Auditing Occupational Health & Safety Management Systems Body of Knowledge (BoK) Interactive Version

Backgroun​d

AIHA®, in collaboration with Enlar® Compliance Services, Inc. (ENLAR), worked to develop this technical framework, known as a Body of Knowledge (BoK), to outline the knowledge and skills a person needs to be competent to perform occupational health and safety (OHS) management system audits. This BoK provides structure while allowing for sufficient flexibility for individual companies/organizations to assess the competence of their audit teams relative to their particular business environment/scale and complexity of operations.  This technical framework was developed to be consistent and aligned with ISO 19011:2011, Guidelines for auditing management systems and with ISO/IEC 17021-1:2015, Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 1: Requirements.

In April 2016, AIHA conducted a Job Task Analysis (JTA) survey of its members, allied professionals and external stakeholders to determine which competencies were identified as most important in performing OHS management system audits.  The survey results were used to finalize the content of this BoK document.

This BoK has been developed to assist organizations in assessing the competence of individuals as auditors in relation to the objectives that have been set for their internal audit programs. It sets out generic auditor competence criteria that will need to be supplemented by criteria specific to the organization and its technical sector.

This BoK document will be used by AIHA to establish a framework for training programs and competency assessment tools for OHS management system auditors. It’s not intended to define or stipulate employer hiring criteria. It is the employer’s responsibility to ensure that each employee understands his or her specific job and has met the minimum criteria established by relevant regulations, standards, and the specific industry, facility, or project.


OHS Man​agement Systems

OHS Management Systems (OHS MS)

Increasingly, organizations are using a management system approach in managing their OHS programs and improving their OHS performance. The use and popularly of management system standards has increased steadily over the last 20 years. According to a 2011 BSI survey, there were over 100,000 organizations in 127 countries who had certified their OHS management system.  

Currently, there are many different OHS management system standards in use around the world, including OHSAS 18001, ANSI Z10 and CSA Z1000. In order to develop a harmonized approach to OHS management systems, work is underway to develop ISO 45001, Occupational health and safety management systems, Requirements with guidance for use. This standard is scheduled for publication in 2017.

OHS MS Audit​ing

One of the fundamental requirements for an OHS management system is planning and conducting audits as part of a comprehensive internal audit program. An important component of an effective audit program is ensuring the competence of the individuals who plan and conduct the audits.  This includes the auditors, audit team leaders and the audit program manager. Confidence in the results of an audit is often heavily dependent on confidence in the competency of those who conduct the audit. 

The evaluation of individual auditor competence needs to be planned, implemented and documented in accordance with the audit procedures established by an organization. It is the responsibility of the organization to determine that the competence of a particular individual meets the criteria established by that organization based on its needs and applicable legal and other requirements.


Occupational Health & Safety Management System Audit Requirements​

OHS MS Audit Scope/Purpose/Requirements

It is important to distinguish the purpose and intent of a management system audit from other types of assessments, such as inspections and regulatory compliance evaluations. As set out in ISO 19011, an audit is defined as a systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled. Key to this definition is the concept of independence. Auditors are expected to be independent from the functions they are auditing in order to maintain impartiality and objectivity.  Ensuring that this independence is maintained throughout the audit process is important to ensuring the credibility of the audit findings.

There are several requirements set out in OHS management system standards (i.e. OHSAS 18001, ANSI Z10 and ISO/DIS 45001) that organizations are required to meet when establishing and implementing an OHSMS audit program.  These include the following:

  • Defining appropriate audit criteria and scope of each audit that is performed

  • Selecting competent auditors and ensuring objectivity and impartiality throughout the audit process

  • Preparing an audit plan for each audit

  • Utilizing appropriate audit processes and methodologies in collecting and verifying information

  • Ensuring that the results of audits are communicated to relevant individuals

Auditors performing OHSMS audits need to be aware of these audit program requirements and must be able to successfully perform the audit tasks they are assigned.

OHS MS Audit Team

There are often several individuals involved in an audit.  This typically includes the following:

  • Audit Client – The individual or organization who requested the audit. This is the primary recipient for whom the audit report is prepared. For internal audits, this is typically top management of the organization.

  • Audit Program Manager – The individual assigned responsibility for the overall coordination and direction of all audits.

  • Auditors – Individuals who conduct the audit.

  • Audit Team Leader – Individual assigned overall responsibility for conducting the audit.

  • Technical Expert – Individual who provides specific knowledge or expertise to the audit team but who do not act as an auditor. An example would be a translator.

  • Auditee and Guides – Organization being audited and the individuals appointed by the auditee to assist the audit team.

  • Observers – Other individuals (e.g. regulators or other interested parties) who may accompany the audit team. They should not influence or interfere with the audit.

It is not necessary for each auditor in an audit team to have the same level of competence; however, the overall competence of the audit team needs to be sufficient to achieve the objectives established for the audit. When an audit is conducted by a single person, the auditor needs to possess the knowledge and skills needed to complete all aspects of the audit. This includes some of the knowledge and skills needed by an Audit Team Leader, which can include: competence in planning the audit, considering confidential/proprietary information, addressing any conflicts or issues that arise, assessing whether the audit objectives have been achieved, communicating and documenting the audit results in an audit report.

In order to conduct management system audits, each auditor must possess both audit process related knowledge and skills and discipline-specific (i.e. OHS) knowledge and skills. In addition, auditors must possess organizational knowledge/philosophy applicable to the specific organization being audited.  This organization-specific information would include knowledge about an organization’s business and management practices, an understanding of the types of hazards and nature of risks related to the activities being audited and an understanding of relevant legal and contractual requirements.

As set out in ISO 19011, the process used for evaluating the competence of audit personnel should include the following four steps (from section 7.1 of ISO 19011:2011):

  1. Determining the competence necessary to fulfill the needs of the audits to be performed;

  2. Establishing evaluation criteria;

  3. Selecting appropriate evaluation methods; and

  4. Conducting the evaluation.

Evaluation of auditor competence is the responsibility the audit program manager. This BoK has been developed to assist audit program managers in making this competency determination. It does not define the organizational-specific knowledge that would be needed.

Various means of assessing auditor competence can be used. This includes the following auditor evaluation methods (from section 7.4 of ISO 19011:2011): 

  • Review of records, including records of education, training, experience and professional credentials and certificates;

  • Performance feedback, including peer reviews, scenario assessments, post-audit surveys and witnessed audits; and

  • Interviews and testing, including personal interviews, written examples and psychometric testing.

OHS MS Audit ​Stages

There are three stages of an OHS management system audit – 1) planning the audit, 2) conducting the audit and 3) preparing, reviewing and communicating audit results.  The following section of this BoK document outlines the knowledge and skills needed by auditors for each of these audit stages.


Competence ​Requirements for OHSMS Auditors

1.0 Planning OHS Management System Audits

Auditors

1.1. Apply knowledge of the principles and concepts common to all management system standards

1.2. Understand the terminology commonly used in OHS management system standards

1.3. Apply knowledge of the management system auditing principles, including the need for ethical conduct

1.4. Apply knowledge of the audit practices and techniques that are appropriate for conducting OHS management system audits and sufficient for determining if an OHSMS management system has been effectively implemented

1.5. Create a written audit plan to complete assigned audit tasks in accordance with a defined audit schedule

1.6. Understand the OHS management system requirements set out in OHSMS standards (i.e. those set out in OHSAS 18001, ANSI Z10 and ISO/DIS 45001) for the following:

1.6.1. Identifying hazards 

1.6.2. Assessing OHS risks

1.6.3. Identifying legal and other requirement and assessing compliance

1.6.4. Ensuring competence and awareness of those performing work for the organization

1.6.5. Selecting and implementing operational controls

1.6.6. Preparing for and responding to emergency situations

1.6.7. Promoting communication and encouraging worker participation

1.6.8. Monitoring, evaluating and reporting on OHS performance

1.6.9. Evaluating and responding to incidents (i.e. incident investigation)

1.6.10. Responding to non-conformances and undertaking corrective action

1.6.11. Assessing and improving the performance of an OHS management system

1.7. Understand how OHS management system standard requirements are typically implemented within an organization

1.8. Understand the legal issues associated with performing OHS management system audits and the means typically used for minimizing liability risks, including special considerations related to handling personal and health-related information (e.g. privacy of personal data, confidentiality concerns, and any independent regulatory reporting obligations that may arise)

1.9. Understand the types of risks related to management system auditing and means typically used for addressing them

Audit Team Leaders – In addition to competence requirements set out for Auditors:

1.10. Assign audit tasks to audit team members taking into account the type and level of competence needed to perform those tasks

Audit Program Managers

1.11. Basic understanding of the OHS management system requirements set out in OHSMS standards as set out for Auditors above.

1.12. Assess the resources needed to achieve the objectives established for the audit program

1.13. Establish the procedures needed for implementing and maintaining the audit program

1.14. Understand the types of audit methodologies that are appropriate for conducting OHS management system audits

1.15. Understand the types and level of competence needed to perform OHS management system audits and methods used for assessing competence

1.16. Establish objectives, scope and criteria for individual audits and to assign audit responsibilities based on competencies needed

1.17. Identify and evaluate risks related to achieving the objectives established for the audit program 


2.0 Conducting OHS Management System Audits

Auditors

2.1. Use information collection methods (interviews, observations and review of data) appropriately to collect audit evidence

2.2. Conduct interviews to obtain relevant information using well-formatted questions and ability to listen to understand and evaluate the answers

2.3. Record and take notes (i.e. create audit working papers)

2.4. Evaluate information using relevant sampling techniques

2.5. Review management system documentation for conformance with the requirements set out in management system standards

2.6. Understand the processes, procedures and methodologies commonly used by organizations within their OHS management systems for the following:

2.6.1. Identifying hazards

2.6.2. Assessing OHS risks 

2.6.3. Identifying legal and other requirement and assessing compliance

2.6.4. Ensuring required competence and awareness of those performing work for the organization

2.6.5. Promoting communication and encouraging worker participation

2.6.6. Selecting and implementing appropriate operational controls

2.6.7. Preparing for and responding to emergency situations

2.6.8. Monitoring, evaluating and reporting on OHS performance

2.6.9. Evaluating and responding to incidents (i.e. incident investigation)

2.6.10. Responding to non-conformances and undertaking corrective action

2.6.11. Assessing and improving the performance of an OHS management system

2.7. Apply knowledge of relevant performance evaluation methods, including the development and use of performance indicators, for determining if the organization’s monitoring of its OHS performance is appropriate

2.8. Awareness of important considerations when communicating information about OHS risks and management system requirements 

2.9. Knowledge of the role of Top Management leadership and the impact of organizational culture in supporting and promoting an OHS management system

2.10. Organize work in order to complete an audit that achieves the established audit objectives within an agreed upon audit schedule

Audit Team Leaders – In addition to competence requirements set out for Auditors:

2.11. Organize and direct the audit team members to ensure completion of the audit in accordance with the audit schedule

2.12. Resolve conflicts and redirect audit activities to achieve the audit objectives 

2.13. Provide direction and guidance to the audit team members

Audit Program Managers

2.14. Recognize and take the steps needed to ensure the effective implementation of the audit program and completion of individual audits


3.0 Preparing, Reviewing & Communicating Audit Results

Auditors

3.1. Assess the relevance, accuracy and reliability of collected information

3.2. Write appropriate audit findings

3.3. Present and/or communicate audit findings so they are easily understood

Audit Team Leaders – In addition to competence requirements set out for Auditors:

3.4. Resolve conflicts and lead the audit team in reaching consensus conclusions

3.5. Ensure completion of the audit report in accordance with the audit schedule

Audit Program Managers

3.6. Ensure completion of individual audits in accordance with their established audit schedules

3.7. Communicate audit results to the audit client and appropriate personnel

3.8. Ensure audit records are retained appropriated

3.9. Track and monitor the effective implementation of the audit program​​​​​​​​