When auditing an occupational health and safety management system under ISO 45001, hazard identification is one of the most scrutinised areas on the audit plan. It is not enough for an organisation to have a hazard register sitting in a folder. Auditors want to see that the hazard identification process is systematic, ongoing, and genuinely connected to the work being done. This article walks through the hazard identification methods that experienced auditors find credible, explains what good looks like in practice, and highlights the gaps that generate nonconformities.
On this page
Why Hazard Identification Is Central to ISO 45001 Audits
ISO 45001 Clause 6.1.2.1 requires organisations to establish, implement, and maintain a process for hazard identification. The standard is specific about what that process must consider, including routine and non-routine activities, human factors, changes in work, past incidents, emergency situations, and the design of workplaces and equipment.
The reason auditors pay close attention to this clause is that hazard identification sits at the foundation of the entire OH&S system. If hazards are not identified properly, the risk assessment is built on incomplete information, controls are inadequate, and workers are exposed to harm. A register that was created at system implementation and never touched since is one of the most common findings auditors raise under this clause.
What auditors are really testing is whether the process is alive. Is it triggered by change? Does it involve workers? Is it connected to incident investigation? Does management act on what it finds?
The Hazard Identification Methods Auditors Find Most Credible
Job Safety Analysis and Safe Work Method Statements
Job Safety Analysis (JSA) and Safe Work Method Statements (SWMS) are among the most widely used hazard identification tools in Australian workplaces, particularly in construction, mining, and civil works. When auditors review these documents, they are not just checking that they exist. They are looking at whether the hazards listed reflect the actual work being done.
A well-prepared JSA breaks the task into steps, identifies the hazard at each step, assesses the risk, and documents the controls. An auditor will often take a completed JSA and walk through the work area to verify that the identified hazards match what is actually present. If the JSA lists manual handling as a hazard but the task involves working at height, that is a problem. If the JSA was signed off before the job started but the site conditions have changed, that is another finding waiting to happen.
For SWMS, auditors check whether they are specific to the high risk construction work being performed, whether workers can demonstrate they understand the controls, and whether the SWMS is reviewed when conditions change. A generic SWMS downloaded from the internet and applied without customisation rarely satisfies an auditor conducting a thorough review.
Workplace Inspections and Walk-Through Surveys
Structured workplace inspections are one of the most direct hazard identification methods available. Auditors trust this method when it is done systematically, documented properly, and followed through with action.
During an audit, the auditor will often ask to see inspection records and then physically walk the workplace. The question they are asking is whether the inspection process actually identifies hazards or whether it is a box-ticking exercise. If the inspection checklist records everything as satisfactory but the auditor spots three obvious hazards within five minutes of entering the work area, the credibility of the inspection process collapses.
What makes a workplace inspection credible in audit terms is a combination of factors. The inspection should be conducted by competent people who know what to look for. It should use a structured format that covers the relevant hazard categories. It should be conducted at a frequency appropriate to the risk level of the area. And critically, identified hazards should be tracked through to corrective action, not recorded and forgotten.
Incident Investigation and Near Miss Reporting
One of the strongest indicators of a mature hazard identification process is whether the organisation uses incident investigation and near miss reporting as a feed into the hazard register. ISO 45001 explicitly requires that past incidents and near misses inform the hazard identification process.
Auditors will trace the connection between incident records and the hazard register. If an organisation has recorded a near miss involving a forklift and pedestrian interaction, auditors will expect to see that hazard captured in the register, assessed for risk, and controlled. If that connection is missing, it suggests the hazard identification process is operating in isolation from operational reality.
Near miss reporting culture is itself an indicator of system maturity. Organisations with high near miss reporting rates tend to have better hazard visibility than those with very low rates. An auditor who sees zero near misses reported over a twelve month period in a high-risk environment will probe that data carefully. It usually means workers are not reporting, not that the workplace is hazard-free.
For a deeper look at how auditors assess this area, the article on auditing hazard identification: is the process ongoing and proactive? covers the specific questions and evidence auditors use.
Hazard Reporting by Workers
Worker-initiated hazard reporting is a method that auditors look for specifically because ISO 45001 places significant emphasis on worker participation and consultation. Clause 5.4 requires that workers be actively involved in hazard identification, and Clause 6.1.2.1 reinforces this by requiring the process to consider human factors and the way work is actually performed.
In practice, auditors test this by interviewing workers directly. They will ask whether workers know how to report a hazard, whether they have done so recently, and what happened when they did. If workers cannot describe the reporting process, or if they report that hazards they raised were ignored, that is significant audit evidence pointing to a gap in both hazard identification and worker participation.
The existence of a hazard reporting form or app is not sufficient on its own. What matters is whether the system is actually used, whether reports are acknowledged, and whether they result in action. Auditors will look at the volume and nature of hazard reports over time, and they will check that reported hazards are tracked through to resolution.
Bow-Tie Analysis for High Consequence Hazards
For organisations operating in high-hazard environments such as mining, oil and gas, chemical processing, or utilities, bow-tie analysis is a hazard identification and risk control method that auditors find particularly credible. The method maps the causes that could lead to a hazard event (threats) and the consequences that could follow if controls fail, with the hazard event itself at the centre of the diagram.
Auditors value bow-tie analysis because it forces organisations to think systematically about both prevention and mitigation. It also makes the critical controls visible and creates accountability for maintaining them. When auditors review a bow-tie, they are looking at whether the identified threats are realistic and comprehensive, whether the controls are actually in place and verified, and whether there are adequate barriers on both sides of the event.
Organisations that use bow-tie analysis well tend to have a clearer understanding of their critical risk controls than those relying solely on a risk register. That said, the method is only as good as the process used to create and maintain it. A bow-tie that was developed once and never reviewed is not much better than a static hazard register.
Change Management Processes as a Hazard Identification Trigger
ISO 45001 Clause 6.1.2.1 specifically requires that the hazard identification process consider changes in the organisation, including changes to processes, equipment, materials, and the work environment. This is an area where auditors frequently find gaps.
A credible change management process should trigger a hazard identification review whenever a significant change is planned. This applies to new equipment, new chemicals, changes to work procedures, new contractors, new work locations, and changes in workforce. The question auditors ask is whether the hazard identification process is proactive or reactive. Does the organisation identify hazards before a change is implemented, or does it wait until something goes wrong?
Auditors will ask to see examples of recent changes and then trace whether a hazard identification review was conducted as part of the change process. If an organisation introduced a new piece of plant six months ago and there is no evidence of a pre-implementation hazard assessment, that is a finding. The management of change requirements under ISO 45001 are covered in detail in the article on management of change in ISO 45001: Clause 8.1.3 explained.
Health Surveillance and Biological Monitoring Data
In workplaces where workers are exposed to chemical, biological, or physical agents, health surveillance data is a valuable input to hazard identification. Auditors in industries such as manufacturing, agriculture, and healthcare will look at whether health surveillance results are used to identify emerging hazards or to verify that existing controls are working.
If health surveillance is showing elevated rates of a particular condition, that is a signal that a hazard may not be adequately controlled. Auditors will check whether that signal is being picked up and fed back into the hazard identification and risk assessment process, or whether the health data sits in isolation from the OH&S management system.
What Auditors Actually Check When Reviewing Hazard Identification
Coverage of All Work Activities and Locations
One of the first things an auditor checks is whether the hazard identification process covers all activities, not just the obvious or high-profile ones. Routine tasks, non-routine tasks, maintenance activities, emergency situations, and activities performed by contractors and visitors should all be within scope.
A common gap is that organisations focus hazard identification on their core production or operational activities and overlook support functions. Office-based work, administrative tasks, and activities performed outside normal hours often receive less attention than they should. Auditors will probe this by asking about specific scenarios: what hazards have been identified for night shift work, for working in remote locations, or for tasks performed infrequently?
Worker Involvement in the Process
As noted earlier, worker involvement is a non-negotiable element of a credible hazard identification process under ISO 45001. Auditors will look for evidence of genuine participation, not just consultation on paper. This means workers were involved in identifying hazards for their own tasks, their input was considered and acted upon, and they were informed of the outcomes.
The article on worker participation and consultation in ISO 45001 provides a thorough breakdown of what the standard requires and how auditors assess it.
Currency and Review Frequency
A hazard register that has not been reviewed in three years is a common finding. Auditors will check when the register was last reviewed, what triggered the review, and whether the review was substantive. A review that simply updates the date without changing any content is not evidence of a genuine review process.
The frequency of review should be proportionate to the rate of change in the workplace. High-hazard environments with frequent operational changes need more frequent reviews than stable, low-risk workplaces. Auditors will assess whether the review frequency is appropriate and whether it is defined in the organisation's documented process.
Connection to Risk Assessment and Controls
Hazard identification is only the first step. Auditors will trace identified hazards through to the risk assessment and then to the controls that have been implemented. If hazards are identified but not assessed, or assessed but not controlled, the process has broken down. The audit trail from hazard to control is one of the key things auditors are looking for when they review the OH&S planning documentation.
The hierarchy of controls is also relevant here. Auditors will check whether the organisation has worked through the hierarchy systematically, starting with elimination and substitution before moving to engineering controls, administrative controls, and personal protective equipment. An organisation that jumps straight to PPE without considering higher-order controls will attract scrutiny.
Common Nonconformities in Hazard Identification
Based on practical audit experience, the most frequent nonconformities in hazard identification fall into a handful of categories. The hazard register is static and has not been updated to reflect changes in work activities or the workplace. Worker involvement in hazard identification is documented but superficial, with workers unable to describe their participation when interviewed. Near miss and incident data is not being used to update the hazard register. The hazard identification process does not cover all work activities, locations, or worker groups. And change management processes do not consistently trigger hazard identification reviews.
Each of these findings points to the same underlying issue: the hazard identification process is being treated as a compliance document rather than a living management tool. Auditors who find these gaps will raise them as nonconformities against Clause 6.1.2.1, and in some cases against Clause 5.4 if worker participation is inadequate.
Building Hazard Identification Capability as an Auditor
For auditors working in the OH&S space, understanding hazard identification methods in depth is essential. You need to know what good looks like across different industries and work environments, and you need to be able to assess whether the methods an organisation uses are appropriate for the hazards present.
This requires more than knowing the clause requirements. It requires familiarity with common hazard categories, industry-specific risks, and the practical limitations of different identification methods. It also requires strong interview skills, because much of what you need to know about the quality of a hazard identification process comes from talking to workers and managers, not from reviewing documents.
If you are building your skills in auditing ISO 45001, the ISO 45001 internal auditor and lead auditor courses at Audit Workshop cover hazard identification in the context of the full audit process. The training is built around practical audit scenarios, not just clause-by-clause theory, so you leave with the skills to assess hazard identification processes in real workplaces. Courses are available in both live virtual and self-paced formats.
