ISO 45001 Clause 9.2 Internal Audit

In this article I’m going to cover clause 9.2 Internal audit. I’m going to break this clause down and turn it into something you can all understand. You’ll then be able to apply this to your own organization's system and understand what the requirements will look like for you. 

This clause starts off with sub-clause 9.2.1 General where it states...

The organization shall conduct internal audits at planned intervals to provide information on whether the OH&S management system:

a) conforms to:

1) the organizations’ own requirements for its OH&S management system, including the OH&S policy and OH&S objectives;

2) the requirements of this document (meaning ISO 45001);

b) is effectively implemented and maintained.

This sub-clause is spelling out what our internal audits should be conducted against – which is normally referred to as the criteria. Your planned audits should ensure that there are two criteria areas that you audit against, and will look something like this:

• The Criteria level is ISO 45001
• The System level is your own OH&S management system
• The Operations level is what they are actually doing

We then move on to the second subclause of 9.2.2 Internal audit program where it states...

The organization shall plan, establish, implement and maintain an audit program (s), including the frequency, methods, responsibilities, consultation, planning requirements and reporting, which shall take into consideration the importance of the processes concerned and the results of previous audits.

This is pretty clear that we are required to develop an audit program (sometimes referred to as an audit schedule). The audit program should be for all of the audits planned over a period of time – normally within businesses you see this over a period of 12 months. For myself, as a certification auditor, my audit programs for clients are over 3 years as this ties in with the 3-year certification cycle. It is up to the business to determine what timeframe the audit program is developed for its own internal audits. The audit program should include some key areas, which are:

• frequency – so when are the audits conducted? Which months? Or weeks? And how often?
• methods – this may include a reference to a procedure or a report template to be used for the audit.
• responsibilities – who is conducting which audits.
• consultation – ensure that the process of establishing what is included in your audit program is discussed with workers so that they can have input and provide feedback.
• planning requirements and reporting – again, this may reference a separate procedure that internal auditors are to follow when preparing, planning, conducting, and reporting on an audit.
• results of previous audits. If there were nonconformances raised in an audit this month for example, then this should prompt a review of the audit program, to ensure that this process or area that attracted the nonconformance is included in the audit cycle again. This ensures that high-risk areas (those that have had previous nonconformances) are picked up and reviewed or revisited sooner, rather than later.
• taking into account risk or as this clause says, take into consideration the importance of the processes concerned.

This audit program might have the organization's processes and activities listed and when they are to be audited and by whom. A major part of this is determining which procedures should be audited first or more often as they are high risk. This could be new procedures or procedures related to a new process or location or product.

You can see that this audit program should be a risk-based tool that you use to monitor key parts of the business with a focus on the high-risk areas. It is more important to conduct audits on areas of higher risk than auditing absolutely everything, even the areas that are low-risk and have never had any issues or changes.

Make sure that your audit program is a living, breathing tool that you use to benefit your business.

Before I move on to point b) I want to skip ahead in this clause a bit first to...

f) retain documented information as evidence of the implementation of the audit program and the audit results.

This clause requirement confirms that we need a documented audit program – it can’t just be in your head. So, everything I have talked about so far regarding an audit program, is in documented form, whether it’s a hard copy, electronic, or a software program. Then we also require documented information to be retained as evidence of the audit results. So, this means we need to see documented evidence of the outcomes of the audits conducted.

This could be as simple as an audit report which you need to ensure includes as per...

b) define the audit criteria and scope for each audit;

In your audit report you would include a field to document the audit criteria, which is WHAT you are auditing against, which could be a particular ISO clause or even a specific activity or procedure and then also include a field for the scope of the audit. The scope of the audit is the extent and boundaries. So, this could be specific locations, activities, departments, and so on.

Then finally we have points...

c) select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;

d) ensure that the results of the audits are reported to relevant managers, ensure that relevant audit results are reported to workers, and, where they exist, workers’ representatives, and other relevant interested parties.

To summarise these 2 final points:

• do not audit your own work. Therefore, if you generate the evidence within the scope of the audit, then you shouldn’t be auditing that area. You need to ensure another auditor who is impartial and has no conflict of interest is assigned to that audit in your audit program.
• and then once you have completed your audit report, ensure that it is provided to relevant management within the business, as well as communicated and shared with workers and any other relevant interested party, which could be customers or suppliers.

And then finally we have...

e) take action to address nonconformities and continually improve its OH&S performance (see Clause 10).

Therefore, ensure that you follow your corrective action process when nonconformances are identified as a result of the audit. To understand what is required for your nonconformance and corrective action process, be sure to refer to the video for clause 10.2.

Now that you have a better understanding of these requirements, it's time to take action and implement them in your own organization and ISO 45001 OH&S management system.

If you're itching to expand your knowledge on ISO 45001, make sure to check out our other articles on the topic, starting with a comprehensive breakdown of What is ISO 45001:2018 OH&S management systems?

But if you're more of a visual learner, head over to our ATOLTV ISO 45001 playlist on YouTube; and if you're ready to become an expert in ISO 45001 OH&S management systems, take a look at our range of courses and qualifications today.