An internal safety audit program is used by an organization to evaluate the effectiveness of the procedures and processes used to meet OHS legislative and other statutory administrative requirements.
An internal safety audit schedule is a considered approach by an organization to identify the extent and methods by which to conduct safety related audit verification activity. The internal audit is also global best practice in safety management systems.
It’s also a vital internal quality check on safety systems and operations. The internal safety audit is a particularly useful management tool for ensuring that the safety management is being conducted efficiently and properly at all levels.
A senior manager should actively participate in the internal audit to ensure currency of management information and proper critical organization-wide scrutiny of administrative and operational functions.
Internal audit scope
The organization will need to identify the types of internal audit activity to be conducted.
These can include one or more of the following audit activity types:
- Safety management system (SMS) audit – system level
- Procedural compliance audit – operational level
- OHS legislative compliance audit – analyzing compliance capability
- Incident management
- Reporting systems
- Records management and documentation
A determination of audit types will be based on requirements defined within the safety management system. Factors relevant to the audits may involve the level of maturity of the SMS, policy initiatives and implementation, and similar issues. The knowledge and understanding of key stakeholders within the organization and Further organizational factors (e.g. number of sites, geographical locations, State, national or international application) may also apply.
Having identified the types of internal audit activity to be conducted, the organization will need to consider the most suitable audit delivery options and scheduling. Best practice is a standardized, thorough and transparent methodology which provides clearly defined outcomes to compliment an organization’s business goals and objectives.
These considerations will include one or more of the following points:
- Mandatory audit requirements (e.g. Defined by statutory authority) – These very useful audit areas may include self-insurers annual requirements for audit activity to be conducted for inclusion in reporting requirements. The internal audit in these cases can also act as “radar” for management, ensuring compliance issues are under proper scrutiny.
- Size of organization and geographical locations – Consideration should be given to the different types of activities (and risk potential) within an organization, similarity of activities at different locations to evaluate uniformity of application, geographical locations that may impact on audit schedule delivery. This approach additionally allows for targeting of areas related directly to policy implementation.
- Identified high risk potential subject areas – These areas naturally have high priority in an SMS. Any high-risk areas identified because of statistical analysis or management review require audit verification to assist in implementing strategic management.
- Changes in legislation or organizational structure – Changes in legislation or organizational structure that may impact on the capacity to implement safety requirements. (Note: Legislative changes usually include a time frame for compliance and may involve significant modifications to the SMS. It’s strongly advised that all compliance issues are included in the audit to ensure management has adequate information regarding these matters.)
- Resource base from which the organization can allocate qualified and competent auditors to conduct the audit verification activity type – Requirements of the provision of internal or external resources depending on scope of activity to meet audit needs. The resource base must be able to deliver the necessary standard of auditing to ensure SMS efficiency and compliance.
- Organizational planning and development cycles – Planning of audits to align provision of audit reports with review cycles. This planning is a particularly useful management tool which can ensure proper control and timeliness of operational data. The forward planning also ensures well integrated SMS reporting.
- Prioritized activities (e.g. Based on risk evaluation or business need) – which will impact on implementation of safety requirements.
Internal Audit schedule detail
The internal audit schedule should be owned by a person who has authority to manage and review the implementation of the schedule. Senior management should have direct oversight of the process, to allow checks on audit functions and efficiency.
The internal audit schedule will provide, as a minimum the following information:
- The type of audit to be conducted
- The expected timeframe in which the audit is to be conducted
- The lead auditor responsible for the audit activity
- Location of the audit
- Timeframe for final report
Common Problems Faced During Internal Audits
One major issue in relation to developing internal audit schedules is that they either do not meet organizational needs and/or merely aim to achieve a level of conformance with statutory body requirements of regulators.
This is quite inadequate and may expose organizations to serious liabilities. To ensure a fully functional SMS which can deal with all safety issues and meets the standards of both statutes and major legal claims, the organization must ensure that the internal audit is conducted on a holistic, best practice, basis in which all areas of liability, risk management and safety are properly audited. The SMS must achieve full coverage of all potential liabilities.
Conversely, the needs of internal audits may exceed the capacity of the organization to meet the requirements defined therein. The organization may lack the expertise required to deal with some areas of risk management. Any internal audit carried out on this basis will inevitably be inadequate and can create a risk of serious deficiencies in the SMS.
Another key problem is to ensure that audit competency (either internal or external) is at a level to achieve a suitable outcome as defined within the internal audit schedule, e.g. There are serious risks in using auditors to conduct compliance audits without the necessary understanding in relation to legislative application of requirements.
It is essential that any audit of an SMS is conducted by auditors having:
- The correct level of audit experience
- Comprehensive experience in statutory compliance, including both self-insurance regulatory requirements and any other relevant statutory issues
- A strong knowledge base and resources, including relevant industry knowledge where applicable
- Proper accreditation for the audit operations required
The safest approach to these issues is to obtain professional guidance. The best SMS consultants can meet all these criteria and can also provide ongoing support and services as required.