CHAPTER 16: INTERNAL OHSMS AUDIT

16.1 Why conduct internal audits? (ISO 45001, Clause 9.2.1)

An internal audit is a key element of the PDCA cycle. ISO 45001 defines an audit as a systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit ‘criteria’ are fulfilled.

Having established and implemented an OHSMS, an organisation must verify through various measurement and monitoring processes if the system is working according to its defined plans and delivering its intended outcomes. An internal OHSMS audit evaluates the implementation and effectiveness of individual OH&S processes as well as the OHSMS as a whole. ISO 45001 defines the objectives of conducting an OH&S internal audit as follows:

To determine the extent to which the OHSMS of an organisation conforms to the requirements of ISO 45001;

To determine the extent to which the OHSMS conforms to the organisation’s own (self-defined) requirements, such as its OH&S policy, procedures, objectives and processes;

To determine the extent to which the OHSMS enables an organisation to prevent or minimise OH&S risks;

To determine the extent to which the OHSMS enables an organisation to comply with regulatory and other requirements to which it subscribes;

To determine if the implementation of the OHSMS is effective and reflects continual improvement. It must be noted that processes must not be seen as a set of mechanical motions, but must also be effective in delivering their intended outputs; and

To identify opportunities for improvement.

Audits are classified into three categories: first party, second party and third party. First-party audits are internal audits. Second- and third-party audits are external audits.

First-party audits – Organisations use first-party audits to audit themselves. These audits are conducted by an organisation for its own objectives, as listed in the above paragraph. It is possible for an organisation to use its own auditors or to hire external auditors to conduct its first-party audits. The internal audits are also the ones mandated by ISO 45001.

Second-party audits – are external audits. They are usually completed by others who have some interest in the organisation. These could be customers, customer-appointed auditors or regulating bodies.

Third-party audits – are performed by independent organisations such as regulators or certification bodies. These may grant approval or certification.

16.2 Internal audit programme (ISO 45001, Clause 9.2.2)

ISO 45001 requires an organisation to plan, establish, implement and maintain an OHSMS audit programme. The programme shall define the following features:

Frequency: An organisation must define the frequency at which audits will be carried out. This may depend upon a ‘risk-based approach’, which includes complexity, results of previous audits, risks involved, potential opportunities, organisational context and legal considerations.

Methodology: An organisation must define the methodologies used when conducting internal audits. This may include defining if and how checklists are used; the conduct of opening and closing meetings; grading of nonconformances; the sampling procedure; review of corrective actions; auditor selection and competencies; audit schedule; audit scope; audit report requirements and the reporting of audit findings.

Responsibilities: An organisation shall define the roles and responsibilities of auditors, auditees, managers and others involved in the audit process. This could include responsibilities relating to preparation of audit plans, pre-audit consultation with auditors and auditees, role of lead auditor and co-auditors, preparation of checklists, responsibility of auditees, report writing, responsibility for timely corrective actions and the responsibility for review of corrective actions.

16.3 Internal audit criteria and scope

OH&S audit criteria: These are used as a reference against which audit evidence is compared. They would normally include:

An organisation’s own OH&S policies, procedures, plans, objectives and requirements;

Requirements specified in ISO 45001;

Applicable legal and other requirements to which an organisation subscribes;

Framework standards or requirements laid down by the parent organisation; and

Customer requirements (in the case of second-party audits).

OH&S audit scope: This typically refers to the geographical locations, departments, functions, processes or organisational units that would be covered by the audit. It could also refer to the criteria against which the audit is carried out. These could be a few or all clauses of ISO 45001, framework standards or specific OH&S regulations. Consider, as an example, organisation ABC, located in the city of Manchester, undergoing an internal OHSMS audit. Its scope could be as follows:

Location: ABC, XYZ Road, Manchester, AA4M 5BB

Departments: All departments and functions of the organisation.

Criteria: All clauses of ISO 45001.

When: 1–4 January 2020.

Audit findings: Audit evidence when evaluated against audit criteria would result in either a conforming or nonconforming situation. In both cases it would be termed as an ‘audit finding’. Audit findings give a clear picture of the extent to which audit criteria are met or not met. Audit findings can also identify best practices or improvement opportunities.

When requirements of a standard are used as audit criteria, auditors often use the terms conformity and nonconformity to indicate whether the stated requirements are met or not. However, when legal requirements are used as audit criteria, auditors tend to use the terms compliance and noncompliance (instead of conformity and nonconformity).

16.4 Competence of auditors

An auditor is a person who carries out an audit. Auditors collect evidence in order to evaluate how well audit criteria are being met. Audits demand special skills, knowledge and attitudes on the part of auditors. An OHSMS auditor is expected to have the following skill sets in order to be considered competent for conducting audits:

Impartial attitude, independence, ethical behaviour and communication skills;

Knowledge of ISO 45001 (or any other document(s) used as criteria);

Knowledge of audit guidelines defined in ISO 19011;

Knowledge of OH&S;

Knowledge of the functions and processes of the organisation under audit;

Knowledge and skills of conducting and reporting an audit; and

Consider just one example of the various skills that an auditor must possess. An auditor is often required to verify the effectiveness of corrective actions taken on findings (nonconformances) of earlier audits. This includes considerations such as:

Was the identified nonconformity adequately mitigated and corrected?

Was the root cause(s) identified correctly?

Were the actions taken adequate to ensure elimination of root causes? Did these actions actually prevent a recurrence of the same event?

Have other similar situations, activities, materials, locations and equipment been reviewed for presence of the same, or similar, nonconformance? A nonconformity is like a bad fish in a pond. Removing some and not others is not likely to be of much good.

Have deficiencies in training, organisational structure, resources and management commitment been considered and addressed?

The above example highlights just one of the many skills that an auditor must have. Not every auditor needs to be equally qualified to audit every area included within the scope of an audit. However, the combined competence of the audit team members should be appropriate to achieve all the defined objectives of the audit. It is up to the individual responsible for selecting the audit team, usually the audit manager or the audit team leader, to ensure that the audit team is adequate and well balanced.

16.5 Audit as a tool for continual improvement of OH&S performance

It may be appropriate to mention that an auditor’s most important contribution is to add value to an organisation through the auditing process and its outcomes. This happens when the audit process provides information that could form useful input for making changes, taking corrective actions and pursuing continual improvement.

Auditing should be considered as a means of helping an organisation to identify and improve its effectiveness and efficiency. This could happen when an auditor identifies a nonconforming or ineffective process. In both cases, an organisation is presented with an opportunity for improvement. A nonconformance would entail corrective actions by identifying and eliminating the root cause(s). If done correctly, it would prevent the nonconformance or the incident from repeating itself. Similar benefits will accrue when an auditor identifies a process that is ineffective in achieving its intended outputs. Audit findings make organisations carry out an in-depth evaluation of the causes that generate nonconformances. Audits provide an opportunity to question the adequacy of hazard identification, the competence of workers, the availability of procedures, the calibration of equipment, the participation of workers, the efficacy of supervision, the quality of corrective actions, the robustness of operational controls and a host of other issues. As a result of the audit findings, an organisation may consider numerous value-adding options to improve its OHSMS. Some of these conclusions may be to:

Enhance the inspection, measurement and monitoring functions;

Improve the hazard identification process and introduce job safety analysis;

Provide training on root cause analysis;

Improve the process of corrective actions;

Introduce new technology;

Modify processes to alleviate monotonous and repetitive work;

Implement new controls such as toolkit meetings and PTW;

Improve incident investigations; and

Retrain workers, especially in the areas identified by the audit.

Viewed from a constructive angle, audits are a win-win process and a great tool for value-adding and continual improvement of the OHSMS.

16.6 Implementing an OH&S internal audit programme

To establish an internal OH&S audit procedure, begin by nominating a competent person to assume overall responsibility for ensuring that all tasks such as audit planning, conducting, reporting and follow-up audits are implemented effectively. Select and train a team of auditors for conducting OHSMS audits. Prepare an audit plan that reflects the frequency and the scope of each audit. The audit plan must give due consideration to the significant hazards and risks of the organisation, and the results of previous audits.

The competence of auditors plays an important role in the quality and results of an audit. It is therefore worthwhile investing in auditor training and competence. A good OH&S auditor training programme could be spread over three to seven days and include topics such as the principles of OH&S, hazard identification, risk assessment, hierarchy of controls, OH&S regulatory requirements, corrective and preventive actions, requirements of ISO 45001, guidelines mentioned in ISO 19011 and the skill sets described in paragraph 16.4.

It is good practice to share the audit plan with the auditors and the auditees well in advance. Auditors must prepare themselves by gaining awareness of specific hazards, risks, controls, processes, laws and documentation of the organisation before the start of the audit. Preparation of audit checklists can be of great help in maintaining focus, managing audit time and ensuring that all requirements have been covered.

The independence of auditors is a mandatory requirement and can be ensured by not nominating an auditor for an activity that falls under his/her own area of responsibility. As an example, a manager responsible for implementation of PTW should not be asked to audit activities that are primarily controlled by a PTW system. Any other audit nomination that may suggest a ‘conflict of interest’ should also be avoided.

When raising nonconformities, auditors must always describe the evidence collected and the specific clause(s) of the standard, procedure or criteria that were violated. It is best to keep the audit process open, transparent and based on two-way communication. Nonconformances and opportunities for improvement must be discussed with auditees so that they understand the rationale for a particular finding.

The overall results of an OH&S audit are typically communicated in a ‘closing meeting’ held between auditors, senior management and any other interested party that management may wish to include. A formal written report that includes all findings must also be submitted either at the closing meeting or soon after. The concerned managers respond by allocating responsibilities for taking corrective actions, review and closure of nonconformances.

16.7 Documented information

Documented information relating to OH&S audits must be maintained or retained for:

Audit plans and procedures;

Auditor’s training and competence records;

Audit findings;

Audit reports, containing results of the audit; and

Audit-related corrective actions and verification of their effectiveness.
