Professional Documents
Culture Documents
Section 1.4 - Audit Planning
Section 1.4 - Audit Planning
z Establishing a timetable.
z The essential information required for the internal audit in terms of measurement criteria
(specification, regulatory requirements etc) and any essential internal documentation?
z Clear information on the necessary authority and arrangements with local managers.
z The elements of the management system to be assessed, if the scope is to be limited for
example to the parts of the system that relate to compliance with ‘implementation and
operation’ of the OHSAS 18001 standard.
z The competency skills and technical knowledge needed for an audit team.
z The need for any special precautions and/or whether personal protective equipment (PPE)
is required.
z Selection of appropriate auditors and audit team for the internal audit. Selection of the team
must take into account the need for competence, independence, objectivity and
impartiality.
z Confirming audit arrangements with the auditee and other individuals who will take part in
the audit.
An important part of this process is to understanding any workplace OH&S rules that may
affect the work of the audit team. In areas of high risk it may be necessary for auditors to
have additional training and/or may be required to conform to additional requirements
(e.g. the wearing of specialized personal protective equipment).
The amount of documentation to be reviewed and the detail provided in the plans for the
audit should reflect the scope and complexity of the internal audit. The plans for the audit
should cover the following:
z Audit objectives.
z Audit criteria.
z Audit methodology.
z Audit schedule.
The audit planning information may be contained in more than one document. The focus
should be on providing adequate information to implement the audit.
Where there is a need for other parties to be included in the internal audit process (e.g.
employee representatives), this should be included in the plans for the audit.
It is usual, as part of preparation for audit to evaluate the audit criteria and develop
checklists to guide the audit process and help ensure that the criteria are covered and the
audit objectives met.
If the internal audit requires a team of auditors the person leading the team should
coordinate activities and assign tasks where appropriate. The team leader is responsible
for reviewing findings with the audit team before making a report to the auditee.
Additional activities which are part of conducting an internal audit when using an audit
team:
It may be necessary to make formal arrangements for communication during the audit.
This is particularly the case when undertaking a more complex audit and there should be
provision in the audit plan for the auditor/audit team to communicate during the audit.
A useful mechanism for communicating the audit plan is to hold an opening meeting as
the start of the audit. Audit findings and conclusions should be reported during a closing
meeting.
During the audit, information relevant to the audit objectives, scope and criteria should be
collected by. The methods used will depend on the nature of the OH&S management
system internal audit being undertaken.
A representative sample of the important activities should be is audited and that relevant
people are interviewed. Ideally, this will include interviews with a range of people e.g.
such as individual workers, employee representatives and relevant external people, such
as contractors.
A common approach to auditing is to devise a set of interview questions that can be used
to confirm compliance with an OH&S management system or to test the OH&S
management system against a standard or good practice. There are dangers with such a
structured approach, particularly when the same question set is used every time.
A more open approach is often more effective, which starts with very general open
questions and then allows the auditor to steer the subsequent questions towards those
areas that are to be focused on.
The audit evidence obtained from interviews and document reviews should be evaluated
against audit criteria and findings and to enable conclusions to be produced. It is
important to maintain suitable records of the audit findings both as a record of the audit
and as demonstration of appropriate audit evidence.
z If employees and those working on behalf of the organization, are fully aware of the
requirements and their duties with respect OH&S.
z If the procedures, work instructions etc. are being worked to and satisfy those they are
supposed to protect.
The results of the internal audit should be recorded and reported to the nominated
member of the management team. It is good practice for a closing meeting to be held at
which the audit findings can be presented. It is important to remember that even if the
auditor is employed by the organization it is not the function of the auditor to involve
themselves in the resolution of any difficulties. If necessary they can be involved in
resolution post the audit completion.
As part of the completion of the audit a final written report should be completed and
submitted to the person responsible in the organization. The report should be precise
and clear and signed and dated by the internal auditor or in the case of an audit team, the
person coordinating the team.
z Information about the plans of the audit (identification of the members of the auditing team
and the audited representatives, dates of audit and identification of the areas subject to
audit).
z The identification of reference documents used to conduct the audit - in the case of this
course BSOHSAS18001
z Information relating to the ability of the OH&S management system to achieve the stated
OH&S policy and objectives.
The results of OH&S management system internal audits should be communicated to all
relevant parties as soon as possible, to allow corrective actions to be taken, carefully
considering confidentiality when communicating the findings contained in the report.
The non-conformities should be categorized in some order of prioritization.
z Major non conformities - where immediate action should be taken because harm to people
is imminent or where a requirement of the standard is not being met. In the case of the
former deficiency, the activity may need to be stopped until satisfactory controls are
implemented.
z Minor non conformities - where part of the requirements of the management system
specification is not being fully satisfied. The measures and the timescales to be taken for
corrective action will depend on the risk.
z Areas of concern - where there is not sufficient information or evidence to assign a “non-
conformity” The organization should investigate whether the concern is justified and
implement corrective action if necessary.
Follow-up monitoring of prior audit findings should be established to ensure that identified
non-conformities are addressed.
Where deficiencies in the OH&S management system have been identified in the internal
audit the internal auditor should agree the corrective action timescale for implementation
with the persons responsible for that part of the organization that was the subject of the
audit. Arrangements should be made to assess the effectiveness of the actions taken.
The timing of this re-assessment with be determined by the nature and level of the risk
posed by the non-conformity.