ISO 45001 Clause 9.2

Internal audits are not paperwork - they are how the organisation finds problems before someone else does.

ISO 45001 Clause 9.2 - Internal Audit of the OH&S Management System

ISO 45001 Clause 9.2 requires the organisation to conduct internal audits at planned intervals, to confirm that the OH&S management system conforms to the standard and to the organisation's own requirements, and is effectively implemented and maintained.

The clause is split into 9.2.1 General (what audits are looking for) and 9.2.2 Internal audit programme (how the programme is planned, run, reported and acted on). UK organisations also commonly use internal audits to verify ongoing legal compliance and to feed into the management review under 9.3.

What Clause 9.2.1 Asks For

The organisation must conduct internal audits at planned intervals to provide information on whether the OH&S management system:

  • Conforms to the organisation's own requirements for the management system, including the OH&S policy and OH&S objectives
  • Conforms to the requirements of ISO 45001:2018
  • Is effectively implemented and maintained

What Clause 9.2.2 Asks For - The Audit Programme

The organisation must plan, establish, implement and maintain an audit programme, taking into account the importance of the processes concerned and the results of previous audits. Specifically the programme must address:

  • Frequency, methods, responsibilities, consultation, planning and reporting
  • Defined audit criteria and scope for each audit
  • Auditor selection that delivers objectivity and impartiality
  • Reporting of audit results to relevant managers, with results communicated to workers, worker representatives and other relevant interested parties
  • Action to address nonconformities and continually improve OH&S performance
  • Documented information as evidence of programme implementation and audit results

Practical Compliance Guidance

alphaZ document - How to use it

  • ISO 45001 Toolkit - Complete document set for an ISO 45001 management system, including the audit schedule, checklist and report templates listed below.
  • ER11 Audit Schedule - The forward-looking audit programme for the year. Records what will be audited when, by whom, and against which criteria. Required documented information for 9.2.2.
  • A-C ISO 45001 Internal Audit Checklist - The clause-by-clause audit checklist. Used during each audit to provide consistent coverage of the standard's requirements and the organisation's own requirements.
  • F-Q31 Audit Report Template - The standard format for capturing audit findings, observations and nonconformities. Pairs with F-Q16 Improvement Request to track actions through to closure.

For more on these documents see the ISO 45001 Toolkit.

Internal audits should cover all of the standard's requirements, but you do not need to do it in one sitting. Plan the year so that every clause is covered at least once across the schedule. The clause-by-clause checklist is a good starting point - it gives you the structure, and you tailor the depth based on risk and previous findings.

Some organisations see internal audits as painful. They do not have to be. Wrap them into site walkrounds, monthly inspections, or supplier visits. Done well, audits give you advance warning of problems instead of telling you about them after the customer or the regulator has noticed.

I check three things on 9.2. Is there a current audit schedule that actually covers the whole standard over the cycle? Are auditors independent of what they are auditing? And have findings been actioned and closed? An audit schedule with no completed audits, or audits with open findings older than 12 months, is a red flag.

Health and safety audits do more than tick boxes. They surface near-miss patterns, missing risk assessments, contractor gaps and training shortfalls before someone gets hurt. Worth the effort.

Auditor Independence

Clause 9.2.2 requires auditors to deliver objectivity and impartiality. In practice that means an auditor cannot audit their own work, but they can be a colleague from a different team or function. Many organisations use a mix of internal auditors trained in-house and occasional external auditors for higher-risk areas. The principle is simple: the auditor must be in a position to report findings honestly, regardless of who is responsible.

What Happens After an Audit?

Audit findings need a clear route to closure. Nonconformities go through corrective action under Clause 10.2 - logged, root cause identified, action taken, effectiveness checked. Observations and improvement opportunities feed into the issues and actions register or the improvement request form. Audit results are reported to relevant managers and communicated to workers - this is a specific requirement, not optional.

Frequently Asked Questions

The standard says at planned intervals, taking into account the importance of the processes and previous audit results. Most organisations cover the full standard once per certification cycle - either annually as one big audit or split across the year as smaller clause-focused audits. Higher-risk areas may need more frequent attention.

Yes - many organisations train internal auditors from within the workforce. The key is independence from the area being audited and competence to carry out the audit. Auditor competence is set out in ISO 19011 and applies to ISO 45001 audits.

Not necessarily. The standard requires the programme to give confidence that the management system is effective. A risk-based programme that covers the whole standard over a defined cycle (often 12 months for smaller systems, 2-3 years for larger ones) is acceptable provided the rationale is documented and significant changes trigger additional audits.

The clause requires relevant audit results to be communicated to workers and worker representatives. Common methods include safety committee meetings, team briefings, noticeboard summaries, intranet articles or toolbox talks. The communication should match the significance of the findings - a major finding warrants more than a notice on a board.

UK Legislation

Internal auditing supports compliance with UK statutory monitoring and review duties.
