by Cameron Clark
You can have the best safety culture and practices in the world, but if you don’t get your documentation right or provide access to records, the audit is going to be an uphill battle.
Safety audits are about evaluating if your health and safety management system is doing what its supposed to do. To do this, safety auditors need evidence sourced from visual observations, interviews with management and employees as well as reviewing documents, data, and records.
But is all evidence created equal?
Not at all.
Each type of evidence has its own pros and cons and safety auditors have to evaluate just how reliable and objective the evidence is that is presented to them.
Visual observations can tell you how people are working on the day of the audit, but like many things, safety practices can improve when people know you’re watching.
Interviews and conversations with people can give you an insight into their knowledge and understanding, but it can’t corroborate that they always act that way.
While using only documentation and records to evaluate a HSMS has its own drawbacks, they often provide the most reliable and objective evidence to safety auditors of how the HSMS has been applied over a period of time. So, making sure you have the right documentation and records is important if you want a strong audit result.
Beyond providing objective evidence, documented processes and records are often a minimum requirement of many audit standards. Failure to document such a process will likely result in a nonconformance, regardless of how well you are actually managing health and safety risks.
You must also remember that not all audit standards require documented procedures or even use the same terminology to describe what they want. Let’s take a quick look at each.
Audit standards often use different terminology to describe requirements. If we look at some common audit standards we can see that the term “procedures” is not used interchangeably:
- AS/NZS 4801 – Requires procedures to satisfy many criteria but only some of these procedures are required to be “documented.”
- OHSAS 18001 – Requires procedures to satisfy some criteria, but “procedures” are defined as a “specified way to carry out an activity or a process, that can be documented or not.”
- National Audit Tool V3 – Requires procedures to satisfy some criteria, and defines a procedure as a document in text or graphic form.
So, amongst three common audit standards, we have three different requirements when it comes to documenting procedures.
To confuse this even further, OHSAS 18001 does require procedures to be documented where their absence could lead to deviations from the OHS policy and objectives.
We also know that not all audit standards require procedures for the same parts of an HSMS. Below is a small sample comparing procedural requirements from the same three audit standards.
We can see from the examples above that it’s important to know and ready the minimum mandatory documentation if you want to get through you audit successfully.
Whilst not every HSMS requirement demands a documented procedure, you should carefully consider how to ensure that complex processes are followed systematically each time. While hazard identification, risk assessment and control (HIRAC) processes don’t specifically need to be documented to satisfy OHSAS 18001, consider how difficult it would be to ensure a consistent outcome each time if the intent, scope, process, responsibilities, and timeframes required of HIRAC procedures weren’t documented.
In addition, be sure you prepare your documentation in accordance with document control requirements.
Having satisfied documentation requirements, it’s time to consider data (registers, incident data, training needs analysis) and records (completed permit to work forms, training attendance records, plant maintenance records). Where procedures outline an intent, data and records demonstrate whether activities match intent.
In any audit, there is generally more data and more records available than can be evaluated. This necessitates a sampling approach where the auditor will select example records at random. The sample size depends on many factors, the regularity and frequency of tasks as well as considering the level of risk.
It’s not uncommon for auditees to prepare a sample of evidence for the auditor, often with the best of intentions (though not always, but we will talk about that in future blog entry). While auditors will often appreciate the effort, a good auditor won’t rely solely on what is provided to them and will seek additional evidence to verify that the provided sample is representative.
If you don’t have ready access to data and records, an inquisitive auditor will begin to wonder why. This might mean a more thorough evaluation or even larger evidence sample to satisfy their curiosity, both of which provide greater opportunity for auditors to find errors or omissions (it is, after all, a big part of what we are trained to do). This may also result in a nonconformance against record keeping requirements.
Finally, make sure the records you do provide are current. If your records are too old, or in a different format to what they are supposed to be, the records are unlikely to be accepted as suitable evidence. Most auditors are likely to want to see evidence that applies to the last three to six months at least.
That certainly seems like a lot to take in, so let’s summarise quickly:
- Documentation and records contribute significantly to objective evidence, so any audit will require the review of a sufficient amount of such evidence.
- Know what standard you’re auditing against and make sure you know what the minimum documentation requirements are.
- Beyond the minimum requirements, consider what other complex processes should be documented to aid in their systematic application.
- Prepare your documentation in accordance with your own document control procedures.
- Make sure you have access to current and relevant records during the audit.
About the author
Cameron Clark is a health and safety professional with more than 17 years experience providing OHS consulting and auditing services to a range of large multinational organizations. He is currently a founder and Managing Director of Verus Australia and an Exemplar Global-certified Lead OHS Management Systems Auditor. Cameron can be contacted via firstname.lastname@example.org or via www.verus.com.au.