What is the purpose and content of an ISO 45001 internal audit report?

The internal audit is one of the key elements of any OHSMS (Occupational Health and Safety Management System) certified according to ISO 45001:2018. As such, producing an audit report that captures all vital information, so that effective actions can be taken, is also critical. Given that employee health, safety and well-being – and, in some cases, the lives of people – may be at risk in your chosen business sector, recording the data that results from the internal audit becomes even more important to your OHSMS and the business in general. So, given that the report of any internal audit can be deemed critical, what is the real purpose and recommended content of this report?

Why create an audit report?

The ISO 45001 standard directs that internal audits should be conducted at planned intervals to ensure that the OHSMS meets the terms of the standard, has been properly established and maintained, helps the organization meet its objectives, and passes correct and accurate audit results to the top management team. While these elements are all critical to having an effective internal audit process, the audit report can be designed specifically to ensure that the information passed to top management is accurate and contains the details required. Considering that policy and process changes may be made based on this information, accuracy and detail become ever more important. So, knowing that, what should the content and purpose of the audit report be?

What should the content of the audit report be?

The ISO 45001 standard itself provides no mention of the audit report, although the ISO 19011 standard provides guidance on auditing management systems; however, if you have good knowledge of the ISO 45001 standard, the elements that need to be captured should be obvious:

  • Does the audit find that the terms of the ISO 45001 standard have been met or exceeded by the OHSMS? This includes all clauses of the standard as well as the critical elements of hazard evaluation, risk control, communication, documentation, and so on.
  • Is all legislation applicable to the company, its activities, and its OHSMS met?
  • Does the OHSMS help the organization meet both strategic and OH&S objectives?
  • Have any non-conformances been identified, and if so, have specific details been recorded on the report?

Thinking of the possible outcomes and actions from an internal audit on the OHSMS, it would also seem prudent to include the following details on the audit report:

  • An outline of the scope of the audit: what the objective of the audit was – was the audit only against specific clauses, what internal processes did it cover, and so on.
  • General information – who performed the audit, audit location, time, date of the audit – and of the report itself if different from the audit.
  • A good level of detail on any non-conformance – it stands to reason that the more detail that can be recorded, the more effective actions to remove that non-conformance can be. You can learn more about this topic in the article "How to handle non-conformities in ISO 45001".

What other purposes does your audit report serve?

Think of your audit report as a type of report card on your OHSMS – that is, a report on the progress and effectiveness of objectives, with areas identified to improve in the future. The audit itself is a critical element in preparation and readiness for your certification or surveillance audit, but again, the ability to improve processes is only as good as the level of detail found on the report. It is worth noting that while a non-conformance may be fresh in the auditor’s mind on the day, in some cases it may be some weeks before this is reviewed and actions decided upon by the top management team, and therein lies the criticality of the level of detail and accuracy recorded. Whether you decide to audit your full OHSMS at once, or break it down into bite-size sections to enable you to cover all clauses in one year, or even a full certification cycle, the detail on your audit report – whether recording non-conformance, recommendations, or suggestions – has a great bearing on the opportunity to improve the OHSMS and its performance.

Treating your internal audit report as a business tool

Given that the safety objectives and strategic goals of an organization should be aligned, you can see that the internal audit report is more than just a function of the OHSMS or ISO standard, but also a business tool. If your organization works in a “high risk” sector, then employee safety and the OHSMS may be critical to your ability to gain a license to operate in your chosen sector. This level of seriousness again illustrates the importance of the accurate recording, processing, and decision making behind internal audit reporting. Perform this critical element with the correct level of planning and execution, and your OHSMS performance will surely benefit.

For more information on using the ISO 19011 standard to improve internal auditing, download this free white paper: "How to perform an internal audit using ISO 19011".

John Nolan
John Nolan is a Fellow of the Institute of Leaders and Managers in the United Kingdom, and Prince 2 accredited with a background in Engineering and Electronics and Data Storage and Transfer. Having studied and qualified as both a Mechanical and Electronic Engineer, he has spent the last 15 years designing and delivering Quality Systems and projects across many sectors in the UK, including both national and local government.