An industrial hygiene audit can be defined as “the unbiased collection, evaluation and report of workplace information.” IH audits help employers meet objectives that reduce compliance penalties, improve their safety and health management system, prevent illness or disease among workers, and adequately address perceptions of IH risk among workers, the public and regulators.

The three main types of IH audits are: 1) regulatory compliance, 2) management system, and 3) risk assessment.

IH regulatory compliance audits are by far most common. These audits seek to mimic what an OSHA inspector might look for.

The IH management system audit assesses the effectiveness of an employer’s system for anticipating, recognizing, evaluating and controlling IH hazards. These audits are typically used by employers seeking acceptance into OSHA’s Voluntary Protection Program or other safety and health management system frameworks (such as BS 8800, OHSAS 18001, etc.).

An IH risk assessment audit uncovers potential losses from liability, workers’ compensation claims or adverse publicity. These audits are typically used by an employer reacting to a serious concern, or are used by pro-active employers that have successfully completed IH regulatory compliance and management system audits.

IH risk assessment audits are not well defined. Each audit is usually tailored for a specific work site. IH risk assessment auditors (the audit team) require special skills and judgments because the information to be collected and evaluated can be broad, complex and subjective. An IH risk assessment audit team should include a CIH, CSP, lawyer, human resources professional and a management representative — none should have a stake in the areas being audited or have any stake in the outcome of the audit.

Here are key areas that should be addressed in an IH risk assessment audit:

Risk & epidemiological surveillance

An IH risk assessment audit begins with the concept of risk — the potential for a chemical, physical or biological agent to cause harm. The concept of risk should integrate with the site’s strategies for conducting epidemiological surveillance. This examines the distribution and patterns of illness/disease and control.

The foundation for epidemiological surveillance is based on a site’s collection and analysis of employee exposure and medical records required by OSHA 29 CFR 1910.1020 or workers’ compensation laws. Information for this audit element includes workplace monitoring records; material safety data sheets or chemical inventories; job descriptions; medical opinions, diagnoses, progress reports and recommendations; first aid records; and employee medical complaints.

A major audit element is how well the site calculated illness trend analysis and industry rate comparisons using information such as, but not limited to, the OSHA 300 Log.

Another major audit element is whether the site accurately characterized the potential for illness/disease among the site’s similarly exposed worker populations (groups of workers with distinct job classifications or work duties). Biological monitoring or medical exams should be based upon this characterization.

Information for this audit element should be described in the site’s written hazard communication program required by 29 CFR 1910.1200 and expanded upon elsewhere within the site’s written safety and health management system.

Database comparisons

A work site’s information should be evaluated against external databases such as those found at the National Library of Medicine’s Specialized Information Services for Toxicology and Environmental Health ( This is a unique feature of the IH risk assessment audit that is rarely or never used in the two other types of IH audits.

Important databases to use include Haz-Map (; TOXNET (; Tox Town (; and TOXMAP (

Haz-Map is an occupational health database that links jobs and hazardous tasks with occupational diseases and their symptoms. Haz-Map’s features include: browsing by jobs, diseases or agents, searching hazardous agents by adverse effects, searching diseases by jobs and findings, and automated searches of TOXNET. A site’s characterization of the potential for illness/disease should be consistent with information found at Haz-Map, unless the employer provides sufficient information to the contrary.

TOXNET is a cluster of databases on toxicology, hazardous chemicals and related areas. Industrial hygienists are among the top professions that use TOXNET.

Survey findings on TOXNET include: 86 percent of users either always or frequently find what they’re looking for; 47 percent of repeat users come from private industry or business; 45 percent of users use the information to prepare a risk assessment; and, one-third of the users are looking for a link between diseases and chemicals.

Within TOXNET, the GEN-TOX (genetic toxicity) and DART/ETIC (developmental and reproductive toxicity) databases are important when determining if the site has adequately addressed the risk from reproductive toxins — particularly effects upon an embryo/fetus of a pregnant worker.

Note: IH audits for regulatory compliance and management systems rarely cover recognition/management and liability posed from reproductive toxins.

If the site is one of the more than 48,000 facilities in the U.S. that provides a Toxic Release Inventory (TRI) report to the EPA, then Tox Town and TOXMAP are important databases that must be reviewed. Similar Internet databases covering TRI reports found at,, and other locations should also be reviewed. These databases provide a description (sometimes with bias) regarding a potential link between community diseases and the site’s reported release of chemicals. The site must demonstrate that disagreements between internal and external data are adequately resolved and documented within the site’s written safety and health management system.

IH risk assessment auditors must remain alert to new local, state and federal laws that permit expanded public health epidemiology reports and studies. Some state laws, for example, permit public health agencies to monitor the sale of over-the-counter medications at local pharmacies or monitor where people say they work when they visit a clinic or hospital, even without a work-related disorder. A spike in sales for certain medications may be an early indicator of illness/disease clusters within a community. Clinic visits by several people from the same workplace could raise similar illness/disease cluster questions.

Risk communication

Since one objective of an IH risk assessment audit is to assess the potential for adverse publicity, the site must demonstrate through interviews, observations and document review that it has established and rehearsed a thorough and effective risk communication strategy. Peter Sandman’s risk communication Web site ( offers users valuable information and links on this topic.

Finally, an IH risk assessment audit should not conclude in a pass/fail. Report findings should be used for continual improvement.

Integrate audit findings

IH regulatory compliance, management system and risk assessment audits form a three-legged stool. If one of the legs is missing a site will lack a complete picture of its IH issues and concerns. Without complete and accurate information, management and technical staff will not be able to meet all IH objectives.