Standard Operating Procedure: ISO 45001 Occupational Health and Safety (OH&S) Internal Audit

This document outlines the procedural requirements for conducting an internal safety audit in accordance with ISO 45001:2018 standards. The objective of this audit is to evaluate the effectiveness of the Occupational Health and Safety Management System (OHSMS), identify non-conformities, and verify that the organization’s safety policies are being applied consistently across all operational levels. This audit serves as a critical tool for continual improvement and regulatory compliance.

1. Planning and Preparation

• Define the audit scope: Determine which departments, sites, or processes are included.
• Establish audit criteria: Review the ISO 45001:2018 standard requirements and internal documentation.
• Select the audit team: Ensure auditors are independent of the processes being audited.
• Notify stakeholders: Provide formal notification to department heads regarding audit dates and required documentation.

2. Context of the Organization and Leadership

• Verify that the OH&S policy is documented, communicated, and accessible to all staff.
• Confirm top management’s commitment through evidence of resource allocation and oversight.
• Evaluate how the organization identifies internal and external issues affecting the OHSMS.
• Review how "Interested Parties" (workers, contractors, government agencies) and their requirements are identified.

3. Planning and Risk Assessment

• Check the register for Hazards, Identification, and Risk Assessment (HIRA): Is it up to date?
• Verify the process for determining legal and other regulatory requirements.
• Assess OH&S objectives: Are they measurable, monitored, and communicated to relevant functions?
• Examine change management procedures: How are new equipment or process changes vetted for safety risks?

4. Support and Operation

• Audit competence training logs: Ensure employees are trained to perform their jobs safely.
• Verify communication flows: Are safety alerts and policy updates reaching all levels of the organization?
• Assess document control: Are the current versions of safety procedures available?
• Review operational controls: Verify that physical safety measures (guarding, PPE, LOTO) are functioning as per the operational plan.
• Examine emergency preparedness: Inspect records of emergency drills and maintenance of firefighting equipment.

5. Performance Evaluation and Improvement

• Review internal audit records and management review meeting minutes.
• Verify the monitoring and measurement process for OH&S performance indicators.
• Check incident/accident investigation reports: Are root causes identified and corrective actions implemented?
• Audit the process for Non-conformity and Corrective Action (NC/CA): Are issues tracked to closure?

Pro Tips & Pitfalls

• Pro Tip: The "Show Me" Method. Do not just rely on paperwork. When auditing, ask employees to demonstrate how they perform a task safely. Discrepancies between the manual and actual practice are primary audit findings.
• Pro Tip: Focus on Leadership. ISO 45001 places high emphasis on management involvement. Ensure that leadership can speak to the OHSMS, not just the safety manager.
• Pitfall: Siloing the Audit. Do not treat the audit as a checklist exercise. Focus on how the OHSMS integrates with business operations. If it feels like an "add-on," it is likely not effective.
• Pitfall: Ignoring Contractors. A common failure point in audits is failing to verify that contractors adhere to the organization’s safety requirements. Ensure vendor contracts include safety mandates.

Frequently Asked Questions (FAQ)

Q: How often should an ISO 45001 internal audit be conducted? A: ISO 45001 does not dictate a specific frequency, but standard best practice is to conduct a full system audit annually. Many organizations choose to audit specific high-risk processes quarterly.

Q: What is the difference between a "Non-conformity" and an "Observation"? A: A Non-conformity is a failure to meet a specific ISO 45001 requirement or internal policy. An Observation is a suggestion for improvement or a potential risk area that does not currently violate a requirement but could lead to one in the future.

Q: Can a department manager audit their own department? A: No. ISO 45001 requires the audit process to maintain objectivity and impartiality. Internal auditors must be independent of the area or process they are auditing to ensure unbiased reporting.