Section 68.59 - Third-party audits(a)Applicability. The owner or operator shall engage a third party to conduct an audit that evaluates compliance with the provisions of this subpart in accordance with the requirements of this section when any criterion of § 68.58(f) is met.(b)Third-party auditors and auditing teams. The owner or operator shall either: (1) Engage a third-party auditor meeting all of the competency and independence criteria in paragraph (c) of this section; or(2) Assemble an auditing team, led by a third-party auditor meeting all of the competency and independence criteria in paragraph (c) of this section. The team may include: (i) Other employees of the third-party auditor firm meeting the independence criteria of paragraph (c)(2) of this section; and(ii) Other personnel not employed by the third-party auditor firm, including facility personnel.(c)Third-party auditor qualifications. The owner or operator shall determine and document that the third-party auditor(s) meet the following competency and independence requirements:(1) The third-party auditor(s) shall be:(i) Knowledgeable with the requirements of this part;(ii) Experienced with the stationary source type and processes being audited and applicable recognized and generally accepted good engineering practices; and(iii) Trained and/or certified in proper auditing techniques.(2) The third-party auditor(s) shall: (i) Act impartially when performing all activities under this section;(ii) Receive no financial benefit from the outcome of the audit, apart from payment for auditing services. For purposes of this paragraph (c)(2)(ii), retired employees who otherwise satisfy the third-party auditor independence criteria in this section may qualify as independent if their sole continuing financial attachments to the owner or operator are employer-financed or managed retirement and/or health plans;(iii) Ensure that all third-party personnel involved in the audit sign and date a conflict of interest statement documenting that they meet the independence criteria of this paragraph (c)(2); and(iv) Ensure that all third-party personnel involved in the audit do not accept future employment with the owner or operator of the stationary source for a period of at least two years following submission of the final audit report. For purposes of the requirement in this paragraph (c)(2)(iv), employment does not include performing or participating in third-party audits pursuant to § 68.80 or this section.(3) The auditor shall have written policies and procedures to ensure that all personnel comply with the competency and independence requirements of this section.(d)Third-party auditor responsibilities. The owner or operator shall ensure that the third-party auditor:(1) Manages the audit and participates in audit initiation, design, implementation, and reporting;(2) Determines appropriate roles and responsibilities for the audit team members based on the qualifications of each team member;(3) Prepares the audit report and, where there is a team, documents the full audit team's views in the final audit report;(4) Certifies the final audit report and its contents as meeting the requirements of this section; and(5) Provides a copy of the audit report to the owner or operator.(e)Audit report. The audit report shall:(1) Identify all persons participating on the audit team, including names, titles, employers and/or affiliations, and summaries of qualifications. For third-party auditors, include information demonstrating that the competency requirements in paragraph (c)(1) of this section are met;(2) Describe or incorporate by reference the policies and procedures required under paragraph (c)(3) of this section;(3) Document the auditor's evaluation of the owner or operator's compliance with the provisions of this subpart to determine whether the procedures and practices developed by the owner or operator under this subpart are adequate and being followed;(4) Document the findings of the audit, including any identified compliance or performance deficiencies;(5) Summarize any significant revisions (if any) between draft and final versions of the report; and(6) Include the following certification, signed and dated by the third-party auditor or third-party audit team member leading the audit: I certify that this RMP compliance audit report was prepared under my direction or supervision in accordance with a system designed to assure that qualified personnel properly gather and evaluate the information upon which the audit is based. I further certify that the audit was conducted and this report was prepared pursuant to the requirements of subpart C of 40 CFR part 68 and all other applicable auditing, competency, independence, impartiality, and conflict of interest standards and protocols. Based on my personal knowledge and experience, and inquiry of personnel involved in the audit, the information submitted herein is true, accurate, and complete.
(f)Third-party audit findings-(1)Findings response report. As soon as possible, but no later than 90 days after receiving the final audit report, the owner or operator shall determine an appropriate response to each of the findings in the audit report, and develop a findings response report that includes:(i) A copy of the final audit report;(ii) An appropriate response to each of the audit report findings;(iii) A schedule for promptly addressing deficiencies; and(iv) A certification, signed and dated by a senior corporate officer, or an official in an equivalent position, of the owner or operator of the stationary source, stating: I certify under penalty of law that I have engaged a third party to perform or lead an audit team to conduct a third-party audit in accordance with the requirements of 40 CFR 68.59 and that the attached RMP compliance audit report was received, reviewed, and responded to under my direction or supervision by qualified personnel. I further certify that appropriate responses to the findings have been identified and deficiencies were corrected, or are being corrected, consistent with the requirements of subpart C of 40 CFR part 68, as documented herein. Based on my personal knowledge and experience, or inquiry of personnel involved in evaluating the report findings and determining appropriate responses to the findings, the information submitted herein is true, accurate, and complete. I am aware that there are significant penalties for making false material statements, representations, or certifications, including the possibility of fines and imprisonment for knowing violations.
(2)Schedule implementation. The owner or operator shall implement the schedule to address deficiencies identified in the audit findings response report in paragraph (f)(1)(iii) of this section and document the action taken to address each deficiency, along with the date completed.(3)Submission to Board of Directors. The owner or operator shall immediately provide a copy of each document required under paragraphs (f)(1) and (2) of this section, when completed, to the owner or operator's audit committee of the Board of Directors, or other comparable committee or individual, if applicable.(g)Recordkeeping. The owner or operator shall retain at the stationary source, the two most recent final third-party audit reports, related findings response reports, documentation of actions taken to address deficiencies, and related records. The requirement in this paragraph (g) does not apply to any document that is more than five years old.