Occupational Health & Safety – ISO 45001:2018 Internal Auditing Procedure Part 2/2

Your organization shall ensure that internal audits of the OH&S Management System are conducted at planned intervals to:

a) Determine whether the OH&S Management System:

Conforms to planned arrangements for OH&S management including the requirements of the ISO 45001:2018 Standard and
Has been properly implemented and is maintained and
Is effective in meeting the organization’s policy and objectives

b) Provide information on the results of audits to management.

Your Audit programme(s) shall be planned, established, implemented and maintained by the organization, based on the results of risk assessments of the organization’s activities, and the results of previous audits.

Audit procedure(s) shall be established, implemented and maintained that address:

a) The responsibilities, competencies, and requirements for planning and conducting audits, reporting results and retaining associated records and

b) The determination of audit criteria, scope, frequency and methods.

Selection of auditors and conduct of audits shall ensure objectivity and the impartiality of the audit process.

Introduction

OH&S Management System auditing is a process whereby organizations can review and continuously evaluate the effectiveness of their OH&S Management System.

In general, OH&S Management System audits need to consider OH&S policy and procedures, and the conditions and practices in the workplace.

An internal OH&S Management System audit programme should be established to allow the organization to review its own compliance of its OH&S Management System to ISO 45001:2018.

Planned OH&S Management System audits should be carried out by personnel, from within the organization and/or by external personnel selected by the organization, to establish the degree of compliance with the documented OH&S procedures, and whether the system is effective in meeting the OH&S objectives of the organization.

In either case, the personnel conducting the OH&S Management System audits should be in a position to do so impartially and objectively.

NOTE: Internal OH&S Management System audits focus on the performance of the OH&S Management System.

Safety Audits should not be confused with safety inspections.

Typical inputs:

• OH&S policy statement
• OH&S objectives
• OH&S procedures and work instructions
• Hazard identification, risk assessment and risk control results
• Legislation and best practices (if applicable)
• Non-conformance reports
• OH&S Management System audit procedures
• Competent, independent, internal/external auditor(s)
• Non-conformance procedure

Process:

1) Audits

OH&S Management System audits provide a comprehensive and formal assessment of the organization’s compliance with OH&S procedures and practices.

OH&S Management System audits should be conducted according to planned arrangements. Additional audits may need to be performed as circumstances require.

Only competent, independent, personnel should carry out OH&S Management System audits.

The output of an OH&S Management System audit should include detailed assessments of the effectiveness of OH&S procedures, the level of compliance with procedures and practices, and should, where necessary, identify corrective actions.

The results of the OH&S Management System audits should be recorded and reported to management, in a timely manner.

A review of the results should be carried out by management and effective corrective action taken (where necessary).

NOTE: The general principles and methodology described in ISO 19011 or BS 8800:1996, annex F, are appropriate for OH&S Management System auditing.

2) Scheduling

An annual plan should be prepared for carrying out internal OH&S Management System audits. The OH&S Management System audits should cover the entire operation, which is subject to the OH&S Management System, and assess compliance with ISO 45001:2018.

The frequency and coverage of OH&S Management System audits should be related to the risks associated with the failure of the various elements of the OH&S Management System.

Available data on the performance of the OH&S Management System, the output from management reviews, and the extent to which the OH&S Management System or the environment in which it operates should be considered during the scheduling process.

Additional, unplanned, OH&S Management System audits may need to be conducted, if situations occur which warrant them, e.g. after an accident.

3) Management support

For OH&S Management System auditing to be of value, top management should be fully committed to the concept of OH&S Management System auditing and its effective implementation within the organization.

This includes a commitment to consider OH&S Management System audit findings and recommendations and to take appropriate action as necessary, within an appropriate time.

Once it has been agreed that an OH&S Management System audit should be carried out it should be completed in an impartial way.

All relevant personnel should be informed of the purposes of OH&S Management System auditing and the benefits. Staff should be encouraged to co-operate fully with the auditors and to respond to their questions honestly.

4) Auditors

One or more persons may undertake OH&S Management System audits. A team approach may widen involvement and improve co-operation.

A team approach may also allow a wider range of specialist skills to be utilised.

Auditors should be independent of the part of the organization or the activity that is to be audited.

Auditors need to understand their task and be competent to carry it out. They need to have the experience and knowledge of the relevant standards and systems they are auditing to enable them to evaluate performance and identify deficiencies. Auditors should be familiar with the requirements set out in any relevant legislation.

In addition, auditors should be aware of, and have access to, standards and authoritative guidance relevant to the work they are engaged in.

5) Data collection and interpretation

The techniques and aids used in the collection of the information will depend on the nature of the OH&S Management System audit being undertaken.

The OH&S Management System audit should ensure that representative samples of essential activities are audited and that relevant personnel (including employee OH&S representatives, where appropriate) are interviewed.

Relevant documentation should be examined.

This may include:

• OH&S Management System documentation
• OH&S policy statement
• OH&S objectives
• OH&S and emergency procedures
• Permit to work systems and procedures
• Minutes of OH&S meetings
• Accident/incident reports and records
• Any reports or communication from the OH&S enforcement or other regulatory bodies (verbal, letters, notices, etc.)
• Statutory registers and certificates
• Training records
• Previous OH&S Management System audit reports
• Corrective action requests
• Non-conformance reports.

Wherever possible checks should be built into the OH&S Management System audit procedures to help to avoid misinterpretation or misapplication of collected data, information or other records.

6) Audit results

The content of the final OH&S Management System audit report should be clear, precise and complete. It should be dated and signed by the auditor.

The Audit report should, depending on the case, contain the following elements:

The OH&S Management System audit objectives and scope

The particulars of the OH&S Management System audit plan, identification of the members of the auditing team and the audited representatives, dates of audit and identification of the areas subject to audit

The identification of reference documents used to conduct the OH&S Management System audit (e.g. ISO 45001:2018, OH&S management handbook)

Details of identified non-conformance’s

The auditor’s assessment of the degree of conformity with ISO 45001:2018

The ability of the OH&S Management System to achieve the stated OH&S management objectives

The distribution of the final OH&S Management System audit report.

The results of OH&S Management System audits should be fed back to all relevant parties as soon as possible, to allow corrective actions to be taken.

An action plan of agreed remedial measures should be drawn up together with identification of responsible persons, completion dates and reporting requirements.

Follow up monitoring arrangements should be established to ensure satisfactory implementation of the recommendations.

Confidentiality should be considered when communicating the information contained within the OH&S Management System audit reports.

Typical outputs:

• OH&S Management System audit plan/program
• OH&S Management System audit procedures
• OH&S Management System audit reports, including nonconformance reports, recommendations and corrective action requests
• Signed-off/closed-out non-conformance reports
• Evidence of the reporting of the results of OH&S Management System audits to management.

Hints for implementation

Your OH&S audits should focus on objective evidence of conformance. During the actual audit, try to resist evaluating why a procedure was not followed.

This step will come later in the corrective and preventive actions.

During the audit, discuss identified deficiencies with the people who work in the area. This will help the auditors verify that their understanding is correct. It can also serve as refresher training (on OH&S requirements) for employees.

Before you start an audit, be sure to communicate the audit scope, schedule, and other pertinent information with the people in the affected area(s).

This will help avoid confusion and will facilitate the audit process.

Common non-conformances

Potential non-conformances include:

• Auditors are not sufficiently independent of the activity audited
• Responsibilities for performing audits are not clearly defined
• Audit program is not sufficiently comprehensive to cover all areas of the OH&S or activities which hazards can arise
• Audit frequencies are not based upon the levels of risk associated with the activity
• Audit format or activity not consistent with previous audits
• Audit reports are not completed within the original scope of the audit

Self assessment questions:

• Do you have an audit procedure and program?
• Do you undertake periodic OH&S audits?
• Does your audit program determine audit frequency?
• Have you selected and trained an OH&S audit team?
• Have you established a process to keep records of audit reports?