An ISO 45001 audit can create pressure — particularly if your health and safety management system has grown organically rather than being built to the standard's requirements from the outset. But with the right preparation, an audit is an opportunity to demonstrate that your OHSMS is genuinely effective and properly evidenced.

This guide draws on direct experience of ISO 45001 certification and surveillance audits across construction, manufacturing and engineering businesses. It covers what auditors look for, where organisations typically fall short, and how to make sure your system is ready.

What Is ISO 45001?

ISO 45001:2018 is the international standard for Occupational Health and Safety Management Systems. It replaced OHSAS 18001 in 2018 and introduced a stronger emphasis on leadership commitment, worker participation, and the integration of health and safety into broader business processes.

Certification to ISO 45001 is voluntary but increasingly expected in supply chain pre-qualification processes — particularly in construction, manufacturing and facilities management. Many clients require it as a minimum standard before awarding contracts.

Understanding The ISO 45001 Audit Process

ISO 45001 audits are conducted by an accredited certification body (CB). There are two types of scheduled audit:

  • Stage 1 audit — a documentation review, typically conducted remotely. Auditors review your OHSMS documentation against the requirements of the standard and identify any gaps that must be addressed before Stage 2.
  • Stage 2 audit — the on-site assessment. Auditors verify that your documented system is actually implemented across the organisation. They will interview staff, inspect records and visit operational areas.
  • Surveillance audits — once certified, you will receive surveillance audits (typically annual) to maintain certification. Recertification audits occur every three years.

Important: A Stage 1 finding that reveals a major nonconformity — a requirement of the standard not met at all — will prevent your Stage 2 audit from proceeding until the gap is closed. Don't treat the Stage 1 as a box-ticking exercise.

The Seven Most Common ISO 45001 Audit Findings

Based on experience of preparing organisations for certification, these are the gaps that appear most consistently:

1. Leadership Has Not Demonstrated Visible Commitment

ISO 45001 Clause 5 places specific duties on top management — not just the H&S manager. Auditors will interview senior leaders and ask about their involvement in the OHSMS. Common gaps include senior managers who cannot articulate the OH&S policy, who have not participated in system reviews, and who have not visibly allocated resources to health and safety.

Preparation: ensure your leadership team is briefed on the standard's expectations of them personally, not just the H&S function.

2. Context and Interested Parties Are Not Documented

Clause 4 requires organisations to identify the external and internal factors relevant to their OHSMS (the 'context of the organisation') and to understand the needs and expectations of interested parties. Many organisations have never formally documented this.

Preparation: produce a documented context analysis covering: the nature of your operations and their risks; relevant legal and regulatory requirements; client and supply chain expectations; and any other external factors (industry trends, regulatory changes) that affect your OH&S management.

3. Risk and Opportunity Assessment Is Generic

Clause 6 requires a systematic process for identifying risks and opportunities to the OHSMS itself — distinct from operational risk assessments. Many organisations conflate these. Auditors expect to see a structured process for assessing what could prevent the management system from achieving its objectives, and what opportunities exist to improve it.

4. Objectives Are Not Measurable Or Tracked

Clause 6.2 requires OH&S objectives that are measurable, consistent with the policy, and that the organisation plans to achieve. Objectives such as "to improve our health and safety performance" are not sufficient. Auditors will look for specific, time-bound targets with documented plans for achieving them and evidence that progress is monitored.

5. Competence Records Are Incomplete Or Not Current

Clause 7.2 requires organisations to determine the competence needed to affect OH&S performance, ensure that workers are competent, and retain appropriate documented evidence. This is consistently one of the most common audit findings. Training records that are out of date, not role-specific, or held in formats that are difficult to retrieve will generate a nonconformity.

Preparation: audit your own training and competency records before the auditor does. Ensure you can demonstrate, for every role that influences OH&S performance, what competence is required, who holds it and when it expires.

6. Internal Audit Has Not Been Completed Or Is Not Systematic

Clause 9.2 requires a programme of internal audits conducted at planned intervals. Many organisations have completed a single internal audit before certification and have not maintained the programme systematically. Auditors will expect to see a multi-year audit programme, evidence of completed audits across different parts of the organisation, and records showing that nonconformities from internal audits have been tracked to closure.

7. Management Review Has Not Addressed All Required Inputs

Clause 9.3 specifies the inputs that a management review must address — including monitoring results, audit results, incidents, consultation and participation, risks and opportunities, and actions from previous reviews. Many management reviews are too brief or informal to demonstrate that all required inputs were genuinely considered and minuted.

Preparing Your Documentation

ISO 45001 requires a defined set of documented information. The standard uses "shall be maintained" for documents (procedures, policies) and "shall be retained" for records (evidence of activities). Before your audit, verify that you hold:

  • OH&S policy (Clause 5.2)
  • Scope of the OHSMS (Clause 4.3)
  • Documented context and interested party analysis (Clause 4.1 and 4.2)
  • Hazard identification and risk assessment process (Clause 6.1.2)
  • OH&S objectives and plans (Clause 6.2.2)
  • Competence and training records (Clause 7.2)
  • Internal communication and consultation evidence (Clause 7.4)
  • Operational controls (Clause 8.1)
  • Emergency preparedness and response procedures (Clause 8.2)
  • Monitoring and measurement results (Clause 9.1)
  • Compliance evaluation records (Clause 9.1.2)
  • Internal audit programme and records (Clause 9.2)
  • Management review minutes (Clause 9.3)
  • Incident investigation records (Clause 10.2)
  • Nonconformity and corrective action records (Clause 10.2)

Preparing Your People

An on-site ISO 45001 audit is as much a test of your people as your documentation. Auditors will interview workers at all levels — from operatives to directors. Typical questions include:

  • "Can you tell me about your organisation's health and safety policy?"
  • "What would you do if you identified a hazard?"
  • "Have you had any health and safety training recently? What was it?"
  • "Have you ever raised a health and safety concern? What happened?"
  • "Are you aware of any near misses or incidents that have been reported recently?"

Workers do not need to know the standard — they need to know your system. Brief them on the policy, the reporting process, what happened after recent incidents, and what training they have received.

The Role Of A Compliance Management System

A recurring challenge in ISO 45001 audits is producing evidence quickly. Auditors ask for specific records — a training record for a named individual, the investigation report for a particular incident, evidence that a corrective action from the last audit was closed — and organisations struggle to retrieve them promptly from fragmented filing systems.

A compliance management system like SRM Genie addresses this directly. Training records, incident investigations, audit findings, corrective actions and competency evidence are all held centrally and accessible immediately. When an auditor asks for evidence, it takes seconds rather than hours to produce.

Using SRM Genie for ISO 45001 audit preparation: SRM Genie's training and competency module, audit management module, incident investigation records, corrective action tracking and policy management system provide the documented evidence that ISO 45001 clause-by-clause requirements demand. Book a demonstration to see how it works in practice.

Your ISO 45001 Audit Preparation Checklist

Use this checklist to structure your preparation in the weeks before an audit:

Eight Weeks Before

  • Complete a gap analysis against all ISO 45001 clauses
  • Commission or complete an internal audit if not done within the last 12 months
  • Review management review minutes and ensure all required inputs are covered
  • Check that OH&S objectives are documented with measurable targets and status

Four Weeks Before

  • Audit your training and competency records — check for gaps, expired certificates
  • Verify that all internal audit corrective actions are closed or have a clear status
  • Ensure all required documented information is retrievable quickly
  • Check that context and interested party analysis is documented

Two Weeks Before

  • Brief leadership team on Clause 5 expectations of top management
  • Brief workers on the policy, reporting process and recent incidents
  • Test retrieval of key records — can you find what an auditor might ask for?
  • Compile a list of recent incidents, near misses and their investigations

After The Audit

If your audit identifies nonconformities, respond constructively. Minor nonconformities require a corrective action plan within an agreed timescale (typically 30–90 days for surveillance audits). Major nonconformities require root cause analysis and robust corrective action before certification can be granted or maintained.

The goal of ISO 45001 is a management system that genuinely reduces risk — not one that only looks good on paper. Treat audit findings as useful feedback about where the system needs strengthening, and use them to drive genuine improvement.

Need Support With ISO 45001 Preparation?

Liam Scott is a Chartered Fellow of IOSH (CFIOSH) with direct experience of ISO 45001 certification and audit preparation across multiple sectors. SRM Genie provides the documented evidence your system needs.
