Health and Safety Audit: Best Practice (Internal)
September 2013 saw the Health and Safety Executive (HSE) guidance on good health and safety management being revised, to reflect the widely used Plan-Do-Check-Act approach (PDCA).
Central to this type of management system is that it is cyclical in nature, so as to enable the principle of continuous improvement to be adopted, to take account of organisational changes and to identify deterioration in any of the system’s elements.
Internal auditing is a key discipline of the management system cycle and is used to verify the adequacy of the other elements of the system. However, the effectiveness of the process will be negated if the employer fails to develop and implement appropriate auditing practices.
Health and Safety Audit purpose
OHSAS 18001 defines an audit as a “systematic examination to determine whether activities and related results conform to planned arrangements and whether these arrangements are implemented effectively and are suitable for achieving the organisation’s policy and objectives”.
According to the HSE, organisations should have “formal procedures for auditing and reporting health and safety performance” and this should be “perceived as a positive management and boardroom tool”.
A health and safety audit can be seen as a proactive management tool, used for reviewing and evaluating the performance and effectiveness of the organisation’s health and safety management system, in particular by:
- Confirming that the management system has conformed and been effectively implemented
- Identifying strengths and weaknesses within that system’s elements and ensuring statutory compliance
- Providing feedback to the organisation’s employees and senior management team
- Helping with the creation of action plans for improvement based upon audit findings
- Helping ensure that resources committed to health and safety are value for money and effectively control risks.
Health and safety systems can be subject to examination by external stakeholders, including independent audit organisations, customers or enforcing authorities.
However, auditing is also undertaken internally (first party audits) often forming part of a “self-declaration of conformity”. As such, organisations need to develop a programme based upon best practice.
Health and Safety Audit programme
Auditing should be a structured activity based upon a formal programme. BS EN ISO 19011 provides guidance on the management of an audit programme, on the planning and conducting of an audit of the management system, as well as on the competence and evaluation of an auditor and an audit team.
The above standard states that “objectives should be established for an audit programme, to direct the planning and conduct of audits”, which can be influenced by management priorities, statutory requirements and risks to the organisation.
As well as objectives, the extent of the audit process must be identified in terms of its parameters and focus of attention, as audits can cover whole systems or specific elements, as well as technical and managerial aspects of the system.
In terms of prioritising the programme, BS 18004 states that “audit programme/s should be planned, established, implemented and maintained by the organisation, based on the results of risk assessments of the organisation’s activities, and the results of previous audits”.
Competence is a key element and it is recommended that the person managing the audit programme has sufficient competence in the audit process and knowledge of the activities to be audited.
The person responsible for the development of the audit programme will need to consider the following:
- The health and safety audit programme objectives and extent.
- Roles, responsibilities and resources required.
- Audit process and scope, audit team members and record keeping.
- How the audit process will be monitored and reviewed.
It is essential that the individuals completing the audit, as well as the audit manager, have the necessary competence. In terms of health and safety, BS EN ISO 19011 recommends that auditors, as well as having knowledge of the audit process must have “knowledge and skills related to the discipline and the application of discipline-specific methods, techniques, processes and practices”.
In addition, they should be “independent of the part of the organisation or the activity that is to be audited”.
Health and Safety Audit Process
BS EN ISO 19011 contains a number of principles that aim to make the audit an effective and reliable tool. These principles are integrity of auditors, fair presentation of findings, due professional care in the audit process, confidentiality, independence and the use of an evidence-based approach to reach reliable and reproducible audit conclusions.
Communication is paramount when initiating the audit and so contact needs to be made with the area of the organisation that is to be subject to the audit process so as to detail the purpose of the audit and its process.
This will also enable pre-audit administration to be determined, including ensuring:
- The availability of the audit team staff and that they are aware of their responsibilities
- That staff in the area to be audited are aware of the audit date/process and are available to assist in the process where necessary
- That staff in the area to be audited make available on-site documentation and information.
Prior to the audit, documentation that is applicable to the health and safety management system and the audit focus can be reviewed. This may include the health and safety policy, training records, risk assessments, accident reports, performance reports, etc.
During the audit, information relevant to the audit criteria should be collected to generate the audit findings and conclusions. The main source of information will be additional relevant documentation to the health and safety management system, but interviews and worksite visits to undertake observations can also generate data.
Interviewing employees can give an indication of general attitudes, competency and fulfilment of responsibilities. It will be necessary to consider who to interview, their level within the organisation and their role in health and safety. It should also be borne in mind that this activity can be subjective rather than objective.
The use of a pre-prepared question set relevant to the audit’s objectives and criteria will assist in the completion of the audit and enable objectivity to be maintained.
Evidence gained should be evaluated against the audit criteria in order to determine audit findings, which can indicate conformity/good practice or non-conformity with the set audit criteria.
There are no set methodologies for rating or grading non-conformity outcomes but it is useful to formulate some form of system, either qualitative or quantitative, in order to prioritise remedial action. This may also be useful when numerous/similar parts of the organisation are to be audited as a comparison of compliance to the management system can then be used to make judgments as to future resource allocation to make improvements.
An audit report should be developed that summarises the audit process, the outcomes, any supporting evidence, opportunities for improvement, and any recommendations.
The results of the audit, via the subsequent report, should be communicated to all relevant parties as soon as possible, to allow corrective actions to be taken. When communicating the information contained within the report, confidentiality must be given consideration and it may be necessary to redact the audit for some stakeholders.
In particular, findings should be reviewed with managers responsible for the area audited in order to obtain acknowledgement that the audit evidence is accurate, and that the non-conformities are understood. The senior management team should also consider the outcomes of the audit and “take appropriate action as necessary within an appropriate time”.
Finally, an important element of the audit process is a review and, where necessary, follow-up audit to determine the success or otherwise of the implementation of the recommendations.