.3.4 Conduct audit activities 13

3.3.5 Prepare Audit Report 16

3.3.6 Conduct Audit Follow Up 17

4 Auditor selection criteria 18

5 Performance Standards, Monitoring, and Reporting 19

5.1 Performance Standards 19

5.2 Performance Monitoring Requirements 19

5.3 Reporting Requirements 19

6 Appendices 20

6.1 Definitions 20

6.2 Abbreviations 20

6.3 Key References 21

6.4 Formats and Templates 21

6.5 Additional Information 21




Tables

Table 1: Level 1 HSE audits program 10Table 2: Level 2 HSE Audits program 11Table 3: Classification of audit findings 15Table 4: Controls assessments color coding 16Table 5: HSE audits program compliance 19Table 6: HSE audits action close out status 19

Figures

Figure 1: HSE Audit Hierarchy 7Figure 2: Overview of audit activities 12




Introduction

1.1 Purpose and ObjectivesThis procedure is required to define the levels of HSE MS Audit and the methodology to manage them.

1.2 Scope and ApplicabilityThis procedure applies to all levels of HSE Management Audits in PDO.

PDO has a three-tiered Audit hierarchy as explained in the diagram below:

Figure 1: HSE Audit Hierarchy

1.3 Review and ImprovementThis procedure needs to be reviewed every three years as a minimum but if there are major changes affecting the auditing practices, it will be reviewed as frequently as required.

1.4 DistributionThis procedure will be hyperlinked to the HSE MS of PDO and made accessible to all PDO personnel and any other parties tasked with carrying out work covered by this procedure on behalf of PDO.




Roles and Responsibilities

1.5 Roles and Responsibilities

Audit Manager

For Level 1 Audits: Head Corporate HSE Planning and Audits.

For Level 2 Audits: Respective Directorate HSE Team Leader.

For Level 3 Audits: Process/Activity Owner.

The Audit manager is responsible for

• Establishing a risk based annual audit program

• Obtaining approval for the audit program – Internal Assurance committee (IAC) and Business Assurance Committee (BAC) for level 1 and Director/Asset manager for levels 2 and 3.

• Implementing audit program.

• Appointing audit leader and team members.

• Appointing, if required, an independent reviewer.

• Evaluating and developing auditors

• Reviewing and improving audit program

• Approving the Terms of Reference (ToR) and the Audit Report.

• Performing supervisory oversight of Audit Teams.

• Providing periodic analyses/reports to the IAC/BAC for Level 1 Audit and Asset Director for Level 2 Audits

• Monitoring the quality of audit delivery.

Lead Auditor

• Leading the Audit Team and managing the audit delivery process to achieve stated deliverables, according to the scope and time estimate in the agreed ToR.

• Reviewing the audit work carried out by the Auditors and ensuring that Auditors properly conclude on the work performed.

• Acting as the primary contact for the Auditee.

• Preparing the draft ToR, the Audit plan and the Audit Report.

• Ensuring full compliance with the ToR and this procedure in all steps of the audit Process.

• Confirming audit dates, duration and resource requirements with Auditee.

Auditor

• Preparing and participating in the audit teams.

• Carrying out allocated audit work and taking responsibility for the work carried out.

• Fully complying with the Audit ToR and in all steps of the Audit Process.

Independent Reviewer (by invitation)




• Reviewing the ToR, the Audit Programme and the Audit Report, ensuring that the

Audit Assessment and Audit Findings are sufficiently substantiated and is responsible for issuing an Independent Review to the Audit Lead before Close out meeting.

Principal Auditee

• Reviewing and agreeing the ToR and the plan for the audit

• Nominating Audit facilitator and follow up coordinator

• Supporting the Audit Process, ensuring availability of people, access to facilities, documents and records for the audit

• Attending Opening and Closing Meetings

• Considering audit recommendations, identifying actions to address the root causes of the findings, action parties and target dates.

• Ensuring that the agreed actions are closed as per plan

Follow up coordinator

• Inputting agreed actions, action parties and target dates in data management system

(Fountain/equivalent) and reporting close out status to the Auditee.

Action party

• Confirming ownership to the given action and the target completion date.

• Ensuring timely close-out of actions with supporting evidences.

1.6 Step-out ApprovalThis procedure is mandatory and any deviation to this procedure must be authorised by the Head corporate HSE planning and audit. The Terms of Reference for an audit duly approved by the Audit Manager may, however, override the requirements of Sections 3.3 and 4.0.




Procedure

1.7 OverviewLevel 1, Level 2 and Level 3 Audits are carried out to:

− Determine whether or not the elements and activities of PDO’s HSE Management System conform to the planned arrangements and are being implemented effectively.

− Determine whether or not PDO’s HSE Management System is fulfilling the Company’s HSE policy, objectives and performance criteria.

− Determine whether or not PDO’s HSE Management System complies with the relevant legislative and regulatory requirements.

− Identify areas for improvement in PDO’s HSE Management System, with the aim of progressively improving the HSE Management System.

− Enable management to ensure that potential or actual flaws in the system are remedied through effective follow-up action.

1.8 Develop Audit ProgramAll business processes should be periodically audited, with the frequency and depth of HSE auditing being determined based on:• The level of risk for the process/activity.• How critical the process or activity is, in relation to PDO’s business objectives.• The statutory, regulatory and contractual requirements.• The contribution or potential contribution of the activity concerned to PDO’s overall HSE

performance.• The results of previous audits.• All business processes activities and assets should be audited within the audit cycle. The

audit cycle should not be longer than five years, as it is likely that major changes (such as asset, staff, mode of operations, organization, etc) may have taken place during that time.

1.8.1 Level 1 HSE Audits

Includes HSE audits conducted on behalf of PDO’s IAC and BAC as part of the Integrated Audit Program, and also includes independent audits carried out by external bodies such as ISO 14001 certification audits.

ACTION RESPONSIBILITY

Identify HSE Audit Units (assets, services, projects and functions) that have a risk potential to affect the Company’s HSE objectives)

Audit Manager

Prepare yearly and five-yearly Level 1 HSE Audit program based on the risk potentials

Audit Manager

Review and approve Level 1 HSE Audit Program IAC & BAC

Direct and review the development and implementation of the Corporate HSE Audit Program

Corporate Safety and Environmental Manager

Incorporate the Level 1 HSE Audit Program into Corporate HSE Business Plan

Audit Manager

Provide resources to manage the audit and lead the plan execution

Corporate Safety and Environmental Manager

Implement level 1 HSE audit program Audit Manager

Report level 1 HSE audit and action status to IAC/BAC Audit Manager

Monitor level 1 audits and actions IAC & BACTable 1: Level 1 HSE audits program





Includes HSE audits carried out on behalf of Asset Directors as part of their own Asset Level assurance processes and included in the Asset HSE Plan.

ACTION RESPONSIBILITY

Coordinate development and implementation of the Asset HSE Audit Programme

Asset Director

Identify HSE Audit Units (areas, services and functions) that have a risk potential to affect the Asset’s HSE objectives

Asset HSE Team Leader

Prepare yearly Level 1 HSE Audit program based on the risk potentials.


Review and approve Level 2 HSE Audit Program Asset director

Incorporate the Level 2 HSE Audit Program into directorate HSE Business Plan


Implement level 2 HSE audit program Asset HSE Team Leader

Report level 2 HSE audit and action status to director Asset HSE Team Leader

Monitor level 2 audits and actions Asset directorTable 2: Level 2 HSE Audits program


Includes planned and documented task verification activities to supplement the formal HSE audit process. This is planned and managed by the managers of areas, services and functions to assure compliance to requirements and procedures in processes. PR-1712 - Level 3 Audit details the methodology for Level 3 Audits.

1.9 Audit Execution




3.3.1 Initiate the audit

• Appoint audit team leader• Establish ToR• Select audit team• Establish initial contact with the auditee

3.3.2 Conduct document review• Review relevant HSE documents including records to determine adequacy with respect to ToR.

3.3.3 Prepare for audit activities• Prepare the audit schedule• Assign work to the audit team• Prepare work documents

3.3.4 Conduct audit activities• Conduct opening meeting• Communication during the audit• Roles and responsibilities of guides and observers• Collect and verify information• Generate audit findings• Classify audit findings• Assess control acceptability• Conduct closing meeting

3.3.5 Prepare, approve & distribute the audit report• Prepare the audit report• Approve and distribute the audit report

3.3.6 Conduct audit follow up

Figure 2: Overview of audit activities

1.9.1 Initiate the audit

• appoint the audit team leader for the specific audit.

• establish and seek agreement from the principal auditee the ToR for each audit that should specify, as a minimum:

Audit Objectives

Scope of the Audit

Timing and duration of Audit

Name and position of the Principal Auditee

Audit Team Leader

Audit Team Members

Audit Methodology

Audit follow up coordinator

Audit report Distribution

• Select audit team




Majority of Personnel on the audit team must be independent of the facility or process audited, and may be sourced from within PDO or externally. People conducting HSE audits should be able to carry out the task objectively, impartially and effectively.Audit Manager selects the audit team members so that their training, skills and knowledge are appropriate to the audit type and scope.

• Establish initial contact with the auditee by either audit manager or audit team leader to:

Establish communication channels with the auditee’s representative(s)

Confirm the authority to conduct the audit

Provide information on the proposed timing and audit team composition

Request access to relevant documents, including records

Determine applicable site safety rules

Make arrangements for the audit

Agree on the attendance of observers and the need for guides for the audit team.

1.9.2 Conduct document review

• Auditee’s documentations should be reviewed to determine the conformity of the system, as documented, with audit ToR. The documentation may include relevant management system documents and records as well as previous audit reports.

1.9.3 Prepare for audit activities

• Audit team leader should prepare the audit schedule to provide the basis for the agreement among the auditee and audit team regarding the conduct of the audit. The schedule should cover the following:

Organisational and functional units and processes to be audited

Dates and places where audit activities are to be conducted

Expected time and duration of audit activities, including meetings with the auditee’s management and audit team meetings

Roles and responsibilities of the audit team members and accompanying persons

Allocation of appropriate resources to critical areas of the audit

Logistics arrangements (travel, accommodation, working areas, etc)

• Audit team leader, in consultation with the audit team, should assign to each team member responsibility for the auditing specific processes, functions, sites, areas or activities.

• Audit team members should review the information relevant to their audit assignments and prepare work documents as necessary for reference and for recording audit proceedings such as checklists, audit sampling plans, forms for recording information, audit working papers, etc. Work documents should be generally retained at least until audit completion, confidential documents should be suitably safeguarded at all times by the audit team members, however, the audit working papers should be filed and retained with the audit report.

1.9.4 Conduct audit activities

• The audit leader shall conduct an opening meeting with the auditee to:




Confirm the audit plan and ToR

Provide short summary of how the audit activities will be undertaken

Confirm communication channels

Provide opportunity for the auditee to ask questions

• The audit leader should confer periodically to exchange information, assess audit progress and to reassign work between the audit team members as needed. During the audit, the audit team leader should periodically communicate the progress of the audit and any major concerns to the auditee. Evidence collected during the audit that suggests an immediate and significant risk should be reported without delay to the auditee. Any need for changes to the audit scope should be reviewed with and approved by the auditee.

• Guides and observers may accompany the audit team but are not a part of it. They should not influence or interfere with the conduct of the audit. They should assist the audit team and act on the request of the audit team leader. Their responsibilities may include:

Establishing contact and timing for interviews

Arranging visits to specific parts of the site or organisation

Ensuring that rules concerning site safety and security procedures are known and respected by the audit team

Witnessing the audit on behalf of the auditee

Providing clarification or assisting in collecting information.

• During the audit, information related to the audit ToR should be collected by appropriate sampling and should be verified. Only information that is verifiable may be audit evidence. Audit evidence is based on samples of the available information and should be recorded to help reaching audit conclusions.

• Generate audit findings

Audit team shall develop Audit Findings and determine ratings, risk/objectives based on the observations made during the interviews, field visits and examination of documents and records. Every Audit Finding should be based on demonstrable facts or evidence and rated in line with the Assurance ratings definitions. The primary criterion for rating Audit Findings is the risk to the achievement of Business Objectives for the entity under audit. Whilst Low-Medium-High findings indicate a continuum of increasing risk to the entity under audit, a Serious Finding indicates a step-change in risk, and/or reflects notable impact on the entity under audit or the company. Classification of the audit findings shall be in accordance with the Rating Level table in line with the matrix below.

• Classify audit findings




Rating Level table for Classification of the audit findings:

Rating level Definition Follow-up

Serious

The finding is likely to cause a high undesirable effect on the achievement of the entity’s objectives and / or is likely to have a notable impact on other PDO entities, therefore warranting immediate reporting to senior management. e.g. Operations Manager or Asset Director

The next level of management should take urgent (generally within 1 month) action to confront the situation and commit appropriate resources to immediate resolution of the weaknesses. Senior Management should monitor the implementation of agreed actions/improvements.

HighThe finding is likely to cause a high undesirable effect on the achievement of one of the entity’s objectives, warranting reporting to the Auditee’s management.

The next level of management should monitor the implementation (generally within 3 months) of agreed actions/improvements.

MediumThe finding is likely to cause a measurable undesirable effect on the achievement of one of the entity’s objectives.

The next level of management should be advised (generally within 6 months) of and review the actions being taken to enhance the framework.

LowThe weakness is unlikely to have a measurable impact on the entity’s objectives, but its correction would enhance the risk based control framework.

No follow-up is required by the next level of management, but action should be completed within 12 months.

Compliance

A non-compliance to a specific external legal or other regulations applicable to the entity. Reference shall be made to the number of the specific law or regulation in the finding and after confirmation with Legal.

Immediate follow-up by the Auditee/Sponsor.

Table 3: Classification of audit findings

• Assess control acceptability of major risk areas.

The prime criterion for reaching a Control Acceptability Assessment is the level of concern, as concluded by the Audit Team. This level of concern should be based upon three key considerations:

The ‘implications’ for management, i.e. the action intended to be provoked and by whom; the degree to which the Audit Team determines the result of the audit needs to be escalated (or not).

The ‘scope of concern’, i.e. whether the exposure is seen to be confined and contained, or whether it is far-reaching, potentially exposing other entities.

The evidence gathered during the audit regarding the suitability and effectiveness of the risk-based control framework for the entity under audit in terms of achieving its objectives, i.e. the Audit Findings.

A three-point scale for Controls Assessments: Controls Acceptable, Controls Need Improvement or Controls Need Major Improvement. As with the rating of Audit Findings, this scale represents a continuum of increasing risk and increasing concern. A “Controls Need Major Improvement” assessment indicates a step-change in the level of concern. The following terminology and scale are to be used for the Controls Assessments:

Colour Category Definition GuidanceImpact on Business

ObjectivesFollow-up




Controls Acceptable

None, or a few Low and/or Medium rated findings are reported which indicate that a “once-off” rather

than process or system structural

weaknesses is present or that general

enhancement of the controls, process or

system framework is not needed.

Less than three Medium findings.

The expectation is that the entity will meet its Business

Objectives.

No follow-up is required

by the next level of

management.

Controls

Need Improvement

Some Medium and / or one or more

High rated findings are reported which indicate a weakness

in key controls / barriers or in a part of the process or system structural framework.

1-2 High findings or 3-or-more

Medium findings.The

expectation is that the entity will

not meet all its Business Objectives.

The next level of

management should be advised of and review the actions

being taken to enhance the framework.

Controls

Need Major Improvement

Three or more High and/or one or more Serious rated

findings are reported indicating failures in key controls / barriers or across a significant

part of the process or system structural

framework.

Any Serious finding or 3-or-more High

findings.

The next level of

management should

monitor the implementation of agreed

actions/ improvements

.Table 4: Controls assessments color coding

• Conduct Closing Presentation to the Auditee that includes, as a minimum:

Terms of Reference

Summary of Audit findings and ratings

Risk area Control Acceptability

Actions expected from the Auditee

1.9.5 Prepare Audit Report

• The Audit Lead shall prepare the Audit report from the audit team inputs.

As a minimum the Audit report shall contain:

Terms of Reference

Audit findings

Significance of findings

Recommendations

Risk area Control Acceptability

• Distribute Audit Report

The Audit Lead shall distribute report as determined by the ToR.

As a minimum, the report Audits shall be distributed to Corporate HSE Audits



Principal Auditee

Principal Auditee’s line Supervisor

Audit team Members

Audit manager

Corporate HSE manager

1.9.6 Conduct Audit Follow Up

Audit Follow up coordinator and auditee shall retain and archive HSE Audit reports. The Follow up coordinator has to consider the recommendations, if any, from the audit and generate action plan that includes action parties and target completion dates for all findings resulting from the HSE Audits. The Quality of Close out actions has to be reviewed and verified by the follow up coordinator and auditee. Evidences supporting the effective closure shall be retained until the next audit.




Auditor selection criteria

The audit team shall have:

• Knowledge of HSE matters.• Adequate independence from the activities being audited, to enable objective and

impartial judgement.• Operational experience in the area being audited.• The necessary expertise and experience in auditing practices and disciplines.• Access to specialist HSE or other technical expertise, if necessary.• The support and authority from management to procure the necessary information.• Satisfactory completion of training program in auditing methodology

In order to maintain independence and objectivity, the Audit Team Leader and the majority of the audit team should not have a direct reporting line to the Principal Auditee.

The minimum training requirements in auditing for Audit Team members is a HSE Auditing course of 2 days duration.

In addition, the minimum requirements of the Audit Team Leaders for Level 1 Audits are:

• Completion of a prescribed HSE Auditing course of 5 days duration• Participation in three corporate HSE audit as a team member.• Lead one corporate HSE audit under supervision of a Competent Lead Auditor • Job group 3 level or above.• Deemed to be competent to lead audits by the HSE Audit Manager.

The minimum competency requirements of the Audit Team Leaders for Level 2 Audits are:

• Completion of a prescribed HSE Auditing course of 5 days duration• Participation in one corporate HSE audit as a team member.• Job group 4 level or above.• Deemed to be competent to lead audits by the HSE Audit Manager.

The minimum competency requirements of the Audit Team Leaders for Level 3 Audits are:

• Completion of a prescribed HSE Auditing course of 2 days duration• Participation in two HSE audit as a team member.• Lead one level 3 HSE audit under supervision of a Competent Lead Auditor • Deemed to be competent to lead audits by the HSE Audit Manager.




Performance Standards, Monitoring, and Reporting

1.10 Performance StandardsAudit Program Compliance

Action close out status

1.11 Performance Monitoring RequirementsAudit managers report on a monthly basis the audit status and open & overdue actions from the audits

HSE Audits program compliance

Audit Title Current Status

E.g. Corporate HSE MS Audit Planned for Q1 2011

Table 5: HSE audits program compliance

HSE Audits action close out status

Directorate/Asset

Audit Title Principal

Auditee

No. of Open Action Items No. of Overdue Action Items

Serious High Medium Low Total Serious High Medium Low Total

E.g. MD Corporate HSE MS MSEM 0 0 0 0 0 0 0 0 0 0

All Total

Table 6: HSE audits action close out status

1.12 Reporting RequirementsLevel 1 Audit

Audit manager shall report the compliance to the Audit Program and HSE Audits Action close out status to the IAC/BAC.

Level 2 Audit

Audit manager shall report the compliance to the Audit Program and HSE Audits Action close out status to the Director.

Level 3 Audits

Audit manager shall report the compliance to the Audit Program and HSE Audits Action close out status to the asset manager.




Appendices

1.13 DefinitionsAudit program Set of risk-based audits planned for a specific time frame. Audit An objective examination of evidence for the purpose of providing an independent assessment on risk management, control, or governance process for the organisation. Audit Finding An identified area for improvement in the risk-based control framework.

Audit Objective The goals that an Audit Team plan to achieve in an Audit. Audit Process Three phases (Plan, Execute and Wrap-Up) to be followed to issue an Audit Conclusion Audit Report A signed, written document which presents the purpose, scope, and results of the audit. Audit Scope Refers to the activities covered by the Audit. Audit Team A team consisting of a Lead Auditor and one or more Auditors. Auditee The person who manages the business area being audited. Entity That part of the Business being audited. The ‘entity’ is not necessarily an organizational unit; it could be a corporate function, a process or a risk area. Terms of Reference A letter to the Auditee confirming the understanding of the arrangements for the audit. Working Papers All documentation required to support the Audit Report (includingAudit Findings and Audit conclusion). 1.14 AbbreviationsBAC Board Assurance Committee

IAC Internal Assurance Committee ToR Terms of Reference




1.15 Key ReferencesIn addition to the PDO documents listed on Page 3, the following references provide useful information related to this procedure.

S. No. Title, author’s name, year of publication

1 ISO 14001-2004 Environmental management systems - Requirements with guidance for use

2 GU 441- HSE Inspection Guideline

3 PR-1171-Contract HSE Management Procedure

4 ISO 19011:2002 Guidelines for quality and/or environmental management systems auditing

5 OHSAS 18001:2007 Occupational health and safety management systems - Requirements

1.16 Formats and Templates

Model formats of ToR and Audit reports are given below. These are given as guidance; however the use of these formats is not mandatory.

ToR HSE Audit.docx

Audit Report.docx

1.17 Additional InformationNil



corporate hse audit

Documents

hse audits level

document custodian

hse audits action

audit conduct document

hse audit hierarchy

hse audits program table

levels of hse ms audit

audit report conduct