How to Conduct an OHS Internal Audit: Step-by-Step Guide and Checklist

September 18, 2025 · 13 min read · FindRisk Team

The Audit That Found What Inspections Missed

A construction materials company in the Netherlands had been conducting monthly safety inspections for three years. Their incident rate was below the industry average. Their documentation was thorough. When they decided to pursue ISO 45001 certification, they commissioned an internal audit of their safety management system.

The audit found something the inspections had never detected: the company's hazard identification process — while producing thorough assessment documents — had no mechanism for ensuring that assessments were updated when processes changed. Three significant process modifications in the preceding two years had been implemented without any revision to the relevant risk assessments. The assessments were thorough, well-documented, and out of date.

According to the auditor, the incident they had been lucky not to have was "in the making."

Safety inspections check physical conditions. Safety audits check the management system — the processes, procedures, and systems that are supposed to produce safe physical conditions. Both are necessary. Neither replaces the other.


What Is an OHS Internal Audit?

An OHS internal audit is a systematic, independent examination of an organization's occupational health and safety management system to determine whether it:

  • Conforms to the organization's own requirements and procedures
  • Conforms to applicable legal and other requirements
  • Has been effectively implemented and maintained
  • Is achieving the organization's OHS objectives

An internal audit is not a safety inspection (which examines physical conditions), a risk assessment (which evaluates specific hazards), or an incident investigation (which examines the causes of a specific event). It is a systemic review — evaluating whether the management system is designed and operating as intended.

ISO 45001 Clause 9.2 requires organizations to conduct planned internal audits at defined intervals. The audit must:

  • Provide information on whether the OHS management system conforms to requirements
  • Provide information on whether the OHS management system is effectively implemented
  • Provide input for continual improvement

Internal Audit vs External Certification Audit

| Factor | Internal Audit | External Certification Audit |
|---|---|---|
| Conducted by | Organization's own trained auditors | Independent certification body |
| Purpose | System improvement; compliance verification | Third-party conformance assessment |
| Frequency | Typically annual (may be more frequent for high-risk areas) | Stage 1 + Stage 2 (initial); annual surveillance; triennial recertification |
| Outcome | Findings and improvement opportunities | Certification decision |
| Confidentiality | Internal | Certificate is public record |
| Cost | Internal resource only | Certification body fees |

The 5 Phases of an OHS Internal Audit

Phase 1: Planning

Effective audits begin with a defined scope, objective, and methodology. The audit plan must specify:

Scope: Which parts of the management system and which organizational units are covered. For a full system audit, this means all clauses of ISO 45001. For a partial audit, it means specific clauses, departments, or locations.

Criteria: Against what requirements will conformance be assessed?

  • ISO 45001:2018 requirements
  • Organization's own OHS policy, procedures, and standards
  • Legal and regulatory requirements

Audit team: Who will conduct the audit? Internal auditors must be:

  • Trained in audit methodology (ISO 19011 is the reference standard for auditing)
  • Independent from the area being audited (they should not audit their own work)
  • Competent in OHS — understanding the content of what they are auditing

Schedule: When will each part of the audit occur? Notify departments in advance — audits are not surprise inspections.

Document review: Before on-site activities, auditors should review:

  • OHS policy and objectives
  • Hazard register and risk assessments
  • Legal register
  • Corrective action logs
  • Training records
  • Previous audit findings

Phase 2: Opening Meeting

The audit begins with an opening meeting with the management representative and relevant staff. The purpose:

  • Confirm the audit scope, criteria, and schedule
  • Confirm the communication protocol (how findings will be raised)
  • Answer questions about the audit process
  • Establish the logistics for the on-site audit

Keep the opening meeting short — 15–30 minutes. It is not a presentation; it is a brief orientation.

Phase 3: On-Site Audit Activities

The audit collects evidence using three methods:

Interviews: Auditors speak with personnel at all levels — from senior management to front-line workers. The goal is to verify that what the management system says is happening is actually happening. Key questions:

  • Do workers know the organization's OHS policy and their responsibilities?
  • Do workers know how to report a hazard or near miss?
  • How are contractors managed when they work on site?
  • When was the last time a risk assessment was reviewed?
  • What happens to the findings from safety inspections?

Document and record review: Auditors review documented evidence:

  • Risk assessment records and revision history
  • Training and competency records
  • Inspection records and corrective action status
  • Incident investigation records
  • Legal compliance evaluation records
  • Management review minutes

Observation: Auditors observe work activities, physical conditions, and management behaviors:

  • Are procedures being followed in practice?
  • Is PPE available, in good condition, and being used correctly?
  • Are hazard controls in place and functioning?
  • Are there any visible non-conformances with documented procedures?

Phase 4: Findings and Closing Meeting

During the audit, the auditor records findings in three categories:

| Finding Type | Definition | Action Required |
|---|---|---|
| Nonconformity (Major) | Absence of, or complete breakdown of, a required management system element | Corrective action; root cause investigation; verification of effectiveness |
| Nonconformity (Minor) | Isolated failure to comply with a specific requirement that does not indicate a systemic problem | Corrective action; re-audit if significant |
| Observation / Opportunity for Improvement | An area where performance could be improved but is not a nonconformity | Improvement at organization's discretion |

The closing meeting presents the findings to management and agrees on next steps. The auditor should never spring findings on management in the closing meeting — findings should be discussed as they are identified during the audit.

Phase 5: Audit Report and Follow-Up

The audit report documents:

  • Audit scope, criteria, team, and dates
  • Summary of audit activities
  • All findings with supporting evidence
  • Overall conformance conclusion
  • Corrective action requirements

Follow-up: The most critical phase — and the most commonly neglected. Nonconformities require corrective action with a root cause analysis and a plan to prevent recurrence. The auditor (or a designated person) must verify that corrective actions have been implemented effectively before the finding is closed.


OHS Internal Audit Checklist: ISO 45001 Key Clauses

The following checklist covers the most commonly audited elements of ISO 45001. It is not exhaustive — a full system audit would cover all clauses in detail.

Leadership and Context (Clauses 4–5)

| Audit Item | Evidence to Seek |
|---|---|
| OHS policy is documented, communicated to all workers, and available to interested parties | Policy document, communication records, worker interviews |
| Top management demonstrates visible commitment to OHS (participating in inspections, reviewing OHS performance, etc.) | Management review records, inspection participation records |
| OHS roles and responsibilities are defined and communicated | Job descriptions, organizational charts, worker awareness |
| Workers are consulted on OHS matters; participation mechanisms exist | Consultation records, safety committee minutes, worker interviews |
| Legal and other requirements have been identified and are current | Legal register with review dates |

Planning (Clause 6)

| Audit Item | Evidence to Seek |
|---|---|
| Hazard identification process covers all activities, locations, and personnel (including contractors and visitors) | Hazard register, scope of risk assessment process |
| Risk assessments are current and have been reviewed after changes or incidents | Risk assessment records, revision history |
| Legal compliance has been evaluated | Compliance evaluation records |
| OHS objectives are documented, measurable, and communicated | Objectives register, management review records |

Support (Clause 7)

| Audit Item | Evidence to Seek |
|---|---|
| Competence requirements are defined for all roles with OHS responsibilities | Training needs analysis, competency framework |
| Training records are maintained and current | Training records, worker competency assessments |
| Workers are aware of their contributions to OHS and the consequences of not following procedures | Worker interviews |
| Documented information is controlled — current versions available; obsolete versions removed | Document control procedure, version control evidence |

Operation (Clause 8)

| Audit Item | Evidence to Seek |
|---|---|
| High-risk operations are controlled by documented procedures | Procedures for confined space, LOTO, working at height, hot work |
| Contractors are managed within the OHS management system | Contractor pre-qualification records, on-site induction records |
| Management of change procedure ensures OHS implications are assessed before changes | MoC records, risk assessment updates |
| Emergency procedures are documented, practiced, and known to workers | Emergency plan, drill records, worker interviews |

Performance Evaluation (Clause 9)

| Audit Item | Evidence to Seek |
|---|---|
| Safety inspections are conducted at defined frequencies with findings recorded | Inspection records, corrective action log |
| Incident reports are completed, investigated, and corrective actions assigned | Incident register, investigation records, corrective action closure |
| Legal compliance is evaluated regularly | Compliance evaluation schedule and records |
| Management review is conducted at planned intervals with defined inputs and outputs | Management review minutes, actions |

Improvement (Clause 10)

| Audit Item | Evidence to Seek |
|---|---|
| Corrective action process is functional — root causes identified, actions implemented, effectiveness verified | Corrective action register, closure evidence |
| Near miss reports are captured and investigated | Near miss register, reporting rate trends |
| OHS performance shows continual improvement over time | KPI trend data, incident rate trends |

Common Internal Audit Findings

The following nonconformities appear most frequently in OHS internal audits:

| Finding | Root Cause | Corrective Action Direction |
|---|---|---|
| Risk assessments not updated after process changes | No management of change procedure | Implement formal MoC process with OHS impact assessment |
| Corrective actions from previous audits not closed | No tracking system; owners not accountable | Implement corrective action register with escalation for overdue items |
| Legal register incomplete or not updated | No designated responsibility for legal monitoring | Assign ownership; subscribe to regulatory update service |
| Contractors not inducted to OHS requirements | No formal contractor management process | Develop contractor prequalification and induction procedure |
| Hazard identification does not cover all activities | Scope limited to "main" work areas; non-routine tasks excluded | Review hazard identification scope; include maintenance, emergency activities |
| OHS objectives not measured or not communicated | Objectives exist in policy but no measurement system | Define KPIs for each objective; include in regular reporting |

How FindRisk Supports OHS Internal Audits

Pre-audit evidence collection: Before the audit, safety officers can use FindRisk to generate a summary of recent inspection findings, corrective action status, and incident reports. This provides the auditor with current operational evidence without requiring manual data extraction from multiple systems.

Audit observation recording: During the on-site audit, auditors use FindRisk to record observations, photograph non-conformances, and capture interview notes. Findings are organized by clause reference automatically.

Corrective action tracking: Each nonconformity from the audit generates a corrective action item in FindRisk, assigned to a named owner with a deadline. The audit finding is closed only when corrective action has been verified effective — not when the response is submitted.

ISO 45001-aligned reporting: FindRisk generates audit reports structured against ISO 45001 clause references — ready for submission to certification bodies or for management review.


Frequently Asked Questions

How often must internal audits be conducted for ISO 45001?

ISO 45001 Clause 9.2 requires internal audits to be conducted at "planned intervals." The standard does not specify a frequency. The frequency should be risk-based — higher-risk operations or areas with previous nonconformities should be audited more frequently. Most organizations conduct a full system audit annually, with more frequent partial audits of high-risk operational areas. Certification bodies typically expect evidence of at least one full system audit per certification cycle.

Can a safety officer conduct the internal audit of their own department?

No. The auditor must be independent of the area being audited. A safety officer can audit a department they are not responsible for, but they should not audit their own procedures or management system elements they designed. For small organizations without sufficient trained internal auditors, an external auditor (not the certification body) may be used for the internal audit function.

What training is required to become an internal OHS auditor?

Internal auditors should complete formal training in audit methodology — typically a two-day course covering ISO 19011 (Guidelines for Auditing Management Systems) principles and a practical audit exercise. The auditor should also be competent in the content of the OHS management system — not just the audit process. Many organizations cross-train safety officers as internal auditors.

What happens if a major nonconformity is found during an internal audit?

A major nonconformity requires immediate action to address the safety risk (if applicable) and a corrective action plan with root cause analysis. If the nonconformity relates to an ongoing risk — for example, a complete absence of risk assessment for a high-hazard activity — the work must be controlled until the risk is assessed and controls are in place. Major nonconformities must be tracked to effective closure before the internal audit finding is considered resolved.


Conclusion

The internal audit is the organization's opportunity to look at its own safety management system from the outside — to ask not "are our inspection records complete?" but "is our system actually producing the safety outcomes we intend?"

The difference between organizations that improve after audits and those that don't is almost always in the follow-up. Finding a nonconformity is the easy part. Conducting root cause analysis, implementing effective corrective action, and verifying that the nonconformity does not recur — that is where the value is generated.

Internal audits are not about finding fault. They are about finding the gaps between what the safety management system promises and what it delivers — before those gaps produce an incident.

Download FindRisk to support your internal audit program with mobile observation recording, automatic corrective action tracking, and ISO 45001-aligned reporting.
