Auditing Occupational Health and Safety Under ISO 45001

Team @ Audit Workshop

ISO 45001 is fundamentally different from other management system standards because it demands that auditors understand the mechanics of occupational health and safety (OHS) in ways that quality or environmental auditors often do not. An auditor auditing ISO 9001 can conduct a largely process-focused assessment; an auditor assessing ISO 45001 must grasp the hazards, risks, and controls that exist within the workplace itself. This distinction makes ISO 45001 auditing both more technically demanding and more rewarding. The standard requires organisations to identify what could harm their workers, evaluate whether their current controls are adequate, and demonstrate continuous improvement in safety outcomes. As an auditor, your role is not to police compliance with a procedure manual, but to verify that an organisation has genuinely understood its safety landscape and is managing it with competence and commitment.

Understanding the ISO 45001 Structure and its Audit Implications

ISO 45001:2018 follows the high-level structure common to all modern ISO standards, which means it shares similarities with ISO 9001 and ISO 14001 in its framework. However, the content beneath that structure is distinctly focused on occupational health and safety management. The standard comprises ten clauses, with clauses 4 through 10 containing the substantive requirements. Understanding this structure is essential before you begin auditing because it tells you where to look for evidence and what questions to ask.

Clause 4 addresses the organisation's context. In an OHS audit, this means understanding what type of work the organisation does, who its workers are, what hazards are inherent to the operations, and what external factors might influence safety performance. A manufacturing plant faces different hazards to a consulting firm. A construction company operating across multiple sites faces different management challenges than a warehouse with a stable workforce. Your audit of clause 4 should establish whether the organisation has genuinely mapped its context or whether it has ticked a box with generic statements that bear no relation to actual operations.

Clause 5 covers leadership and commitment. This is where you assess whether senior management actually cares about safety or whether OHS is treated as a compliance burden delegated to a safety officer. Look for evidence that the OHS management system receives resources, that management reviews safety performance, and that leadership addresses safety issues at the same level as financial performance. Many auditors make the mistake of accepting verbal assurances from senior managers during interviews. Instead, examine board minutes, budget allocations, and how quickly safety issues are resolved compared to production pressures.

Clause 6 addresses planning. This includes hazard identification, risk assessment, and the determination of controls. This is arguably the most technically demanding clause to audit. You cannot assess the adequacy of a risk assessment without understanding the hazards being assessed. A superficial audit of clause 6 will miss significant gaps. For example, an organisation might identify "manual handling" as a hazard but fail to assess the specific risks arising from the weight of objects, the awkward postures required, or the frequency of the task. Your audit must probe whether risk assessments are thorough, whether they have involved workers and supervisors, and whether control measures address the root causes of risk rather than merely the symptoms.

Clause 7 addresses support and competence. This is where you verify that the organisation has allocated sufficient resources to its OHS management system and that people performing work that affects OHS are competent. Examine competence frameworks, training records, and induction programs. A common gap is that organisations provide training but do not verify that people have actually understood it or can apply it. An auditor should ask to see evidence that competence has been assessed, not just that a training course has been delivered.

Clause 8 covers operation. This is where the system comes to life. You assess whether the organisation has implemented controls for the hazards it identified, whether contractors and suppliers are managed, whether work is planned and executed safely, and whether the organisation responds appropriately to emergencies. Clause 8.1.4 specifically requires organisations to manage changes to ensure that safety risks from changes in processes, equipment, or personnel are controlled before implementation. This is an area where audits frequently find weaknesses because organisations prioritise speed over safety considerations.

Clause 9 addresses performance evaluation, including monitoring, measurement, incident investigation, and auditing. You are checking that the organisation knows how well its OHS management system is performing. Incident investigation is particularly important here. Request copies of incident investigation reports and assess whether they identify root causes or merely assign blame. A weak investigation might conclude that "the worker was careless" without examining why the worker was in a position to make that error. Stronger investigations examine systems, training, supervision, and design of work.

Clause 10 addresses improvement, including the management of nonconformities, corrective action, and continual improvement. This is where you assess whether the organisation learns from its mistakes and genuinely improves rather than repeating the same errors annually.

Critical Differences Between ISO 45001 and Other Management System Audits

An auditor with experience in ISO 9001 and ISO 14001 auditing can apply certain core auditing skills to ISO 45001, but significant differences exist. An ISO 9001 audit focuses heavily on whether documented processes are followed and whether products meet specifications. An ISO 14001 audit focuses on environmental aspects and impacts. An ISO 45001 audit must focus on actual harm to people. This distinction has profound implications for how you conduct your audit.

In an ISO 9001 audit, you might verify that a manufacturing process follows a documented procedure. In an ISO 45001 audit of the same process, you must ask: What could harm a worker? Have we identified all the hazards? Are workers exposed to noise above 85 decibels? Are they exposed to chemical fumes? Are they at risk of being struck by moving equipment? Is the control adequate or is it merely a sign saying "caution"? You must think about what could go wrong in a way that quality auditors do not necessarily need to.

This requires a different mindset. Many auditors approaching ISO 45001 for the first time struggle with the technical nature of hazard assessment and risk evaluation. You cannot simply ask "Do you have a hazard register?" and accept a yes or no answer. You must understand hazards well enough to recognise when significant ones are missing from that register. This might require you to develop basic knowledge of ergonomics, industrial hygiene, mechanical hazards, or chemical safety, depending on the industry you are auditing.

Preparing Yourself as an ISO 45001 Auditor

Before you conduct your first ISO 45001 audit, you should develop foundational knowledge of the standard. Becoming an ISO internal auditor begins with formal training in auditing principles and the specific standard. For ISO 45001, this training should be tailored to OHS auditing, not a generic quality audit training with ISO 45001 content bolted on. Look for training providers who deliver practical scenarios, case studies from actual workplaces, and exercises that require you to assess real hazard identification and risk assessment documents.

Supplement your training by reading the standard itself multiple times. The first reading should establish the overall structure. The second reading should focus on understanding each clause. The third reading should involve looking for the connections between clauses. For example, hazards identified in clause 6.1 must be addressed in the controls determined in clause 6.2, those controls must be implemented in clause 8, and the effectiveness of those controls must be monitored in clause 9. An auditor who reads the standard only once will miss these connections and will conduct fragmented audits that fail to see the whole system.

Develop familiarity with Australia's work health and safety legislation. ISO 45001 is not the law, but it is grounded in the principle that organisations should manage OHS risks. Australian legislation under the Work Health and Safety Act 2011 (Cth) and equivalent state legislation establishes what duty holders must do. ISO 45001 provides a systematic management approach to meeting those duties. An auditor who understands the legislative framework will ask sharper questions and recognise when an organisation might be ISO 45001 compliant but legislatively exposed.

If possible, spend time in different types of workplaces. An auditor whose only experience is in office environments will struggle when auditing a construction site or a food processing plant. You need to have seen how manufacturing works, how hazardous substances are handled, how confined spaces operate, or how high-risk work is managed. This experiential knowledge cannot be gained from training alone.

Conducting Effective Hazard Identification and Risk Assessment Audits

The most technically challenging part of any ISO 45001 audit is assessing whether the organisation's hazard identification and risk assessment (HIRA) process is adequate. This is clause 6.1 material, and it is where many audits either become superficial or overwhelm the auditor with technical detail. The key is to audit the process while also testing whether the output is adequate.

Start by examining the organisation's HIRA methodology. Does it have a documented process for identifying hazards? How does it involve workers? Does it consider hazards that arise from normal work and also from foreseeable unusual situations or emergencies? An inadequate methodology might look only at permanent hazards and miss occasional but significant risks. For example, a workplace might have identified the hazard of "slips and falls on wet floors" in production areas but failed to identify the same hazard in the loading dock where goods are frequently wet.

Examine whether the organisation has identified hazards across all relevant categories: mechanical, electrical, chemical, biological, ergonomic, psychosocial, and environmental. A common gap is that organisations focus on physical hazards and neglect psychosocial hazards such as violence, bullying, or excessive workload. If the organisation works in isolation or deals with members of the public, have they identified hazards from violence or aggression?

For each significant hazard identified, examine the risk assessment. The organisation should have determined the likelihood and consequence of harm, and combined these to produce a risk rating. Critically, you must assess whether the risk rating is realistic. An organisation might rate the risk of electrocution in an electrical workshop as "low" because "workers are trained." Training reduces risk but does not eliminate it. Is the risk assessment overly influenced by the current control measures, or has the organisation assessed the inherent risk of the hazard itself? This distinction matters because it shows whether the organisation understands that controls can fail.

Ask to see evidence of worker involvement in the HIRA process. Workers are often the people who best understand what can go wrong because they do the work every day. An organisation that has produced a comprehensive HIRA through consultation with workers is more likely to have identified genuine risks. An organisation that has completed HIRA in an office with limited worker input is more likely to have missed important hazards.

Request the HIRA documentation and spend time reviewing it. Look for hazards that are missing. If you are auditing a construction company, are hazards related to working at height adequately identified? If you are auditing a healthcare provider, have psychological hazards from dealing with traumatised patients been identified? Missing hazards are not just a documentation gap; they represent unmanaged risks and potential harm to workers.

Assessing Control Adequacy and Implementation

Once you have evaluated the HIRA, your audit must verify that the controls determined to manage those risks are actually adequate and have been implemented. This is the bridge between clause 6 (planning) and clause 8 (operation).

Examine the hierarchy of controls. The standard expects organisations to apply the hierarchy in this order: elimination, substitution, engineering controls, administrative controls, personal protective equipment (PPE). Many organisations jump to PPE because it is quick and cheap. An auditor should question whether higher order controls have genuinely been considered. For example, if a hazard is exposure to a harmful chemical, elimination might involve using a less harmful alternative, substitution might involve using a different process, engineering controls might involve using closed systems or local exhaust ventilation, and administrative controls might involve limiting exposure time. PPE should only be the last resort.

Verify that implemented controls are appropriate for the hazard and the work environment. A common problem is that organisations implement controls that work in theory but not in practice. For example, a control might specify that all heavy materials should be lifted mechanically, but the workplace might not have sufficient mechanical lifting equipment available during peak periods, causing workers to manually handle loads instead. Your audit should involve observing the actual work to verify that controls are in place and working.

Assess whether workers understand and follow the controls. A control that is documented but not understood is merely a piece of paper. Interview workers about the hazards they face and the controls they use. If workers cannot explain why they use a particular control, they probably do not understand the risk, and compliance will be temporary and unreliable.

Examine records of control maintenance and testing. Engineering controls such as local exhaust ventilation systems must be maintained to remain effective. If the organisation has not maintained control systems, then the controls are no longer adequate, and clause 8.1 requires the organisation to ensure controls remain effective. This is a common finding: organisations implement controls but fail to maintain them, creating a false sense of security.

Evaluating Incident Investigation and Learning

Incident investigation is a crucial element of any OHS management system and represents a major focus area for audits. Clause 9.2 specifically requires investigation of incidents. This is where you determine whether the organisation merely documents what happened or genuinely investigates why it happened and what can be done to prevent recurrence.

Request copies of incident investigation reports. Examine several, not just one. Look for patterns. Are the investigations superficial, stopping at the immediate cause (e.g., "worker slipped"), or do they go deeper to understand the systemic cause (e.g., "floor surface was not suitable for the wet environment, worker had not received training on hazards, and the hazard had not been identified in the risk assessment")? Weak investigations are often a sign of weak safety culture where incident investigation is seen as an administrative requirement rather than a learning opportunity.

Assess whether investigations have identified and assigned corrective actions. These actions should address the root cause, not just the immediate cause. If an incident occurred because a worker failed to follow a procedure, the corrective action should not simply be "retrain the worker"; it should examine why the worker did not follow the procedure. Was the procedure unclear? Was there insufficient supervision? Was there pressure to work faster than safely? Understanding the answer to these questions leads to meaningful corrective action.

Follow up on whether corrective actions have actually been implemented and whether they have been effective. Many organisations identify corrective actions but fail to implement them. Auditors should verify implementation by asking for evidence and by asking workers whether the issue has been addressed. If multiple incidents of the same type have occurred, the organisation's corrective actions have not been effective, and this is a significant audit finding.

Competence and Training Assessment

Clause 7.2 requires that the organisation ensure persons doing work that affects OHS are competent. This is broader than simply ensuring that workers have completed a training course. Competence means the person has the knowledge, skills, and experience to perform their work safely and effectively.

Examine the organisation's competence framework. What competencies are required for different roles? How does the organisation assess competence? Many organisations rely on training completion as a proxy for competence. However, completion of a training course does not guarantee competence. An auditor should look for evidence that competence has been assessed, perhaps through observation, practical demonstration, or testing.

Request training records for a sample of workers. Verify that training is current and relevant to the work performed. For example, if the organisation uses a particular type of mobile elevated work platform, has the relevant operator training been completed? If the organisation handles hazardous substances, do workers have training in the hazards of those substances and the control measures required?

Interview workers about their training. Ask them to explain hazards they face and controls they use. If a worker cannot explain why they wear respiratory protection, for example, there is a question about whether the training has been effective or whether the worker has not retained the information. This is not about catching workers out; it is about assessing whether the organisation's investment in training is producing competent workers who understand and manage risks.

Assess induction training. New workers are at particular risk because they are unfamiliar with the workplace and its hazards. Request induction records and assess whether the induction covers OHS hazards and controls specific to the workplace. A generic induction that covers only legal obligations is insufficient; it must be tailored to the actual work environment.

Supplier and Contractor Management

Clause 8.1.4 addresses the management of changes to ensure that OHS risks arising from changes are controlled. A related requirement is that the organisation must ensure that external providers (contractors and suppliers) are managed so that their work does not adversely affect OHS. This is a common area where audits find gaps.

Examine the process for selecting contractors. Does the organisation assess the contractor's competence and OHS performance before engaging them? If you are engaging a contractor to work in a hazardous environment, has the contractor been assessed for capability in that environment? Many organisations engage contractors based primarily on cost, creating risk if the contractor does not have appropriate competence or resources.

Review contracts or agreements with significant contractors. Do they specify OHS expectations? Do they require the contractor to comply with the organisation's OHS management system? Do they allow the organisation to monitor the contractor's OHS performance and to hold them accountable for nonconformities?

Assess how the organisation monitors contractor performance. Does it conduct site inspections? Does it review incident reports from contractors? If a contractor has a poor safety record with your organisation, has this been documented and addressed? Poor contractor management is a significant OHS risk because external parties may not share the organisation's commitment to safety.

Continuous Improvement and Corrective Actions

Clause 10 addresses improvement. This is where you assess whether the organisation is genuinely improving its OHS performance or merely treading water. One of the best ways to audit this is to look at whether the organisation is addressing nonconformities and taking corrective actions effectively. Managing corrective actions after an audit requires a systematic approach to ensure that actions address root causes and prevent recurrence.

Review corrective action records from previous audits, both internal and external. Have the actions been completed? Were they completed within the specified timelines? Have they been effective in preventing recurrence of the nonconformity? If the same nonconformity is found in successive audits, the corrective actions have not worked, and you have found a systemic weakness in the corrective action process itself.

Assess how the organisation identifies and prioritises improvement opportunities. This might come from incident investigation, management review, audit findings, worker feedback, or benchmarking against other organisations. Is there a formal process for proposing improvements? Are workers encouraged to contribute ideas? An organisation that genuinely pursues continuous improvement will have a culture where safety issues are surfaced and addressed, rather than hidden or ignored.

Management Review and OHS Performance

Clause 9.3 requires that top management periodically review the OHS management system to ensure its suitability, adequacy, and effectiveness. Management review is where you can assess whether leadership is engaged with OHS or whether it is delegated entirely to safety personnel.

Request management review records. These should include documented reports of OHS performance, including information on incidents, hazards, risks, and the status of corrective actions. Review minutes should record the discussions and decisions made in response to the reports. Are senior managers asking challenging questions about OHS performance? Are resources being allocated to address identified risks? Are decisions about OHS given the same weight as decisions about financial or production performance?

A weak management review might consist of a safety officer presenting incident statistics and the senior management team approving the OHS management system as "adequate." A strong management review involves senior managers examining root causes of incidents, understanding emerging risks, and making decisions about how the organisation will improve OHS performance in the coming period.

Audit Evidence and Documentation

Throughout your ISO 45001 audit, you must gather sufficient, reliable evidence to support your findings. Gathering audit evidence that stands up to scrutiny requires a systematic approach to ensure that your conclusions are defensible and your findings are fair.

Evidence in an ISO 45001 audit might include documented policies and procedures, hazard registers and risk assessments, training records, incident investigation reports, inspection records, maintenance records, meeting minutes, worker interviews, and direct observation of the workplace. Triangulation is important: do not rely on a single piece of evidence. If you are assessing whether workers are competent, review training records, interview workers, and observe them performing their work. If you are assessing whether controls are adequate, review documentation of the controls, observe the controls in operation, and interview workers about them.

Be specific in your documentation of evidence. Do not write "workers were interviewed"; instead, write "interviewed five production workers on 15 October 2024, asked them to identify hazards in their work area, none could identify ergonomic hazard of repetitive strain despite this being in the risk register." This level of specificity allows you to support your findings and allows the auditee to understand exactly what was assessed.

Distinguish between compliance and effectiveness. An organisation can be compliant with ISO 45001 (have all required documented policies and procedures) but ineffective (workers do not understand the policies and risks are not being managed). Your audit should assess both dimensions. Many auditors focus heavily on compliance and miss effectiveness gaps.

Common Audit Findings in ISO 45001

Across multiple ISO 45001 audits, certain findings recur frequently. Understanding these helps you focus your audit on the areas most likely to reveal weaknesses.

Inadequate hazard identification is extremely common. Organisations often identify obvious hazards but miss those arising from unusual situations, seasonal variations, or low-frequency but high-consequence events. For example, a manufacturing plant might identify hazards related to its normal operations but miss hazards arising from cleaning or maintenance activities.

Insufficient worker involvement in the HIRA process is another frequent finding. Organisations tick the box of having consulted with workers but the consultation is perfunctory. Workers should be meaningfully involved throughout the identification and assessment of hazards. If only management has been involved, the assessment will inevitably miss issues that workers understand but have not articulated.

Risk assessments that are overly influenced by existing controls are common. An organisation might assess the risk of injury from machinery as "low" because guards are in place, without considering what would happen if a guard was removed or failed. The risk assessment should evaluate the inherent risk of the hazard and then consider how well the controls mitigate that risk.

Inadequate maintenance of control measures is frequently found. Engineering controls such as ventilation systems are installed but not regularly maintained. The organisation believes it has a control in place when in fact the control has degraded and is no longer effective.

Weak incident investigation is extremely common. The organisation investigates incidents but stops at the immediate cause rather than exploring systemic factors. Corrective actions address symptoms rather than root causes and similar incidents recur.

Limited evidence of competence assessment is regularly found. The organisation has training records showing that workers have attended training, but there is no evidence that competence has been verified. An operator might have attended a forklift training course but never been assessed as competent to operate a forklift independently.

Frequently Asked Questions

An auditor without technical OHS knowledge can be trained to audit ISO 45001, but they will initially struggle with the technical aspects. Understanding hazard identification and risk assessment requires knowledge of common workplace hazards and how they arise. A quality auditor transitioning to ISO 45001 will need to develop this technical knowledge beyond what a standard internal auditor course provides. Reading relevant legislation, gaining workplace experience, and developing industry-specific knowledge are essential. With effort and commitment, an auditor from another background can become effective at ISO 45001 auditing, but it requires more than attending a training course.