Skip to main content
U.S. flag

An official website of the United States government

Here’s how you know

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

HTTPS

Secure .gov websites use HTTPS
A lock (LockA locked padlock) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

    • Environmental Topics
    • Air
    • Bed Bugs
    • Cancer
    • Chemicals, Toxics, and Pesticide
    • Emergency Response
    • Environmental Information by Location
    • Health
    • Land, Waste, and Cleanup
    • Lead
    • Mold
    • Radon
    • Research
    • Science Topics
    • Water Topics
    • A-Z Topic Index
    • Laws & Regulations
    • By Business Sector
    • By Topic
    • Compliance
    • Enforcement
    • Laws and Executive Orders
    • Regulations
    • Report a Violation
    • Environmental Violations
    • Fraud, Waste or Abuse
    • About EPA
    • Our Mission and What We Do
    • Headquarters Offices
    • Regional Offices
    • Labs and Research Centers
    • Planning, Budget, and Results
    • Organization Chart
    • EPA History

Breadcrumb

  1. Home
  2. Risk Management Program (RMP) Rule

Applicability of compliance audit provisions to non-prevention program elements

I have a Program 2 covered process and a Program 3 covered process at my stationary source. I am required (by 40 CFR Section 68.58 and 40 CFR Section 68.79) to certify compliance with prevention program requirements every three years. These compliance audits specifically address the prevention program portions of my risk management program. Am I required to audit other portions of my risk management program, such as the hazard assessment, management system, and risk management plan (RMP)? If so, will the RMP audit under 40 CFR Section 68.220 serve this purpose?

Other than the prevention program compliance audits, there is no regulatory requirement for a source to formally "audit" other aspects of its risk management program. Facilities are expected to keep all program elements up-to-date, as required by the regulation. The rule requires facilities to track changes and update their RMP when appropriate. For example, there are self review and update requirements for non-prevention program elements specifically in the regulation (68.36(b) and 68.95(a)(4)). Audits, reviews and updates are all intended to provide for vigorous self-oversight by the source. The prevention program compliance audits (40 CFR §68.58 and 68.79) and the implementing agency (IA) audit (40 CFR §68.220) serve two distinct purposes. The IA audit does not replace these obligations because it is fundamentally a different undertaking. The internal audits, review, and update requirements are management controls to minimize accidental releases and consequences, while the IA audit is an external oversight mechanism. IA audits will not be done on every source; they will be done only when an IA deems it appropriate. The relationship of the self-checks required for a sound accident prevention program to IA audits is similar to the relationship between an internal accounting system and an external financial audit in that the external oversight depends upon the company itself having its own internal controls. An IA audit does not in any way relieve a company from its obligations to have internal reviews, controls, and updates.

Risk Management Program (RMP) Rule

  • About RMP
    • Publications
    • Training Resources
    • Frequent Questions
  • Guidance and Fact Sheets
    • Guidance for Facilities
    • Guidance for Implementing Agencies
    • Guidance for Inspections
  • Submitting an RMP
    • RMP*Comp
    • RMP*eSubmit
      • RMP*eSubmit User's Manual
    • Resubmit, Correct or Withdraw
  • Accessing RMP Information
    • Federal Reading Rooms
    • Vulnerable Zone Indicator System
  • General Duty Clause
Contact Us about the Risk Management Program Rule
Contact Us about the Risk Management Program Rule to ask a question, provide feedback, or report a problem.
Last updated on May 9, 2025
  • Assistance
  • Spanish
  • Arabic
  • Chinese (simplified)
  • Chinese (traditional)
  • French
  • Haitian Creole
  • Korean
  • Portuguese
  • Russian
  • Tagalog
  • Vietnamese
United States Environmental Protection Agency

Discover.

  • Accessibility Statement
  • Budget & Performance
  • Contracting
  • EPA www Web Snapshot
  • Grants
  • No FEAR Act Data
  • Plain Writing
  • Privacy
  • Privacy and Security Notice

Connect.

  • Data
  • Inspector General
  • Jobs
  • Newsroom
  • Regulations.gov
  • Subscribe
  • USA.gov
  • White House

Ask.

  • Contact EPA
  • EPA Disclaimers
  • Hotlines
  • FOIA Requests
  • Frequent Questions
  • Site Feedback

Follow.