Internal audits for ISO 45001 are the same as for any other management system standard: they are process audits used to assess whether the planned arrangements for the process are actually being met. To this end, the internal audit looks at what the company has identified as necessary for the process to function, and audit checklists are created from this information. These audit questions are then asked of those in the process to see if what is actually happening in the process matches what has been planned.
I received the following question:
What are the problems in conducting the internal audit? My experience:
1. Auditee lacks competence
2. Auditor not motivating auditee
3. Result from audit not comprehensive
4. Corrective action late
These are certainly possible problems with the audit, and thinking about them before you audit is a good idea. In many cases audit problems can be mitigated by having good preparation beforehand to ensure that you know what you are asking about. To address your specific problems:
1. Auditee competence is one of the things you are trying to assess, so if the auditee is not competent in their job this is one thing you want to know.
2. It is not really the auditor’s job to motivate, only to ask good questions to see if what is occurring is actually what was planned for a process.
3. The audit will only be as comprehensive as the questions asked and the evidence collected. Make sure that auditors are prepared before the audit and are trained to follow the evidence if it shows that other things need to be checked that were not part of the questions at the beginning.
4. Again, the corrective action is not part of the audit; it is to be addressed by the process owner after the audit finds a non-conformance. If this is really a problem then it is a management issue to resolve, not the auditor's.
For more information on internal audits in ISO 45001, see this article: Why you should perform effective internal audits in ISO 45001, https://advisera.com/45001academy/blog/2015/07/15/why-you-should-perform-effective-internal-audits-in-iso-45001/
As it relates to the internal audit, I am trying to understand in layman's terms what exactly I am supposed to review.
Example: I oversee a small machine shop that has standard cutting and shaping machines such as drill press, lathe etc.
My confusion can be better understood by the following questions:
1. Should I review the risk assessments and determine if the employees understand the hazards and are using the right controls? This seems logical to me as it's directly related to safety.
2. Or am I supposed to audit all of the OH&S processes that were created to meet and fulfill the ISO 45001 clauses? Should this be done with management or with the employees that operate the equipment?
3. Do both.
Any clarification would be extremely helpful. Many thanks in advance.
The idea of the process audit in the ISO management system audits is to compare the requirements of the processes against what is actually happening in the process to see if the requirements are being met. Your confusion may come from the fact that there are 2 sub-processes in the audit: the audit program, which determines how you will audit all processes in the OHSMS, and conducting a process audit, where you will compare the process requirements against what is actually happening.
So, your audit program should ensure that you audit all processes of the OHSMS as you state in point 2, but each audit of a process will include all the process requirements for review including the risks and controls as you identify in point 1.
Since the focus of 45001 is on preventing injuries and illness, is it the intent of the audit to find additional hazards or compliance gaps? Or is the intent of the audit to limit and only review what has been mutually agreed upon (i.e. the auditor would not look beyond what has been documented for hazards and controls / legal compliance)?
Example 1: In my machine shop, I have reviewed my OHSMS processes for hazard identification, risk assessment and legal requirements under 6.1 and determined that they are meeting the intent of 6.1 under 45001. However, during my audit, I discover that the results of the risk assessment did not capture or point out certain hazards that may have been overlooked by or not known to the assessor who originally performed the hazard assessment.
Question: As an auditor performing an internal audit, should my management review or summary of my internal audit point out the hazards that have not been identified? Or, as an auditor, am I supposed to only audit what has been mutually agreed upon or documented in a risk assessment / compliance review?
Any advice or feedback would be greatly appreciated. BD
The management system audit is intended to compare what is actually happening in the process against the requirements of what is supposed to be happening in the process. If requirements are met this is a conformity, and if not this is a nonconformity. This is the main purpose of the process audit.
However, the audit (especially internal) should also point out opportunities for improvement as well as potential unidentified risks. So, you should definitely identify a hazard that is not identified, but this may not be considered a nonconformity. These additional identifications are one of the biggest benefits of the internal audit.