ISO 45001:2018 Occupational Health & Safety Management System internal audit
The ISO 45001:2018 Occupational Health and Safety (OH&S) standard was released early in 2018. The international standard sets the requirements for an occupational health and safety management system (OH&SMS). It consists of 10 top-level clauses, which break down into many sub-clauses that define hundreds of individual requirements. A successful ISO 45001:2018 implementation requires organizations to fulfil the seven auditable clauses (4-10) and meet their customer and applicable governing and legal requirements.
ISO 45001 internal audit, an essential clause of certification
An essential clause certification-seekers must satisfy Clause 9.2: Internal Audit, which states that an organization must conduct internal audits on a scheduled basis to determine whether the OH&S processes and procedures comply with its OH&SMS, its OH&S policy, and objectives, and the standards’ requirements. The purpose of the internal audit is to provide objective assurance that your governance, risk management, and internal control processes are operating at an optimal level.
OH&S generalization requirements for auditing
Your organization must run internal audits at planned intervals to uncover information on whether the OH&SMS complies with:
- OH&SMS organizational requirements (this includes the OH&S policy and objectives)
- ISO 45001:2018 requirements
- The requirements to ensure effective OH&SMS implementation and maintenance
The scope of the audit program should be proportionate to the complexity level and maturity stage of the OH&SMS. For higher-level conformance, your internal auditing program can span three years with a stronger focus on the higher risk compliance areas of your OH&SMS.
Role of the internal audit program, Plan, establish, implement and maintain your audit program.
Your organization is required to plan, establish, implement and maintain an audit program, which includes information on:
- The frequency with which audits are taking place
- The methodology and protocol utilized must broadly conform with the ISO 19011:2011 Guidelines for auditing management systems requirements
- Who does the responsibility of performing and overseeing audits fall on?
- Is consultation occurring with the employees being audited and the general workforce?
- How audits are designed and implemented
- The format is being used for audit reporting.
Define the scope and audit criteria
When designing the internal audit program, you must ensure that the significance of the concerned processes and previous audit results are taken into account. Into so, the audit program must be based on the findings of the organization’s activities’ risk assessments and past audit findings. This is particularly helpful in determining the required audit frequencies for certain activities, regions, or processes and what part of the OH&SMS should be focused on.
The OH&SMS audits should incorporate areas and activities in the OH&SMS scope as per the guidelines of clause 4.3 of the standard and assess compliance with the ISO 45001:2018 standard. The organization for each audit should define the audit criteria and content. Evidence from the audit must be assessed against audit criteria to produce the results and conclusions of the audit. Audit evidence must always be verifiable.
Before the audit is to take place, the person in charge of conducting it must review all relevant OH&SMS documented information and the findings of past audits. This information is key during the audit planning phase.
Choose your auditors and conduct audits
For the sake of total impartiality and objectivity, the assigned auditors must also be subject to auditing. The organization must foster a climate of objectivity and impartiality throughout the internal auditing process by ensuring the internal auditors’ functions are completely independent of their regular assigned duties.
Auditors may be required to undergo some form of external training to ensure the assigned employees are well equipped for the challenging task ahead of them. In the event where that proves difficult to accomplish, as it is common with smaller organizations, the services of a third-party entity may be sought.
Choose your auditors and conduct audits.
For the sake of total impartiality and objectivity, the assigned auditors must also be subject to auditing. The organization must foster a climate of objectivity and impartiality throughout the internal auditing process by ensuring the internal auditors’ functions are entirely independent of their regular assigned duties.
Auditors may be required to undergo external training to ensure the assigned employees are well equipped for the challenging task ahead of them. In the event where that proves difficult to accomplish, as it is common with smaller organizations, the services of a third-party entity may be sought.
Ensure audit findings are reported to all relevant managers
Once the audit is completed, the auditors are responsible for reporting the results to their reporting manager. In addition to that, results are also reported to workers, their hierarchical superiors, and any other relevant interested parties.
Take action to address nonconformities and continually improve your OH&S performance
Nonconformities should always be addressed, and corrective action must be taken in a timely and efficient manner to ensure continual OH&S performance improvement. Audit reports should always be clear, precise, and comprehensive.
Retain documented information
Audit records, implementation evidence, and all documented information must always be retained by the organization. Findings should be shared during management meetings, consultation meetings, and OH&S review meetings. You should always maintain a record register with all your audit results and non-conformances records, as well as all documents about all corrective actions taken with any further recommendations for improvement opportunities. Finally, you must keep all evidence relevant to how employees and all relevant parties are informed of the audit results.