Auditing, reviewing and certifying occupational safety and health management systems
Emilia Dobrescu, National Research - Development for Health and Safety, Romania
- 1 Introduction
- 2 Definition and principles
- 3 Types of audits
- 4 Auditors – qualifications and abilities
- 5 Audit programme
- 6 Audit activities
- 7 Use of audit findings in management review
- 8 External audits and certification of the OSH management system
- 9 Weaknesses in certification of OSH management systems
- 10 References
- 11 Links for future reading
Introduction
The article presents specific elements of the process of auditing an occupational health and safety (OSH) management system, such as the definition and principles to be applied during an audit, types of audit (internal, second-party and third-party), the role of the different parties involved (auditor, team leader, observer, etc.), the qualifications and abilities of OSH auditors, planning and activities in an audit programme, information on conducting an audit, management review and certification or registration of OSH management systems.
Definition and principles
European directives or national legislation establish that the employers have a duty to ensure the safety and health of workers in every aspect related to the work. The employers have the responsibility not only to take the necessary measures, including protection and prevention of occupational risks, information and training of workers, but also to assure an improvement in the level of protection afforded to workers.
By implementing an OSH management system (OSH MS), the employer can fulfil the legal obligations and improve the company's safety and health performance. Audits are a key feature of any management system, including an OSH MS. An audit is defined as a systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.
The auditor must look for all the evidence necessary to demonstrate the adequacy of the audit findings. This means, first of all, collecting information and data that are relevant to the audit criteria from different sources, such as:
- interviews with workers;
- records: inspection reports, audit reports, accident and incident records, data on work-related health problems and absenteeism, monitoring and test reports (noise, dangerous substances etc);
- documents: policy documents, programmes and action plans, organisation charts, procedures, work instructions, job descriptions.
The information is then verified, and the relevant information becomes “audit evidence”, which is compared with the audit criteria in order to generate “audit findings”. These, after being analysed in relation to the objectives of the audit, lead to the “audit conclusion”.
In an audit of an OSH management system, the audit criteria are the references against which the “audit evidence” is compared: policies, procedures and requirements related to occupational health and safety, or standards such as ISO 45001, which is widely applied.
ISO Standard 45001 Occupational health and safety management systems — Requirements with guidance for use was published in 2018. It is a global standard and, since its publication, it has replaced several other OSH MS standards such as OHSAS 18001 and AS/NZS 4801. The ISO 45001 standard is based on the harmonised structure that is used for all ISO management system standards, e.g. ISO 9001 (quality) and ISO 14001 (environment). These standards specify steps that organisations can implement to improve their performance based on a continuous cycle of self-evaluation, correction and improvement and on employee commitment and management leadership. These standards are complemented by standard ISO 19011, which provides guidelines for auditing management systems.
The auditing process of an OSH management system can be applied to the organisation’s entire system or to a subdivision of the organisation. The following principles are to be observed in audit activities:
a) Principles regarding the auditors:
- ethical conduct;
- proper reporting;
- adequate professional attention.
b) Principles regarding the audit:
- based on evidence.
Types of audits
Classification of audits
The main types of audits are:
- internal audits;
- external audits;
- second-party audits;
- third-party audits
An internal audit is performed following a decision of the organisation’s management and is applied to the activities of the same organisation. The audit must be independent. To ensure the independence of the internal auditor from the auditee, one solution is to use auditors from within the organisation, e.g. from another location or another department, but not from the auditee’s site, and/or another solution is to use external expertise. Internal audits of the OSH management system are conducted in order to determine whether the management system complies with the functioning plan for OSH management and with legal requirements or standards, and to review and evaluate the performance and effectiveness of the OSH MS. Internal audits can be made, for example, to check whether risk assessment is carried out, whether risk controls are in place and whether the risk assessment reflects actual workplace conditions and practice.
External audit: second and third party audits
A second-party audit is performed following a decision of the organisation’s management by competent personnel from within the organisation and/or by external personnel selected by the organisation and the audit is applied to the activities of a second organisation, usually a supplier of the first organisation. The purpose of the audit is for the auditor to verify if the auditee meets specific requirements and become satisfied with the performance level of the auditee. The conclusions of the audit are communicated to the management of the two organisations and to no other interested party.
A third-party audit is performed following an application for certification/registration against an OSH standard, issued by an organisation’s management. It is undertaken by competent personnel from the certification/registration body. It is applied to the applicant’s organisation, and the conclusions of the audit are communicated to the certification body and the management of the applicant. Only a positive decision is made public, or a negative decision following annual surveillance observations, as established in the final records: certificates and communications of withdrawal of certification.
Auditors – qualifications and abilities
The audit is performed by an audit team, which can be formed by one or more individuals having specific competencies, abilities and experience in activities, audit criteria and audit techniques. The team may include a lead auditor, auditors, and technical experts.
As stated above, guidelines for the auditing of management systems, including OSH MS, are described in ISO 19011. In addition, ISO/IEC TS 17021-1 lays down the general requirements for all bodies providing audit and certification of management systems. It is complemented with ISO/IEC TS 17021-10 that contains the specific competence requirements for bodies providing audit and certification of occupational health and safety.
An auditor must have the necessary knowledge and skills to conduct an audit. An auditor must be correct, honest and discreet, with an open mind, ready to take alternative points of view or hypotheses into consideration, able to observe attentively the surrounding environment and the activities going on, able to adapt to different situations and to reach adequate conclusions based on logical reasoning and analysis, and capable of acting and performing activities independently while interacting effectively with other people.
An OSH management system auditor shall have knowledge and abilities in the following fields:
- principles of prevention, legal requirements;
- other requirements related to health and safety at workplace or environment, e.g. contractual conditions, standards or non-regulatory guidelines related to the work environment, work equipment, personal protective equipment;
- the requirements of the applied OSH MS standard and of the guidelines for its application, including procedures, work instructions, plans, programmes;
- identification of OSH hazards and effects on the exposed people (human injury or ill health incl. mental health problems), risk assessment methodologies, prevention and control strategies, good practices, results of studies and research;
- workplace and job design, processes, installations, machinery/work equipment, operating processes, procurement (including outsourcing and contractors), and work organisation;
- auditing principles, procedures and techniques.
The leader of an audit team must have additional knowledge and abilities in order to plan the audit and use resources efficiently, to represent the audit team in interactions with the client and the auditee, to organise and lead the audit team, to prevent or resolve any conflicts and to prepare and finalise the audit report.
Experts provide consultation or advice to the auditors regarding particular technical aspects of operations or of legal requirements, standards, etc.
A person can obtain the competencies and abilities necessary to perform auditing activities through a combination of education, training and experience. In some countries, e.g. Romania, ‘auditor of OSH management system’ is an officially recognised occupation and the auditor’s training is conducted by approved institutions, on the basis of specific occupational standards.
The competence of the auditor is essential in performing a good audit and in obtaining correct audit results. An auditor with a solid background in general audit techniques and OSH standard requirements, but with only a superficial knowledge of OSH regulations, procedures and standards, may be able to assess whether the requirements have been formally met, but at the same time would not be able to reveal major non-conformities of the organisation in taking appropriate measures to ensure the safety and health of workers.
Audit programme
Good practice recommends performing a series of audits based on a planned audit programme, with each audit conducted according to the audit planning. The management of the audit programme and the activities related to an audit should be in accordance with the guidelines of ISO 19011. Each audit programme has specific objectives, taking into account management priorities, OSH management system requirements, legal or contractual requirements and customer requirements.
The frequency and coverage of audits in an audit programme should be established taking into account the maturity of the system, the risk of failure of the various elements of the management system, the data obtained from the previous management review and the extent to which the OSH MS and the organisational activities are subject to changes. Audits must be carried out especially when changes occur in risk assessment or in the organisation, and when an increasing number or severity of incidents is observed.
An audit programme can include audit follow-up, as part of each audit or separately.
Internal audit programme
The objectives of the internal audit programme can be to evaluate the compliance of the OSH management system with the occupational safety and health standard (system level), to review and evaluate the performance and effectiveness of the OSH system (operational level) and to analyse the organisation’s capability to comply with legal requirements (compliance audit) or with some particular aspects (record management and documentation, incident management). It should be planned and established on the basis of the risk assessment and previous audits, and be maintained and implemented by the organisation. A typical internal audit programme includes a series of audits, is established for one year and covers all the areas and activities and all the audit criteria/requirements.
External audit programme: second and third-party audits
The objective of a second-party audit programme is usually to provide and maintain confidence in the capability of a supplier/contractor to respect the occupational safety and health requirements of an organisation. It should be planned on the basis of the assessment of the suppliers’ activities, the impact of the supplier’s risk assessment on the policy and objectives of the first organisation, and the results of the previous audits. A typical second-party programme length is six months.
The objective of a third-party audit programme is to evaluate the conformity/compliance of the OSH MS of an organisation with the requirements of an OSH standard or other recognised audit criteria. It is planned and established on the basis of the size of the organisation and the nature of the risks involved, following the procedures of the certification bodies. A typical certification/registration audit programme runs for three years and includes: an application and an agreed contract, a pre-audit (optional), review/examination of the documentation, certification auditing, at least two surveillance audits (typically at 6 and 12 month spans) and, where necessary, follow-up audits. Auditing undertaken for purposes of certification must cover all areas and activities within the scope of the OSH management system and must assess conformity with all the requirements of the standard to be applied.
Audit activities
The process of auditing originated in the domain of finance and accounting and was transferred to social audits and OSH MS audits.
An audit generally means an on-site audit. Activities in a typical on-site audit are:
- initiating the audit;
- conducting document review (analysis of the relevant documents of OSH MS, including records in order to determine their adequacy);
- preparing the activities to be undertaken during the on-site audit (audit-plan, tasks of audit team, check-lists, questionnaires);
- conducting the audit (opening meeting, communication modalities, collecting and verifying the information, generating the audit findings, preparing the audit conclusions, end meeting);
- preparing and communicating audit report;
- completing the audit (preparing, approval and transmission of the audit report);
- performing the audit follow up.
It is important for the auditor to use measurable audit criteria in order to minimize the subjectivity in evaluation.
The methods of collecting the necessary information are:
- examination of documents and records;
- direct observation of work activities and workplace conditions, including specific measurements to be assessed, e.g. exposure levels.
The audit should ensure that a significant part of the main activities is audited and that the personnel involved are interviewed, otherwise the audit will lead to incorrect conclusions. The review of documents and the on-site observation of equipment, facilities and activities should not be a formality but thorough. Auditors must be able to detect deficiencies in hazard identification and risk assessment, non-compliant equipment and non-conformities with regard to prevention and control measures. The personnel interviewed should include not only top management but also workers. The mandatory document of the International Accreditation Forum (IAF) on the certification of OSH MS states that the following persons need to be interviewed:
- the management with legal responsibility for OSH;
- employees' representative(s) with responsibility for OSH;
- personnel responsible for monitoring employees' health, for example, doctors and nurses;
- managers and permanent and temporary employees;
- if needed, other persons such as managers and employees performing activities related to the prevention of OSH risks, and contractors’ management and employees.
Interviewing workers should be an important part of an audit, to assess the extent to which the organisation has actually implemented OSH arrangements, the commitment of management, how internal communication is organised and the extent to which workers are involved in OSH. The audit report gives an overview of all the audit activities and presents a summary of the audit process, including obstacles that may affect confidence in the audit conclusion. It also presents the findings of the audit, including details of non-conformities and an overall audit conclusion. Internal or second-party audits may also include suggestions for improving the safety and health of the workers.
Use of audit findings in management review
Top management must periodically review the OSH MS to ensure its continuing suitability and effectiveness and to identify actions for improvement. The outputs of the audit programme are performance indicators, such as safety audits conducted and the percentage of sub-standard conditions identified and corrected as a result of the safety audit. These outputs are used as inputs to the top management review, together with other indicators of safety performance or measurements. The details of non-conformities found during the internal or third-party audit can be used in the management review to establish the weak points of the OSH management system and to adopt adequate measures to prevent other failures.
The findings and conclusions of internal audits whose objective is to review and evaluate the performance and effectiveness of occupational safety and health management systems are used to define new objectives for the OSH management system or to adopt measures for continual improvement of the system.
External audits and certification of the OSH management system
External audits of an OSH management system are carried out by independent auditors from an external organisation, the ‘certification body’; the applicant intends to make public to all interested parties the results attesting conformity. The audit criteria can be a standard, legal provisions or particular criteria.
In Europe, the Netherlands was the first country to set up an extensive infrastructure for certification, at the beginning of the 1990s, for the accreditation of bodies undertaking product certification (testing), certification of individuals and system certification, such as the Safety Certificate for Contractors in the chemical industry or the certification of asbestos removal firms. A certification body applies an external, third-party audit programme in order to assess and demonstrate the compliance of the OSH management system of an organisation with the requirements of the OSH MS standard. For the certification of an OSH MS in accordance with ISO 45001, certification bodies must hold an accreditation based on ISO/IEC TS 17021-1 and 17021-10 and use the mandatory document of the International Accreditation Forum (IAF), IAF MD 22:2019 – Application of ISO/IEC 17021-1 for the certification of occupational health and safety management systems.
When the audited organisation’s OSH management system fulfils the audit criteria, the certification body issues a written document, “the certificate”, attesting the conformity, and records data about the audited company in its client register. The attestation of the conformity of a system by an independent body is usually called “certification”, but the term “registration” is often preferred in North America.
Certification delivers “justified confidence” that the organisation meets the set of relevant requirements, which does not mean “certainty” or a “guarantee”, although it is often perceived that way and this is sometimes suggested by less scrupulous certifiers. Certification of the OSH management system is usually voluntary. Certification becomes effectively mandatory when an important potential client, such as a public organisation, requires suppliers to provide OSH management system certification as part of the tendering process. The reason for an organisation to apply for third-party certification/registration of its OSH management system is to increase the confidence of clients and other parties in its commitment to prevent accidents and ill health, and to upgrade its brand image.
In the early 2000s, few European companies were in favour of developing a national or international standard for OSH management systems. After the endorsement of a specific British standard, and especially after the approval of the first edition of the OHSAS 18001 standard, more and more companies in Europe asked for certification or registration of their OSH management system. The publication of the global standard for OSH MS (ISO 45001) in 2018 has further contributed to the number of companies that have taken the step of certifying their OSH MS. According to the ISO 2020 survey, around 190,000 businesses have already obtained an ISO 45001 certificate.
Weaknesses in certification of OSH management systems
Certification is supposed to add extra quality to the internal OSH management system, because the audits presumably ensure both compliance and a continuous focus on the improvement of health and safety at work, but this aim is not entirely reached due to the weaknesses of the process.
Traditionally, deviations and solutions are identified in management standards in such a way that they are seen as technical problems with unambiguous technical solutions. Both management and auditors tend to prioritise problems with a clear cause-effect relationship and for which there are often technical solutions, and to ignore more complex problems. Research has shown that auditors of OSH MS pay limited attention to psychosocial risks because they are often uncertain about how they should approach such risks. As a consequence, auditing practices do not ensure a consistent coverage of these issues in their audit reports.
The audits for certification require standardised solutions to OSH problems, and standardisation is therefore indirectly promoted in certified systems, but increased standardisation may in itself compromise areas such as the professional judgment of workers or more flexible solutions. In this way, the mechanisms of certification partly reconstruct the work environment that they are supposed to control.
OSH audits also fail when one of the following causes is involved:
- a lack of auditor independence (overt and intentional or covert) and a lack of skill (lacking in elements of technical or legislative knowledge), leading to confusing or misleading results or even to fraud;
- auditors focusing on the audit of documentation and failing to allow worker participation;
- paperwork for the sake of the audit – organisations generate and retain documentation in order to meet the audit criteria, overly prescribing work activities and making rules that are unworkable, with little impact on the actions that are necessary to make the workplace healthy and safe, and that may even prevent such actions;
- unintended consequences of audit scoring – organisations focus on the goal of passing an OSH management system audit at the expense of the more vital goal of making the workplace healthy and safe;
- the confusion of audit criteria – reductionist reporting of audit results (done or not done, good or bad) may oversimplify matters that should cause concern and the confusion of audit criteria with the OSH MS itself may divert attention away from actions to improve OSH and towards activities that ensure audit success.
Such aspects explain why a positive conclusion of an audit or certification of the occupational safety and health management system is not a guarantee of the compliance with all the requirements of OSH management system and may lead to a false sense of security and why serious accidents have happened soon after an on-site audit.
Even in organisations with successful implementation and certification of an OSH management system, it can be observed that performance for an external audience becomes the major issue for company management, and the demand for visible performance shifts the focus from internal identification and control of the work environment to the ability to demonstrate that the work environment is safe and problem-free. Management’s focus on safety, especially the system of monitoring safety, leads to a neglect of some areas, such as psychosocial issues, job intensity (related to work pressure and production goals), poor management and general concern for employee well-being. Auditors appear to accept these priorities, most of them identifying minor technical deviations and offering no comments on the exclusion of psychosocial risks.
Accreditation of certification bodies and their periodical independent evaluation focused on critical factors that may undermine the effectiveness of the audit procedures could minimise the impact of negative factors that lead to a false conclusion of the external audits.
References
- ISO 19011 Guidelines for auditing management systems.
- EN ISO 17021:2006, Conformity assessment – Requirements for bodies providing audit and certification of management systems, European Committee for Standardization (CEN), Brussels, 2002.
- Blewett, V., O’Keeffe, V., ‘Weighing the pig never made it heavier: Auditing OHS, social auditing as verification of process in Australia’, Safety Science, Vol. 49, Issue 7, August 2011, pp. 1014-21.
- Zwetsloot, G. I.J.M., Hale, A., Zwanikken, S., ‘Regulatory risk control through mandatory occupational safety and health (OSH) certification and testing regimes (CTRs)’, Safety Science, Vol. 49, Issue 7, August 2011, pp. 995-1006.
- IAF MD22:2019 Application of ISO/IEC 17021-1 for the Certification of Occupational Health and Safety Management Systems (OH&SMS).
- BSI – British Standards Institution, BS 8800:1996 Occupational health and safety management systems. Specifications, BSI, London, 1996.
- BSI – British Standards Institution, OHSAS 18001:2007 Occupational health and safety management systems, Requirements, BSI, London, 2007.
- BSI – British Standards Institution, OHSAS 18002:2008 Occupational health and safety management systems Guidelines for the implementation of OHSAS 18001:2007, BSI, London, 2008.
- ISO, ISO survey 2020.
- Hohnen, P., Hasle, P., ‘Making work environment auditable – A ‘critical case’ study of certified occupational health and safety management systems in Denmark’, Safety Science, Vol. 49, Issue 7, August 2011, pp. 1022-29.
- Hohnen, P., Hasle, P., ‘Third party audits of the psychosocial work environment in occupational health and safety management systems’, Safety Science, Vol. 109, 2018, pp. 76-85.
Links for future reading
EU-OSHA – European Agency for Safety and Health at Work, The use of occupational safety and health management systems in the member states of the European Union – experiences at company level, 2002.
EU-OSHA – European Agency for Safety and Health at Work, Improving compliance with occupational safety and health regulations: an overarching review, 2021.
EU-OSHA – European Agency for Safety and Health at Work, EU-OSHA review of successful Occupational Safety and Health benchmarking initiatives, 2015.