If the word “audit” puts you into fight-or-flight, you are not alone. For most pipeline operators, a notice from the Pipeline and Hazardous Materials Safety Administration (PHMSA) lands somewhere between a tax letter and a fire drill. The good news: PHMSA inspections are structured, the criteria are published in advance, and operators who run their program well throughout the year rarely get surprised in the audit room.
This guide walks through what to expect, where operators most often get tripped up, and what to have ready before the inspector ever shows up.
Why PHMSA Audits Happen in the First Place
PHMSA enforces 49 CFR Part 199 (the drug and alcohol testing rule for pipeline operators) and 49 CFR Part 40 (the DOT procedural rule that governs how those tests are collected, reviewed, and reported). An audit is PHMSA confirming, on paper and in person, that your anti-drug and alcohol misuse prevention program looks the same in practice as it does in your plan.
Audits can be triggered three ways: routine inspection cycles, follow-up to a reportable incident, or a complaint or referral. All three follow roughly the same playbook — the difference is mostly in how much PHMSA already knows before they arrive.
How Do You Know an Audit Is Coming?
PHMSA provides formal written notice in advance, typically by email or mail. That notice will list:
- The scope of the inspection (including any specific regulations or incidents the auditor plans to focus on)
- The date and location of the inspection
- Documentation requested in advance — commonly collector and BAT (Breath Alcohol Technician) certifications, MIS / DAMIS statistical data, SAMHSA-certified laboratory summaries, and your written program
Advance notice is helpful, but it is not a license to start preparing the week the letter arrives. The records PHMSA wants are records you should be able to produce on any business day. Operators who treat the audit notice as the start of preparation are usually the ones who end up scrambling..
What PHMSA Actually Checks
PHMSA publishes its inspection criteria in the Anti-Drug and Alcohol Misuse Program Inspection Protocol Form 4.1 (Revision 3, March 2021). It is, effectively, the inspector’s open-book test. Read it before they do. Operators who pass cleanly are the ones who can produce documentation across all of these areas:
- Current contact information for the employer and all service agents — the Designated Employer Representative (DER), Medical Review Officer (MRO), and any C/TPA, collector, lab, or Substance Abuse Professional (SAP) you rely on
- A current, written Anti-Drug and Alcohol Misuse Prevention Plan (often shorthand as “the PHMSA D&A plan”)
- Correct random selection rates and the supporting MIS / DAMIS statistical data
- Documented employee awareness training and supervisor reasonable-suspicion training
- Compliant testing across every required category — pre-employment and random drug testing, plus post-accident, reasonable cause, return-to-duty, and follow-up testing (alcohol testing is required post-accident, on reasonable suspicion, and for return-to-duty and follow-up; PHMSA does not require pre-employment or random alcohol testing)
- Complete recordkeeping for the full retention period
- Verified use of certified service agents who themselves follow 49 CFR Part 40
Where Operators Actually Fail
In our experience administering DOT and non-DOT programs across oil and gas, the operators who fail audits almost never fail because the test itself was performed incorrectly. They fail on the paper trail. The recurring red flags:
- Written policies that do not match what the field actually does
- Inconsistent procedures between regions, contractors, or hiring managers
- Missing or incomplete documentation — especially post-accident decision records and random selection logs
- Assumed service agent compliance — trusting that your collector, lab, or C/TPA is current without ever verifying it
That last one stings the most, because PHMSA holds the operator accountable for the service agent.
What the Audit Itself Looks Like
Timelines scale with the size of the operator, but the structure is consistent. Most PHMSA D&A audits unfold in three phases.
1. Opening meeting. PHMSA representatives sit down with your DER and program leadership to outline the agenda, confirm points of contact, and walk through the structure of your testing program.
2. Documentation and records review. This is the bulk of the audit. Auditors compare your records to the requirements of 49 CFR Parts 199 and 40. Commonly pulled documents include:
- The written Anti-Drug and Alcohol Misuse Prevention Plan
- Drug and alcohol testing records (CCFs, ATFs, MRO results)
- MIS / DAMIS reports
- Employee rosters for covered positions
- Random selection records
- MRO certifications
- Collector and BAT certifications
- SAP documentation for any return-to-duty cases
- Semi-annual laboratory statistical reports
3. Interviews and (sometimes) a facility walkthrough. Auditors will sit with program administrators to verify that responsibilities, policies, and procedures are actually owned — not just written down. Some audits also include a tour of the operational site to confirm workflow.
At the close, PHMSA shares preliminary observations, documentation gaps, and follow-up expectations. If corrective action is needed, a timeline comes with it. Formal written findings usually follow later.
What Happens If There Are Findings
PHMSA auditors generally lead with education and correction before escalating to enforcement. Findings arrive in writing and identify specific deficiencies, ranging from minor documentation gaps to material issues with testing procedures or post-accident response.
Operators are typically given a defined response window — anywhere from a few weeks to several months depending on severity — to demonstrate corrective action. That usually means some combination of revised policies, retraining, fixed procedures, improved recordkeeping, or additional documentation. Auditors may request proof of resolution, and depending on the issue, a follow-up review can occur. The operators who fare best are the ones who cooperate fully, fix fast, and document the fix.
How to Prepare — the Operator Checklist
Treat audit readiness as an ongoing program, not a project. The five habits that separate clean audits from painful ones:
- Centralize documentation. One source of truth for your plan, MRO results, random selections, and service agent certifications. If three people have to be called to find one record, that is the gap.
- Assign compliance ownership in writing. Your DER is named in the regulations for a reason. Make sure that role — and any backup — is documented, trained, and current.
- Reconcile the plan to the practice quarterly. Walk through your written program with the people executing it and confirm they actually do what it says. This is where most audits unravel.
- Verify your service agents. Pull current certifications for every collector, BAT, lab, MRO, and C/TPA you use. Annually at minimum. Keep proof on file.
- Run a mock audit. Use the PHMSA Inspection Protocol Form 4.1 as your script. The first time someone runs that checklist against your program should not be the day an inspector arrives.
The Bottom Line
PHMSA audits reward the boring stuff — clean records, current certifications, consistent procedures. There is no shortcut, but there is also no mystery. The criteria are published, the process is predictable, and operators who keep their program tight year-round walk in confident and walk out clean.
Running a compliant testing program is doable in-house, provided someone has the bandwidth, the regulatory fluency, and the time to track PHMSA’s Federal Register updates. For many operators, that someone is Pipeline Testing Consortium (PTC). We administer DOT and non-DOT testing programs across oil and gas, handle the documentation and service agent oversight that audits hinge on. Contact us today for more information on all our services.
