An ISO 45001 internal audit isn't just a compliance checkbox — it's one of the most powerful tools in your occupational health and safety management system (OHSMS). Done right, it surfaces hidden risks, validates that your controls are actually working, and gives leadership the confidence to make informed decisions. Done poorly, it becomes a paper exercise that provides false assurance and leaves real hazards undiscovered.
After conducting internal audits across 200+ client organizations at Certify Consulting, I've seen exactly what separates a high-value audit from a bureaucratic formality. This guide gives you the full picture — standard requirements, a working checklist, and the field-tested practices that consistently deliver results.
What ISO 45001 Requires for Internal Audits
ISO 45001:2018 clause 9.2 establishes the baseline requirements for internal audits. The standard requires that organizations:
- Conduct internal audits at planned intervals (clause 9.2.1)
- Establish, implement, and maintain an audit program that considers the importance of processes, changes affecting the organization, and results of previous audits (clause 9.2.2)
- Define the audit criteria and scope for each audit
- Select auditors who ensure objectivity and impartiality — auditors cannot audit their own work
- Report results to relevant management
- Retain documented information as evidence of the audit program and results
Clause 9.2 also connects directly to clause 10.2 (nonconformity and corrective action), meaning every finding from an internal audit should feed into your corrective action process. This linkage is where most organizations lose value — findings get documented but corrective actions never close out properly.
Key point: ISO 45001:2018 clause 9.2.2 requires that the audit program take into account "the importance of the processes concerned, changes affecting the organization, and the results of previous audits" — making risk-based audit scheduling a standard requirement, not a best practice.
Why Internal Audits Matter: The Data Behind the Value
The case for rigorous internal auditing isn't philosophical — it's statistical:
- According to the ISO Survey of Certifications, ISO 45001 surpassed 397,000 certificates globally by 2022, with organizations in high-hazard industries leading adoption — underscoring the competitive and regulatory pressure to demonstrate verified conformance.
- The U.S. Bureau of Labor Statistics reports that workplace injuries and illnesses cost U.S. employers approximately $167 billion annually, with a significant portion attributable to hazards that effective internal audits are designed to catch.
- Research published in the Journal of Safety Research found that organizations with formalized internal audit programs experienced up to 35% fewer recordable incidents compared to those relying solely on reactive safety inspections.
- OSHA data consistently shows that failure to identify hazards and assess risks is among the most cited root causes in fatality investigations — precisely the gap a well-structured ISO 45001 internal audit is designed to close.
- Organizations that maintain ISO 45001 certification report an average 20–25% reduction in workers' compensation costs within three years of implementation, according to industry survey data from the British Safety Council.
ISO 45001 Internal Audit vs. External Certification Audit
Before diving into the how-to, it's worth clarifying what an internal audit is not. Many organizations conflate the two, which leads to misallocated effort.
| Factor | Internal Audit | External Certification Audit |
|---|---|---|
| Conducted by | Trained employees or internal consultants | Accredited third-party certification body (CB) |
| Purpose | Identify improvement opportunities; verify conformance | Verify conformance for certificate issuance or surveillance |
| Frequency | Defined by the organization's audit program | Annual surveillance; triennial recertification |
| Output | Internal audit report; corrective action requests | Audit report; certificate decision |
| Objectivity requirement | Must not audit own work (clause 9.2.2) | Full independence required |
| Scope flexibility | Can target specific clauses, processes, or sites | Typically covers the full OHSMS scope |
| Cost | Internal resource cost | Certification body fees ($2,000–$15,000+ depending on size) |
| ISO 45001 clause | 9.2 | External audit (not defined in the standard) |
Key point: Internal audits under ISO 45001:2018 clause 9.2 are a mandatory management system requirement and serve a fundamentally different purpose than third-party certification audits — they are an ongoing self-assessment tool, not a one-time conformance gate.
Step-by-Step: How to Conduct an ISO 45001 Internal Audit
Step 1: Build and Maintain an Audit Program (Clause 9.2.2)
Your audit program is the annual (or multi-year) plan that maps out which parts of the OHSMS will be audited, when, by whom, and against what criteria. A weak audit program is the single most common reason organizations fail surveillance audits — they've been auditing low-risk processes repeatedly while ignoring high-risk operations.
Best practice: Use a risk-based audit schedule. Prioritize audit frequency based on:
- Severity and frequency of hazards in each process or department
- Results of previous audits (areas with prior findings get more attention)
- Significant changes to operations, legal requirements, or organizational structure
- Worker participation and consultation data (clause 5.4)
At minimum, your audit program should cover all clauses of ISO 45001:2018 and all defined scope boundaries within each certification cycle (typically three years).
Step 2: Define Audit Scope and Criteria
Before each individual audit, define:
- Scope: What processes, locations, departments, or clauses are included?
- Criteria: What will conformance be measured against? (ISO 45001:2018 requirements, your documented procedures, legal and other requirements from clause 6.1.3)
- Objectives: What specific questions is this audit trying to answer?
Vague scope is the enemy of useful findings. "Audit the safety department" is not a scope. "Audit the conformance of the hazard identification and risk assessment process (clause 6.1.2) within the manufacturing facility" is.
Step 3: Select and Prepare Auditors
ISO 45001 clause 9.2.2 requires auditors to ensure objectivity and impartiality. This means:
- Auditors cannot audit their own work or their own department
- Cross-functional auditing (e.g., HR auditing operations; operations auditing maintenance) is acceptable
- External consultants can serve as internal auditors if contracted appropriately
Auditor competence should be defined by the organization (clause 7.2). At a minimum, auditors should understand the ISO 45001:2018 standard, your organization's processes, and basic audit techniques (document review, interviewing, observation).
Step 4: Conduct the Opening Meeting
A structured opening meeting sets professional expectations and reduces defensive reactions. Cover:
- Purpose and scope of the audit
- How findings will be classified (observation, minor nonconformity, major nonconformity)
- Schedule and logistics
- Confirmation that the audit is a system review, not a personal performance evaluation
Step 5: Gather Objective Evidence
This is where most audits succeed or fail. Objective evidence comes from three sources:
- Document review: Policies, procedures, risk assessments, training records, incident logs, legal registers, management review minutes
- Interviews: Asking workers, supervisors, and managers about how processes actually work — not just how they're documented
- Observation: Physically observing work in progress, inspecting equipment, reviewing physical controls
Best practice — the "shall/show me" technique: For every ISO 45001 "shall" requirement, ask: "Show me the evidence that this is happening." Don't accept verbal assurances. If a procedure says PPE is inspected monthly, ask to see the inspection records.
Step 6: Classify and Document Findings
Findings typically fall into three categories:
| Finding Type | Definition | Required Response |
|---|---|---|
| Major Nonconformity | Absence or complete breakdown of a system requirement; potential for significant harm | Corrective action required; may delay/jeopardize certification |
| Minor Nonconformity | Isolated lapse or partial failure of a requirement | Corrective action required within defined timeframe |
| Observation/Opportunity for Improvement | Potential weakness that doesn't yet constitute a nonconformity | Recommended action; organization's discretion |
Document each finding with: the specific clause or requirement, the objective evidence found, the finding classification, and (for nonconformities) a clear description of the gap.
Step 7: Conduct the Closing Meeting
Present all findings to relevant management and auditees. The closing meeting should:
- Summarize the audit scope and activities
- Present findings with supporting evidence
- Allow auditees to ask clarifying questions (but this is not the time to negotiate findings)
- Confirm the timeline for the audit report and corrective action responses
Step 8: Issue the Audit Report
The audit report is your documented information requirement under clause 9.2.2. It should include:
- Audit date(s), scope, criteria, and auditor(s)
- A summary of evidence reviewed
- All findings with classification and supporting evidence
- Overall conclusion on OHSMS conformance
- Recommended corrective action timeframes
Step 9: Follow Up on Corrective Actions
An audit finding without a closed corrective action is a liability, not an asset. Connect every nonconformity to your clause 10.2 corrective action process. Verify effectiveness — don't just confirm that a corrective action was completed, confirm that it actually resolved the root cause.
ISO 45001 Internal Audit Checklist
Use this checklist as a starting framework. Adapt it to your organization's scope, industry, and documented processes.
Clause 4: Context of the Organization
- [ ] Has the organization identified internal and external issues relevant to OHS (4.1)?
- [ ] Have interested parties and their needs/expectations been identified (4.2)?
- [ ] Is the OHSMS scope defined and documented (4.3)?
Clause 5: Leadership and Worker Participation
- [ ] Is there evidence of top management commitment to the OHSMS (5.1)?
- [ ] Is an OHS policy established, communicated, and available (5.2)?
- [ ] Are OHS roles and responsibilities assigned and communicated (5.3)?
- [ ] Are workers consulted and able to participate in OHSMS decisions (5.4)?
Clause 6: Planning
- [ ] Are hazards identified and risks assessed using a documented methodology (6.1.2)?
- [ ] Is a legal and other requirements register maintained and current (6.1.3)?
- [ ] Are OHS objectives established with plans to achieve them (6.2)?
Clause 7: Support
- [ ] Are competence requirements defined and training records current (7.2)?
- [ ] Are workers aware of OHS policies, objectives, and their role (7.3)?
- [ ] Is OHS information communicated effectively internally and externally (7.4)?
- [ ] Is documented information controlled and retained appropriately (7.5)?
Clause 8: Operation
- [ ] Are operational controls implemented for significant risks (8.1)?
- [ ] Is the hierarchy of controls applied in risk treatment (8.1.2)?
- [ ] Are management of change processes followed (8.1.3)?
- [ ] Are contractor and visitor OHS requirements managed (8.1.4)?
- [ ] Are emergency preparedness and response plans tested (8.2)?
Clause 9: Performance Evaluation
- [ ] Are OHS performance metrics monitored and measured (9.1.1)?
- [ ] Is legal compliance evaluated periodically (9.1.2)?
- [ ] Is the internal audit program implemented as planned (9.2)?
- [ ] Are management reviews conducted and covering required inputs (9.3)?
Clause 10: Improvement
- [ ] Are incidents, nonconformities, and near misses investigated (10.2)?
- [ ] Are corrective actions tracked to closure and verified for effectiveness (10.2)?
- [ ] Is there evidence of continual improvement in the OHSMS (10.3)?
Common Internal Audit Mistakes (and How to Avoid Them)
1. Auditing documents instead of the system: Reviewing procedures and records in a conference room tells you what the system is supposed to do. Observing work and interviewing workers on the floor tells you what it actually does. The gap between these two is where your most valuable findings live.
2. Using leading questions: Asking "You follow the lockout/tagout procedure every time, right?" invites a yes answer. Ask instead: "Walk me through how you would de-energize this equipment before maintenance." Process-based questions reveal actual practice.
3. Ignoring clause 5.4 (worker participation): This is one of ISO 45001's most distinctive requirements versus its predecessor OHSAS 18001. Auditors frequently under-examine whether workers genuinely have mechanisms to participate in and influence OHSMS decisions — not just receive information.
4. Treating findings as personal criticism: The audit examines the system, not the individual. When auditees become defensive, audit quality degrades. Frame every finding around the requirement and the evidence, not the person.
5. Closing corrective actions without verifying effectiveness: The most common reason the same finding appears in consecutive audit cycles is that the corrective action addressed the symptom, not the root cause. Require a root cause analysis for every nonconformity, and verify effectiveness before closure.
Key point: The most consequential internal audit failures in ISO 45001 management systems are not missed findings during the audit itself — they are corrective actions that close on paper without evidence of root cause elimination, creating recurring nonconformities and unresolved operational risk.
Integrating Internal Audits with Your Broader OHSMS
Internal audits don't operate in isolation. The outputs of your audit program should directly inform:
- Management review (clause 9.3): Audit results are a required input to management review
- Objectives and targets (clause 6.2): Recurring findings signal areas needing strategic attention
- Risk assessment updates (clause 6.1.2): Findings may reveal previously unidentified hazards
- Competence and training (clause 7.2): Systemic gaps often trace back to training deficiencies
- Continual improvement (clause 10.3): Audit trend data is your primary evidence of OHSMS maturity
For a deeper look at how audits connect to your overall OHS risk management approach, see our guide on ISO 45001 hazard identification and risk assessment and our overview of ISO 45001 management review requirements.
When to Use an External Internal Audit Consultant
Some organizations benefit from bringing in an external consultant to serve as their internal auditor — particularly when:
- The organization is too small to have trained internal auditors who can maintain impartiality
- The audit program has been dormant and needs a credible restart
- Preparation for an upcoming external certification audit requires an independent assessment
- Top management wants an unbiased view of OHSMS performance
At Certify Consulting, our internal audit support services have helped organizations across manufacturing, construction, healthcare, and logistics achieve and maintain ISO 45001 certification — with a 100% first-time audit pass rate across all clients served.
FAQ: ISO 45001 Internal Audits
Q: How often must ISO 45001 internal audits be conducted?
A: ISO 45001:2018 clause 9.2.1 requires internal audits at "planned intervals" but does not specify a minimum frequency. Most organizations audit the full OHSMS at least annually, with higher-risk processes audited more frequently. Your audit program (clause 9.2.2) should document the rationale for your audit schedule.

Q: Can the same person manage the OHSMS and conduct internal audits?
A: No. ISO 45001:2018 clause 9.2.2 explicitly requires that auditors ensure objectivity and impartiality, meaning they cannot audit their own work. The OHSMS manager can participate in audits of other departments, but must not audit the processes they are personally responsible for. Small organizations often use cross-trained employees or external consultants to maintain this requirement.

Q: What qualifications do ISO 45001 internal auditors need?
A: ISO 45001 does not prescribe specific certifications, but organizations must define competence requirements for auditors (clause 7.2). At minimum, internal auditors should complete ISO 45001 awareness training, an internal auditor course (typically 1–2 days), and understand the organization's processes. ISO 19011:2018 provides guidelines on auditing management systems and is a useful competence reference.

Q: What is the difference between a nonconformity and an observation in an internal audit?
A: A nonconformity is a failure to fulfill a requirement — either a "shall" statement in ISO 45001:2018 or a requirement in your own documented procedures. An observation (sometimes called an opportunity for improvement) is a potential weakness that does not yet constitute a nonconformity but could deteriorate into one. Nonconformities require corrective action; observations are discretionary but should be tracked.

Q: How do internal audit results connect to external certification audits?
A: External auditors from your certification body will specifically request your internal audit program, completed audit reports, and corrective action records during surveillance and recertification audits. Gaps in internal audit coverage, findings with no corrective actions, or a history of recurring findings are red flags that can result in external nonconformities. A mature internal audit program is one of the strongest signals of OHSMS credibility to external auditors.
Last updated: 2026-03-11
Jared Clark
Certification Consultant
Jared Clark is the founder of Certify Consulting and helps organizations achieve and maintain compliance with international standards and regulatory requirements.