ISO 45001-2018 9.2 Internal audit







ISO 45001:2018 Clause 9.2 Internal Audit









Clause 9.2 Breakdown


Q. "does the system conform to requirements?"


9.2 Internal audit


  9.2.1 General

  9.2.2 Internal audit programme


9.2.1 General


The prime reason for auditing is two-fold: to provide organizational assurance and to provide organizational improvement. Organizations must look at themselves through the internal audit process with integrity and honesty. However, it's not uncommon for internal auditors to be seen as a drain on resources, not an asset.


This is the self-policing clause, requiring the organization to check that it's doing what it said it would do and that it meets the requirements of the OH&S management system, which in turn meets the requirements of the standard.


First, let's look at what the standard requires before venturing into making sense of what this means.


Organisations are mandated by the 'shall' verbal form to plan and conduct periodic and rolling internal audits to provide information concerning the performance and effectiveness of the OH&S management system:


a. adheres to:


1. the organization’s defined OH&S management system arrangements, including its specified OH&S policy and OH&S objectives;

2. the requirements of the ISO 45001 2018 standard as implemented and accredited against the organization's OH&S management system.


b. the internal audit plan is satisfactorily actualized, maintained and perpetually continued to the agreed audit cycle.


A keyword in the internal audit requirement is 'effective'. An auditor may well conduct an audit for a specific area of the organization's OH&S management system and find it conforms; however, the process may add little value. In cases like this the organization needs to review and consider the 'effectiveness' of the process and make adjustments as necessary. This will doubtlessly take the organization into its ISO 45001 2018 10 Improvements clause and procedures for its OH&S management system.


Auditors need to be trained, competent and ideally familiar with, but also have a degree of independence from, the area that they will be auditing. Auditors should not conduct audits on their own activities and preferably not their own department. Multi-site organizations will often make use of auditors from operations outside their direct control to undertake audits on areas that are not independent to the organization's internal audit team. Alternatively, the organization can train additional auditors from outside the QHSE department to conduct audits on the auditors, so to speak.


Independence within an internal audit plan cannot always be guaranteed, for example:


you're auditing a manager of a department you're looking to get promoted into;

you're auditing a manager who provides resources to your department;

you're auditing a manager you hold a grudge against;

you're auditing individuals you have family links with or romantic intentions towards.


9.2.2 Internal audit programme


This is a clause of the standard that places quite restrictive requirements upon the organization. However, most of the stipulations would be part of a well-managed audit programme, and thus cause little change or additional undertakings from the existing systems. The audit philosophy will change from organization to organization and generally depend on criteria such as the size and complexity of the organization.


Taking a look at the requirements of clause 9.2.2, there are six bulleted sub-clauses, a) to f), all of which are mandated by the 'shall' verbal form.


Bullet point a) sets out the overall audit ethos with sub-clauses b) to f) building on this initial bullet point.


9.2.2 Bullet point a) sets a series of mandated requirements that include:


The organization shall, with regard to the internal audit programme:




implement; and



which shall include the:





planning requirements;

requisite consultations;

reporting methodology.


All of which needs to take into account the importance of the process with regard to the OH&S management system, its performance, its policy and its objectives, as well as the results of previous audit findings.


9.2.2 b) requires that each audit has a:


defined criteria; and

specified scope.


 the process.


9.2.2 c) requires auditors to be selected upon their:


objectivity; and



9.2.2 d) requires the audit report, including where necessary audit results to be promulgated to:


relevant managers;

relevant workers or their representatives;

other relevant interested parties. (also see clause 45001 2018 4.2 Understanding the needs and expectations of workers and other interested parties)


9.2.2 e) requires the organization to:


address OH&S management system nonconformities; (see clause 45001 2018 10.2 Nonconformity and corrective action)

continually improve the OH&S management system. (see clause 45001 2018 10.3 Continual improvement)


9.2.2 f) maintain records that the audit programme is being implemented and the results of audits undertaken are available as documented information.


ISO 45001 2018 9.2.2 Internal Audit Programme



Useful integrated management system cross references


ISO 9001


ISO 9001-2015 9 Performance evaluation

ISO 9001-2015 9.2 Internal audit


ISO 14001


ISO 14001-2015 9 Performance evaluation

ISO 14001-2015 9.2 Internal audit

Help file v1.175.0542 : Copyright © 2022 Brian G. Welch MSc(QHSE), NVQ4(OH&S), CMIOSH - Supported by Website On Safe Lines