
PART 1 - WHAT IS AUDITING?

Section 1.4 – Audit Planning


Audit planning
Internal audits cost money. Apart from the direct costs of the internal auditors (even if
they are people who work for the organization who have been seconded to do the audit),
all workers and managers will be involved, so there is a significant indirect cost arising
from the disruption and distraction of those involved from their normal duties. It is
important that a senior manager of the organization is in charge of the internal audit
programme. They should be responsible for planning and managing internal audits, as
well as control of the agreed financial budget for internal audits.

Internal auditing is an important part of any management system approach. It is
important that internal auditing itself should be approached in a systematic and structured
manner.

The programme and frequency of internal audits should be appropriate to the
organization, for example the nature of hazards, degree of risk, size of the operation. As
experience is gained from the internal audits, the records of previous audits will show
where problems have arisen in the past and where the emphasis should be placed in
future internal audit programmes.

Internal audit planning should cover:

• Preparing the internal audit programme.
• The scope of the internal audit.
• Establishing terms of reference.
• Establishing a timetable.
• Selecting an appropriate internal auditor or team.

© 2009 RMS v1.0 Section 1.4 1



STAGES OF AN INTERNAL AUDIT PROCESS


One way of planning the internal audit process for a given audit is proposed below:

Stage 1  Initiating the audit
Stage 2  Conducting document reviews & preparing for audit
Stage 3  Conducting the audit
Stage 4  Preparing & communicating the audit report
Stage 5  Completing the audit and conducting follow-up

The audit process - Adapted from ISO 19011, clause 6.1

Often there is a team approach to auditing and the team leader needs to be assigned in
order to prepare for the audit. The internal audit team leader needs to determine:

• The essential information required for the internal audit in terms of measurement criteria
  (specification, regulatory requirements etc.) and any essential internal documentation.
• Clear information on the necessary authority and arrangements with local managers.
• The elements of the management system to be assessed, if the scope is to be limited, for
  example, to the parts of the system that relate to compliance with ‘implementation and
  operation’ of the OHSAS 18001 standard.
• The competency skills and technical knowledge needed for an audit team.
• Briefing of managers and workers where appropriate.
• The need for any special precautions and/or whether personal protective equipment (PPE)
  is required.
• Identification of a representative sample of activities to be included.
• Development of checklists, aides-mémoire, interview and observation procedures.


STAGE 1 – INITIATING AN INTERNAL AUDIT


Planned OH&S management system internal audits should be carried out by people from
within the organization and/or by people outside the organization, selected by the
organization. The primary aim of the audit is to establish whether the OH&S management
system has been properly implemented and maintained. Individuals selected to conduct
the OH&S management system internal audits should be competent and independent, and be
selected in a manner that ensures objectivity and impartiality in the audit process.

Activities undertaken when initiating an audit often comprise:

• Selection of appropriate auditors and audit team for the internal audit. Selection of the team
  must take into account the need for competence, independence, objectivity and
  impartiality.
• Defining the audit objectives, scope and criteria.
    Audit objectives – what is to be accomplished by the audit
    Audit scope – which areas are the subject of the audit
    Audit criteria – in this case against BS OHSAS 18001
• The approach adopted for the audit.
• Confirming audit arrangements with the auditee and other individuals who will take part in
  the audit.

An important part of this process is to understand any workplace OH&S rules that may
affect the work of the audit team. In areas of high risk it may be necessary for auditors to
have additional training and/or they may be required to conform to additional requirements
(e.g. the wearing of specialized personal protective equipment).

STAGE 2 – CONDUCTING DOCUMENT REVIEWS AND PREPARING FOR AN INTERNAL AUDIT

An important part of the audit process is the collection of evidence from interviews,
documents and worksite visits, and a check for consistency. Prior to conducting an
internal audit, the auditor should review appropriate OH&S management system
documents and records, along with the results of prior audits. The documentation that
may be included is:

• Information on roles, responsibilities and authorities (e.g. an organization chart).
• OH&S policy statement.
• OH&S objectives and programme(s).
• OH&S management system audit procedures.
• OH&S procedures and work instructions.


• Hazard identification, risk assessment and risk control results.
• Applicable legal and other requirements.
• Incident, nonconformity and corrective action report.

The amount of documentation to be reviewed and the detail provided in the plans for the
audit should reflect the scope and complexity of the internal audit. The plans for the audit
should cover the following:

• Audit objectives.
• Audit criteria.
• Audit methodology.
• Audit scope and/or location.
• Audit schedule.
• Roles and responsibilities of the various audit parties.

The audit planning information may be contained in more than one document. The focus
should be on providing adequate information to implement the audit.

Where there is a need for other parties to be included in the internal audit process (e.g.
employee representatives), this should be included in the plans for the audit.

It is usual, as part of preparation for the audit, to evaluate the audit criteria and develop
checklists to guide the audit process and help ensure that the criteria are covered and the
audit objectives met.

STAGE 3 – CONDUCTING THE INTERNAL AUDIT


As an initial step the internal auditor should explain to the auditee (the manager of the
department or function being audited) exactly what the purpose of the audit is and confirm
the plan as defined in stage 2. They should advise the auditee that upon completion of
the audit their findings will be reported back to the auditee.

If the internal audit requires a team of auditors the person leading the team should
coordinate activities and assign tasks where appropriate. The team leader is responsible
for reviewing findings with the audit team before making a report to the auditee.

The following activities are part of conducting an internal audit:

• Communication with the auditee during the audit.
• Collecting and verifying information.
• Generating audit findings and conclusions.


Additional activities which are part of conducting an internal audit when using an audit
team:

• Allocating responsibilities to individual internal audit team members.
• Communication with other members of the team.

It may be necessary to make formal arrangements for communication during the audit.
This is particularly the case when undertaking a more complex audit and there should be
provision in the audit plan for the auditor/audit team to communicate during the audit.

These may include:

• The plans for the audit.
• The status of the audit activities.
• Any concerns raised during the audit.
• The audit findings and conclusions.

A useful mechanism for communicating the audit plan is to hold an opening meeting at
the start of the audit. Audit findings and conclusions should be reported during a closing
meeting.

During the audit, information relevant to the audit objectives, scope and criteria should be
collected by. The methods used will depend on the nature of the OH&S management
system internal audit being undertaken.

A representative sample of the important activities should be audited and relevant
people interviewed. Ideally, this will include interviews with a range of people, such as
individual workers, employee representatives and relevant external people, such
as contractors.

A common approach to auditing is to devise a set of interview questions that can be used
to confirm compliance with an OH&S management system or to test the OH&S
management system against a standard or good practice. There are dangers with such a
structured approach, particularly when the same question set is used every time.

A more open approach is often more effective, which starts with very general open
questions and then allows the auditor to steer the subsequent questions towards those
areas that are to be focused on.

Interview questions should, preferably, encourage those being questioned to explain in
their own words what their understanding is, what they are doing and any concerns they
may have about the current arrangements. Where appropriate, further relevant
documentation, records and results should be examined and the output from the
interviews checked for consistency against the initial document reviews undertaken in
Stage 2.

The audit evidence obtained from interviews and document reviews should be evaluated
against the audit criteria to enable findings and conclusions to be produced. It is
important to maintain suitable records of the audit findings both as a record of the audit
and as demonstration of appropriate audit evidence.

The aim of the audit is to establish:

• If a comprehensive system exists.
• If employees and those working on behalf of the organization are fully aware of the
  requirements and their duties with respect to OH&S.
• If the documentation system reflects the practices.
• If the procedures, work instructions etc. are being worked to and satisfy those they are
  supposed to protect.
• If there are areas that are deficient and are non-conformities.
• If there are areas where improvements can be made.

STAGE 4 – PREPARING AND COMMUNICATING THE AUDIT REPORT


Having completed the conduct of the audit (stage 3), it is time to review the findings of
the audit. Where a deficiency in the OH&S management system has been identified, the
audit finding should identify the area of the standard where the organization does not
comply. It is important to remember that where there is noncompliance this must be
supported by objective evidence that there is a deficiency.

The results of the internal audit should be recorded and reported to the nominated
member of the management team. It is good practice for a closing meeting to be held at
which the audit findings can be presented. It is important to remember that even if the
auditor is employed by the organization, it is not the function of the auditor to involve
themselves in the resolution of any difficulties. If necessary, they can be involved in
resolution after the audit has been completed.

As part of the completion of the audit a final written report should be completed and
submitted to the person responsible in the organization. The report should be precise
and clear and signed and dated by the internal auditor or in the case of an audit team, the
person coordinating the team.

The audit report should contain the following points as a minimum:

• The audit objectives and scope.
• Information about the plans of the audit (identification of the members of the auditing team
  and the audited representatives, dates of audit and identification of the areas subject to
  audit).
• The identification of reference documents used to conduct the audit - in the case of this
  course BS OHSAS 18001.
• Details of identified non-conformities.
• Information relating to the ability of the OH&S management system to achieve the stated
  OH&S policy and objectives.
• A listing of recipients for the audit report.

The results of OH&S management system internal audits should be communicated to all
relevant parties as soon as possible, to allow corrective actions to be taken, carefully
considering confidentiality when communicating the findings contained in the report.

The non-conformities should be categorized in some order of prioritization:

• Major non-conformities - where immediate action should be taken because harm to people
  is imminent or where a requirement of the standard is not being met. In the case of the
  former deficiency, the activity may need to be stopped until satisfactory controls are
  implemented.
• Minor non-conformities - where part of the requirements of the management system
  specification is not being fully satisfied. The measures and the timescales to be taken for
  corrective action will depend on the risk.
• Areas of concern - where there is not sufficient information or evidence to assign a
  “non-conformity”. The organization should investigate whether the concern is justified and
  implement corrective action if necessary.

STAGE 5 - COMPLETING THE AUDIT AND CONDUCTING AUDIT FOLLOW-UP

When the audit has been completed it is necessary for the organization to consider the
findings and take action where necessary. A review should be undertaken by the
management team responsible for the area that is the subject of the audit. Where
appropriate the senior management team of the organization should consider the internal
audit findings as part of the management review process and commit to taking
appropriate action within defined timescales.

Follow-up monitoring of prior audit findings should be established to ensure that identified
non-conformities are addressed.

Where deficiencies in the OH&S management system have been identified in the internal
audit, the internal auditor should agree the corrective action timescale for implementation
with the persons responsible for that part of the organization that was the subject of the
audit. Arrangements should be made to assess the effectiveness of the actions taken.
The timing of this re-assessment will be determined by the nature and level of the risk
posed by the non-conformity.
