An ISO 45001 internal audit is not just a compliance checkbox - it is one of the most practical tools an organisation has to check whether its health and safety management system is actually working. Clause 9.2 of ISO 45001 makes internal audits mandatory, and for good reason. They help you find gaps before an external auditor or a regulator does.
An ISO 45001 internal audit is the process of systematically reviewing your occupational health and safety (OH&S) management system against the requirements of the standard. It is conducted by people within the organisation - or appointed by the organisation - who are not responsible for the area being audited. The goal is to gather evidence, assess conformance, and identify where improvements are needed.
If your organisation is working toward ISO 45001 certification or maintaining it, understanding how to plan and run internal audits well is critical. A poorly managed audit gives you a false sense of security. A well-run one gives you real visibility into your safety performance.
What ISO 45001 Clause 9.2 Actually Requires
Clause 9.2 is the core reference for internal audits within ISO 45001. It has two parts - Clause 9.2.1 outlines the general requirements, and Clause 9.2.2 covers the audit programme.
Under Clause 9.2.1, your organisation must conduct internal audits at planned intervals to confirm that the OH&S management system conforms to your own requirements, to the requirements of ISO 45001, and that it is effectively implemented and maintained.
Clause 9.2.2 requires you to establish, implement, and maintain an audit programme. This programme must define the frequency, methods, responsibilities, planning requirements, and reporting for each audit. It must also take into account the importance of the processes being audited and the results of previous audits.
A few things auditors from certification bodies look for when they review your ISO 45001 audit checklist:
- Is there a documented audit programme covering all relevant processes?
- Are audits being conducted at defined intervals?
- Are auditors selected to ensure objectivity and impartiality?
- Are audit results reported to relevant management?
- Are nonconformities followed up with corrective action?
How to Build an Internal Audit Programme for ISO 45001
An audit programme is not a single audit - it is the plan that governs all your internal audits over a period, usually a year. Building one properly saves time, reduces confusion, and makes sure nothing important gets missed.

Define the scope and frequency
Start by mapping out every process and area covered by your OH&S management system. Higher-risk areas or processes with a history of nonconformities should be audited more frequently. A risk assessment of your audit programme - looking at where things are most likely to go wrong - helps you allocate audit time where it matters most.
Select and train your auditors
ISO 45001 requires auditors to be impartial. This means they should not audit their own work. Auditors also need to be competent - they should understand the standard, the processes they are reviewing, and how to gather and evaluate evidence. Many organisations use safety training programs to build internal audit competency and keep auditors current with the standard's requirements.
Plan each individual audit
Each audit within your programme needs its own plan. This includes the audit scope, objectives, criteria, schedule, and the team conducting it. Audit criteria can include ISO 45001 requirements, your OH&S policy, legal and regulatory obligations, and your own procedures.
What Internal Auditors Check in an ISO 45001 Audit
An internal audit for ISO 45001 covers the full scope of your OH&S management system. While each organisation's system is different, auditors typically review the following areas:
Leadership and OH&S policy
Auditors check whether top management is visibly committed to the system. This includes whether the OH&S policy is documented, communicated, and understood across the organisation. They also look at whether objectives are set, measured, and reviewed.
Hazard identification and risk controls
This is one of the most scrutinised areas in any ISO 45001 internal audit. Auditors verify that the organisation has a systematic process for hazard identification, assessing risks, and implementing risk controls. They look for evidence that controls are documented, applied on the ground, and reviewed after incidents or changes.
Operational controls and procedures
Auditors review whether safety procedures are in place for high-risk tasks, whether workers are following them, and whether controls like permit to work systems are being used correctly.
Incident management and corrective actions
The audit will check whether incidents and near misses are being reported, investigated, and closed out properly. Auditors look at whether corrective actions have been raised for nonconformities and whether they have actually been completed - not just recorded.
Worker competency and participation
Auditors verify that workers have the training and competency needed for their roles, and that workers are actively involved in the safety system - not just informed about it. Records of safety induction and ongoing training are reviewed as evidence.
Managing Audit Findings and Nonconformities
Finding a nonconformity during an internal audit is not a failure - it is the audit doing its job. What matters is how findings are managed after the audit closes.
ISO 45001 requires that nonconformities are documented, that the root cause is identified, and that corrective actions are taken to prevent recurrence. This is not just about fixing the immediate problem. It is about making sure the same issue does not appear in the next audit.
A good practice is to categorise findings by severity - major nonconformity, minor nonconformity, or observation. This helps prioritise what needs immediate attention versus what can be addressed over a longer timeframe.
The role of internal audits in improving business performance goes beyond just identifying problems. When findings are tracked and closed systematically, audit data becomes a source of insight for management reviews and continual improvement planning.
Common Mistakes in ISO 45001 Internal Audits
Even experienced teams fall into patterns that reduce the value of their internal audits. A few common ones:

Auditing the same processes every cycle while skipping others. This creates blind spots in your system and is a red flag during external audits.
Using checklists mechanically without actually testing whether controls are effective on the ground. An auditor who ticks boxes without walking the floor misses the real picture.
Raising findings but not following through on corrective actions. If audit findings sit unresolved across multiple audit cycles, it signals a systemic management issue.
Not maintaining adequate audit records. ISO 45001 requires you to retain documented information as evidence of the audit programme and results. Poor records make it difficult to demonstrate compliance during ISO 45001 implementation reviews or certification audits.
How Software Supports ISO 45001 Internal Audits
Managing an internal audit programme manually - through spreadsheets, email threads, and paper-based checklists - creates unnecessary risk. It is easy for audit schedules to slip, findings to go untracked, and corrective actions to be forgotten.
Occupational health and safety management system software like Effivity allows you to schedule audits, assign auditors, record findings, and track corrective actions in one place. Audit reports are generated automatically, and nothing falls through the cracks because the system keeps everything connected - from the audit plan to the closed corrective action.
Try Effivity for Free and see how structured audit management works in practice.
Frequently Asked Questions
An internal audit in ISO 45001 is a planned review of your occupational health and safety management system to check that it meets the standard's requirements and is working effectively.
ISO 45001 requires audits at planned intervals. Most organisations conduct them annually at minimum, with higher-risk areas audited more frequently based on their audit programme.
Auditors must be competent and impartial - they cannot audit their own work. They can be internal staff or externally appointed, as long as objectivity is maintained.
An internal audit is conducted by or on behalf of the organisation itself. An external audit is conducted by a third-party certification body to assess whether the system meets ISO 45001 for certification purposes.