Law360 (February 23, 2021, 2:12 PM EST) --
Forced to make adjustments to accommodate travel restrictions and remote work environments, many corporate environmental compliance audit team members, who typically log hundreds of thousands of air miles visiting facilities, found themselves grounded, while the plants and factories they were responsible for remained operational.
Further, as the Biden administration promises to ramp up its environmental enforcement initiatives, many companies are beginning to take stock of these COVID-19-weary compliance programs — with an eye on the implications they may have for state and federal regulatory inspections in a post-pandemic world.
As we have continued to advise clients on how to best monitor for internal compliance and react to government inspections, we decided to reach out to some of our contacts to get their impressions of which adaptive measures worked and what challenges they have or have yet to overcome using digital information. We agreed that we would not disclose names or affiliations so that people could speak freely.
What became clear during our discussions was a consensus view that digital and remote technologies will remain a vital tool in the environmental audit toolbox, even as the pandemic subsides.
Background — The Role of Internal Audits
Voluntary environmental audit programs, typically performed under counsel's direction to protect privilege, play an essential role in helping companies meet their obligation to comply with environmental regulations and mitigate liabilities before they arise. These audits also serve as a critical tool in evaluating a facility's overall environmental management systems and efficiencies.
Further, though no federal or state laws or regulations require environmental auditing, some regulatory entities offer penalty mitigation for the voluntary disclosure of certain violations discovered during an audit or through a compliance management system, or CMS.
Internal audits are often comprehensive multiday actions. Tasks are typically amassed into comprehensive checklists that serve as road maps to guide audit teams.
Given the broad range of data, documents and subjects covered during an internal audit, and the need to ensure confidentiality and protect privilege, deploying in-person teams to a specific site was once the norm. Once on-site, these teams could collect data, perform in-person inspections, interview employees and review paper documents.
Unsurprisingly, the ongoing public health crisis has forced entities to reevaluate and alter their internal audit programs. With audit teams indefinitely grounded — a trend that is expected to continue until vaccinations have been widely distributed — regulated industries are increasingly relying on remote tools to collect documents and data, and interview employees — each new tactic presenting new challenges and considerations.
Data and Document Collection — Cybersecurity and Document Management Are Key
Before the pandemic, internal audits often required reviewing hard copies of documents stored at the audit site. This was not because the process was outdated but for security. Paper cannot be hacked, and on-site document review continues to be an incredibly secure way to examine sensitive information.
However, as audits have moved to a remote platform, the need to digitize information once kept in physical mediums has increased. In turn, the need for cybersecurity protections has grown. Best practices now often include the following:
- Activated and continuously updated antivirus software;
- Restrictions on types and names of files that can be shared to mitigate the risk of improper overwriting or malicious code entry;
- Secure file transfers on easy-to-use commercial-grade platforms that provide strong end-to-end encryption;
- File segregation and related user-access logging and restrictions;
- Follow-up emails or phone calls to provide a password or confirm receipt of data;
- Email and file restrictions to prevent forwarding, copying, printing or other unauthorized spread;
- Employee training on strong passwords, phishing and data-retention policies; and
- Limited-term availability of access with files being automatically deleted through a secure overwrite after a short period of time.
Many companies have found that the first step in moving toward a more digitized worksite is understanding what paper files are being kept in the regular course of business. In some instances, state regulators already require a SharePoint site. Where that is the case, the transition to a digitized worksite has less of an impact, as a significant portion of the records are already digital.
In other instances, there may be stacks of binders containing records, regulations, permits and audit protocols. Having to scan such materials into digital records for an audit can be time-intensive depending on the volume of paper.
Next, in consultation with their internal audit departments, entities can determine which documents should be converted to a digital platform. Regulated entities must also work closely with their information technology departments to assess secure file transfer and document management systems.
Finally, as with paper copies, a digital document retention policy is vital to ensure that document management remains consistent.
In our conversations with multiple clients that have undergone this process, many have described the pandemic as an opportunity to move their internal auditing process to a more digital world.
One client reported that, by beginning with a site with electronic documentation in place, they concentrated their efforts on developing a process to conduct virtual audits. Valuable lessons were learned from this initial remote audit.
The client noted that information came in all forms, including emails and texts, and had the potential to leave a sloppy trail. The client promptly modified this collection of data by creating a dedicated SharePoint site.
Only individuals participating in the audit could access and upload records to the workspace. By doing this, there was a single file created for the audit as everything was going to happen within the one digital workspace.
This initial pilot proved quickly that past methodology for conducting audits would be forever changed. For example, auditors learned that audit time could be saved by obtaining documents in advance of the actual audit.
Historically, auditors arrived at a site and spent the first several days collecting and reviewing documents. With digital records, auditors can ask for the documents weeks in advance and be better prepared to conduct the actual audit.
Indeed, the client noted that "when we do get back … we will ask for a lot more up front and in advance. When we show up, we will be very prepared and will have finished a great deal of the audit before we have boots on the ground."
Remote Interviews and Inspections — New Formats and Possible Vulnerabilities
Another challenge our clients have discussed is interviewing on-site employees remotely and having an opportunity to see the site without an auditor being physically present.
While the use of technology such as Zoom or Microsoft Teams may seem like an easy solution, it is again important to maintain strict cybersecurity protocols. All video or voice calls should use end-to-end encryption and be password protected.
A waiting-room approach, user log, or a limitation of access to verified users (linked to specific names, phone numbers or e-mail addresses) should be used to prevent unwanted parties from using a reusable link or dial-in number to gain access to a sensitive call.
Repeatedly, clients noted the value of an in-person interview. In addition to being on site to walk the facility and observe operations firsthand, people tend to share information more readily when, for example, they spend a week in the conference room with the on-site auditors, where personal trust or comfort level is established.
While Zoom or Microsoft Teams provided a platform to conduct interviews, and perhaps worked surprisingly better than anticipated, the benefits of the personal interactions were missing. Indeed, getting to know someone over such platforms is more difficult.
As one client observed, "it's that personal relationship that helps us understand and that makes us feel comfortable that things are being done properly."
Further, while some clients have remarked that photographs and videos may allow remote auditors to see a site, many expressed concerns that such documents may not be accurate. Specifically, clients expressed worry that creating new digital records via digital photography would also subject these same photographs to manipulation by nefarious third parties.
Thus, as with any digital files, auditors must give photographs the same — if not greater — cybersecurity protections to ensure safe transmission from inspection site to auditors.
Additionally, internal auditors should keep in mind the limitations of digital photography. Such images can unintentionally fail to represent an inspection site due to challenging lighting conditions and framing. Multiple photographs may need to be taken from various angles, and at different times of the day, to ensure an accurate depiction of the subject.
As one client further noted, there is a "phenomenal benefit to [having] eyes, ears and noses right on site" in order to capture an odor, a sheen, blowing debris, or other observations not captured with a camera lens.
Government Inspections — Currently on Pause but Not Forgotten
Though almost all state and government inspections are on pause, we have found that many clients are bracing for new tactics and increasing inspections as soon as governments resume the inspection process.
As with many industries, government employees have also moved to remote work. Thus, many feel it is only a matter of time until government inspectors use certain tactics employed by regulated entities through their digital internal audit programs.
Accordingly, lessons learned by companies from their move toward remote audits may prepare them for future government inspections that incorporate new digital practices, and at the same time make them vulnerable to government demands for digital data.
Of course, if records — including photographs or videos — are created at the direction of counsel to assist counsel in providing legal advice to a corporation and/or in anticipation of litigation, the ability to resist a demand for production is stronger with privilege and work-product protections maximized.
Looking Ahead — Though On-Site Audits May Return, Digitization Is Here to Stay
Though we look forward to the day when internal audits can be conducted in-person, it is essential to note that the current state of remote auditing presents an opportunity for regulated entities to review their existing processes and make use of new technology.
While cybersecurity and confidentiality must always be at the forefront of any changing process, the considerations discussed above also provide new ways to conduct audits in a post-pandemic world.
Digital documents permit faster and more efficient data collection and review. Remote video interviews allow for more flexibility, can cut down on the number of days and reduce the number of in-person auditors needed at a specific site.
Though in-person reviews will once again play a critical role in the way companies conduct their post-COVID-19 environmental audits, we anticipate that digitization is likely to increase as audits transition to a hybrid model.
Regulatory Site Inspections Post-COVID-19
Finally, though it remains uncertain whether the Biden administration and state regulators will increasingly seek to obtain digital records from companies, or use their own digital technology when they return to the field to conduct in-person inspections, regulated industries should consider developing specific procedures now to protect privilege, including a plan that involves notifying counsel as soon as the inspector arrives and being guided by their direction in responding to information requests.
Nancy DePodesta and Pamela Goodwin are partners, and John Marty is an associate, at Saul Ewing Arnstein & Lehr LLP.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.