Understanding Audits and Gap Assessments as Important Components of Compliance Programs

Introduction

In the chemical process industry, effective compliance systems are critical to prevent incidents involving hazardous substances. Two of the most valuable tools used to maintain and evaluate these systems are the compliance audit and the gap assessment. These tools support the requirements of OSHA’s Process Safety Management (PSM), EPA’s Risk Management Plan (RMP), and California’s Accidental Release Prevention (CalARP) program.

They help ensure that documented safety programs are not only in place but functioning as intended. Beyond regulatory needs, they contribute to improved operations, reduced risk, and enhanced protection for people and the environment. Get to know more about these safety practices here at Saltegra Consulting.

What Is a Gap Assessment

A gap assessment is a proactive, internal review used to compare current practices against regulatory requirements and industry best practices. It is not mandated by law but is often used by companies preparing for audits, acquiring new assets, or improving their systems.

The purpose of a gap assessment is to identify missing elements or weaknesses before they result in compliance violations or safety incidents. This allows organizations to take corrective actions early and strategically.

Example: Gap Assessment at a Specialty Chemical Plant

A specialty chemical manufacturer conducted a gap assessment after acquiring a new production unit. Although the facility was not yet subject to immediate regulatory inspection, the company wanted to ensure consistency with its existing process safety standards.

The assessment revealed several issues:

• Operating procedures were outdated and lacked instructions for abnormal conditions.
• Employee training records were incomplete.
• There was no formal Management of Change (MOC) procedure in place.
• The emergency response plan was still in draft form and had not been tested.

The company responded by creating a gap closure plan. This included revising and approving all procedures, rolling out refresher training, implementing a new MOC workflow, and completing a tabletop emergency drill. All actions were tracked through internal compliance software.

This early intervention allowed the company to strengthen safety performance and align with both regulatory expectations and internal policies before a formal audit was required.

What Is a Compliance Audit

A compliance audit is a structured and formal review required under OSHA PSM, EPA RMP, and CalARP. It is conducted at least once every three years to verify that the safety program is implemented and followed. Audits examine whether all required program elements—such as hazard analysis, mechanical integrity, employee training, and emergency response—are complete and effective.

Unlike a gap assessment, a compliance audit has specific regulatory consequences. Findings must be documented, corrective actions must be assigned, and records must be retained.

Example: Compliance Audit at a Bulk Fuel Storage Terminal

A compliance audit was conducted at a bulk fuel terminal storing gasoline and diesel. The facility was due for its triennial audit under both PSM and RMP requirements. The focus was on mechanical integrity, with particular attention to storage tanks and pressure relief devices.

The audit revealed that several relief valves had not been tested in over five years, contrary to company policy and industry standards. Also, some tank inspection reports were missing the required thickness data to verify structural integrity under API 653.

Corrective actions were immediately initiated:

• All overdue relief valve tests were scheduled.
• Inspection procedures were updated to include required data.
• A refresher session on inspection documentation was conducted for maintenance staff.

The findings and resolutions were documented. All corrective actions were verified within 90 days. As a result, the facility avoided citations and significantly improved its mechanical integrity program.

Compliance Audit and Risk-Based Process Safety

Compliance audits and gap assessments align with the principles set out by the Center for Chemical Process Safety (CCPS). They contribute directly to the four pillars of risk-based process safety:

1. Commitment to Safety
   These tools show that leadership prioritizes safety through structured and consistent reviews.
2. Understanding Hazards and Risks
   Audits and assessments help identify weaknesses in systems and improve hazard recognition.
3. Managing Risk
   Findings lead to more informed decisions and better risk control strategies.
4. Learning from Experience
   Facilities use results to improve programs, correct deficiencies, and avoid repeated issues.

Regulatory Requirements

OSHA PSM

OSHA’s PSM regulation (29 CFR 1910.119) applies to facilities that handle threshold quantities of highly hazardous chemicals. It includes 14 elements, such as process hazard analysis, training, and mechanical integrity. A compliance audit must be completed every three years.

EPA RMP

EPA’s RMP rule (40 CFR Part 68) is focused on public and environmental safety. Covered facilities must conduct a prevention program audit every three years to verify that safeguards and planning are in place.

CalARP

The CalARP program builds on federal PSM and RMP regulations with additional state-specific requirements. It mandates triennial audits, detailed documentation, and retention of at least two audit reports. The audit team must include someone knowledgeable in the process being reviewed.

When to Schedule These Activities

• Gap assessments should be scheduled well in advance of a compliance audit. Many organizations perform them every 12 to 18 months to support internal improvement efforts.
• Compliance audits must be scheduled at least once every three years, but earlier audits may be needed after major process changes, incidents, or as part of enforcement settlements.
• Both tools should also be considered when acquiring new facilities, expanding production, or implementing new technologies.

A calendar-based schedule with responsible teams assigned can ensure these reviews are completed consistently and tracked properly.

Key Steps in Each Process

Gap Assessment Process

1. Define the scope and applicable standards
2. Review procedures, training, and implementation practices
3. Compare current performance with regulatory and internal benchmarks
4. Identify and rank deficiencies based on risk
5. Develop corrective actions and assign responsibility
6. Monitor progress and reassess as needed

Compliance Audit Process

1. Plan the audit and gather relevant records
2. Conduct interviews, site observations, and document reviews
3. Identify non-compliance or weaknesses
4. Document findings and assign corrective actions
5. Verify resolution and close out the audit
6. Retain records for at least two audit cycles

Comparison of Gap Assessment and Compliance Audit

Common Deficiencies Identified

During compliance audits and gap assessments, the following issues are frequently observed:

• Missed audit or assessment cycles
• Incomplete or outdated safety procedures
• Unresolved action items from previous reviews
• Lack of MOC documentation following process changes
• Inconsistent training records
• Poor cross-functional involvement in audits or assessments

Best Practices for Effective Implementation

To get the most value from these tools:

• Use cross-functional teams. Include engineering, operations, maintenance, and safety staff.
• Maintain a live action tracking system. Use software or structured spreadsheets to track open and closed actions.
• Verify implementation through field checks. Do not rely only on documents—visit the process area.
• Align findings with risk. Prioritize based on severity and potential impact, not just ease of resolution.
• Document everything. Keep clear records of findings, actions, follow-ups, and communications.
• Train internal audit teams. Conduct refresher sessions on regulatory content and auditing techniques.
• Schedule pre-audit gap assessments. These reduce findings during regulatory audits and improve readiness.
• Integrate with other safety reviews. Combine with PHA, MOC reviews, or operational readiness inspections where appropriate.

Building a Long-Term Safety Strategy

Compliance audits and gap assessments are most effective when integrated into an organization’s broader safety strategy. They should not be treated as isolated events, but as recurring cycles of evaluation, learning, and improvement.

A mature safety culture uses these tools to:

• Identify and correct problems before regulators intervene
• Build discipline and accountability in operations
• Strengthen leadership’s credibility on safety matters
• Make data-driven decisions based on findings
• Support transparency during stakeholder or regulatory reviews

Organizations that treat audits and assessments as regular business practices rather than reactive exercises are better positioned to maintain safe and efficient operations over the long term.

Conclusion

Compliance audits and gap assessments are essential tools for any facility operating under PSM, RMP, or CalARP regulations. A compliance audit confirms that safety systems meet regulatory expectations. A gap assessment helps identify and close weaknesses before they lead to violations or incidents.

Used together, these tools support a structured approach to risk management. They help organizations prevent incidents, maintain compliance, and build strong safety cultures rooted in continuous improvement.

Facilities that invest in these practices not only meet their legal responsibilities but also protect their people, processes, and reputation. Get the assistance you need in ensuring a safe process here at Saltegra Consulting. Contact our team today!