ISO 45001:2018
Occupational Health & Safety Management System
Internal Audit Checklist
Organization:
Audit Date:
Lead Auditor:
Audit Ref No.:
Auditee(s):
Scope / Area:
Audit Type:
Next Audit Due:
Instructions for Use
This checklist covers all operative clauses of ISO 45001:2018 (Clauses 4–10) for an Occupational Health & Safety Management System internal audit. For each item, review the stated requirement, gather objective evidence using the guidance notes, assign a rating code, and record findings in the notes column. Attach supporting evidence references (document numbers, interview notes, observation records, measurements) to each finding.
Key focus areas unique to ISO 45001: worker consultation and participation (Clause 5.4); hierarchy of controls (Clause 8.1.2); stop-work authority and non-retaliation; psychosocial/organizational hazards; and contractor OH&S management.
Rating Legend
✓ Conforming
OFI Opportunity
MNC Minor NC
MJC Major NC
N/A Not Applicable
☐ Not Yet Audited
Clause 4: Context of the Organization
Ref.
Audit Requirement
Guidance / Evidence
Rating
Auditor Notes
4.1 Understanding the Organization and Its Context
4.1
External and internal issues relevant to the organization's purpose that affect its ability to achieve the intended OH&S outcomes are determined.
Review PESTLE/SWOT analysis, strategic plans; confirm issues include workforce demographics, regulatory environment, and cultural factors.
☐
4.1
External and internal issues are monitored and reviewed to detect significant changes that could affect the OH&SMS.
Check management review outputs and context review records; verify defined review frequency and triggers.
☐
4.2 Understanding the Needs and Expectations of Workers and Other Interested Parties
4.2
Workers and other interested parties relevant to the OH&SMS are identified (regulators, contractors, unions, communities, insurers, customers).
Review stakeholder/interested party register; confirm workers at all levels and employment types are included.
☐
4.2
Relevant needs and expectations of workers and other interested parties are determined.
Verify documented requirements list; check for worker consultation records and regulatory correspondence.
☐
4.2
Needs/expectations that are legally binding or voluntarily adopted are identified as compliance obligations.
Cross-check against OH&S legal register and voluntary commitment log (e.g., industry codes of practice).
☐
4.3 Determining the Scope of the OH&SMS
4.3
The scope of the OH&SMS is determined, documented, and takes into account external/internal issues, compliance obligations, and planned/performed work activities.
Review scope document; confirm physical and functional boundaries are clear, justified, and include all worksites.
☐
4.3
The scope includes all workers and activities under the organization's control, including contractors, visitors, and remote workers where applicable.
Verify scope statement references all categories of workers; confirm no unjustified exclusions.
☐
4.3
The scope is available as documented information to interested parties.
Confirm scope is accessible on the intranet, in induction packs, or via public disclosure as appropriate.
☐
4.4 OH&S Management System
4.4
Processes needed for the OH&SMS are established, implemented, maintained, and continually improved.
Review OH&SMS process map and procedure register; confirm process owners, KPIs, and improvement plans exist.
☐
4.4
The organization determines the interactions between OH&SMS processes and integrates them into overall business processes.
Check business process documentation for OH&S integration; review project and procurement approvals for OH&S gates.
☐
Clause 5: Leadership and Worker Participation
Ref.
Audit Requirement
Guidance / Evidence
Rating
Auditor Notes
5.1 Leadership and Commitment
5.1
Top management takes overall accountability and responsibility for the prevention of work-related injury and ill health and provision of safe and healthy workplaces.
Interview top management; review OH&S policy sign-off, accountability statements, and board/executive reports on OH&S.
☐
5.1
Top management ensures the OH&S policy and objectives are established and are compatible with the strategic direction of the organization.
Confirm policy is current, reviewed, and signed by top management; check strategic plan references to OH&S.
☐
5.1
Top management ensures integration of OH&SMS requirements into the organization's business processes.
Check project approval records, procurement checklists, and new product/service launch processes for OH&S considerations.
☐
5.1
Top management ensures resources needed for the OH&SMS are available (human, financial, infrastructure, technology).
Review OH&S budget allocations, resource plans, and evidence of resource requests being approved.
☐
5.1
Top management communicates the importance of effective OH&S management and conformance with requirements.
Review communications (emails, town halls, safety bulletins, intranet posts) from senior leadership on OH&S.
☐
5.1
Top management directs and supports persons to contribute to the OH&SMS; ensures workers can report hazards without fear of reprisal.
Check non-retaliation policy, near-miss reporting trends, whistleblower records, and worker interview responses.
☐
5.1
Top management ensures and promotes a culture that supports the intended outcomes of the OH&SMS.
Review safety culture survey results, toolbox-talk frequency, leadership safety walk records, and recognition programmes.
☐
5.1
Top management supports other relevant management roles to demonstrate their leadership in OH&S.
Confirm OH&S accountabilities are embedded in performance appraisals of managers and supervisors.
☐
5.2 OH&S Policy
5.2
An OH&S policy is established providing a framework for setting OH&S objectives, including commitments to: provide safe and healthy working conditions; eliminate hazards and reduce OH&S risks; fulfil compliance obligations; consult and participate workers; and continually improve.
Review policy document against all five mandatory commitments (clause 5.2 a–e); confirm it is not generic.
☐
5.2
The OH&S policy is appropriate to the purpose, size, and context of the organization and to the specific nature of OH&S risks.
Confirm policy addresses actual hazard types (e.g., confined spaces, chemical exposure, manual handling) relevant to the organization.
☐
5.2
The OH&S policy is maintained as documented information, communicated within the organization, available to interested parties, and reviewed for continuing suitability.
Verify posting locations, language versions, intranet access; confirm awareness through worker interviews; check review date.
☐
5.3 Organizational Roles, Responsibilities and Authorities
5.3
Roles, responsibilities, and authorities for relevant functions within the OH&SMS are assigned, documented, and communicated.
Review org charts, job descriptions, and OH&S responsibility matrix (RACI or equivalent).
☐
5.3
Workers at each level take responsibility for those aspects of the OH&SMS over which they have control.
Interview front-line workers and supervisors; confirm they understand their individual OH&S responsibilities.
☐
5.3
A person(s) is assigned responsibility and authority for: ensuring the OH&SMS conforms to ISO 45001, and reporting OH&S performance to top management.
Confirm a designated OH&S Management Representative or equivalent role with documented mandate exists.
☐
5.4 Consultation and Participation of Workers
5.4
Processes for consultation and participation of workers at all levels and functions are established, implemented, and maintained.
Review worker consultation procedure; check for joint OH&S committee, safety representative system, or equivalent forum.
☐
5.4
Workers are consulted on: hazard identification and risk assessment; applicable controls and their prioritization; competence requirements; training needs; and incident investigation outcomes.
Review consultation records, committee meeting minutes, and hazard reporting logs for worker input evidence.
☐
5.4
Non-management workers are consulted when determining: OH&S policy and objectives; contractor management controls; management of change; and monitoring and measurement.
Confirm documented evidence of non-management worker input in policy reviews, change assessments, and monitoring plans.
☐
5.4
Barriers or obstacles to worker participation (e.g., language, literacy, time constraints, intimidation, fear of reprisal) are identified and removed.
Interview a diverse cross-section of workers; review reporting culture data, translation provisions, and shift-coverage for committee meetings.
☐
5.4
Workers are provided with timely feedback on issues and concerns raised through consultation and participation processes.
Check records of responses to worker-raised hazards or suggestions; verify closure communications to originators.
☐
Clause 6: Planning
Ref.
Audit Requirement
Guidance / Evidence
Rating
Auditor Notes
6.1.1 Actions to Address Risks and Opportunities – General
6.1.1
When planning for the OH&SMS, risks and opportunities that need to be addressed are determined, considering context, interested parties, scope, and OH&SMS processes.
Review OH&SMS risk and opportunity register; confirm methodology considers both internal and external factors.
☐
6.1.1
Actions to address risks and opportunities are planned, integrated into OH&SMS processes, and their effectiveness is evaluated.
Verify action plans linked to risk register; check closure evidence and effectiveness assessments.
☐
6.1.2 Hazard Identification and Assessment of OH&S Risks
6.1.2.1
A proactive, ongoing hazard identification process is established covering: routine and non-routine activities; emergency situations; human factors (workload, shift patterns, fatigue, stress, ergonomics); infrastructure, equipment, and materials; past incidents and near-misses; and social factors (work-related violence, harassment).
Review hazard identification procedure; conduct field walk; check pre-task risk assessments and HAZOP/JHA records.
☐
6.1.2.1
Hazard identification considers changes: in work methods, equipment, workforce, legislation, knowledge, and supply chain.
Verify that management of change records trigger hazard re-identification; check contractor on-boarding records.
☐
6.1.2.1
Hazard identification considers work organization factors including: how work is organized, social factors, leadership, and organizational culture.
Confirm psychosocial and organizational hazards (bullying, workload, shift work, lone working) are included in the register.
☐
6.1.2.2
OH&S risks associated with identified hazards are assessed using a documented methodology; severity and likelihood are considered.
Review risk assessment records; confirm a risk matrix or equivalent is consistently applied; check assessors are competent.
☐
6.1.2.2
OH&S risks from other parties (contractors, visitors, neighbors) and their interactions are assessed.
Check contractor risk assessment integration; verify visitor/public risk scenarios are included.
☐
6.1.2.3
OH&S opportunities (adopting better practices, eliminating hazards, improving working conditions) are evaluated.
Review opportunity register; confirm opportunities are action-tracked and linked to improvement plans.
☐
6.1.3 Determination of Legal Requirements and Other Requirements
6.1.3
Legal OH&S requirements and other requirements applicable to the organization's hazards and OH&S risks are determined and kept up to date.
Review OH&S legal register; confirm it covers all applicable legislation, regulations, permits, standards, and voluntary codes.
☐
6.1.3
A process for monitoring changes to legal and other requirements exists and is effective.
Verify subscription to legislative update service; check register revision dates and communication of changes to relevant staff.
☐
6.1.3
Legal and other requirements are considered when establishing, implementing, and maintaining the OH&SMS.
Confirm compliance obligations are reflected in operational controls, procedures, and monitoring programmes.
☐
6.2 OH&S Objectives and Planning to Achieve Them
6.2.1
OH&S objectives are established at relevant functions and levels; are consistent with OH&S policy; are measurable; consider applicable requirements; and address significant risks and opportunities.
Confirm objectives are SMART; trace each to a significant risk, aspect, or compliance obligation.
☐
6.2.1
OH&S objectives are monitored, communicated, and updated as appropriate.
Review objective tracking dashboard or scorecard; confirm regular reporting frequency and communication to workers.
☐
6.2.2
Plans for achieving OH&S objectives define: what will be done; required resources; responsible person(s); completion timescale; how results will be evaluated; and how actions will be integrated into business processes.
Review objective action plans; confirm all six planning elements are addressed for each objective.
☐
Clause 7: Support
Ref.
Audit Requirement
Guidance / Evidence
Rating
Auditor Notes
7.1 Resources
7.1
Resources needed for the establishment, implementation, maintenance, and continual improvement of the OH&SMS are determined and provided.
Review resource planning records; confirm budget, staffing, technology, and infrastructure allocations for OH&S.
☐
7.2 Competence
7.2
The competence of workers that affects OH&S performance and compliance obligations is determined.
Review competency framework; confirm all safety-critical roles and tasks are included.
☐
7.2
Workers are competent on the basis of appropriate education, training, or experience; deficiencies are addressed.
Review training needs analysis, training records, qualifications, and license registers (e.g., forklift, confined space, HAZMAT).
☐
7.2
Competence records are retained as documented information.
Verify training matrix is current; check individual training records are filed and accessible.
☐
7.3 Awareness
7.3
Workers are aware of the OH&S policy and objectives, their contribution to the effectiveness of the OH&SMS (including the benefits of improved performance), and the implications of not conforming with requirements.
Interview workers at various levels and roles; review induction, toolbox-talk, and refresher training records.
☐
7.3
Workers are aware of hazards, OH&S risks, and controls relevant to their work; and the right to remove themselves from work situations they reasonably believe present imminent serious danger.
Confirm workers can describe hazards in their own work area and know how to exercise stop-work authority.
☐
7.4 Communication
7.4.1
Internal and external OH&S communication processes are established covering: what to communicate; when; with whom; how; and who communicates.
Review OH&S communication plan; check that all communication channels are defined and ownership is assigned.
☐
7.4.2
OH&S information is communicated internally across functions and levels, including changes to the OH&SMS.
Verify meeting minutes, safety alerts, notice boards, intranet posts, toolbox-talk registers, and shift handover records.
☐
7.4.3
OH&S information relevant to contractors, visitors, and other interested parties is communicated externally.
Review contractor site induction records, visitor briefing logs, emergency contact lists, and regulatory correspondence.
☐
7.5 Documented Information
7.5.1
Documented information required by ISO 45001 and determined as necessary for OH&SMS effectiveness is established and maintained.
Review document master list against all ISO 45001 mandatory documented information requirements (clauses 4–10).
☐
7.5.2
Documented information is appropriately created, identified (title, date, author, version), reviewed, and approved.
Verify document control procedure; check approval signatures, version numbers, review dates on a sample of documents.
☐
7.5.3
Documented information is controlled for: availability and suitability; protection from loss of confidentiality or improper use; distribution, access, retrieval, and use; storage, preservation, and legibility; retention and disposal.
Check document management system access controls, archive policy, retention schedule, and obsolete document handling.
☐
Clause 8: Operation
Ref.
Audit Requirement
Guidance / Evidence
Rating
Auditor Notes
8.1 Operational Planning and Control – General
8.1.1
Processes needed to meet OH&SMS requirements are planned, implemented, controlled, and maintained by establishing operating criteria and implementing controls per those criteria.
Review safe systems of work, permits to work, and work instructions for high-risk tasks; confirm criteria are specific and measurable.
☐
8.1.1
Documented information is maintained to the extent necessary to have confidence that processes are carried out as planned.
Check procedure compliance records, observation/inspection logs, and supervisor sign-off records.
☐
8.1.2
The hierarchy of controls is applied to eliminate hazards and reduce OH&S risks: (1) Elimination, (2) Substitution, (3) Engineering controls, (4) Administrative controls, (5) PPE.
Review risk assessment treatment records; confirm priority is given to higher-order controls; verify PPE is treated as last resort only.
☐
8.1.3 Management of Change
8.1.3
A process for implementing and controlling temporary and permanent changes that impact OH&S performance is established, including: new products, services, and processes; changes in work processes, equipment, workforce, and legislation.
Review management of change (MOC) procedure and recent completed change assessments; confirm OH&S risk review is part of all change types.
☐
8.1.3
New or modified hazards and OH&S risks arising from proposed changes are identified before implementation.
Check pre-start safety reviews, commissioning checklists, and pre-change hazard assessments for recent projects.
☐
8.1.3
Unintended consequences of changes on OH&S are addressed; temporary changes are reviewed before being made permanent.
Verify that temporary MOC records exist with defined expiry dates; confirm review and formal close-out process.
☐
8.1.4 Procurement
8.1.4.1
A process to coordinate OH&S requirements with contractors is established; hazards and OH&S risks arising from contractor activities are identified and communicated.
Review contractor management procedure; check pre-qualification assessments, site induction records, and contract OH&S clauses.
☐
8.1.4.2
OH&S requirements are communicated to contractors before work commences; contractor performance against OH&S requirements is verified.
Review contractor induction logs, permit-to-work records, and on-site audit/inspection reports for contractors.
☐
8.1.4.3
For outsourced functions, the organization ensures that outsourcing arrangements do not adversely affect ability to achieve OH&S outcomes; controls are applied.
Review outsourcing contracts for OH&S requirements; check audit or inspection records of outsourced operations.
☐
8.1.4.4
OH&S requirements are established, communicated, and evaluated for goods, equipment, and services procured (including design-in safety requirements).
Review procurement specifications; confirm OH&S requirements flow into purchase orders and design briefs.
☐
8.2 Emergency Preparedness and Response
8.2
Potential emergency situations with OH&S implications are identified, including: fires, explosions, chemical releases, structural collapse, medical emergencies, natural disasters, and utility failures.
Review emergency risk register and scenario list; confirm site-specific hazards are comprehensively addressed.
☐
8.2
Processes for responding to potential emergency situations are established, including: first aid, fire evacuation, spillage containment, and liaison with emergency services.
Review emergency response plans; confirm each scenario has defined response steps, roles, and resources.
☐
8.2
Emergency response plans are tested at planned intervals through drills and exercises; results are documented, reviewed, and used to improve plans.
Check drill records, after-action review reports, and plan revision history following exercises; confirm drill frequency meets legal requirements.
☐
8.2
First-aid provision is appropriate to the workplace hazards, workforce size, and distances to medical facilities.
Verify first-aider certification records, ratios, and coverage across all shifts; check first-aid kit inspection logs.
☐
8.2
Emergency communication and coordination arrangements with external parties (emergency services, neighbors, regulators) are established and maintained.
Review emergency contact lists, mutual aid agreements, and records of external emergency liaison exercises.
☐
8.2
Emergency response information and training are provided to all relevant workers, including contractors and visitors.
Check emergency induction records for all worker categories; verify multilingual/accessible formats where needed.
☐
Clause 9: Performance Evaluation
Ref.
Audit Requirement
Guidance / Evidence
Rating
Auditor Notes
9.1 Monitoring, Measurement, Analysis and Performance Evaluation
9.1.1
OH&S performance criteria are determined; monitoring and measurement processes are established covering: extent to which legal requirements and other requirements are fulfilled; activities and operations related to identified hazards, risks, and opportunities; progress towards achieving OH&S objectives; and effectiveness of operational and other controls.
Review OH&S KPI framework; confirm both leading indicators (e.g., inspections completed, training rate, near-miss reports) and lagging indicators (incident rates, lost-time injuries) are tracked.
☐
9.1.1
Monitoring and measuring equipment is maintained, calibrated, and validated; results are retained as documented information.
Check calibration records and certificates for gas monitors, noise meters, lux meters, and other measuring instruments.
☐
9.1.1
OH&S performance data is analysed and evaluated to identify trends, assess effectiveness of controls, and support decision-making.
Review statistical reports, trend analysis charts, and management review input packs; confirm data-driven decision records.
☐
9.1.2
Compliance with legal and other requirements is evaluated at planned intervals; results are retained as documented information.
Review compliance evaluation records; confirm all permits, statutory inspections, and regulatory limits are addressed and findings reported to top management.
☐
9.2 Internal Audit
9.2.1
Internal audits of the OH&SMS are conducted at planned intervals to determine whether the OH&SMS: conforms to the organization's own requirements and ISO 45001; is effectively implemented and maintained.
Review audit schedule; confirm all clauses, significant hazards, and all operational areas are included within the audit programme cycle.
☐
9.2.2
An OH&S audit programme is planned, established, implemented, and maintained; it considers OH&S importance, changes, and results of previous audits.
Check audit programme documentation; verify auditor competence criteria, independence requirements, and audit methodology.
☐
9.2.2
Audit results are communicated to relevant managers and workers; corrective actions are determined and implemented without undue delay.
Review audit reports, distribution records, and CAR register; check average time-to-close for audit findings.
☐
9.2.2
Documented information is retained as evidence of the audit programme and audit results.
Confirm audit files (plans, reports, evidence, CARs) are complete and accessible for the full retention period.
☐
9.3 Management Review
9.3
Top management reviews the OH&SMS at planned intervals to ensure its continuing suitability, adequacy, and effectiveness.
Review management review meeting minutes; confirm frequency (at least annually), top management attendance, and quorum.
☐
9.3
Management review inputs address all required topics: status of previous review actions; changes in external/internal issues; OH&S performance trends (incidents, near-misses, illness, audit results, KPIs); fulfilment of compliance obligations; hazard identification and risk assessment results; consultation and participation outcomes; risks and opportunities; adequacy of resources.
Cross-check meeting minutes and supporting data packs against all clause 9.3 b) input items; confirm each was addressed with evidence.
☐
9.3
Management review outputs include decisions and actions on: continual improvement opportunities; changes to OH&SMS including resources; action items with owners and timescales.
Verify action items are SMART, assigned, tracked in action log, and closed; confirm outputs are communicated to relevant workers.
☐
Clause 10: Improvement
Ref.
Audit Requirement
Guidance / Evidence
Rating
Auditor Notes
10.1 General
10.1
The organization determines improvement opportunities and implements necessary actions to achieve the intended outcomes of the OH&SMS.
Review OH&S improvement register, innovation log, and benchmarking reports against industry best practice.
☐
10.2 Incident, Nonconformity and Corrective Action
10.2
A process exists to report, react to, and investigate incidents and nonconformities in a timely manner; immediate actions are taken to control and correct the situation and deal with consequences.
Review incident/NCR procedure; check response time records and evidence of immediate containment actions.
☐
10.2
Incidents and nonconformities are investigated by competent persons with appropriate worker involvement to determine root causes and contributing factors.
Review completed investigation reports; verify competence of investigators and evidence of worker participation in investigations.
☐
10.2
Root cause analysis methodology is applied consistently (e.g., 5-Why, Ishikawa/fishbone, fault tree); actions address root causes, not just symptoms.
Check sample of investigation reports for depth of root cause analysis; confirm systemic factors (management, design, culture) are explored.
☐
10.2
Corrective actions are appropriate to the severity and potential of the nonconformity; hierarchy of controls is applied when determining actions.
Verify corrective actions prioritize higher-order controls; check that actions address systemic as well as immediate causes.
☐
10.2
The effectiveness of corrective actions is reviewed before closure; if actions are ineffective, further action is taken.
Check effectiveness review records and defined effectiveness criteria; confirm no premature closure of CARs.
☐
10.2
Results of investigations, nonconformities, and corrective actions are communicated to relevant workers and interested parties; lessons learned are shared.
Review lessons-learned communications, safety alerts, and toolbox-talk records referencing specific incidents or NCRs.
☐
10.2
Documented information is retained as evidence of the nature of incidents/nonconformities, subsequent actions, and results.
Confirm incident register and CAR database completeness; check retention period compliance and archiving.
☐
10.3 Continual Improvement
10.3
The organization continually improves the suitability, adequacy, and effectiveness of the OH&SMS to enhance OH&S performance and promote a positive OH&S culture.
Review multi-year trend data on leading and lagging indicators; confirm improving trajectories or documented justification for stable/declining metrics.
☐
10.3
The organization promotes worker participation in identifying and implementing continual improvement actions.
Check suggestion schemes, safety circle records, improvement team minutes, and recognition of OH&S improvement contributions by workers.
☐
OH&S Performance KPI Snapshot
OH&S Performance KPI Snapshot
OH&S Metric
Unit / Basis
Target
Actual (Period)
Status / Trend
Total Recordable Injury Rate (TRIR)
Per 200,000 hrs
Lost-Time Injury Frequency Rate (LTIFR)
Per 200,000 hrs
Severity Rate (lost days)
Days per LTI
Near-Miss Reports Submitted
Count
Hazard Observations / Reports
Count
Safety Inspections / Walk-Throughs Completed
% of scheduled
Corrective Actions Closed On Time
% of total
OH&S Training Completion Rate
% of workforce
Emergency Drills Conducted
Count vs plan
Legal / Regulatory Non-Compliances
Count
Workers' Compensation Cost
Currency
Occupational Illness Cases
Count
Audit Summary & Sign-off
Audit Summary
Total Items Audited
Conforming (✓)
Nonconformities (MNC+MJC)
OFIs
OH&S Performance Trend vs Previous Audit:
☐ Improving ☐ Stable ☐ Declining
Overall Audit Conclusion & Recommendation:
Lead Auditor Signature
Date
Management Rep. Signature
Date