Health and Safety legislation imposes a primary duty on employers to provide and maintain a workplace that is safe and without risk to health so far as is reasonably practicable. This duty is broad, but it requires a business to have a clear understanding of the hazards that exist due to its operations. In response, most businesses establish systems to manage operational risk, including; policy documents, risk assessment and incident investigation tools, standard operating procedures, training matrices and emergency response plans. But, how does a business know if such systems are effective? In short, auditing against these systems is the answer. But, what type of audit? This article will explore different audit approaches to enable you to decide what works best for your organisation.

A health and safety audit is designed to provide a business with an assessment of their current documented systems against criteria established by a standard (i.e. AS4801: Occupational Health and Safety Management Systems – Specifications with guidance for use or BSOHSAS 18001:2007 – Occupational Health and Safety Management Systems requirements) or against more detailed criteria designed to assess the risk control methodology established by a business to manage and control operational high consequence risk. Typically, audits are conducted in the first instance against established standards. With greater maturity, audits can be customized to ‘dig deeper’ than traditional standards based audits via detailed forensic examination of how high consequence operational risk is documented and applied at a workplace.

Audits performed against a standard

Traditional standards based audits (i.e. AS4801: Occupational Health and Safety Management Systems – Specifications with guidance for use or BSOHSAS 18001:2007 – Occupational Health and Safety Management Systems requirements) examine health and safety documentation using similar criteria based on the following elements:

  • Policy;
  • Planning;
  • Implementation;
  • Measurement and evaluation;
  • Management review.

An auditor examines both the documentary and methods of implementation (including review processes) and issues a conformance or non-conformance against each element and sub-element established by the standard. A report is provided by the auditor upon completion of the audit detailing the methods by which conformance for each element or sub-element can be achieved. Once desk-top based compliance against the standard is achieved, a business can apply to have their documentation and processes examined at a higher level for the purpose of achieving certification. Such certification may be required for tendering of government based contracts and reputational enhancement as a safe and reliable partner, contractor or supplier.

‘Deep-dive’ forensic type audits

The purpose of a ‘deep dive’ forensic health and safety audit is not to examine compliance against criteria established by a standard but rather undertake a detailed examination of how high consequence risk is managed in accordance with a business’s operational risk profile.

Key items examined as part of a ‘deep dive’ forensic health and safety audit:

  1. Governance systems including:
    1. Review of Officer roles and responsibilities, including evidence of participation and active participation in the management of high consequence health and safety risk;
    2. Review of systems established for Officer oversight of risk management strategies designed to control operational high consequence hazards (i.e. top five high consequence hazards);
    3. Review of Officer involvement in the establishment and review of organisational health and safety objectives and targets. Review of systems implemented to actively combat trends identified from such measures;
    4. Review of Officer systems established to review any established Operational Risk Register as part of regular management review meetings.
  2. Operational Risk Register including:
    1. Review of prioritisation methods to manage health and safety risk according to consequence (i.e. high consequence hazards including; work at height, plant/equipment, mobile plant operation, hazardous energy (electrical, hydraulic, pneumatic) confined space entry, hazardous substances/dangerous goods). Review of systems established to assist in the close out of such items including allocation of resources, access to external expertise;
    2. Review of the delegation of responsibility for Risk Register item completion including dates of commencement and planned date of completion including reference to immediate actions taken to rectify whilst medium to longer term actions are established. Existence of exception reporting as part of overall health and safety reporting submitted for review by Officers for any short, medium and longer-term actions that are not established within documented timeframes.
  3. Risk Management processes including (but not limited to):
    1. Review of high consequence risk management systems designed to control for example:
      1. Plant and equipment, including;
        1. Review of plant register;
        2. Review of plant risk assessments and guarding control plans. Confirmation of transference of any outstanding risk control items to Operational Risk Register, including assigned risk rating and allocated responsibility for completion;
        3. Review of Standard Operating procedures for plant operation including hazardous energy control plans for maintenance.
      2. Hazardous Energy Control, including;
        1. Review of lockout procedures including any developed equipment specific lockout procedures that detail the location of energy isolation devices, lock usage, energy dissipation procedures and confirmation of zero energy status via testing.
  • Work at Height, including;
    1. Review of Work at Height Register and Control Plan;
    2. Review of Emergency Rescue Control plans;
    3. Review of equipment and license register.
  1. Confined Space Entry, including:
    1. Review of Confined Space Register including:
      1. Allocation of Confined Space identification number;
      2. Confined space description;
      3. Hazards associated with entry into the space (including emergency rescue requirements);
      4. Any pre-entry atmospheric monitoring requirements, and;
      5. Methods of entering space (top/side).
    2. Review of Confined Space risk assessments;
    3. Review of completed permits to confirm:
      1. Names of persons permitted to enter the space;
      2. Period/duration of time during which the work shall be carried out;
      3. Risk control measures established for entry/exit, works to be undertaken and emergency rescue systems;
      4. Communication requirements including continuous communication from outside of space, and;
      5. Atmospheric monitoring systems.
    4. Hazardous Substances/Dangerous Goods, including:
      1. Review of established Hazardous Substances/Dangerous Goods register or manifest dependent on quantities;
      2. Review of risk assessments, including confirmation of transference of any outstanding risk control items to Operational Risk Register, including assigned risk rating and allocated responsibility for completion.
    5. Incident investigation processes including:
      1. Review of systems implemented to investigate incidents, including methods to establish contributing factors and root cause;
      2. Review of corrective action systems following investigation completion including time taken to implement first methods of controls and verification that any outstanding corrective actions have been transferred to the Operational Risk Register, including assigned risk rating and allocated responsibility for completion;
      3. Review of targeted risk management actions taken to resolve any incident trends.
    6. Consultation processes including direct and indirect employee consultation.


In closing, auditing provides vital information to business on the current status of their health and safety management systems. Compliance based or ‘standard’ audits provide useful insight into a systems general health but, often do not go deep enough to examine how these systems are managing the risk associated with high consequence operational hazards. A ‘deep dive’ is therefore an invaluable audit process that assesses the integrity of these systems in order to provide Officers of a business with the confidence that such systems are delivering the required outcome of the provision and maintenance sound risk control, which forms the cornerstone of primary duty of the health and safety legislation.

Looking for a safety consultant for your project?

Get in touch to discuss how we can be of assistance

Get in touch

600 Congress Ave
Flor 14 Blog C,
Austin,Tx 78965

09876 768 66
09875 788 889

Say Hello.