
Broadly, health and safety audits are a systemic process for organisations to check compliance and identify areas of improvement.



Without proper planning, audits can be unsuccessful. Problems might include the reason for, or the objective of, the audit not being met; the auditor failing to check compliance against applicable criteria; and auditees not knowing what to expect and failing to gather evidence. So, here are our top tips.


Get the planning right


Decide the audit objective, scope, criteria and methodology. You should identify what the audit should achieve, what or who will be audited, what will be used as the audit criteria, and how you will audit. A basic audit plan might look like this:

Objective:
To verify that A Company complies with the legal requirements of The Control of Substances Hazardous to Health Regulations 2002.

Scope:
The Maintenance Team at A Company’s head office.
The Maintenance Team at A Company’s Manchester office.

Criteria:
The Control of Substances Hazardous to Health 2002.
A Company Procedure 002, The management of the Control of Substances Hazardous to Health Regulations 2002.

Methodology:
Interviewing Maintenance Team Leaders at the sites in scope.
Reviewing documents and records as required by the criteria.
Inspecting COSHH storage at the sites in scope.
Evidence based sampling.


Audit planning should also include timings and setting up meetings with the auditees, determining sample sizes, and reporting requirements.


Book time with auditees so they can dedicate enough time to you. Audits can be worrying for auditees, so sharing the audit objectives, scope, criteria, and methodology can help them prepare.


Sample sizes should be proportionate. If Company A uses 200 hazardous substances, you should agree on a suitable sample size.


Reporting requirements might include whether the auditor should make recommendations and how they will be prioritised. Priorities can be based on the degree of non-compliance (e.g. legal or procedural) or in line with existing company reporting procedures. Either way, priorities should allow the auditee to address the most pressing issues first.


Find the right person


Find an auditor that is competent and independent. Impartiality avoids bias and conflicts of interest. An auditor working in or close to the audit subject may presume that everything is compliant, believe they know the management arrangements and procedures in place or may be uncomfortable with raising issues or non-conformities.


Keep an open mind


Auditors should approach an audit without ideas or opinions on how something should be done or managed.


Generally, health and safety law isn't prescriptive and doesn't describe how you should do something. Using the legislation referred to in the criteria example above, the COSHH Regulations say that a risk assessment shall include consideration of a range of factors (hazardous properties of a substance, health effects and so on), but the Regulations do not prescribe how that risk assessment should be done or its format.


It is up to the auditee to demonstrate how they comply with the audit criteria, not the auditor’s expectations.


Ask and you shall receive


Open-ended questions help auditors understand how the auditee does something. For example, asking 'Can you talk me through how you risk assess your hazardous substances?' or 'What COSHH training do employees receive?' allows a person to explain if and how they consider the necessary factors in a COSHH risk assessment and when and how frequently employees might have COSHH training.


When an auditor understands how a process works, they can move on to closed questions (which aren't always bad!).


For example, 'Can I see the risk assessments for X, Y and Z substances?' or 'Please show me the COSHH training records for yourself, your section manager, and your last new joiner'.


If the auditee cannot show you evidence, or if you identify a potential non-conformance to the criteria, think about whether you're asking the right questions, looking in the right place, or talking to the right person. Then, give the auditees a chance and probe a little further.


If you can't obtain the evidence or resolve the non-conformance, record this in the report.


Record and report


Audit reports are likely to be read by people not directly involved in the process, e.g. senior management or health and safety committees, so they need to contain sufficient information to allow the readers to understand what you did, what you found and what needs correcting.


Audit reports should clearly reference the evidence seen, which can take a range of formats, such as documents and records, photographs, or videos of tasks being carried out.


Audit reports should detail where there is evidence of compliance and an audit conclusion. In the example above, this will be to conclude whether A Company complies with the requirements of the Control of Substances Hazardous to Health Regulations 2002 and Procedure 002, The management of the Control of Substances Hazardous to Health Regulations 2002.


Where there is no compliance with the criteria, the report should contain sufficient information to substantiate the finding. For example:


'Company A's Procedure 002, The management of the Control of Substances Hazardous to Health Regulations 2002, Point F, states that risk assessments shall be reviewed every 12 months. Three of the 10 risk assessments we sampled (references RA 001, RA 005 and RA 009) had not been revised within the last 12 months. They were dated October 2023, and the revision date on each assessment was October 2024. See photographs 1, 2 and 3.'


If required as part of the planning process, the auditor's recommendations should be discussed as part of a close-out meeting so auditees understand the findings and can act accordingly.


In the future, re-completing the audit can help verify that any recommendations have been implemented and are effective.


Auditing isn’t just about finding out where things are wrong. Unless you have agreed during the planning process that you will only report on non-compliance, don’t forget to record where you do find compliance so people can be acknowledged for their work and achievements.


Happy auditing!

For expert advice on auditing, as well as health and safety in general, please contact our expert health and safety consultants by clicking on the 'Get in touch' button.

