
Principles of Auditing (Based on ISO 19011 Guidelines for Auditing Management System)

ISO 19011 presents seven principles of auditing:

1. Integrity: the foundation of professionalism
2. Fair presentation: the obligation to report truthfully and accurately
3. Due professional care: the application of diligence and judgement in auditing
4. Confidentiality: security of information
5. Independence: the basis for the impartiality of the audit and objectivity of the audit conclusions
6. Evidence-based approach: the rational method for reaching reliable and reproducible audit conclusions in a systematic audit process
7. Risk-based approach: an audit approach that considers risks and opportunities

ISO 19011 distinguishes the following types of audit:

1st party audit: internal audit
2nd party audit: external provider audit; other external interested party audit
3rd party audit: certification and/or accreditation audit; statutory, regulatory and similar audit

List of Lead Auditor Responsibilities

1) Possess strong analytical and problem-solving abilities
2) Manage a team of auditors
3) Periodically inspect and calibrate auditing tools (e.g., scales, callipers)
4) Assist in the development of audit plans and audit schedules
5) Participate in audits (and lead a team of quality auditors, when needed)
6) Identify processes, situations, etc., where the organization is meeting requirements, as well as identify opportunities for improvement
7) Assist the audit team in developing audit reports; present audit reports to top management, as needed
8) Assist with follow-up audits, as required

ISO 45001:2018

Types of health and safety incidents, nonconformities and corrective actions will vary widely
depending on the nature of the business and activities.

Examples of incidents, nonconformities, and corrective actions include:

Incidents:
• Work-related near-miss events,
• Injuries and ill health,
• Exposures to health hazards,
• Occupational diseases,
• Vehicle accidents,
• Property and equipment damage where it can lead to OH&S risks.
Nonconformities:
• Protective equipment not functioning properly,
• Failure to apply legal requirements,
• Specified procedures not being followed.
Corrective actions (as indicated by the hierarchy of controls):
• Elimination of hazards,
• Substitution with safer materials,
• Design or modification of equipment or tools,
• Development of procedures,
• Improving the competence of affected workers,
• Changes in frequency of use,
• Personal protective equipment.

The Hierarchy of Controls:
1. Hazard elimination:
Avoiding risks, adapting work to workers, integrating health, safety and ergonomics when planning new workplaces, and creating physical separation of traffic between pedestrians and vehicles. Can you find the root cause?
2. Substitution:
Can you perform a different activity, or change part of the process, to avoid the risk and produce the same results? Replacing the dangerous with the non-dangerous or the less dangerous, combating risks at source, adapting to technical progress, for example replacing solvent-based paint with water-based paint.
3. Engineering controls:
Is there a technical or mechanical solution that will take humans out of the process? Implement collective protective measures, such as isolation, machine guarding, ventilation systems, mechanical handling, noise reduction, and protecting against falls from height by using guard rails.
4. Administrative controls:
Giving appropriate instructions to workers, such as lockout procedures, periodic safety equipment inspections, health and safety coordination with subcontractors’ activities, induction of new workers, forklift driving licences, and rotation of workers.
5. Personal protective equipment (PPE):
Providing adequate PPE, and instructions for its use and maintenance, such as safety shoes, safety glasses, hearing protection, chemical- and liquid-resistant gloves, electrical protection gloves, and cut-resistant gloves.

Mandatory documents required by ISO 45001:2018

1) Scope of the OH&S management system (clause 4.3)
2) OH&S policy (clause 5.2)
3) Responsibilities and authorities within the OH&SMS (clause 5.3)
4) OH&S process for addressing risks and opportunities (clause 6.1.1)
5) Methodology and criteria for assessment of OH&S risks (clause 6.1.2.2)
6) OH&S objectives and plans for achieving them (clause 6.2.2)
7) Emergency preparedness and response process (clause 8.2)

Mandatory records:

1) OH&S risks and opportunities and actions for addressing them (clause 6.1.1)
2) Legal and other requirements (clause 6.1.3)
3) Evidence of competence (clause 7.2)
4) Evidence of communications (clause 7.4.1)
5) Plans for responding to potential emergency situations (clause 8.2)
6) Results of monitoring, measurement, analysis and performance evaluation (clause 9.1.1)
7) Maintenance, calibration or verification of monitoring equipment (clause 9.1.1)
8) Compliance evaluation results (clause 9.1.2)
9) Internal audit program (clause 9.2.2)
10) Internal audit report (clause 9.2.2)
11) Results of management review (clause 9.3)
12) Nature of incidents or nonconformities and any subsequent action taken (clause 10.2)
13) Results of any action and corrective action, including their effectiveness (clause 10.2)
14) Evidence of the results of continual improvement (clause 10.3)

Non-mandatory documents
There are numerous non-mandatory documents that can be used for ISO 45001 implementation.
However, these are the non-mandatory documents that are most commonly used:

1) Procedure for Determining Context of the Organization and Interested Parties (clause 4.1)
2) OH&S Manual (clause 4)
3) Procedure for Consultation and Participation of Workers (clause 5.4)
4) Procedure for Hazard Identification and Assessment (clause 6.1.2.1)
5) Procedure for Identification of Legal Requirements (clause 6.1.3)
6) Procedure for Communication (clause 7.4.1)
7) Procedure for Document and Record Control (clause 7.5)
8) Procedure for Operational Planning and Control (clause 8.1)
9) Procedure for Change Management (clause 8.1.3)
10) Procedure for Monitoring, Measuring and Analysis (clause 9.1.1)
11) Procedure for Compliance Evaluation (clause 9.1.2)
12) Procedure for Internal Audit (clause 9.2)
13) Procedure for Management Review (clause 9.3)
14) Procedure for Incident Investigation (clause 10.1)
15) Procedure for Management of Nonconformities and Corrective Actions (clause 10.1)
16) Procedure for Continual Improvement (clause 10.3)

Required knowledge and skills of management system auditors (ISO 19011:2011)
1) Generic knowledge and skills of management system auditors

• Audit principles, procedures and methods
• Management system and reference documents
• Organizational context
• Applicable legal and contractual requirements and other requirements

2) Discipline- and sector-specific knowledge and skills of management system auditors

• Discipline-specific management system requirements and principles, and their application
• Legal requirements relevant to the discipline and sector
• Risk management principles, methods and techniques relevant to the discipline and sector

3) Generic knowledge and skills of an audit team leader

• Balance the strengths and weaknesses of the individual audit team members
• Lead the audit team to reach the audit conclusions
• Prepare and complete the audit report

4) Knowledge and skills for auditing management systems addressing multiple disciplines

• Understanding of the interaction and synergy between the different management systems

Possible evaluation of audit methods

How to Create the Appropriate Audit Sample

• Look at your audit objectives.
• Describe the control activity.
• Define the population.
• Define the deviation conditions.
• Think about your expected number of deviations.
• Determine the planned assessed level of control risk.
• Determine the appropriate sample size.
• Determine the method of selecting the sample.

Select a sampling method.

1) Judgement-based sampling

For judgement-based sampling, the following can be considered:

a) previous audit experience within the audit scope;
b) complexity of requirements (statutory and regulatory requirements) to achieve the audit objectives;
c) complexity and interaction of the organization’s processes and management system elements;
d) degree of change in technology, human factor or management system;
e) previously identified significant risks and opportunities for improvement;
f) output from monitoring of management systems.

2) Statistical sampling

Elements that can affect the audit sampling plan are:

a) the context, size, nature and complexity of the organization;
b) the number of competent auditors;
c) the frequency of audits;
d) the time of the individual audit;
e) any externally required confidence level;
f) the occurrence of undesirable and/or unexpected events.

Maintaining and improving auditor competence

The continual professional development activities should take into account the following:
a) changes in the needs of the individual and the organization responsible for the conduct of the audit;
b) developments in the practice of auditing, including the use of technology;
c) relevant standards, including guidance/supporting documents and other requirements;
d) changes in sector or disciplines.

Establishing auditor evaluation criteria

The criteria should be qualitative (such as having demonstrated desired behaviour, knowledge or the performance of the skills, in training or in the workplace) and quantitative (such as the years of work experience and education, number of audits conducted, hours of audit training).

Assigning roles and responsibilities of guides and observers
For observers, any arrangements for access, health and safety, environmental, security and
confidentiality should be managed between the audit client and the auditee.
Guides, appointed by the auditee, should assist the audit team and act on the request of the audit

• confirming timings and locations
• arranging access to specific locations of the auditee
• witnessing the audit on behalf of the auditee, when appropriate
• ensuring that rules concerning location-specific arrangements for access, health and safety, environmental, security, confidentiality and other issues

1) ISO 45001 requires that internal audits are objective and impartial. Describe the difference
between objectivity and impartiality in this context.

Ans: Impartiality is about being neutral and fairly giving all sides an equal value without bias. Objectivity is all about sticking to the observable facts without bias. They are both different methods for overcoming our personal bias. ... If you are being impartial then you would give both arguments equal value.

2) Explain the likely consequences of undiplomatic behaviour by an auditor.

Ans: If the auditor is not diplomatic during an audit, he will lose control over achieving the set audit objectives. An undiplomatic auditor will take decisions based on emotion and ego, which will indirectly affect the recommendations/nonconformities, basing them on non-facts rather than evidence, and this will affect the implementation of the audit plan and the effectiveness of the audit objectives.

3) Give four examples of evidence which demonstrates that an organization is managing its OH&S
legal responsibilities in conformance with ISO 45001.

• Acts and statutory instruments such as the Safety, Health and Welfare
• Licences, permits and other forms of authorization, such as the EPA Office of Radiological Protection licence
• Improvement or prohibition notices issued by HAS / HSE
• Evaluate compliance and take action if needed

or

• Laws and regulations,
• Permits, licences or other forms of authorization,
• Orders, rules or guidance issued by regulatory agencies,
• Judgments of courts or administrative tribunals,
• Treaties, conventions, and protocols.

4) Identify two ways in which an auditor can verify that agreed corrective actions have been
effectively implemented.

a) Whether the closed-out action is part of a continual process, so that the recurrence does not manifest during the next audit (internal or external).
b) Whether the training provided as part of the preventive action is effective, by auditing the personnel who underwent the training as part of the action.

or
c) Whether the actions taken are discussed in the management review meeting, so that their effectiveness is ensured by top management through their active participation in the action plan.

5) List six responsibilities of the lead auditor when conducting an external audit

a) Developing the audit plan
b) Communication with the auditee
c) Chairing the opening meeting
d) Planning a final team meeting prior to the closing meeting
e) Chairing the closing meeting
f) Completing and distributing the audit report

6) An auditor conducting a third-party audit finds a critical safety hazard which has not been
addressed in the OHSMS. State how the auditor should respond.

Ans: Check the relevant activities, sources and situations of the organization, act, and ensure that the risks to people arising from these hazards are assessed, prioritized and controlled to eliminate the hazards or reduce the risks to acceptable levels.

7) What are the benefits of ISO 45001?

• Minimize occupational safety and health risks to all those working on its behalf (including to their mental and physical health)
• Improve its occupational health and safety performance continually
• Integrate occupational health and safety into its business management system and processes

Case No. 01

You are the team leader allocated to a stage 2 OH&S certification audit of a large chemical
company producing explosives for industrial use wishing to gain ISO 45001 certification.
You have been asked to form the audit team; list five factors you would consider when selecting individual members of that team.

1) The overall competence of the audit team needed to achieve audit objectives, scope and
criteria.
2) Whether the audit is a combined or joint audit
3) The selected audit methods
4) Type and complexity of the processes to be audited.
5) Ensuring objectivity and impartiality to avoid any conflict of interest of the audit process

Case No. 02

A construction company has been certified to ISO 45001 for more than a year. Two months ago, the company had a fatal accident involving someone working in a narrow space. Next week is the surveillance audit and you are the sole auditor conducting the audit.

Explain what you would wish to examine by listing at least 10 issues for investigation, making reference to relevant clauses of ISO 45001.

1. Audit Trail: Check whether the organization reacted in a timely manner to the incident and whether it was reported and investigated.
Evidence: Incident and Investigation Report
Clause: 10.2

2. Audit Trail: Check whether the organization took any action, including corrective action.
Evidence: Corrective Action Report
Clause: 10.2

3. Audit Trail: Check whether the organization reviewed existing assessments of OH&S risks and other risks, as appropriate, after the incident.
Evidence: List of Assessments for OH&S Risk
Clause: 6.1.2.2

4. Audit Trail: Check whether the organization determined and implemented any action needed, including corrective action, in accordance with the hierarchy of controls and the management of change.
Evidence: Hierarchy of Control Records
Clause: 8.1.3

5. Audit Trail: Check whether the organization is eliminating hazards and reducing OH&S risks.
Evidence: HERA and Risk Register
Clause: 8.1.2

6. Audit Trail: Check whether the organization reviewed the effectiveness of any action taken, including corrective action.
Evidence: Corrective and Preventive Action Report
Clause: 10.2

7. Audit Trail: Check whether the organization made changes to the OH&S management system, if necessary.
Evidence: Change Management Notes
Clause: 8.1.3

8. Audit Trail: Check whether the organization communicated this documented information to relevant workers and, where they exist, workers' representatives, and other relevant interested parties.
Evidence: Internal and External Communication
Clause: 7.4.2 and 7.4.3

9. Audit Trail: Check whether the organization has established, implemented and maintained an emergency preparedness and response process.
Evidence: Emergency Response Plan
Clause: 8.2

10. Audit Trail: Check whether the organization provided training, mentoring, or reassignment of currently employed persons, or hired or contracted competent persons.
Evidence: Training Records
Clause: 7.2

Case No. 03

You are the audit team leader conducting an OHSMS stage one certification audit on site by
yourself in an organization. At the initial meeting, you are presented with a luxury leather laptop
case containing the company’s OHSMS manual and procedure documents. The OHSMS manager
indicates that the case is a gift for you to use during the audit and retain afterwards.

Describe how you would respond to this situation.

1) Check and review the organization's scope and gather information on the processes and operations, equipment, levels of control, and any statutory or regulatory requirements.
2) Check whether the organization has determined the external and internal issues that are relevant to its purpose.
3) Check whether the organization has determined the needs and expectations of workers and other interested parties.
4) Check the organization's leadership and commitment.
5) Check whether the organization has established, implemented and maintained an OH&S policy and objectives.

Case No. 04

At the opening meeting of the stage 2 certification audit, the Health & Safety manager informs
you that a recent internal audit has found many nonconformities relating to issues in the
laboratory.

Corrective action has already been planned. The manager therefore suggests that auditing the laboratory again would add no value and asks if you could delete this department from the audit plan and spend more time in the production area, as there has been an increase in minor accidents recently and he is concerned that there may be serious problems.

Outline five issues you would include in the response which you would give to this request.

1) Check that the organization responds in a timely manner to the incident or nonconformity and takes action to control and correct it and to deal with the consequences.
2) Check that the nonconformity is addressed by investigating the incident or reviewing the nonconformity.
3) Check and review existing assessments of OH&S risks and other risks, as appropriate.
4) Check whether the organization implements any action needed, including corrective action, in accordance with the hierarchy of controls and the management of change.
5) Check that OH&S risks relating to new or changed hazards are evaluated prior to taking action.
6) Check the effectiveness of any action taken, including corrective action.

1) Examples of objective evidence in auditing

• Test log
• Test report
• Review report
• Non-conformance report
• Witness statement
• In information systems: audit trail
• Quality metric (example: in software development, code defect density, i.e. defects per thousand lines of code)

Note: objective evidence may be obtained through observation, measurement, test, or other means.

2) The audit objectives define:
• Determination of the extent of conformity of the management system to be audited
• Evaluation of the relevant statutory and regulatory requirements and other requirements
• Evaluation of the effectiveness of the management system in meeting its intended results
• Identification of opportunities for potential improvement of the management system
• Evaluation of the capability of the management system to establish and achieve objectives and effectively address risks and opportunities

3) Opening Meeting Agenda

• Introduce the team and outline their roles
• Confirm audit objectives, scope and criteria
• Confirm the audit plan and relevant arrangements
• Audit method
• Explain sampling
• Language to be used
• Confirm resources and facilities
• Confidentiality and information security
• Health, safety, emergency and security
• Method of reporting and grading of NCRs
• Closing time
• Complaints, appeals and feedback

4) Explain the auditor behaviour. (Principles of ISO Auditing)

Ethical: fair, truthful, sincere, honest, and discreet
Open-minded: willing to consider alternative ideas or points of view
Diplomatic: tactful in dealing with people
Observant: actively observing physical surroundings and activities
Perceptive: aware of and able to understand situations
Versatile: able to readily adapt to different situations

Explain the auditor behaviour. (Principles of ISO Auditing)

Ethical conduct: the foundation of professionalism. It includes auditor behaviour that reflects trust, integrity, confidentiality, and discretion.
Fair presentation: the obligation to report truthfully and accurately:

• Audit activities, through audit findings, conclusions, and reports
• Significant obstacles encountered
• Unresolved diverging opinions between auditee and audit team

Due professional care: Auditors should exercise due professional care in all tasks performed during the audit, in accordance with the confidence placed in them by the auditee and in recognition of the importance of the task they are performing.

One of the most important requirements of this principle is that auditors have the ability to make reasoned judgements in all situations during the audit.

Confidentiality: Auditors should respect the confidentiality of all information they deal with throughout the audit.

This means exercising due diligence in making sure all information acquired during the course of their duties as auditors is respected and adequately protected.

Making sure information is secure includes taking special precautions where necessary, such as when handling sensitive or confidential information.

5) List three methods of evaluating auditors

• Review of records
• Feedback
• Interview
• Observation
• Testing
• Post-audit review

6) Purpose of a closing meeting

• Introductions (attendees not at the opening meeting)
• Saying thanks (time and cooperation)
• Scope (reminder of coverage)
• Disclaimer (limited sample; brief time)
• Conformity areas (strengths; positives)
• Summary of nonconformities (by lead auditor)
• Conclusions (conformity, effectiveness, trends)
• Follow-up (verification of corrective actions)
• Thanks (courtesy and hospitality)

7) Purpose of an opening meeting
• Establish personal contact with the auditee
• Confirm the plan for carrying out the audit
• Explain and confirm the activities, roles and responsibilities of those involved in the audit
• Confirm communication arrangements and reporting requirements
• Provide an opportunity for the auditee to clarify issues and ask any questions

8) Purpose and Objectives of the audit

• To determine the extent of fulfilment of the audit criteria
• To determine the efficiency and effectiveness of the implemented system
• To provide opportunities to improve
• To evaluate the strengths and weaknesses of the OH&SMS
• To verify awareness of legal, statutory and other stated requirements
• Certification

9) Audit Checklist Benefits and Disadvantages

Benefits

a) Identifies relevant samples
b) Defines a formal audit process
c) Requires helpful research
d) Helps maintain the pace of the audit
e) Keeps audit objectives clear
f) Gives historical reference as an audit record
g) Reduces workload on the auditor during the audit
h) Assures the auditee of auditor professionalism
i) Provides space for audit notes

Disadvantages

• Can become a tick list
• May be full of yes-no questions
• If an area is not on the checklist, the auditor will not look at it
• May stifle initiative and process analysis

10) There are different types of audit questions:

• Themed questions
• Expansive questions
• Opinion questions
• Investigative questions
• Non-verbal questions
• Repetitive questions
• Hypothetical questions
• Closed questions

11) Audit Evidence

• Information, records, or statements of fact
• Qualitative (non-numerical) or quantitative (numerical)
• Based on observation, measurement, or test

12) Techniques to obtain objective evidence include:

Interview people:
• that manage, perform and verify activities
• with responsibility and authority for work

Observe operations:
• for identification, status, condition, flow, and operation of facilities, materials, product, equipment, processes, and tasks

Review documents:
• pertaining to processes and activities
• for details of why, who, what, when, and where

Examine records:
• for objective evidence of implementation of processes, activities, controls, inspections, and tests

Evaluate results:
• to summarize and analyze the audit observations
• to determine the effectiveness of the quality system

13) Examples of incidents, nonconformities and corrective actions can include, but are not limited
to:
Incidents: same level fall with or without injury; broken leg; asbestosis; hearing loss; damage to
buildings or vehicles where they can lead to OH&S risks;
Nonconformities: protective equipment not functioning properly; failure to fulfil legal requirements
and other requirements; prescribed procedures not being followed;
Corrective actions (as indicated by the hierarchy of controls): eliminating hazards; substituting
with less hazardous materials; redesigning or modifying equipment or tools; developing
procedures; improving the competence of affected workers; changing the frequency of use; using
personal protective equipment.

14) Generally speaking, an ISO audit will consist of the following key elements, or stages:

• Audit management
• Audit preparation
• Audit process
• Gathering evidence
• Evaluation of audit evidence against audit criteria
• Closing the audit
• Following up
• Competence and evaluation of auditors
