John Nolan Updated: August 20, 2023.
Clause 9.2 of ISO 45001 outlines the standard’s expectations of organizations to perform internal audits. The standard requires that the internal audit needs to meet the planned arrangements of the OH&S Management System, and the outputs need to be made available. The internal audit schedule must be planned and established, and based on the results of both risk assessments and previous audit results.
While most of this seems sensible and standard, like several clauses in ISO 45001, the internal audit should be taken more seriously than its equivalent in say, ISO 9001 (Quality Management) or ISO 14001 (Environmental Management). The reason for this is simple: ineffective auditing in ISO 45001 can endanger the well-being of your workforce. So, in that case, how can we ensure that the internal audit function is as effective as possible, and that the ensuing actions protect the health and safety of the workforce? After all, the internal audit is not only a requirement of the ISO 45001 standard, but also a real opportunity for improvement.
To make the results of your ISO 45001 internal audit truly effective, ensure this audit is:
- thorough
- honest
- accurate
Internal audit: When, who, and how?
The organization should have planned your internal audits at regular intervals when performing the management review, which you can read more about in this previous article: How to perform management review in ISO 45001. But, it should be noted that the results of incidents, accidents, stakeholder input, or risk assessment can and should be used to initiate an internal audit outside your regular schedule if this is deemed beneficial to your organization’s overall health and safety performance. So, let us look at the “when, who, and how” of the internal audit in the ISO 45001 system.
- When: As stated above, the internal audit should be carried out at “planned intervals,” or when additionally deemed necessary or beneficial to your ISO 45001 system.
- Who: The standard states that the selection of the auditor needs to ensure “impartiality and objectivity.” The selection of the auditor is critical. Obviously, the auditor must have experience and preferably formal training, and be acutely aware of the organization’s OH&S Policy, objectives, and performance. In my experience, many organizations consider taking external advice from an expert for internal audit purposes; such is the criticality of the internal audit process.
- How: The internal auditor must have all relevant information in hand, in terms of “input” to the process. Risk assessment information and results, OH&S performance outputs, stakeholder input if relevant, and desired OH&S objectives will all be required by the auditor. The auditor should also have access to all information and people relevant to OH&S performance in your organization. Several different versions of audit documents can be used, and your organization should select the type that fits its needs best.
So, given that we understand the “when, who, and how” of the internal audit, it seems sensible to consider “why.” As mentioned above, in addition to being a standard requirement under ISO 45001, the internal audit should be viewed as a key driver in the continual improvement cycle and a hugely important preventive measure for health and safety in the workplace. Therefore, those involved in interaction with the auditor should strive to provide accurate and truthful information during the course of the audit. “Objectivity and impartiality,” along with accurate assessment should equal the opportunity for candid assessment and suggestions for improvement, based on past and current data. So, what should be done with the output from the audit?
Internal audit output: How to utilize it for maximum benefit
The ISO 45001 standard states that the results of any internal audits should be made available to management. As such, decisions can be made by the top management team on actions that should result from the internal audits. However, it is also beneficial in terms of continual improvement if the auditor himself/herself makes suggestions on the basis of the audit itself, given that he/she has had more direct interaction and experience with the process and procedures during the audit itself. In this way, the management team will have a more rounded view of the effectiveness of the audit and the validity of its results, resulting in a greater chance of continual improvement and output that prevents potential incident and accident. Documenting this process, including the findings, outcomes, and actions, is obviously a necessity given that the internal audit must take its place in the cycle of improvement.
Ensure the audit is thorough, honest, and accurate. Likewise, use the “plan, do, check, act” maxim to ensure the resulting actions are implemented, effective, and maintained. Only then can the results of your internal audit be said to be truly effective.
Improve your knowledge of auditing techniques with this ISO 45001 Internal Auditor Course.
