Yeah, I’m nosey. What happens? What do people do? How do things work? What can we do to make things better? If I see a cupboard, I’ll open it!
If you’re like me, the chances are you like auditing too. So here are my top tips.
Get the planning right
Decide the audit objective, scope, criteria and methodology. By this, I mean what the audit should achieve, what or who you will audit, what you will audit against, and how.
For example:
Objective:
To verify that A Company complies with the legal requirements of The Control of Substances Hazardous to Health 2002.
Scope:
The Maintenance Team at A Company’s head office.
The Maintenance Team at A Company’s Manchester office.
Criteria:
The Control of Substances Hazardous to Health 2002.
A Company Procedure 002, Management of COSHH.
Methodology:
Interviewing Maintenance Team Leaders at sites within scope.
Reviewing documents and records as required by the criteria.
Inspecting COSHH storage at sites within scope.
Evidence based sampling.
Audit planning should also include timings, sample sizes, and reporting requirements.
Sample sizes should be proportionate; if Company A uses 200 different substances, you should agree on a suitable sample size to represent the topic fairly.
Reporting requirements might include whether the auditor should make recommendations and how you will prioritise them. Priorities can be based on the degree of non-compliance (e.g., legal or procedural) or in line with existing company reporting procedures. Either way, priorities should allow the auditee to address the most pressing issues first.
Book time with auditees so they can dedicate enough time to you. Audits can be worrying for auditees, so sharing the audit objectives, scope, criteria, and methodology can help them prepare.
Find the right person
Find an auditor who is independent of the topic being audited. Impartiality avoids bias and conflicts of interest. An auditor working in or close to the topic area may audit on the presumption that everything is compliant or may be uncomfortable with raising issues or non-conformities.
Keep an open mind
By this, I mean approaching an audit without ideas or opinions on how you think something should be done or managed. Generally, health and safety law isn’t prescriptive and doesn’t describe how you should do something.
Using the legislation referred to in the criteria example above, the COSHH Regulations say that a risk assessment shall include consideration of a range of factors (hazardous properties of a substance, health effects and so on). However, they do not prescribe how that risk assessment should be done or its format. It is up to the auditee to demonstrate how they comply with the audit criteria, not how they confirm your expectations.
I find open-ended questions help me to understand how the auditee does something. For example, ‘Talk me through how you risk assess your substances’ or ‘What training do employees receive on COSHH?’.
When I understand how a process works, I can move on to closed questions (which aren’t always bad!).
For example, ‘Show me the risk assessment for X, Y and Z substances’ or ‘Show me the training records for yourself, your section manager, and your last new joiner’.
If the auditee cannot show you evidence, or if you identify a potential non-conformance to the criteria, think about whether you’re asking the right questions, looking in the right place, or talking to the right person. Then, give the auditees a chance and probe a little further.
If you can’t obtain the evidence or resolve the non-conformance, record this in the report.
Record and report
Audit reports are likely to be read by people not directly involved in the process, e.g., senior management or health and safety committees, so they need to contain sufficient information to allow the reader to understand what you did, what you found and what needs correcting.
Audit reports should clearly reference the evidence seen to support the audit objective, e.g., ‘to verify’. Evidence can take a range of formats, such as documents and records, photographs, or videos of tasks being carried out.
Audit reports should detail where there is evidence of compliance and an audit conclusion. In the example above, this will be to conclude whether A Company complies with the requirements of the Control of Substances Hazardous to Health Regulations 2002 and Procedure 002, Management of COSHH.
Where there is no compliance with the criteria, the report should contain sufficient information to substantiate the finding. For example:
‘Company A’s Procedure, 002: Management of COSHH, point f, states that risk assessments shall be revised every 12 months. Three of the 10 risk assessments we sampled (references RA 001, RA 002 and RA 003) had not been revised within the last 12 months. They were dated October 2021, and the revision date on each assessment was October 2022. See photographs 1, 2 and 3.’
If required as part of the planning process, the auditor’s recommendations should be discussed as part of a close-out meeting so auditees understand the findings and can act accordingly.
In the future, re-auditing the topic can help verify that recommendations have been implemented and are effective.