Doctor Tony Boyle writes about auditing, focusing on health and safety auditing but, as with many terms in health and safety, there is no general agreement about what is meant by the term audit. So starts by describing the two main types of audit of relevance to health and safety, that is management system audits and risk based audits.
Management system audit is defined in ISO 19011 Guidelines for auditing management systems as a
systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.
Audit criteria are set of policies, procedures or requirements used as a reference against which audit evidence is compared and I will discuss them later.
The ISO 19011 definition of audit has been adopted by all the main management systems including ISO 9001, ISO 14001, OHSAS 18001 and ISO DIS2 45001.
How management system audits should be carried out is well specified in ISO 19011 and there is also guidance on the competences required for auditing health and safety management systems.
The principle underlying management system auditing is that organisations document what they are going to do to meet a particular audit criterion and the auditors check whether the organisations are doing what they said they would do.
The most commonly used audit criteria are external Standards such as OHSAS 18001 and health and safety legislation and Hastam personnel have carried out many management system audits using these audit criteria. However, we have found that these external audit criteria all suffer from the same problem – the standard they set is very low. For example, an organisation meets the requirements of OHSAS 18001 if it carries out incident investigations, risk assessments, internal audits and so on. It does not matter how well these things are being done – an organisation gets its ‘tick in the box’ whether their activities are good bad or indifferent. Similarly, health and safety legislation typically sets quite low standards.
This problem means that while management system audits against external audit criteria are a good starting point, they are of limited value in the longer term. For this reason Hastam recommends that our clients develop their own internal audit criteria that describe the higher standards the clients wish to maintain.
Over the years Hastam has developed audit criteria for all of common health and safety management activities and these we can easily tailor to meet a particular client’s wishes. Hastam has also helped clients develop specialised audit criteria where, for example, there is a specialised activity or there are no relevant external audit criteria.
Turning now to risk based auditing. This type of auditing takes many forms but a detailed risk based audit would answer the following questions.
- Has the organisation identified all of its health and safety risks?
- Has the level of all of the health and safety risks been accurately assessed?
- Are there suitable and sufficient controls for all health and safety risks?
- Are all controls being effectively maintained?
You can see from these questions that risk based auditors require a high level of health and safety competence, and usually a detailed knowledge of what they are auditing. Hastam personnel carry out risk based audits from time to time but we are not able to cover all industry sectors.
Hastam’s experience is that organisations differ in their ‘audit maturity’. The two extremes are:
The organisation has little or no experience with formal health and safety management systems and has few documented health and safety management procedures. Auditing this type of organisation would be a waste of resources which would be better spent on improving the organisation’s health and safety management competence and its health and safety management documentation.
The organisation has an OHSAS 18001 certificate and is meeting all the requirements of health and safety legislation. Again further auditing would be a waste of resources which would be better spent developing internal audit criteria for ensuring continual improvement and greater resilience.
Read a case study about our auditing activities with Imperial College, London, including a quote from their Safety Director, or if you would like to find out more about what Hastam can do for you by way of audit, or audit related activities, then please contact us.