ISO 45001:2018, the Occupational Health and Safety Management System standard, was published in early March 2018. This is the twenty-second in a series of blogs in which we describe what the implementing company must do in order to meet the requirements of the standard. We will now look at clause 9.2: Internal audit.
ISO 45001:2018 – Clause 9.2: Internal Audit
Clause 9.2.1 General
The organisation must conduct internal audits at planned intervals to provide information on whether the OH&S management system conforms to the organisation’s own requirements for its OH&S management system, including the OH&S policy and OH&S objectives and the requirements of ISO 45001. In addition, the audit allows the organisation to determine if its OH&S management system is effectively implemented and maintained. The extent of the audit programme should be based on the complexity and level of maturity of the OH&S management system.
Clause 9.2.2 Internal Audit Programme
The organisation must plan, establish, implement and maintain an audit programme, which contains information on:
- The frequency with which audits are conducted;
- The methodology/protocol used (should be in general conformance with the requirements of ISO 19011:2011 Guidelines for auditing management systems);
- Who is responsible for managing and conducting audits;
- What consultation takes place with auditees and the general workforce;
- How the audits are planned and implemented;
- The format for reporting audits.
The planning of the internal audit programme must recognise the importance of the processes concerned and the results of previous audits. This would be reflected in the audit programme being based on the results of the risk assessments of the organisation’s activities and the results of previous audits, which in turn would guide the organisation in determining the frequency of audits of particular activities, areas or functions and what parts of the OH&S management system should be given attention.
The OH&S management system audits should cover areas and activities within the scope of the OHSMS as defined by clause 4.3 of the standard and also assess conformity to ISO 45001.
The organisation must define the audit scope and audit criteria for each audit. Audit evidence should be evaluated against the audit criteria to generate the audit findings and conclusions. Audit evidence should be verifiable.
Prior to conducting the audit, the auditors should review appropriate OH&S management system documented information, and the results of prior audits. This information should be used by the organisation in planning for the audit.
The organisation must select auditors and conduct audits to ensure objectivity and the impartiality of the audit process. It can establish objectivity and impartiality of the internal audit process by creating a process that separates auditors’ roles as internal auditors from their normal assigned duties. Alternatively, it can utilise the services of external companies to conduct its internal audit programme.
After the audit is complete, the auditors must ensure that the results of the audits are reported to relevant managers. In addition, relevant audit results must be reported to workers and, where they exist, to workers’ representatives, and to other relevant interested parties.
The organisation must take action to address nonconformities in a timely and efficient manner and continually improve its OH&S performance. The audit report should be clear, precise and comprehensive.
The organisation must retain documented information as evidence of the implementation of the audit programme and the audit results.