ISO 45001 requires organisations to identify hazards and evaluate risks, but many auditors and quality managers struggle to verify whether this process has been conducted thoroughly and systematically. The audit trail is the critical evidence that demonstrates hazard identification has occurred correctly, consistently, and with appropriate rigour. Without a clear audit trail, you cannot confidently assert that your organisation has met clause 6.1 requirements, and certification auditors will identify significant gaps. This article explains what constitutes a proper hazard identification audit trail under ISO 45001, what auditors actually look for, and how to build one that withstands scrutiny.
What is an Audit Trail in Hazard Identification?
An audit trail in the context of hazard identification is the documented evidence showing the complete journey of how hazards were identified and evaluated, and how decisions about risk control were made. It is not a single document but rather a collection of interconnected records that allow anyone (internal auditor, external auditor, regulator, or management) to follow the logic and reasoning from identification through to control implementation and monitoring.
Under ISO 45001, clause 6.1 requires organisations to establish, implement, and maintain a process for hazard identification. This process must be appropriate to the nature of the organisation and type of work being performed. The audit trail demonstrates that this process is real, not theoretical. It shows that hazard identification is not a one-off exercise completed during system implementation but an ongoing activity integrated into how the organisation operates.
In practice, the audit trail consists of several interconnected elements: the hazard identification methodology or procedure, records of hazards identified at different points in time, documentation of who was involved in identifying those hazards, evidence that the identified hazards were evaluated for risk, records showing which hazards were eliminated or controlled, and communication records showing how findings were shared with relevant personnel. Each of these pieces must be traceable, dated, and attributable to specific individuals or teams.
The Core Components of a Strong Hazard Identification Audit Trail
The Documented Procedure
Your hazard identification procedure is the foundation of your audit trail. This document must describe how, when, and by whom hazards are identified. A weak procedure states that "hazards will be identified." A strong procedure describes the actual mechanisms used. Does the organisation conduct formal hazard identification workshops with cross-functional teams? Are near misses and incidents reviewed to identify underlying hazards? Are hazards identified during routine work observations? Are hazards identified through contractor feedback, customer incidents, or supply chain information? Your procedure must be specific enough that someone unfamiliar with your organisation could follow the same process and achieve similar results.
The procedure should specify the scope of hazard identification. Does it cover all locations, all processes, all roles, all contractors? ISO 45001 applies to all workers and to anyone whose actions or inactions could affect occupational health and safety. Your procedure must reflect this breadth. The procedure must also specify the roles and responsibilities. Who initiates hazard identification? Who participates? Who reviews and approves findings? Who maintains the hazard register? Without clear responsibility assignment, hazard identification becomes scattered and inconsistent.
Critically, your procedure must define what constitutes a hazard in your context. This is where many organisations falter. A hazard is a source of potential harm or a situation with potential for harm. It is not a risk. Many organisations conflate these terms or use them inconsistently. Your procedure should provide examples of hazards relevant to your operations so that all personnel understand the standard expected. If you operate a manufacturing facility, examples might include rotating machinery, chemical exposure, noise, and falls from height. If you operate an office, examples might include ergonomic stress, psychological hazards, and slip and fall risks. Specificity matters because it establishes the benchmark against which auditors will assess the completeness of your hazard identification.
Records of Hazard Identification Activities
The audit trail must include dated records documenting that hazard identification activities have actually occurred. This is not theory. Auditors need to see evidence that your organisation has conducted formal hazard identification. This might take several forms depending on the context. Many organisations conduct hazard identification workshops, particularly when establishing their system initially or when operations change significantly. Meeting minutes or workshop reports documenting attendees, date, scope, and hazards identified constitute audit trail evidence.
Some organisations conduct routine hazard identification during safety walk-throughs or toolbox talks. Records of these activities, even if brief, demonstrate systematic identification. A log entry noting that a safety walk-through occurred on a specific date, who conducted it, which area was covered, and what hazards were observed provides audit trail evidence. Over time, a series of such entries demonstrates that hazard identification is not a one-off event but an integrated practice.
Incident and near miss investigations also contribute to the audit trail. When an incident or near miss occurs, the investigation should identify the underlying hazard that was not adequately controlled. Records showing that this link has been made, dated, and reviewed demonstrate that hazard identification is informed by operational experience. This is particularly important for auditors because it shows that the organisation learns from what actually happens rather than relying solely on theoretical identification.
Many organisations also conduct hazard identification during process change management. When a new process is introduced, new equipment is acquired, or work procedures change, hazard identification should occur. Documentation showing that this step was completed, what hazards were identified, and how they were addressed becomes part of the audit trail.
The Hazard Register and Its Evolution
The hazard register is the central document in your audit trail. It is the repository where all identified hazards are recorded, evaluated, and tracked. A robust hazard register includes not just a list of hazards but metadata showing the complete history of each hazard: when it was identified, who identified it, what controls were implemented, when those controls were implemented, and when the hazard was last reviewed.
Auditors examine the hazard register closely because it reveals the organisation's comprehensiveness and consistency. If a hazard register contains only five hazards for a manufacturing facility with multiple processes, multiple locations, and multiple roles, that register is incomplete. Conversely, if it contains hundreds of trivial or redundant hazards, that suggests a lack of critical thinking in the identification process. A well-constructed register shows appropriate granularity. Related hazards are grouped logically but remain sufficiently disaggregated to allow separate evaluation and control.
The evolution of the hazard register is significant. The register should not remain static. As the organisation learns, as processes change, as new risks emerge, the register should reflect these developments. Auditors often compare the hazard register from one date to another and ask what changed and why. If nothing changed over months or years, that raises questions about whether hazard identification is truly integrated into operations or merely a compliance checkbox exercise.
Within the hazard register, the audit trail for each hazard should show: the hazard statement, the date identified, the source of identification, the population or process affected, the current controls, the residual risk rating, and the date of last review. Version control or modification history ensures that auditors can understand what was changed, when, and why.
Evidence of Risk Evaluation
ISO 45001 requires that identified hazards be evaluated for risk. The audit trail must demonstrate that this evaluation has occurred using a consistent, documented methodology. Many organisations use a risk matrix with likelihood and severity scales, resulting in a residual risk rating. Others use qualitative judgement with documented reasoning. The methodology matters less than consistency and documentation.
For each significant hazard, the audit trail should include documentation showing how the risk was evaluated. This might be a completed risk assessment form, a meeting record where risk was discussed and rated, or commentary in the hazard register explaining the reasoning. The evaluation should consider the current state of controls. If a hazard has strong administrative controls already in place, the residual risk will be lower than if controls are absent or unreliable.
Auditors pay particular attention to how organisations have evaluated psychological hazards, which many struggle with. Stress, bullying, harassment, fatigue, and workload are legitimate hazards under ISO 45001. The audit trail should show that the organisation has identified these hazards specific to its context, evaluated the risk they pose, and implemented controls. Many organisations have gaps here, and auditors note it.
Control Implementation Records
Once a hazard is identified and its risk evaluated, controls must be implemented. The audit trail must show what controls exist for each hazard, when they were put in place, and evidence that they are actually operating. This is where many organisations struggle because they confuse the plan to implement controls with actual implementation.
For example, suppose a hazard is identified: slips and falls on wet floors in the kitchen. The control plan states that non-slip flooring will be installed and cleaning procedures will be reviewed. The audit trail must show that non-slip flooring was actually installed (purchase records, inspection records, photographic evidence), that cleaning procedures were actually updated (documented procedure with implementation date), and that staff were trained on the new procedure (training records). Without this evidence, the audit trail is incomplete.
Controls should be classified according to the hierarchy: elimination, substitution, engineering controls, administrative controls, and personal protective equipment. The audit trail should show that the organisation has considered controls in this hierarchy and selected appropriate controls for the organisation's context. A strong audit trail demonstrates that high-risk hazards have been addressed with high-order controls (elimination or substitution where feasible) rather than relying solely on personal protective equipment.
Communication and Training Records
Hazard identification and the resulting controls are only effective if relevant personnel know about them. The audit trail must include evidence that workers, supervisors, and management have been informed of identified hazards and understand the controls they must follow.
This might include toolbox meeting records discussing specific hazards, training session sign-off sheets, safety briefing records, or induction checklists covering hazards relevant to each role. For contractors and visitors, the audit trail should show that hazard briefing has occurred and is documented.
Additionally, the audit trail should show that hazard information has been communicated to relevant external parties where appropriate. If contractors work on site, they need to know about site hazards. If the organisation supplies products or services, customers or downstream users may need to understand hazards associated with those products or services. Documentation of this communication contributes to the completeness of your audit trail.
Building Your Audit Trail Systematically
Integration with Incident Investigation
One of the most effective ways to maintain a robust audit trail is to ensure that incident and near miss investigations systematically feed into the hazard identification process. When an incident occurs, the investigation should ask: what hazard was present that was not adequately controlled? The answer should be recorded and cross-referenced with the hazard register. This either confirms that the hazard was known and the control failed, or reveals a previously unidentified hazard.
This integration demonstrates to auditors that hazard identification is not just a theoretical exercise but is grounded in operational reality. Organisations that do this well show auditors a strong causal link between what they identify in the system and what actually happens in the field.
Integration with Change Management
ISO 45001 requires that changes to the organisation's occupational health and safety management system be managed. This includes changes that might introduce new hazards or affect existing controls. Your change management procedure should explicitly require a hazard identification step. When change occurs, new hazards must be identified, evaluated, and controlled before the change is implemented.
The audit trail should show this linkage. For significant changes (new equipment, new processes, new locations, new roles, restructuring), there should be documented evidence that hazard identification was undertaken as part of the change process. This demonstrates that hazard identification is not a static annual exercise but an integrated, continuous practice.
Scheduling Regular Hazard Identification Reviews
ISO 45001 does not specify how frequently hazard identification must be revisited, but the standard requires that the process be maintained. Many organisations interpret this to mean that formal hazard identification workshops should occur periodically (annually, for example) even when no significant change has occurred. This provides auditors with clear evidence that hazard identification is not a one-time event.
Recording these periodic reviews in the audit trail is important. A log entry or meeting record dated annually, documenting that hazard identification was conducted, reviewed, and found to be current, or updated to reflect new insights, contributes to a strong trail.
Documentation of Hazard Elimination
Over time, some hazards will be eliminated through substitution, engineering improvements, or process changes. The audit trail should reflect this. When a hazard is eliminated, it should not simply disappear from the hazard register. Rather, the register should note that the hazard is eliminated, document the control that eliminated it, and date when this occurred. This demonstrates that the organisation is actively improving and not just maintaining the status quo.
What Auditors Look for in Your Audit Trail
When conducting an audit of hazard identification under ISO 45001, auditors typically examine the following aspects of your audit trail: comprehensiveness, consistency, documentation quality, frequency, and alignment with operational reality.
Comprehensiveness means that all significant hazards relevant to your organisation's operations have been identified. Auditors will often have significant occupational health and safety experience and can quickly recognise whether hazards have been missed. If your organisation operates in a hazardous environment (manufacturing, construction, mining, chemical production) and your hazard register contains only a handful of hazards, auditors will identify this gap. They may ask probing questions to understand whether hazards have been overlooked or whether the register is incomplete.
Consistency means that your approach to hazard identification is applied uniformly across the organisation. If one location or department has conducted thorough hazard identification and another has not, that inconsistency is a finding. Auditors gather evidence that stands up to scrutiny by checking whether the same process and standard have been applied everywhere.
Documentation quality refers to the clarity and completeness of records. Auditors need to understand what was identified, when, by whom, and why decisions were made. Vague or incomplete records raise questions about the rigour of the process.
Frequency demonstrates that hazard identification is ongoing, not a one-off event. If auditors can only find evidence of hazard identification from five years ago, that is a significant concern. A robust audit trail shows hazard identification occurring regularly and including new hazards identified through changes, incidents, and periodic reviews.
Alignment with operational reality is critical. Auditors will compare the hazard register against what they actually observe in operations. If workers are performing tasks in ways not reflected in the hazard register, or if identified hazards do not match the actual work being performed, that suggests the audit trail is disconnected from reality. Auditing occupational health and safety under ISO 45001 requires deep engagement with actual operations to assess whether the documented system reflects true practice.
Common Audit Trail Deficiencies
In our experience training internal auditors and supporting organisations through external audits, several recurrent deficiencies appear in hazard identification audit trails.
The first is missing source documentation. An organisation might have a hazard register, but when asked how a particular hazard was identified, there is no meeting record, no incident report, no change documentation, no evidence of the actual identification activity. The auditor must infer that the hazard exists, but cannot confirm how or when identification occurred. This creates doubt about whether the process is truly being followed.
The second is incomplete risk evaluation. A hazard is listed but no evaluation of its risk is documented. Perhaps the organisation has rated it verbally as "medium" but provides no methodology showing how that rating was derived. Without documented evaluation, auditors cannot confirm that the process required by clause 6.1 has been followed.
The third is controls that are described but not evidenced. An organisation states that a particular control is in place (for example, personal protective equipment is required for a specific task), but provides no evidence that the control actually exists or functions. There are no inspection records showing that protective equipment is available or in use. There are no training records showing that workers know how to use it. The control exists only in the hazard register, not in reality.
The fourth is psychological hazards that are overlooked entirely. Many organisations focus exclusively on physical hazards (machinery, chemicals, falls, noise) and completely overlook psychological hazards. Under ISO 45001, psychological hazards such as workload, stress, bullying, and harassment must be identified and controlled. An audit trail that is silent on these hazards is incomplete.
The fifth is static hazard registers. The hazard register contains the same hazards with the same controls, unchanged, for years. This suggests that hazard identification is not truly integrated into operations. No new hazards have emerged? No controls have been improved? No learning has occurred? That strains credibility and signals to auditors that the system is not functioning as intended.
Building an Audit Trail That Satisfies Auditors
Start with a Clear Procedure
Your hazard identification procedure must be specific and detailed. Do not write generic statements. Describe the actual mechanisms by which hazard identification occurs in your organisation. Specify the frequency, the participants, the outputs, and the decision rules. Ensure that anyone reading your procedure for the first time could understand how to conduct hazard identification in your organisation.
Create and Maintain a Living Hazard Register
Your hazard register is the centrepiece of your audit trail. Ensure it is comprehensive, current, and detailed. Each hazard should include the identification source, date identified, population affected, description of the current situation that creates the hazard, existing controls, risk rating, and date of last review. Maintain version control so that changes are tracked.
Document All Identification Activities
Whenever hazard identification occurs, whether through a formal workshop, an incident investigation, a change assessment, or a routine walk-through, create a dated record. This record does not need to be lengthy, but it must exist and must be retrievable. Over time, these records create a documented trail showing that your organisation is systematically and continuously identifying hazards.
Link Hazards to Controls and Evidence
For each significant hazard, document the controls that have been implemented. For each control, provide evidence that it actually exists and functions. This might be a procedure, an inspection record, a training certificate, a purchase record, or a photograph. Ensure that auditors can see the causal link: this hazard exists, this control was implemented to address it, and here is proof that the control operates.
Conduct Regular Reviews
Schedule periodic reviews of hazard identification. Quarterly or annually, have someone responsible for reviewing whether the hazard register remains current and complete. Document these reviews. When reviews occur, ask whether new hazards have emerged, whether existing controls remain effective, and whether any hazards can be eliminated. Update the hazard register to reflect these decisions.
Integrate with Related Processes
Ensure that incident investigation, change management, and periodic reviews all feed into your hazard identification process. When an incident occurs, tie it to the hazard that caused it. When a change is made, document the hazard identification that preceded it. When a review occurs, document what was found and what actions resulted. This integration strengthens your audit trail and demonstrates that hazard identification is truly embedded in how your organisation operates.
Audit Workshop offers accredited ISO training across ISO 9001, ISO 14001, and ISO 45001 at Foundation, Internal Auditor, and Lead Auditor levels. Our courses are Exemplar Global recognised and designed for professionals who want both standard knowledge and practical audit skills.




