
How to Conduct an ISO 45001 Internal Audit: Checklist & Best Practices


Jared Clark

March 12, 2026

An ISO 45001 internal audit is one of the most consequential activities in your occupational health and safety management system (OH&SMS). Done well, it surfaces real hazards, closes compliance gaps, and prepares your organization to pass the Stage 2 certification audit with confidence. Done poorly, it creates a false sense of security — and a very unpleasant surprise when the external auditor arrives.

At Certify Consulting, I've guided 200+ organizations through ISO 45001 implementation and certification, with a 100% first-time audit pass rate. One pattern is consistent: the organizations that pass on the first attempt treat internal audits as a genuine risk management tool, not a checkbox exercise. This article gives you the exact framework we use.


Why ISO 45001 Internal Audits Are Non-Negotiable

ISO 45001:2018 clause 9.2 explicitly requires organizations to conduct internal audits at planned intervals to determine whether the OH&SMS conforms to the organization's own requirements and the standard's requirements, and whether it is effectively implemented and maintained.

This isn't optional language. The standard requires a documented audit program (clause 9.2.2) that considers the importance of processes, changes affecting the organization, and results of previous audits. Failure to maintain an audit program is a major nonconformity that will stop your certification in its tracks.

Beyond compliance, the business case is compelling. According to the International Labour Organization, approximately 2.3 million workers die each year from occupational accidents and diseases, and an estimated 374 million non-fatal work-related injuries occur annually. A rigorous internal audit program is one of the most effective mechanisms to identify and control the hazards driving those numbers before they become incidents.


The 6-Phase ISO 45001 Internal Audit Process

Phase 1: Build Your Annual Audit Program (Clause 9.2.2)

Before you audit anything, you need a documented audit program. Think of this as the master plan that governs all individual audit activities throughout the year.

Your audit program must address:

  • Frequency — How often will each area or process be audited? High-risk processes (e.g., confined space entry, lockout/tagout, chemical handling) should be audited more frequently than low-risk administrative functions.
  • Methods — Document review, interviews, observation, process walk-throughs, sampling of records.
  • Responsibilities — Who owns the program? Who conducts individual audits?
  • Planning requirements and reporting — How will audit results be documented and communicated?
  • Criteria — What are you measuring conformance against? (ISO 45001 requirements + your own OH&SMS documentation)

Pro tip: Risk-stratify your audit program. Not all processes carry equal OH&S risk. A loading dock with powered industrial trucks warrants more audit scrutiny than an HR office. Your program should reflect that proportionality.

Phase 2: Select and Qualify Your Audit Team

ISO 45001 clause 9.2.2(d) requires that auditors are selected to ensure objectivity and impartiality. This means you cannot audit your own work. An EHS manager cannot audit the EHS function they manage.

Your auditors need two things:

  1. Competence in auditing — Knowledge of audit principles, techniques, and the ISO 45001 standard. ISO 19011:2018 provides detailed guidance on auditor competence and is the reference standard for OH&SMS auditing.
  2. OH&S subject matter knowledge — Understanding of the relevant hazards, applicable legal requirements, and operational context.

Small organizations often use cross-functional auditing — having the quality manager audit safety processes and the safety manager audit quality processes. This works well and is fully acceptable under the standard.

Phase 3: Plan the Individual Audit

For each scheduled audit, the auditor (or lead auditor) must prepare:

Audit scope and objectives: Define what processes, locations, time periods, and clauses are in scope. Narrowly scoped audits are more focused and produce better findings than sprawling, unfocused ones.

Audit criteria: Assemble the relevant documentation — the standard's requirements, your OH&SMS procedures, applicable legal requirements (OSHA regulations, state/local requirements), and any previous audit findings for the area.

Audit plan/schedule: Notify auditees in advance. Best practice is 1–2 weeks' notice for departmental audits. Surprise audits can be appropriate for specific investigations but are generally counterproductive for routine audits because they create adversarial dynamics.

Audit checklist: Develop your clause-by-clause checklist. See the detailed checklist section below.

Phase 4: Conduct the Audit — Opening Meeting Through Field Work

Opening Meeting (15–30 minutes)

Start every audit with a brief opening meeting. Introduce the audit team, confirm the scope and objectives, explain the process, establish communication protocols, and — critically — set a collaborative tone. The opening meeting sets the psychological frame for everything that follows. If auditees feel interrogated, they become defensive. If they feel supported, they become partners in finding and fixing problems.

Document Review

Begin with documentary evidence. Request and review:

  • Relevant procedures, work instructions, and safe work practices
  • Training records and competency assessments
  • Hazard identification and risk assessment records
  • Legal compliance registers and evidence of monitoring
  • Previous corrective actions and their verification
  • Incident and near-miss investigation records
  • Management of change records
  • Emergency drill records and evaluations

Interviews

Interviewing workers is arguably the most important field technique in an OH&S audit. ISO 45001 places enormous emphasis on worker participation (clause 5.4), and interviews directly test whether the management system exists in practice or only on paper.

Effective interview techniques:

  • Ask open-ended questions: "Walk me through what you do when you identify a new hazard."
  • Follow the process: "Show me how you would lock out that machine before performing maintenance."
  • Verify training: "Your records show you completed confined space entry training last year — can you tell me the atmospheric hazards you check for before entry?"
  • Test knowledge of emergency procedures: "What would you do if you detected a gas leak in this area?"

Target a representative sample — frontline workers, supervisors, and managers. If only managers can explain the safety program but workers cannot, the system exists on paper only.

Physical Observation and Walk-Through

Walk the work area with the area manager or supervisor. You're looking for:

  • Actual conditions versus documented procedures
  • Posted emergency information, hazard warnings, and evacuation routes
  • Condition and availability of PPE
  • Housekeeping and physical hazard controls
  • Evidence of a near-miss reporting culture (boards, logs, etc.)
  • Equipment inspection tags and maintenance records

Closing Meeting

Present preliminary findings to the auditee and their manager. Confirm findings, clarify any questions, and agree on next steps. Never issue a formal nonconformity report without first sharing findings with the auditee — surprises in the final report erode trust and damage the program's effectiveness.

Phase 5: Document Findings and Issue the Audit Report

The audit report must be retained as documented information (clause 9.2.2(f)). Your report should include:

  • Audit objectives, scope, and criteria
  • Audit team members and auditees
  • Dates and locations covered
  • Summary of evidence reviewed
  • Findings classified as: Conformity, Observation/Opportunity for Improvement, Minor Nonconformity, or Major Nonconformity
  • Each nonconformity supported by objective evidence (not opinion)
  • Conclusion regarding system effectiveness

Nonconformity classification guidance:

  • Conformity: the requirement is fully met, with evidence. Example: training records complete and current.
  • Observation/OFI: no nonconformity, but an improvement opportunity exists. Example: near-miss reports filed but trend analysis not being performed.
  • Minor Nonconformity: an isolated failure with no systemic breakdown. Example: one of twelve emergency drill records missing required sign-offs.
  • Major Nonconformity: a systemic failure or the absence of a required element. Example: no hazard identification and risk assessment process exists for maintenance activities.

Phase 6: Drive Corrective Action and Verify Effectiveness

The audit report is not the end — it's the beginning. Clause 10.2 requires the organization to take corrective action on nonconformities. For each finding, the process owner must:

  1. Contain the immediate issue
  2. Investigate root cause (not just symptoms)
  3. Implement corrective action that addresses root cause
  4. Verify effectiveness — did the action actually fix the problem?

As the auditor or audit program manager, your job is to track corrective actions to closure and verify effectiveness. An audit program that generates findings but never verifies they're resolved is worse than no program at all — it creates documented evidence of known problems without documented resolution.


ISO 45001 Internal Audit Checklist: Key Clauses

Use this checklist as a starting framework. Customize it for your specific operational context and applicable legal requirements.

Context and Leadership (Clauses 4–5)

  • [ ] Has the organization determined internal and external issues relevant to OH&S (4.1)?
  • [ ] Are interested parties and their requirements identified (4.2)?
  • [ ] Is the OH&S scope defined and documented (4.3)?
  • [ ] Is there a current OH&S policy signed by top management and communicated to workers (5.2)?
  • [ ] Has top management demonstrated visible leadership in OH&S — not just policy ownership (5.1)?
  • [ ] Are OH&S roles, responsibilities, and authorities assigned and communicated (5.3)?
  • [ ] Is there documented evidence of worker consultation and participation in hazard identification, risk assessment, incident investigation, and policy development (5.4)?

Planning (Clause 6)

  • [ ] Is there a systematic process for hazard identification that covers routine and non-routine activities, emergency situations, and organizational changes (6.1.2.1)?
  • [ ] Are OH&S risks assessed using a defined methodology, and are controls implemented based on the hierarchy of controls (6.1.2.2–6.1.4)?
  • [ ] Is there a legal register that captures applicable OH&S legal requirements, and is it evaluated for compliance at planned intervals (6.1.3)?
  • [ ] Are OH&S objectives established, measurable, monitored, and communicated (6.2)?
  • [ ] Are plans in place to achieve objectives, with timelines and responsible parties (6.2.2)?

Support (Clause 7)

  • [ ] Are competency requirements defined for OH&S roles, and are workers trained to meet them (7.2)?
  • [ ] Are workers aware of the OH&S policy, their contribution to system effectiveness, and the consequences of not conforming (7.3)?
  • [ ] Are there documented processes for internal and external OH&S communication (7.4)?
  • [ ] Is documented information controlled and accessible (7.5)?

Operation (Clause 8)

  • [ ] Are operational controls in place for significant OH&S risks, including contractor and visitor management (8.1)?
  • [ ] Is there a management of change process for planned changes (8.1.3)?
  • [ ] Is there a process for managing procurement to ensure purchased goods and services meet OH&S requirements (8.1.4)?
  • [ ] Are emergency preparedness and response plans documented, practiced, and evaluated (8.2)?

Performance Evaluation (Clause 9)

  • [ ] Are OH&S performance indicators monitored and measured at planned intervals (9.1.1)?
  • [ ] Is legal compliance evaluated, and are results retained (9.1.2)?
  • [ ] Is the internal audit program documented and followed (9.2)?
  • [ ] Is management review conducted at planned intervals with the required inputs and outputs documented (9.3)?

Improvement (Clause 10)

  • [ ] Are incidents and nonconformities investigated for root cause, and are corrective actions taken (10.2)?
  • [ ] Are corrective actions evaluated for effectiveness (10.2)?
  • [ ] Is there evidence of continual improvement in OH&S performance over time (10.3)?

Audit Frequency: How Often Should You Audit?

The standard requires audits at "planned intervals" — it doesn't specify a minimum frequency. Industry practice and certification body expectations provide practical guidance:

Recommended minimum frequency by organization type:

  • High-hazard industries (construction, manufacturing, chemical): quarterly for high-risk processes; semi-annual for all others. OSHA-regulated processes warrant higher frequency.
  • Medium-hazard industries (warehousing, healthcare, utilities): semi-annual for high-risk processes; annual for others. New implementations may need higher frequency.
  • Lower-hazard industries (office-heavy, professional services): annual full system audit, plus targeted audits after incidents or changes.
  • Pre-certification (first 12 months): full system audit within 3 months of system launch, plus one additional before Stage 2. Certification bodies typically want to see 2 completed audit cycles.
  • Post-incident: targeted audit of the affected process within 30 days, beyond the normal program cadence.

Common ISO 45001 Internal Audit Failures — and How to Avoid Them

1. Auditing documents instead of the system

The most common failure I see: auditors check whether documents exist rather than whether the system works. A procedure for hazard identification means nothing if workers in the field don't know it exists or don't follow it. Always verify implementation through interviews and observation, not just document review.

2. Superficial nonconformity statements

"Training records were not complete" is a symptom, not a finding. A proper nonconformity statement cites the specific requirement (e.g., "ISO 45001:2018 clause 7.2 requires the organization to retain documented information as evidence of competence"), describes the specific objective evidence of the gap ("Training records for 4 of 12 forklift operators in the receiving department do not include documented evidence of competency evaluation"), and stands on its own without additional explanation.

3. No real root cause analysis

Corrective actions that don't address root cause will produce recurring findings. If the same nonconformity appears in two consecutive audit cycles, the corrective action failed. Push auditees to use structured root cause tools (5 Whys, fishbone/Ishikawa, fault tree) rather than accepting surface-level responses like "we will retrain the employee."

4. Audit program managed in isolation

The internal audit program should be integrated with the management review process (clause 9.3). Audit results are a required input to management review. If your audit findings never reach top management, you've broken the feedback loop that drives continual improvement.

5. Auditor independence failures

Having supervisors audit their own teams, or EHS staff audit their own programs, creates a conflict of interest that will be flagged by certification bodies. Build objectivity into your program design, not as an afterthought.


Citation-Ready Facts for OH&S Professionals

"ISO 45001:2018 clause 9.2.2 requires organizations to retain documented information as evidence of the audit program implementation and audit results — making records management a conformity requirement, not an administrative nicety."

"According to ISO 19011:2018, the principles of auditing include integrity, fair presentation, due professional care, confidentiality, independence, and an evidence-based approach — all of which apply equally to internal and external audits."

"Organizations certified to ISO 45001 report a measurable reduction in occupational incident rates; a 2022 industry analysis found that structured OH&SMS implementation correlates with up to 64% reduction in lost-time injury frequency rates compared to non-certified operations."


Connecting Internal Audits to Your Broader OH&SMS

The internal audit program doesn't operate in isolation. It feeds directly into:

  • Management review (clause 9.3): Audit results are a required input. Top management must review trends and authorize resources for corrective action.
  • Corrective action (clause 10.2): Every nonconformity generates a corrective action that must be tracked to verified closure.
  • Continual improvement (clause 10.3): Audit trends over time are one of the primary indicators of whether your OH&SMS is improving or stagnating.
  • Hazard identification (clause 6.1.2): Audit observations often surface previously unidentified hazards that must be fed back into the risk assessment process.

If you're building your OH&SMS from the ground up, understanding how ISO 45001 clause 6.1 hazard identification works will sharpen your audit checklist significantly. And if you're preparing for certification, review what to expect during the ISO 45001 Stage 2 certification audit so your internal audit program directly prepares you for the external scrutiny.

For organizations that want expert support — whether building an audit program from scratch or preparing for imminent certification — Certify Consulting provides hands-on internal audit support, auditor training, and full implementation services.


Frequently Asked Questions

Q: How many internal audits are required before ISO 45001 certification?

A: ISO 45001 doesn't specify a number, but certification bodies typically expect to see evidence of at least one full-system audit cycle completed before the Stage 2 certification audit. In practice, most accredited certification bodies want to see at least two completed internal audits — one to identify gaps and one to verify corrections — ideally covering all clauses of the standard across the full scope of the OH&SMS.

Q: Can we use the same auditor for internal and external audits?

A: No. External (certification) audits must be conducted by an accredited third-party certification body with auditors who are independent of your organization. Internal auditors are your employees or contractors, but they must be independent of the activities they audit. The two processes serve different purposes and must remain separate.

Q: What happens if we find a major nonconformity in our internal audit?

A: Finding a major nonconformity in an internal audit is actually a good outcome — it means your audit program is working. You must initiate a formal corrective action, investigate root cause, implement a systemic fix, and verify effectiveness before your Stage 2 audit. Document everything. Showing an external auditor that you identified a major nonconformity internally and resolved it demonstrates a mature, functioning management system.

Q: Does the internal audit program need to cover every ISO 45001 clause every year?

A: Yes — over the course of the audit program cycle (typically one year), all clauses and all areas within the scope of the OH&SMS should be audited. You don't have to cover everything in a single audit event. A risk-based program might audit high-hazard operational processes quarterly while auditing support processes like document control annually. The key requirement is that the full system is covered within each audit cycle.

Q: Can we combine an ISO 45001 internal audit with an ISO 9001 or ISO 14001 audit?

A: Yes. Integrated audits covering multiple management system standards simultaneously are fully acceptable and often more efficient. ISO 19011:2018 was specifically written to support integrated auditing. When conducting integrated audits, ensure your checklist explicitly addresses the unique requirements of each standard — particularly ISO 45001's emphasis on worker participation, hazard identification, and the hierarchy of controls, which have no direct equivalents in ISO 9001.


Last updated: 2026-03-11

Jared Clark, JD, MBA, PMP, CMQ-OE, CPGP, CFSQA, RAC is the principal consultant at Certify Consulting, where he has led 200+ organizations to ISO certification with a 100% first-time audit pass rate across 8+ years of practice.
