John Nolan Internal audits are a vital and mandatory part of any ISO 45001:2018-certified OHSMS (Operational Health and Safety Management System) – and for a good reason. An effective internal audit can identify whether the correct arrangements have been made for an OHSMS to meet the terms of the standard itself. It can also identify any process, resource or activity gap that exists, and allows corrective actions to be planned to address these non-conformities. This not only helps the OHSMS to meet the terms of the standard, but also increases the chance of maintaining employee well-being and safety. So, given that the internal audit function is so critical, what form should it take, where should responsibility lie, what content should be included, and what should be done with the information collected? In other words, how do you plan your internal audit program to be most effective?
Planning your internal audit
The frequency and specific aims of your internal audit may well be planned by your top management team, possibly in one of the management review meetings. But if incidents or accidents occur during the interim period, then the specific targets of any internal audit may be subject to change if the organization and workforce are to see real benefit. Therefore, it is critical that the internal audit schedule is planned, and can be changed with stakeholder input. This will ensure not just conformance to the standard, but also identification of any non-conformities in the OHSMS. It will also ensure that non-conformities are addressed with adequate corrective actions. In the previous article How to perform internal audit in ISO 45001 we looked at how to perform the audit function itself, but what shape should the audit plan take?
Breaking down your audit plan
There are several considerations an organization should make to ensure that the internal audit plan is as precise as possible. The output must be accurate, timely and useful in terms of panning activities to close any gaps and ensure that continual improvement is achievable. Let us consider them one element at a time:
- The purpose of the plan: We have already referred to this above, but it is critical that the plan outlines the strategic objectives of the internal audit function. Is it designed merely to identify gaps, or increase employee conditions? Does it merely ensure that the terms of the ISO 45001 standard are met? It is suggested that an effective internal audit plan and function should achieve all of these, plus identify where continual improvement can be achieved.
- The format of the audit plan: It is highly likely that your organization has an agreed format for this, but it can benefit you to consider several options when reviewing this format. Is all the correct information captured, along with details of times and dates? Remember: the quality and effectiveness of your corrective action greatly depend on this. Will you make paper and/or electronic copies available of the plan and output of the audit? As this information needs to be communicated to top management, it is important that this is accurate and traceable.
- Responsibilities within the audit plan: Does your organization have a suitably qualified internal auditor? If so, can you guarantee that the auditor will be impartial? Our article What competences should an ISO 45001 internal auditor have? can help you with this, but it is worth remembering that the effectiveness of your internal audit itself is only as good as your internal auditor.
- Output and review process: Is your audit plan and the audit itself effective? The accuracy of the information retained and the effectiveness of the plan is part of the overall measure of whether this function meets the organization’s needs. As with any function in the OHSMS, it will benefit from “Plan, Do, Check, Act.” If your results do not match your objectives, then review of your plan is required.
Planning for success
As with any function in a management system, the effectiveness of planning has a great bearing on the outcomes of that function. Selecting the right people with the right skills and competencies, recording data accurately and concisely in a relevant fashion and ensuring the outputs are reviewed and improved are all critical. The relevance and accuracy of planning the whole audit cycle at the outset is also of great importance. If any of these elements is not up to scratch, there is a chance that gaps can go unnoticed and that compliance with the standard will not be achieved. More importantly, your workplace will be a less safe environment for your employees. While studying the principles of ISO 19011, “Guidelines for auditing management systems” may help your organization with this task. It is critical that you set your internal audit program out in an intelligent and controlled manner. Treat the construction of your internal audit plan as the most critical starting point, and the chances of success increase greatly for the rest of the internal audit process.
For a better understanding of ISO 190011, see the whitepaper: How to perform an internal audit using ISO 19011
