“Auditing of Occupational Health & Safety management

systems forms an important part of the process to

demonstrate continual improvement.”

10 STEPS TO AUDITING AN ISO 45001:2018OHS MANAGEMENT SYSTEM

info@riskza.com | www.riskza.com | 0861 RISK ZA | 28 Siphosethu Road, Mt. Edgecombe, KZN

The addition of ISO 45001:2018 to the suite of ISO management system standards reinforces that Occupational Health & Safety is a key area of business performance for organisations, and that OH&S is about a lot more than legal compliance. When it is well integrated, good OH&S management is an enabler and an asset for a business rather than a cost.

This guide aims to assist you in understanding the requirements for an ISO 45001:2018 OHS Management System and how to audit it.

In this guide, we will be speaking to fi rst and second party audits - also referred to as Internal and Supplier Auditing.

© Risk ZA Corporate Sustainability (PTY) Ltd. Page 2

10 steps to auditing an ISO 45001:2018 OHS Management System

10 steps to auditing an ISO 45001:2018 OHS Management System

© Risk ZA Corporate Sustainability (PTY) Ltd. Page 3

1. WHAT IS AN AUDIT?

2. OBJECTIVES OF AUDITING

3. BENEFITS OF AUDITING

The definition of an “audit” is outlined in ISO 19011:2018 - Guidelines for auditing management systems, as:“systematic, independent and documented process for obtaining objective evidence (3.8) and evaluating it objectively to determine the extent to which the audit criteria (3.7) are fulfilled”

It is important to note that there are different types of audits, each acieving different things but with a common goal of driving continual improvement.

Internal audits, sometimes called first party audits, are conducted by, or on behalf of, the organisation for purposes of self declaration of conformity. This is done periodically to evaluate the need for ongoing improvement.External audits include those generally called second and third party audits.

Second party audits are conducted by parties having an interest in the organization, such as customers, or by other persons on their behalf. The purpose is to determine the capabilities of the subcontractor or supplier.

Third party audits are conducted by a body external and independent from the organisation, itssuppliers and customers; there must be no commercial interest in the audit result. The purpose of this audit is to establish whether the organisation’s Management System has been compiled andimplemented in accordance with the requirements of the particular standard.

The aim of an audit is to determine by objective evidence, that an organisation’s activities:• Conform to specified policies and objectives• Conform to requirements of specified standard• Do not contravene statutory regulations• Fulfill requirements of specified codes of practice

• Management tool to provide pure unbiased, independent information• Useful in directing an organisation• It is the duty of the Auditor to know the benefits so as to add value through opportunities for

• highlighting variances from desired practices• investigating the possibility of improved processes• reducing risk by evaluating statutory, contractual or internal requirements• improving motivation

Benefits are assessed against cost; costs include:• The Auditors time, including the phases of planning, preparation, performance, reporting and

follow-up• Auditees time, including participation and investigation of reported results• Sundry costs, including subsistence and travel and management and administrative overheads

10 steps to auditing an ISO 45001:2018 OHS Management System

© Risk ZA Corporate Sustainability (PTY) Ltd. Page 4

4. FOUR PHASES OF THE AUDIT

5. PLANNING AN AUDIT

Common to the three types of audit are the four phases:• Initiating and planning• Preparation• Performance• Report and follow-up

FIRST PARTY AUDITS

Typically an individual is assigned responsibility to manage the audit programme.Once the frequency of audit is decided, they manage decisions regarding the:• Scope planned with programme and may include: function; plant, business unit or division;

procedure or group of procedures which interrelate; process; and/or, product.• Criteria may include internal procedures, contractual requirements, and/or national or

international standards.• Duration is based on size or extent of scope and rarely extends to more than one day.• Responsibility is dependant on auditor’s independence from the function, knowledge of the

criteria, technical knowledge and auditor qualification.

SECOND PARTY AUDITS

• Scope is defined by the product / service to be supplied, and/or the number of sites and their specific activities.

• Criteria may include contractual requirements, purchasing requirements, and/or national or international standards.

• Duration is based on size or extent of scope, rarely extends to more than one day• Responsibility is dependant on auditor’s independence from the function, knowledge of the

criteria, technical knowledge and auditor competence.• Frequency is dependent on confidence in suppliers’ ability to meet criteria; historical

performance of supplier; and/or impending orders.

6. SELECTING THE AUDIT TEAM• Under the planning phase the Lead Auditor will estimate the size of the team, expected

duration and technical representation required.• Teams should be selected to ensure the audit is performed effectively, economically, in the

shortest period and with minimum power.• Audits may be performed by a single Lead Auditor however experience has proven two or

more are more effective.• Prospective Auditors must follow audit principles and display behaviour congruent with

good Auditor qualities.• At least one team member must be qualified for technology / technical specifications.• The team must be sufficient in number to meet planned arrangements.• Language and cultural requirements must be considered.• Consider if the client has previously been audited by a team member.

10 steps to auditing an ISO 45001:2018 OHS Management System

© Risk ZA Corporate Sustainability (PTY) Ltd. Page 5

7. DESK STUDY

8. WHAT EVIDENCE DO YOU NEED TO GATHER?

• Available documents• Consistency with the Management System• Support the audit objectives• Relevant to the scope of the Management System and of the Audit• Analyse the interfaces between procedures and functions

The key to gathering audit evidence is to keep the evidence subjective.• Review the necessary documentation• Observe the organisation’s activities and processes• Evaluate the physical evidence• Question the Auditee• Record relevant information• Develop the ability to consicely record information which substantiates future comments

• Suitable training and competence and/or experienced in the field of auditing• Completely familiar with OHS criteria and applicable standards, statutory/regulatory

requirements and codes of practice• Objective, impartial and not audit their own work• Competent in their ability to apply knowledge and skills to achieve intended results• Certification auditors to be certified by a ISO 17024 accredited organisation, e.g SAATCA

9. BASIC REQUIREMENTS FOR AN AUDITOR

10. HOW CAN RISK ZA ASSIST?To encourage the internal and supplier auditing functions, we offer a practical 2 Day ISO 45001:2018 Auditing course. The course provides the theoretical and practical knowledge of OHS auditing required to determine the conformance of the management system arrangements and its performance; based on outcomes. Content covers practical exercises and other assessments which relate to the requirements of ISO 45001:2018, hazards and other significant factors which influence the organisations OHS performance.

Attendees of this course will be able to facilitate internal Occupational Health & Safety management system audits based on the ISO 45001:2018 Standard and the ISO 19011 Standard for management system auditing. With this training, you will be able to plan and facilitate audits, set and recommend corrective actions, follow up and close out audit findings.

We recommended this training for Occupational Health and Safety Practitioners, Line Managers, Supervisors, and Management.

Contact us to discuss which of our ISO 45001:2018 training courses would best suit you and your organisation: +27 (0) 31 569 5900 or info@riskza.com