Why a Good ISO 45001 Internal Audit Checklist Matters
An ISO 45001 internal audit checklist is not just a tick sheet. Used well, it is a planning tool that keeps your audit focused, ensures you cover the right ground, and gives you a structured way to record what you find. Used badly, it turns an audit into a box-ticking exercise that misses the real risks.
ISO 45001 is built around worker participation, hazard identification, and the management of OH&S risk. That means your checklist needs to go beyond asking whether documents exist. It needs to prompt you to look at whether the system is actually working, whether workers understand it, and whether top management is genuinely driving it.
This guide walks through the key clauses of ISO 45001:2018 and gives you practical checklist questions for each one. These are the kinds of questions that experienced auditors ask on the floor, not just in the document review room. If you are preparing for your first internal audit, or refreshing your approach before an upcoming audit cycle, this is the reference you need.
For a broader introduction to auditing the OH&S standard, the article on auditing occupational health and safety under ISO 45001 covers the overall approach before you get into clause-level detail.
How to Use This Checklist
Before diving into the clause questions, a few practical points on how to apply this checklist effectively.
First, treat these questions as prompts, not a script. Your job is to follow the evidence where it leads. If an answer reveals something unexpected, pursue it. A checklist that forces you to move on before you have understood what you found is working against you.
Second, adapt the checklist to your organisation. An ISO 45001 audit at a construction site will look very different from one at a healthcare facility. The clauses are the same, but the processes, hazards, and controls are completely different. Tailor your questions to the actual work being done.
Third, plan your sampling before you start. You cannot check every record, every worker, or every process. Decide in advance which areas, roles, and activities you will sample, and make sure your selections are risk-informed. Higher-risk activities deserve more attention.
For guidance on how to use checklists without becoming dependent on them, see how to use an audit checklist without becoming checklist dependent.
Clause 4: Context of the Organisation
Clause 4.1 and 4.2: Context and Interested Parties
These clauses ask whether the organisation understands the internal and external factors that affect its OH&S management system, and whether it has identified the workers and other interested parties whose needs and expectations are relevant.
- Has the organisation documented the internal and external issues relevant to its OH&S purposes?
- Are workers identified as a primary interested party?
- Have the needs and expectations of workers, regulators, contractors, and other relevant parties been determined?
- Are these inputs reviewed and updated when things change?
Clause 4.3: Scope of the OH&S Management System
- Is the scope documented and available?
- Does the scope reflect the organisation’s activities, products, services, and locations?
- Are there any exclusions, and are they justified?
- Do workers understand what is and is not covered by the system?
Clause 4.4: The OH&S Management System
- Has the organisation established, implemented, and maintained an OH&S MS?
- Are the processes and their interactions defined?
- Is there evidence of continual improvement, not just maintenance of the status quo?
Clause 5: Leadership and Worker Participation
Clause 5.1: Leadership and Commitment
This is one of the most important clauses to audit in ISO 45001. Top management commitment to OH&S is not demonstrated by a signed policy. It is demonstrated by what management actually does. Ask questions that require evidence, not just assertions.
- Can top management describe the OH&S policy and their personal responsibilities under it?
- Are OH&S objectives integrated into the organisation’s business planning?
- Does management participate in incident investigations, hazard walks, or safety committee meetings?
- Are resources for OH&S visibly allocated, including time, people, and budget?
- Is there evidence that top management promotes a culture that supports the system?
Clause 5.2: OH&S Policy
- Is the OH&S policy documented, approved by top management, and current?
- Does it include a commitment to prevent work-related injury and ill health?
- Does it commit to satisfying legal and other requirements?
- Is it communicated to workers, including those at remote sites or in non-standard roles?
- Is it available to relevant interested parties?
Clause 5.3: Roles, Responsibilities and Authorities
- Are OH&S roles and responsibilities clearly assigned and documented?
- Do workers know their own OH&S responsibilities?
- Is there a person or persons assigned to report on OH&S performance to top management?
- Are responsibilities for hazard identification, risk assessment, and incident reporting clearly owned?
Clause 5.4: Consultation and Participation of Workers
This clause is a distinguishing feature of ISO 45001 compared to its predecessor OHSAS 18001. The standard requires genuine consultation and participation, not just communication. Auditors need to test whether workers are actually involved in decision making, not just informed after the fact.
- Are there documented processes for worker consultation and participation?
- Are workers consulted on hazard identification, risk assessment, and incident investigations?
- Are non-managerial workers involved in determining controls, not just managers?
- Is there evidence that worker input has influenced OH&S decisions?
- Are barriers to participation identified and addressed, such as language, literacy, or shift patterns?
- Are worker representatives involved in the process?
Clause 6: Planning
Clause 6.1.1: Risks and Opportunities
- Has the organisation considered the issues from clause 4.1 and the requirements from clause 4.2 when planning?
- Are risks and opportunities related to the OH&S MS identified and documented?
- Are actions planned to address these, and are those actions integrated into the system?
Clause 6.1.2: Hazard Identification and Risk Assessment
This is the technical core of ISO 45001. Your checklist questions here need to test whether the hazard identification process is systematic, proactive, and ongoing, not just a one-time exercise done at implementation.
- Is there a documented process for hazard identification?
- Does the process cover routine and non-routine activities, emergency situations, and changes?
- Are human factors considered, such as fatigue, workload, and behaviour?
- Are workers involved in hazard identification for their own work areas?
- Is the hazard register current, and does it reflect actual site conditions?
- Has a risk assessment been completed for identified hazards?
- Is the risk assessment methodology documented and consistently applied?
- Are risk ratings reviewed after incidents or changes?
The article on understanding the ISO 45001 hazard identification audit trail goes into detail on how to trace this process from hazard to control to verification.
Clause 6.1.3: Legal and Other Requirements
- Is there a process for identifying applicable legal requirements, codes, and standards?
- Is the legal register current, reviewed at defined intervals, and assigned to an owner?
- Are changes in legislation communicated to relevant personnel?
- Is there evidence that legal requirements are incorporated into the OH&S MS?
Clause 6.1.4: Planning Action
- Are actions to address risks, opportunities, and legal requirements documented?
- Are these actions integrated into OH&S processes, not maintained as a separate to-do list?
- Is there a mechanism to evaluate the effectiveness of these actions?
Clause 6.2: OH&S Objectives
- Are OH&S objectives documented and consistent with the OH&S policy?
- Are objectives measurable or capable of evaluation?
- Do they account for applicable legal requirements and significant risks?
- Is there a plan for each objective that identifies who is responsible, what resources are needed, and how progress will be monitored?
- Are objectives communicated to workers?
- Are objectives reviewed and updated as required?
Clause 7: Support
Clause 7.1 to 7.3: Resources, Competence and Awareness
- Are the resources needed to establish and maintain the OH&S MS identified and provided?
- Is there a process for determining the OH&S competence required for each role?
- Are training records maintained and up to date?
- Is there evidence that training has been evaluated for effectiveness, not just completed?
- Do workers demonstrate awareness of the OH&S policy, their contribution to the system, and the consequences of not following procedures?
- Do workers know their right to remove themselves from imminent danger?
Clause 7.4: Communication
- Are there documented processes for internal and external OH&S communication?
- Do workers receive relevant OH&S information in a timely way?
- Is there evidence of two-way communication, not just top-down?
- Are communication arrangements appropriate for the audience, including contractors, visitors, and workers with language barriers?
Clause 7.5: Documented Information
- Is documented information created, updated, and controlled in accordance with the standard?
- Are documents current, approved, and accessible to those who need them?
- Are records retained for the required periods and protected from unintended alteration or disposal?
- Is there a process for managing obsolete documents?
Clause 8: Operation
Clause 8.1.1: Operational Planning and Control
This is where the system meets reality. Audit questions here should be tested on the floor, not just in the office. Walk the site and check whether the controls described in documents actually match what is happening in practice.
- Are operational controls established for significant hazards and risks?
- Are safe work procedures documented and accessible at the point of use?
- Do workers follow the procedures in practice?
- Are controls consistent with the hierarchy of controls, starting from elimination and substitution before moving to PPE?
- Are controls reviewed when processes change?
Clause 8.1.2: Eliminating Hazards and Reducing OH&S Risks
- Is the hierarchy of controls applied when selecting and implementing controls?
- Is there evidence that higher-order controls have been considered before relying on administrative controls or PPE?
- Are PPE requirements documented, and is PPE maintained and replaced as needed?
Clause 8.1.3: Management of Change
- Is there a process for managing planned changes that may affect OH&S?
- Does the change process include hazard identification and risk assessment before implementation?
- Are temporary changes managed with the same rigour as permanent ones?
- Are workers consulted on changes that affect their safety?
Clause 8.1.4: Procurement
- Are OH&S requirements incorporated into procurement processes for goods, services, and contractors?
- Are contractors pre-qualified against OH&S criteria?
- Is there a process for communicating OH&S requirements to contractors before they start work?
- Are contractor OH&S performance and compliance monitored on site?
- Is there a process for managing outsourced OH&S functions?
Clause 8.2: Emergency Preparedness and Response
- Are emergency scenarios identified and documented?
- Are emergency response plans in place and communicated to workers?
- Are emergency drills conducted at planned intervals and records maintained?
- Are drill outcomes reviewed and used to improve the response plan?
- Are contractors and visitors included in emergency arrangements?
Clause 9: Performance Evaluation
Clause 9.1.1: Monitoring, Measurement, Analysis and Evaluation
- Are OH&S performance indicators defined and monitored?
- Does monitoring cover both leading indicators, such as inspections and training completion, and lagging indicators, such as incidents and near misses?
- Are monitoring results analysed and used to drive decisions?
- Is monitoring equipment calibrated or verified where relevant?
Clause 9.1.2: Evaluation of Compliance
- Is there a process for evaluating compliance with legal and other requirements?
- How often is compliance evaluated, and is this frequency appropriate for the risk level?
- Are compliance evaluation results documented?
- Are non-compliances identified and addressed through corrective action?
Clause 9.2: Internal Audit
- Is there a documented internal audit programme?
- Does the programme consider the risk and importance of the processes being audited?
- Are internal auditors competent and independent of the areas they audit?
- Are audit findings reported to relevant management?
- Are corrective actions raised for nonconformities found during internal audits, and are they tracked to closure?
Clause 9.3: Management Review
- Does top management conduct management reviews at planned intervals?
- Do the review inputs include all items required by the standard, such as audit results, incidents, legal compliance, objectives, and worker participation?
- Are outputs documented, and do they include decisions on continual improvement and resource allocation?
- Are action items from management review tracked and completed?
Clause 10: Improvement
Clause 10.1: General
- Is there evidence of continual improvement in OH&S performance, not just system maintenance?
- Are improvement opportunities identified through audits, incidents, near misses, and worker input?
Clause 10.2: Incident, Nonconformity and Corrective Action
This clause is consistently one of the most productive areas to audit in any ISO 45001 system. The way an organisation responds to incidents and near misses tells you a great deal about whether the system is working.
- Is there a documented process for reporting, investigating, and responding to incidents and nonconformities?
- Are near misses reported and investigated with the same rigour as injury events?
- Are root causes identified, not just immediate causes?
- Are corrective actions implemented and their effectiveness verified?
- Are incident trends analysed and used to drive systemic improvement?
- Are workers involved in incident investigations?
- Are investigation findings communicated to relevant workers?
Clause 10.3: Continual Improvement
- Does the organisation have a structured approach to continual improvement of OH&S performance?
- Is there evidence that the system has improved over time, not just been maintained?
- Are improvement initiatives linked to OH&S objectives and management review outputs?
Common Gaps Auditors Find in ISO 45001 Systems
Based on real audit experience across a range of industries, these are the areas where nonconformities and observations most frequently arise in ISO 45001 internal audits.
- Worker participation is documented but not genuine. Organisations often have a safety committee on paper but workers describe a process where decisions are made by management and communicated down. Ask workers directly whether they have influenced any safety decisions recently.
- Hazard registers are static. The register was created at implementation and has not been updated since. Ask when it was last reviewed and what triggered the last update.
- Contractor management is incomplete. Pre-qualification records exist but there is no evidence of monitoring contractor OH&S performance once on site. Check for site induction records, toolbox talk attendance, and any contractor incidents or near misses.
- Near miss reporting rates are very low. A site with no near miss reports is not a safe site. It is a site where near misses are not being reported. Investigate the barriers to reporting.
- Corrective actions address symptoms, not root causes. The corrective action for a slip hazard is a new sign, not an investigation into why the spill occurred and was not cleaned up. Check root cause analysis quality.
- Legal register is not current. Regulations change. The legal register needs a defined review frequency and evidence of updates. Check the date of the last review and whether recent legislative changes are reflected.
Using This Checklist Before a Certification Audit
If your organisation is preparing for an external certification audit, running a thorough internal audit against this checklist first is one of the most practical things you can do. It gives you a realistic picture of where your system stands before an external auditor arrives.
Be honest about what you find. The purpose of an internal audit is not to generate a clean report. It is to find gaps before they become major nonconformities in a certification audit. Raise corrective actions for genuine findings, track them to closure, and document the evidence of improvement.
The article on auditing occupational health and safety under ISO 45001 provides additional context on how to approach the audit from a process perspective rather than a purely clause-based one.
Building Your Competence as an ISO 45001 Auditor
A checklist is only as useful as the auditor using it. Knowing what questions to ask is one thing. Knowing how to evaluate the answers, follow the audit trail, and form a defensible conclusion is something that comes from training and practice.
If you are looking to build formal auditing credentials for ISO 45001, Audit Workshop offers Internal Auditor and Lead Auditor training in both live virtual and self-paced formats. The courses are built around practical audit scenarios, not just theory, and are delivered by Dilawar Laghari, a lead auditor with over 500 external certification audits across Australia and internationally.
Whether you are just starting out or looking to move from internal auditor to lead auditor level, the training gives you the skills to conduct audits that actually drive improvement, not just generate paperwork.








