BP paid more than $25 billion; Volkswagen shelled out $19 billion; Anadarko Petroleum, $5.1 billion; and GlaxoSmithKline ponied up $3.75 billion.

No, these aren't prices paid for major acquisitions, they are the penalties these companies paid to resolve environmental, health, and safety issues during the last seven years with a raft of U.S. federal agencies, including the Environmental Protection Agency, the Occupational Safety and Health Administration, and 11 others that deal with EHS issues. Such sums have nearly threatened the ability of these companies and several others to continue as a going concern. To say that EHS risks were substantial in these cases is, of course, a Deep-Water-Horizons-sized understatement.

Yet many companies may not be giving EHS risks the attention these business disasters demand, and internal audit departments may be partly to blame. According to the Institute of Internal Auditors' annual "Pulse of Internal Audit" survey, EHS risk is one of two areas—along with company communications outside of financial reporting—that "have fallen just below or somehow dropped off the radar." According to the IIA report, only 23 percent of chief internal auditor respondents said they were well-informed about EHS risks. Just 48 percent integrated EHS risks into their risk assessments or audit planning process.

So why may chief audit executives be neglecting EHS risks, which include such hair-raising dangers as contaminated food, poor air quality, unsafe factory equipment, and repetitive stress injuries, as well as calamities like accidents and worker deaths? One of the reasons the report cites is that EHS is a highly specialized and complex area in which internal audit may not have specific expertise. To overcome this difficulty, the report's authors suggest internal audit take a similar approach that it uses to assess IT risks. "Similar to the way they approach IT and fraud, internal auditors should obtain sufficient knowledge to evaluate EHS risks and the organization's EHS management processes, but they are not expected to have the expertise of a person whose primary responsibility is managing EHS activities," it states.

Too Compliance Driven?

Another reason that internal audit may not be plugged into EHS risks is that many organizations address such risks in second line of defense functions, such as risk management or compliance. Others have separate dedicated EHS audit functions that often don't communicate well with internal audit. According to the Pulse report, just 11 percent of organizations say internal audit is responsible for providing assurance over EHS risks to the audit committee or board. Indeed, one in five respondents said they did not know who, if anyone, provided such assurance over this heavily regulated area.

Douglas Hileman, president of Douglas Hileman Consulting and an EHS expert who is a member of IIA's global Guidance Development Committee, says since companies mostly view EHS risks through a regulatory compliance lens, they may be missing some important risk aspects. "There are EHS risks that arise from drivers other than regulatory enforcement," he says. "These risks have grown and the typical EHS audit has not."

As might be expected, internal audit departments at industrial companies tend to do a better job of assessing EHS risks than services providers or financial firms. But even among manufacturers and industrial services companies, there is work to be done in assessing EHS risk. The survey found that just 59 percent of industrial companies integrate EHS risks into the risk assessment or audit planning process. At financial services firms, that number slips to 31 percent.

Still, Hileman says that finance firms and other office-based industries shouldn't ignore EHS risks. "Financial services faces different types of EHS risks, such as providing funding to a venture that incurs unforeseen environmental costs and becomes less able to make financial targets or repay loans," he says.

Collaboration Needed

The survey also finds that when companies have a separate EHS audit function, it doesn't coordinate its efforts well with the internal audit department. In fact, nearly two-thirds of respondents (64 percent) say that EHS audit and internal audit are separate and work autonomously. "It's unfortunate because it has enabled EHS auditors to remain in their comfort zone of auditing regulatory compliance only," says Hileman.

According to the report, this provides internal audit with an opening to contribute more in the area. "This provides internal audit with the opportunity to step up and take a leadership role in coordinating efforts to explore providing the organization with combined assurance regarding EHS risks, while also providing independent assurance over the manner in which the first and second lines of defense achieve their risk management and control objectives," the report states.

Hileman agrees. "Internal audit has a thing or two to teach EHS audit about root cause analysis and how to be more effective at implementing preventative measures," he says. If companies continue to get hit with EHS related fines like those paid by BP and others, those EHS audit departments will have no choice but to listen.