FREE Quality, Health and Safety, and HR Business Software Click <HERE> to Learn More and Download
ISO 45001:2018 Clause 9.2 Internal Audit
Clause 9.2 Breakdown
Q. "does the system conform to requirements?"
9.2 Internal audit
9.2.2 Internal audit programme
The prime reason for auditing is two-fold, provide organization assurance and provide organization improvement. Organizations must look at themselves through the internal audits process with integrity and honesty. However, it's not uncommon that internal auditors are seen as a drain on resources, not an asset.
This is the self-policing clause, requiring the organization to check it's doing what it said it would do, and it meets the requirements of the OH&S management system, which in turn, meets the requirements of the standard.
First, let's look at what the standard requires before venturing into making sense of what this means?
Organisations are mandated by the 'shall' verbal form to plan and conduct periodic and rolling internal audits to demonstrate information concerning the performance and effectiveness of the OH&S management system:
2.the requirements of the ISO 45001 2018 standard as implemented an accredited against the organizations OH&S management system.
b.the internal audit plan is satisfactorily actualized, maintained and perpetually continued to the agreed audit cycle.
A keyword in the internal audit requirement is 'effective', an auditor may well conduct an audit for a specific area of the organization OH&S management system and find it conforms, however, the process may add little value... In cases like this the organization needs to review and consider the 'effectiveness' of the process and make adjustments as necessary. This will doubtlessly take the organization into its ISO 45001 2018 10 Improvements clause and procedures for its OH&S management system.
Auditors need to be trained, competent and ideally familiar, but also have a degree of independence from the area that they will be auditing. Auditors should not conduct audits on their own activities and preferably not their own department. Multi-site organizations will often make use of auditors from operations outside their direct control to undertake audits on areas that are not independent to the organization internal audit team. Alternatively, the organizations can train additional auditors from outside the QHSE department to conduct audits on the auditors so to speak...
Independence within an internal audits plan can not always be guaranteed, for example:
•your auditing a manager of a department your looking to get promoted into;
•your auditing a manager that provides resources into your department;
•your auditing a manager you hold a grudge against;
•your auditing individuals with family links or romantic intentions towards.
This is a clause of the standard that places quite restrictive requirements upon the organization. However, most of the stipulations would be part of a well-managed audit programme, and thus cause little changes or additional undertakings from the existing systems. The audit philosophy will change from organization to organization and generally depend on criteria such as the size and complexity of the organization.
Taking a look at the requirements of clause 9.2.2 there are six bulleted sub-clauses a) to f) all of which are mandated by the 'shall' verbal form.
Bullet point a) sets out the overall audit ethos with sub-clauses b) to f) building on this initial bullet point.
9.2.2 Bullet point a) sets a series of mandated requirements that include:
The organization shall in regards to the internal audit programme:
which shall include the:
All of which needs to take into account the importance of the process in regards to the OH&S management system, its performance, its policy and its objectives as well as the results of previous audit findings.
9.2.2 b) requires that each audit has a:
•defined criteria; and
...to the process.
9.2.2 c) requires auditors to be selected upon their:
9.2.2 d) requires the audit report, including where necessary audit results to be promulgated to:
•relevant workers or their representatives;
•other relevant interested parties. (also see clause 45001 2018 4.2 Understanding the needs and expectations of workers and other interested parties)
9.2.2 e) requires the organization to:
•address OH&S management system nonconformities; (see clause 45001 2018 10.2 Nonconformity and corrective action)
•continually improve the OH&S management system. (see clause 45001 2018 10.3 Continual improvement)
9.2.2 f) maintain records that the audit programme is being implemented and the results of audits undertaken are available as documented information.
Useful integrated management system cross references
Help file v1.154.0333 : Copyright © 2021 Brian G. Welch MSc(QHSE), NVQ4(OH&S), CMIOSH - Supported by Website On Safe Lines