Auditing is defined as the structured process of collecting independent information on the efficiency, effectiveness and reliability of the total health and safety management system and drawing up plans for corrective action.
All control systems tend to deteriorate over time or to become obsolete because of change. Auditing supports monitoring by providing managers with information on how effectively plans and the components of the health and safety management system are being implemented. It should also provide a check on the adequacy and effectiveness of the management arrangements.
Auditing is an essential element of a health and safety management system and is no substitute for the other essential parts of the system. Organisations cannot manage finances by an annual financial audit; they need systems to pay bills and manage cash flow throughout the year. Similarly, organisations need systems to manage health and safety on a day-to-day basis. This cannot be achieved by a periodic audit.
The aims of auditing should be to establish that:
- appropriate management arrangements are in place
- adequate risk control systems exist, are implemented, and consistent with the hazard profile of the organisation
- appropriate workplace precautions are in place
The two types of auditing: internal and external
Auditing by external third party auditors is necessary for certification to ISO 45001 or verification of ongoing maintenance of that standard. Other than that, the key requirements for auditors are that they are competent and independent of the area or activity being audited. This could be achieved by using internal staff from other departments or sites, or by contracting the audit to a third-party organisation. There are advantages and disadvantages to both.
Types of evidence used in an audit
The auditing process involves:
- collecting information about the health and safety management system
- making judgements about its adequacy and performance
Collecting information about health and safety management requires decisions on the level and detail of an audit. All audits involve sampling and a key question is always: ‘How much sampling needs to be done to make a reliable assessment?’ The nature and complexity of an audit will therefore vary according to its objectives and scope; the size, sophistication and complexity of the organisation; and the maturity of the existing health and safety management system.
Auditors have three information sources on which to draw:
| People | Documentation | Observation |
| Interviewing individuals, to gain information about the operation of the health and safety management system and the perceptions, knowledge, understanding, management practices, skill and competence of managers and employees at various levels in the organisation. | Examining documents, assessing records, RCSs, performance standards, procedures and instructions for completeness, accuracy and reliability together with the implications for competence and understanding – in practice these may need to be reviewed in preparing the audit to identify issues to follow up and people to interview. | Visual observation of physical conditions and work activities to examine compliance with legal requirements and verify the implementation and effectiveness of workplace precautions and risk control systems. |
The adequacy of a health and safety management system is judged by making a comparison between what is found against a relevant ‘standard’ or benchmark. If there are no clear standards, the assessment process will be unreliable. Legal standards, HSE guidance and applicable industry standards should be used to inform audit judgements.
It is important that auditing is not perceived as a fault-finding activity but as a valuable contribution to the health and safety management system and learning. Auditing should recognise positive achievements as well as areas for improvement.
In some audits, scoring systems are used to complement judgements and recommendations. This can help with comparing audit scores over time or between sites, but there is no evidence to suggest that quantifying the results yields a better response than an approach providing only qualitative evidence. Scoring systems can, however, introduce other difficulties, e.g. managers aiming their attention at high-scoring questions irrespective of their relevance to developing the health and safety management system.