ISO 45001 Internal Audits: A Practical Field Guide for EHS Teams

Move beyond checkbox audits. Learn how to conduct effective ISO 45001 internal audits that drive real safety improvements and prepare you for certification.

SafetyWarden Team

Introduction

ISO 45001:2018 is now the global standard for Occupational Health and Safety Management Systems. But maintaining certification requires more than an annual external audit—it demands regular, effective internal audits that drive continuous improvement.

Too many organizations treat internal audits as a compliance checkbox rather than a tool for genuine risk reduction. This guide will show you how to conduct field audits that surface real issues, engage workers, and prepare your organization for external certification audits.

Understanding ISO 45001 Internal Audit Requirements

Clause 9.2.2: What the Standard Requires

ISO 45001 mandates that organizations conduct internal audits at planned intervals to ensure the OH&S management system:

  • Conforms to the organization's own requirements
  • Conforms to ISO 45001:2018 requirements
  • Is effectively implemented and maintained

Key Point: The audit frequency must be based on risk—high-risk areas need more frequent auditing than administrative functions.

Audit Scope: What to Cover

Your internal audit program must cover all elements of the OH&S management system:

  • Context of the organization (Clause 4)
  • Leadership and worker participation (Clause 5)
  • Planning, including risk assessment (Clause 6)
  • Support (competence, awareness, communication, documentation) (Clause 7)
  • Operational controls (Clause 8)
  • Performance evaluation and monitoring (Clause 9)
  • Improvement, including incident investigation and corrective actions (Clause 10)

Pre-Audit Preparation: Set Yourself Up for Success

1. Build Your Audit Team

Select auditors who are:

  • Independent of the area being audited
  • Trained in ISO 45001 requirements (minimum 16-hour course recommended)
  • Competent in audit techniques (questioning, sampling, evidence verification)

Pro Tip: Include shop floor supervisors as auditors-in-training. They bring ground reality into the audit process.

2. Develop Risk-Based Audit Plans

Don't audit every department equally. Prioritize based on:

  • Injury/incident history
  • Hazard exposure levels
  • Process complexity and change frequency
  • Previous audit findings
  • Regulatory inspection history

Example: A chemical processing unit should be audited quarterly, while administrative offices may be audited annually.

3. Prepare Audit Checklists Aligned to Clauses

Create field-ready checklists that translate ISO clauses into observable evidence:

Sample Checklist for Clause 5.4 (Worker Consultation and Participation):

  • Are workers involved in hazard identification and risk assessment?
  • Do safety committee meeting minutes show worker participation?
  • Can workers describe how they report safety concerns?
  • Are worker suggestions on safety acted upon and communicated back?

Conducting the Field Audit: What to Look For

Opening Meeting Protocol

Start each audit location with a 10-minute opening meeting:

  • Explain audit scope and objectives
  • Request access to documents and personnel
  • Clarify that the goal is improvement, not punishment
  • Confirm audit schedule and closing meeting time

Evidence Collection Techniques

1. Document Review

Verify that documented information exists and is current:

  • OH&S policy (Clause 5.2)
  • Risk assessment and control records (Clause 6.1.2)
  • Legal and compliance registers (Clause 6.1.3)
  • Competence and training records (Clause 7.2)
  • Operational control procedures (Clause 8.1)
  • Monitoring and measurement data (Clause 9.1.1)
  • Incident investigation reports (Clause 10.2)

Audit Tip: Don't just check if documents exist—verify they're being used in the field.

2. Shop Floor Observations

Walk the gemba (workplace) to observe:

  • Are identified hazards actually controlled per the risk assessment?
  • Is required PPE being worn correctly?
  • Are machine guards in place and functional?
  • Are chemical containers properly labeled and stored?
  • Are emergency exits clear and marked?
  • Is housekeeping maintained to prevent slips/trips?

Common Finding: A perfect risk register in the office, but controls not implemented on the shop floor.

3. Worker Interviews

Select workers randomly and ask open-ended questions:

  • "What hazards do you face in your work, and how do you control them?"
  • "When was your last safety training, and what did it cover?"
  • "How do you report a safety concern or near miss?"
  • "Can you show me the emergency evacuation route from here?"

Red Flag: If workers can't answer basic safety questions, your competency assurance process (Clause 7.2) has gaps.

Common Non-Conformities to Watch For

Based on our experience auditing 200+ ISO 45001 implementations in India, here are the top findings:

| Clause | Common Gap | Evidence to Collect |
|--------|------------|---------------------|
| 5.4 | Worker consultation is documented but not genuine | Interview workers on recent safety decisions |
| 6.1.2 | Risk assessments outdated or not updated after incidents | Check dates on risk registers vs. incident dates |
| 7.2 | Training records exist but competence not verified | Ask trained workers to demonstrate procedures |
| 8.1.2 | Change management process missing for new equipment | Review recent equipment introductions and risk updates |
| 9.1.1 | Monitoring data collected but not analyzed for trends | Check if leadership reviews injury trends monthly |
| 10.2 | Corrective actions documented but not effective | Verify if similar incidents recur despite "closed" actions |

Audit Checklist Snapshot

Essential checks for every ISO 45001 internal audit:

  • OH&S policy signed and communicated to all workers
  • Risk assessment covers all work areas and activities
  • Legal compliance register updated within last 6 months
  • 100% of workers trained for their job hazards
  • Safety committee meetings held monthly with documented participation
  • OH&S objectives set and progress tracked
  • Incident investigations completed within 7 days with root cause analysis
  • Corrective actions assigned with due dates and closed with verification
  • Management review conducted in last 12 months
  • Previous audit findings closed with evidence

Writing Effective Audit Findings

Structure Your Findings Clearly

Every non-conformity should include:

1. Clause Reference: "Non-conformity to Clause 7.2 (Competence)"

2. Objective Evidence: "During shop floor inspection on 15-Jan-2025, 3 out of 5 welders could not demonstrate lockout/tagout procedure despite training records showing completion."

3. Requirement Not Met: "ISO 45001 requires that competence is achieved and verified, not just that training is delivered."

4. Impact: "Risk of electrocution or burn injury during maintenance activities."

Avoid Vague Language: Don't write "Training needs improvement." Write "Welders unable to perform LOTO despite documented training completion (evidence: interviews W1, W2, W3 on 15-Jan-2025)."

Close the Audit with Actionable Recommendations

At the closing meeting, present:

  • Summary of conformances (what's working well)
  • Clear list of non-conformities with evidence
  • Recommended corrective actions with timelines
  • An offer to support action closure

Positive Framing: "Your risk assessment process is strong. Let's work on verifying controls are implemented before we sign off on new risks."

Digital Tools for Modern ISO 45001 Auditing

Manual note-taking and Excel trackers slow down your audit process. Leading organizations now use digital audit platforms to:

  • Conduct audits offline on mobile devices
  • Capture photo/video evidence with GPS and timestamps
  • Auto-generate non-conformity reports in ISO format
  • Track corrective action closure with reminders and escalation
  • Produce management review dashboards from audit data

SafetyWarden™ Advantage: Pre-built ISO 45001 audit templates, clause-by-clause checklists, and automated report generation cut audit documentation time by 70%.

Turning Audit Findings into Continuous Improvement

An audit is only valuable if findings lead to action. Best practices:

1. Assign SMART Corrective Actions: Specific, Measurable, Achievable, Relevant, Time-bound

2. Track to Closure: Use a CAPA (Corrective and Preventive Action) system with status visibility

3. Verify Effectiveness: Re-audit the same area in 3 months to confirm controls are sustained

4. Share Learnings: Communicate recurring issues across all sites to prevent similar findings

Management Commitment Test: Are audit findings discussed at management review? If not, your system lacks leadership engagement (Clause 5.1 gap).

Preparing for External Certification Audits

Internal audits are your practice run. To pass external audits confidently:

  • Conduct at least 2 full internal audit cycles before certification audit
  • Ensure all previous audit findings are closed with verified evidence
  • Train auditees on what to expect during certification audit
  • Have all documented information accessible and current
  • Prepare workers to answer auditor questions confidently

Certification Success Rate: Organizations that conduct thorough internal audits every 6 months have a 95% first-time certification success rate.

Conclusion: Audit with Purpose

ISO 45001 internal audits should be more than a certification requirement—they're your opportunity to verify that safety controls are working, engage workers in risk conversations, and drive measurable improvements.

Next Steps: Book a free ISO 45001 gap assessment with SafetyWarden's certified auditors, or download our complete ISO 45001 internal audit checklist to improve your audit program today.
