
Common ISO 45001 Nonconformities and How to Avoid Them


Team @ Audit Workshop


Why ISO 45001 Nonconformities Keep Appearing

ISO 45001 is the international standard for occupational health and safety management systems. It replaced OHSAS 18001 in 2018 and brought with it a more rigorous, leadership driven approach to managing workplace risk. Yet despite years of implementation experience across Australian industry, the same nonconformities keep appearing in certification and surveillance audits.

This article draws on real audit experience across construction, manufacturing, transport, mining, and services to identify the most common ISO 45001 nonconformities, explain why they occur, and give you practical guidance on how to avoid them. Whether you are preparing for a certification audit, running internal audits, or building your organisation’s OH&S management system from scratch, understanding where organisations typically fall short will sharpen your focus considerably.

Clause 4: Context and Interested Parties

Context Analysis That Sits in a Drawer

Clause 4.1 requires organisations to understand their internal and external context as it relates to the OH&S management system. The nonconformity auditors raise most often here is not that the context analysis is missing entirely, but that it exists as a document that was completed during implementation and has never been reviewed since.

An organisation that has expanded its workforce, taken on new high risk activities, or moved to a new site needs to revisit its context. When the document still refers to conditions from three years ago, that is a nonconformity. The standard expects this to be a living input into the management system, not a one time exercise.

Incomplete Identification of Interested Parties

Clause 4.2 requires organisations to identify workers and other interested parties whose needs and expectations are relevant to the OH&S management system. A frequent finding is that the interested parties register focuses only on external parties such as regulators and clients, while workers themselves are either absent or listed without any documented understanding of their specific needs and expectations.

Workers are the primary interested party in ISO 45001. An auditor who finds no evidence that worker needs have been considered in system planning will raise this as a nonconformity against Clause 4.2.


Clause 5: Leadership and Worker Participation

Top Management Commitment That Cannot Be Demonstrated

Clause 5.1 is one of the most frequently cited clauses in ISO 45001 audits. The standard requires top management to demonstrate leadership and commitment through specific actions, not just signed policies. Auditors look for evidence that top management are actively involved: attending safety meetings, conducting site inspections, reviewing OH&S performance data, and ensuring the system has adequate resources.

The nonconformity typically raised is that top management can produce a signed OH&S policy but cannot demonstrate any of the behavioural requirements of Clause 5.1. When the safety manager answers every question and top management appears disconnected from OH&S performance, expect a finding.

Worker Consultation That Is Consultation in Name Only

Clause 5.4 on worker participation and consultation is one of the areas where ISO 45001 differs most significantly from its predecessor. The standard requires organisations to consult workers on hazard identification, risk assessment, incident investigation, and changes that affect their safety. It also requires that workers are able to raise concerns without fear of reprisal.

The most common nonconformity here is that the organisation has a toolbox talk register or a safety committee meeting record, but there is no evidence that workers were actually consulted on specific OH&S decisions. Consultation means a two way exchange. If workers are simply being informed of decisions already made, that is not consultation and auditors will raise it.

You can read more about the distinction between consultation and participation in our article on worker participation and consultation in ISO 45001.

Clause 6: Planning

Hazard Identification That Misses Routine Activities

Clause 6.1.2 requires organisations to establish, implement, and maintain processes for hazard identification. A very common nonconformity is a hazard identification process that covers high risk or non routine activities well, but fails to address routine work tasks where the majority of incidents actually occur.

Auditors also look for evidence that the hazard identification process considers human factors, work organisation, and psychosocial hazards such as fatigue, bullying, and excessive workload. Many organisations have not incorporated psychosocial hazard identification into their process, which is increasingly a focus area for Australian auditors given the regulatory emphasis on psychological safety in the workplace.

Risk Assessments That Are Generic and Undated

A related finding under Clause 6.1.2.2 is risk assessments that are generic, undated, and show no evidence of being reviewed after incidents or changes to work activities. Auditors frequently find the same risk assessment template in use across different sites, tasks, and teams, with no site specific or task specific information. When workers are interviewed and cannot explain the controls identified in the risk assessment for their own tasks, that is a clear indicator that the assessment is a document exercise rather than a genuine risk management tool.

Legal Register Not Current

Clause 6.1.3 requires organisations to determine and have access to applicable legal requirements and other requirements. The nonconformity raised here is almost always the same: the legal register has not been reviewed or updated in over twelve months. In Australia, where WHS legislation and codes of practice are regularly updated at both state and federal level, a stale legal register is a significant gap.

Auditors will ask when the register was last reviewed, who is responsible for maintaining it, and how changes in legislation are communicated to relevant personnel. If the answers are vague, a nonconformity is likely.

OH&S Objectives Without Measurable Targets

Clause 6.2.1 requires OH&S objectives to be measurable where practicable. A common finding is objectives that are aspirational statements rather than measurable targets. Objectives like “reduce incidents” or “improve safety culture” without specific targets, timeframes, or assigned responsibility will not satisfy the clause. Auditors expect to see objectives that can be tracked, with a clear plan for how they will be achieved.

Clause 7: Support

Competence Records That Cannot Be Located

Clause 7.2 requires organisations to determine the necessary competence of workers affecting OH&S performance, ensure they are competent, and retain documented information as evidence. The nonconformity auditors raise most often is that competence records are incomplete, out of date, or cannot be produced during the audit.

This is particularly common for high risk roles such as forklift operators, workers at heights, electrical workers, and confined space entrants. Auditors will ask for evidence of current licences, training records, and competency assessments. If the organisation cannot produce these quickly, it suggests the system for managing competence is not functioning effectively.

Awareness That Stops at Induction

Clause 7.3 requires workers to be aware of the OH&S policy, their contribution to the effectiveness of the management system, and the implications of not conforming with requirements. Many organisations satisfy this clause at induction and then do nothing further. When auditors interview workers on the shop floor or at a worksite and find that they cannot describe the OH&S policy, do not know who to report a hazard to, or are unaware of recent changes to procedures, a nonconformity against Clause 7.3 is the result.

Communication Processes Without Evidence

Clause 7.4 requires organisations to determine what OH&S information needs to be communicated, when, to whom, and how. Nonconformities here typically arise when the organisation can describe its communication processes verbally but cannot produce evidence that communication actually occurred. Meeting minutes that do not record safety items, toolbox talks with no attendance records, and safety alerts that were emailed but never confirmed as received are all examples auditors encounter regularly.

Clause 8: Operation

Management of Change Without a Formal Process

Clause 8.1.3 requires organisations to control planned temporary and permanent changes that affect OH&S performance. This is one of the most frequently raised nonconformities in ISO 45001 audits, particularly in organisations that are growing, restructuring, or introducing new equipment and processes.

The typical finding is that changes are happening, but there is no documented process for identifying, assessing, and approving them from an OH&S perspective. A new piece of plant is installed, a new chemical is introduced, or a team restructure changes supervision arrangements, and none of these changes have been assessed for their OH&S implications before implementation.

Contractor Management That Lacks Verification

Clause 8.1.4.2 requires organisations to coordinate with contractors to identify hazards and assess risks, communicate requirements to contractors, and monitor compliance. The nonconformity raised most often is that the organisation has contractor induction records and signed contractor agreements, but no evidence of ongoing monitoring or verification that contractors are actually complying with OH&S requirements on site.

Auditors will look for site inspection records, contractor performance reviews, and evidence that incidents or near misses involving contractors have been investigated. If the contractor management system stops at the induction gate, expect a finding.

Emergency Preparedness Without Tested Procedures

Clause 8.2 requires organisations to establish, implement, and maintain processes for potential emergency situations. The common nonconformity is emergency procedures that exist on paper but have not been tested through drills or exercises. Auditors look for evidence of emergency drills, including records of what was tested, who participated, what was found, and what improvements were made. An emergency plan that has never been tested is not a functioning emergency preparedness process.

Clause 9: Performance Evaluation

Monitoring and Measurement Without Analysis

Clause 9.1.1 requires organisations to monitor, measure, analyse, and evaluate OH&S performance. A very common nonconformity is that organisations collect safety data such as incident rates, near miss counts, and inspection scores, but do not analyse or evaluate it. Data sits in spreadsheets or safety software without being used to identify trends, assess the effectiveness of controls, or inform management decisions.

Auditors will ask what the data tells the organisation and what actions have been taken as a result. If the answer is essentially nothing, the monitoring and measurement process is not meeting the intent of the clause.

Internal Audit Programme Not Risk Based

Clause 9.2 requires the internal audit programme to take into account the importance of the processes concerned and the results of previous audits. Many organisations run internal audits on a fixed schedule without any risk based prioritisation. High risk areas or areas with a history of nonconformities receive the same audit frequency as low risk administrative functions. This is a nonconformity that experienced auditors pick up quickly when reviewing the audit programme.

Management Review Missing Required Inputs

Clause 9.3 specifies what inputs must be included in the management review. Nonconformities here arise when the management review minutes do not address all required inputs, particularly the status of corrective actions from previous reviews, changes in external and internal issues, and the results of monitoring and measurement. A management review that covers only incident statistics and training records while ignoring other mandatory inputs is a nonconformity waiting to be raised.

Clause 10: Improvement

Incident Investigation Without Root Cause Analysis

Clause 10.2 requires organisations to investigate incidents and nonconformities, determine root causes, and implement corrective actions. The most common nonconformity in this clause is incident investigations that identify immediate causes but do not go deeper to identify underlying or systemic root causes.

An investigation that concludes “worker was not following procedure” without asking why the procedure was not followed, whether the procedure was adequate, whether supervision was effective, and whether training was sufficient is not a root cause investigation. Auditors will review investigation reports and probe whether the corrective actions address root causes or just symptoms.

For more on how to write findings that capture these issues properly, see our article on how to write a nonconformity report that actually gets fixed.

Corrective Actions Closed Without Verification of Effectiveness

A related finding is corrective actions that are closed in the system once the action has been completed, without any verification that the action was effective. Completing a training session and ticking the corrective action as closed is not the same as verifying that the training changed behaviour and prevented recurrence. Auditors look for evidence that effectiveness has been evaluated, not just that the action was carried out.

Patterns Across the Standard

Looking across all these findings, a few patterns emerge. First, many nonconformities are not about missing documents. They are about systems that exist on paper but are not functioning in practice. Second, worker involvement is a persistent weak point. ISO 45001 was designed around genuine worker participation, and organisations that treat this as a box ticking exercise will continue to attract findings. Third, management review and corrective action processes are frequently superficial, collecting information without using it to drive improvement.

If you are an internal auditor or quality manager preparing for an upcoming audit, use this list as a practical checklist. Walk through each of these areas before the certification body arrives and you will be well positioned to address gaps proactively rather than reactively.

For auditors looking to build their competence in auditing OH&S management systems, understanding the ISO 45001 hazard identification audit trail is a critical skill that connects many of the findings discussed in this article.

Building a System That Avoids These Findings

The organisations that perform best in ISO 45001 audits share a few characteristics. Top management are genuinely engaged, not just signatories to a policy. Workers are consulted on real decisions and their input is documented and acted upon. Hazard identification is ongoing and includes routine tasks and psychosocial hazards. The legal register is reviewed regularly and assigned to a named owner. Competence records are maintained in a system that flags expiry dates before they become a problem. And corrective actions are tracked to effectiveness, not just completion.

None of these are complicated in principle. The difficulty is maintaining discipline across all of them simultaneously while managing day to day operations. That is where a well trained internal audit team adds real value, identifying gaps before they become certification findings.

If you are working towards ISO 45001 certification or want to strengthen your internal audit capability, Audit Workshop offers ISO 45001 internal auditor and lead auditor training that is grounded in real audit practice. Our courses are designed for people who need to apply what they learn, not just pass an exam. You can explore the available training options at auditworkshop.com.

Frequently Asked Questions

The most frequently raised nonconformities in ISO 45001 audits relate to worker participation and consultation under Clause 5.4, management of change under Clause 8.1.3, and incident investigation without genuine root cause analysis under Clause 10.2. These three areas consistently appear across industries and organisation sizes because they require ongoing behavioural commitment rather than one time documentation.