HEALTH & SAFETY

INTERNAL AUDIT METHODOLOGY

1. AUDIT METHODOLOGY
1.1 Introduction
This internal health and safety audit methodology provides guidance to auditors and auditees on the internal health and
safety audit process.

The internal audit methodology ensures that Occupational Health and Safety Management System (OHSMS) audits are
conducted to a consistent standard, allowing verification that the OHSMS:
 complies with planned arrangements;
 has been properly implemented and maintained; and
 is effectively implemented throughout the University of Melbourne.

The internal audit methodology includes:

 auditor selection and competencies
 audit Frequency
 audit schedule
 audit scope
 definitions for audit reports
 audit process requirements
 audit opening meetings
 audit closing meetings
 audit report requirements and template
 audit report distribution

1.2 Auditor selection and competencies

The Associate Director, Audit Assurance Services shall ensure that auditors are independent of the OHSMS
component(s) that they are auditing through:
 selecting auditors who have not provided health and safety services, advice or consultancy to the auditee area for
at least two years prior to the commencement of the audit; or
 putting in place suitable arrangements to manage any potential conflicts of interest where auditors have provided
health and safety services, advice or consultancy to the auditee area in the two years prior to the commencement
of the audit.
The Associate Director, Audit Assurance Services shall select auditors that are sufficiently qualified, competent and
experienced to perform health and safety audits. Where the auditor(s) are not sufficiently qualified, competent and
experienced, the auditor(s) may be supported by other experts to enable them to perform audits competently.

www.safety.unimelb.edu.au HEALTH & SAFETY: INTERNAL AUDIT METHODOLOGY 1 of 9

Date: January 2017 Version: 1.0 Authorised by: Associate Director, Health & Safety Next Review: January 2022
© The University of Melbourne – Uncontrolled when printed.
When determining the suitability of auditors the Associate Director, Audit Assurance Services shall take into account the
following criteria:

Essential
 relevant tertiary qualifications;
 knowledge of current Victorian Occupational Health and Safety legislation;
 successful completion of a recognised health and safety auditor training course; and
 at least one year’s experience in a health and safety role.

Preferable
 five years of work experience with at least three years of experience in an health and safety role;
 relevant tertiary qualifications;
 successful completion of a recognised health and safety auditor training course;
 knowledge of current Victorian Occupational Health and Safety legislation; and
 experience conducting at least four OHSMS audits, totaling not less than 20 days on site, within the last three years,
against the NAT, AS/NZS 4801:2001 or equivalent.

1.3 Audit frequency

Each Faculty, Division, Auxiliary Operation and wholly owned subsidiary should be audited at least once over a four-year
cycle.

The Associate Director, Audit Assurance Services, in consultation with the Associate Director, Health & Safety, shall
assess each Faculty, Division, Auxiliary Operation and wholly owned subsidiary, and determine a nominal risk
classification, based on the known operational risks of the organisation.

Some Faculties or Divisions may have departments with nominal risk classifications that vary from the overall risk of the
Faculty or Division.

1.3.1 Risk classifications

High risk
Where multiple regulated hazards are present in a significant proportion of the workplace operations, eg. construction
work, electrical work, working at heights, hazardous substance, dangerous goods, hazardous building materials,
registrable or regulated plant, confined spaces, hazardous manual handling and/or occupational noise.

Moderate risk
Where only a single regulated hazard is present in a significant proportion of the workplace operations, or where
multiple regulated hazards are present, but in less than a significant proportion, of the workplace operations, eg.
construction work, electrical work, working at heights, hazardous substance, dangerous goods, hazardous building
materials, registrable or regulated plant, confined spaces, hazardous manual handling and/or occupational noise.

Low risk
Where regulated hazards are generally not present in the workplace operations. This includes office-based
administrative operations, and non-laboratory or workshop-based teaching/learning/research operations.

www.safety.unimelb.edu.au HEALTH & SAFETY: INTERNAL AUDIT METHODOLOGY 2 of 9

Date: January 2017 Version: 1.0 Authorised by: Associate Director, Health & Safety Next Review: January 2022
© The University of Melbourne – Uncontrolled when printed.
Table 1 describes the frequency of internal audits according to the nominal risk classification:

RISK CLASSIFICATION NOMINAL AUDIT FREQUENCY

NOMINAL RISK CLASSIFICATION
High 2 years
Moderate 3 years
Low 4 years
Table 1: Frequency of internal audit based on risk classification

The Associate Director, Audit Assurance Services, in consultation with the Associate Director, Health & Safety, may
increase internal audit frequency for any audited organisation for one or more of the following reasons:
 significant adverse findings resulting from an internal audit;
 significant adverse findings resulting from an external audit;
 significant escalation in claims or incident frequency rate;
 significant escalation in regulatory activity; or
 other information that may indicate the OHSMS is not performing optimally.

1.4 Audit schedule

The Associate Director, Audit Assurance Services, in consultation with the Associate Director, Health & Safety, shall
develop the internal audit schedule. The schedule shall be based on:
 previous audit results;
 the nominal risk classification of the Division or local area; and
 where applicable, any of the reasons for varying audit frequency that are listed in Section 1.3.

1.5 Audit scope

The Associate Director, Audit Assurance Services, in consultation with the Associate Director, Health & Safety, shall
provide broad instruction to the auditor(s) for each internal audit, by nominating audit workbook subjects to be
assessed.
Audit workbook subjects include:
 policy
 legal requirements and practical guidance
 management plans
 objectives and targets
 structure and responsibility
o resources
o responsibility and accountability
o training and competency
 consultation, communication and reporting
o consultation
o communication
o reporting
 documentation (policy, plans procedures, sops, instructions)

www.safety.unimelb.edu.au HEALTH & SAFETY: INTERNAL AUDIT METHODOLOGY 3 of 9

Date: January 2017 Version: 1.0 Authorised by: Associate Director, Health & Safety Next Review: January 2022
© The University of Melbourne – Uncontrolled when printed.
 document and data control
 risk management program and operational control
 risk management and control
o access control
o workplace facilities and amenities
o safety signage
 hazard identification, risk assessment and control of risks
o purchasing and management of contractors
o product, structures and process design
o chemicals, substances and waste
 risk management
o high risk tasks
o personal protective equipment
o plant and equipment
o materials transport, storage and handling
o supervision
o supply of services and goods to others
 emergency preparedness and response
 monitoring and measurement
o general
o health surveillance
 health and safety nonconformity, incident investigation, corrective and preventive action
 management system audits
 records and records management
 management review.

The auditor(s) shall:

 develop an audit plan detailing the criteria to be verified, using the Audit Workbook subjects nominated by the
Associate Director, Audit Assurance Services ; and
 submit the audit plan to the Associate Director, Audit Assurance Services for approval.

The internal audits shall be undertaken against the criteria of the National Self Insurer’s OHS Audit Tool (NAT) and the
University of Melbourne’s health and safety procedures, requirements and processes. The scope of the matters
assessed shall vary with the type of audited area, as described in Table 2.

www.safety.unimelb.edu.au HEALTH & SAFETY: INTERNAL AUDIT METHODOLOGY 4 of 9

Date: January 2017 Version: 1.0 Authorised by: Associate Director, Health & Safety Next Review: January 2022
© The University of Melbourne – Uncontrolled when printed.
 TYPE OF AUDITED AREA AUDIT SCOPE
University-wide health and safety Procedures, requirements and processes to support the conformance to
systems NAT criteria.
Local Division/Department – Workplace verification to establish that relevant University procedures,
without University-wide functions requirements and processes are sufficiently implemented to conform to
NAT criteria.

Local Division/Department – with Workplace verification to establish that relevant University procedures,
University-wide functions requirements and processes are sufficiently implemented to conform to
NAT criteria.
Procedures, requirements and processes s to support the conformance to
NAT criteria relevant to the Department’s University-wide functions.

Table 2: Audit scope based on type of audited area

1.6 Definitions

The following definitions shall be used by auditors when assessing and reporting against the internal audit criteria.

Auditor
An auditor engaged to undertake an OHSMS audit.

Conformance (C)
The auditee has demonstrated:
 full implementation of University procedures, requirements and processes, and
 compliance with legal requirements, and
 commitment to the principle of continual improvement.

Based upon the evidence audited is it evident that the auditee is conformant with University and legal requirements,
and is active in implementing additional measures to achieve continual improvement.

Corrective action plan (CAP)/Corrective action report (CAR)

A report that documents the reasons for adverse findings (NC and RC), and determines the date on which the corrective
actions will be reviewed. The CAP should include:
 how the requires correction or non-conformance will be resolved
 who is accountable and responsible for ensuring the corrective action(s) is completed; and
 priorities and timeframes for completion of the remedial action.

Non conformance (NC)

The auditor finds evidence that there was:
 an absence of system elements or a part of the system, and/or
 a failure to follow the documented systems or procedures, and/or
 a lapse in the system or procedure, and/or
 apparent systemic legislative non-compliance.

www.safety.unimelb.edu.au HEALTH & SAFETY: INTERNAL AUDIT METHODOLOGY 5 of 9

Date: January 2017 Version: 1.0 Authorised by: Associate Director, Health & Safety Next Review: January 2022
© The University of Melbourne – Uncontrolled when printed.
Corrective action must be undertaken as a priority to prevent injury, ensure continued certification and ensure
legislative compliance. The Auditor is required to report serious hazards or potentially dangerous occurrences to the
Division’s senior management, the Associate Director, Health & Safety and the Associate Director, Audit Assurance
Services.

Non conformances are documented on a corrective action plan (CAP), and remedial action will be confirmed by
subsequent verification. Refer to Occupational health and safety internal audit process.

Not applicable (NA)

There is no indication of the related activity having occurred, and therefore the auditee is not required to implement
systems to satisfy the specified criterion.

Not verified (NV)

The auditor cannot confirm implementation of the system because:
 the related activity has not yet occurred, so objective evidence is not available, or
 the criterion, whilst included in the audit scope, was not examined during the audit, or
 evidence could not be provided due to an unforeseen circumstance.

The auditor may not have reviewed key documents, interviewed staff or visited key areas owing to a number of issues
including staff absence or time constraints. The criterion remains untested and should be considered for inclusion within
the scope of subsequent audits.

Requires correction (RC)

Based on the evidence audited, it is evident that:
 the auditee has not fully, effectively or consistently implemented University procedures, and/or
 there was evidence of isolated instances of apparent legislative non-compliance.

Corrective action should be undertaken as a priority to prevent the area falling into Non Conformance. The audit itself is
a sampling exercise. If the sampling indicates isolated legislative non-compliance, it is likely that a regulator might reveal
systematic non-compliance during more focused inspection or intervention.

Further, it is likely that both internal and external auditors will focus on issues identified as RC during subsequent audits.
The criterion requiring correction may be linked to or interdependent with other key systems. A failure relating to this
criterion may therefore lead to a significant reduction in total system effectiveness, or wider legal non-compliance.

Requires corrections are documented on a corrective action plan (CAP), and remedial action will be confirmed by
subsequent verification. Refer to Occupational health and safety internal audit process.

Scope for improvement (SFI)/Area for improvement (AFI)

The auditor has provided recommendations that may assist the auditee to achieve continual improvement by:
 ensuring more efficient implementation of University procedures, requirements and processes (reductions in time,
cost and resources);
 enhancing the transparency of the system to auditors, regulators and the University.

The auditee is conformant with University and legal requirements, and the recommendations are merely the opinion of
the auditor. While failure to follow this advice will not in itself lead to Non Conformance, the recommendations are
made based on the auditor's experience in reviewing the approach of areas across the entire University.

www.safety.unimelb.edu.au HEALTH & SAFETY: INTERNAL AUDIT METHODOLOGY 6 of 9

Date: January 2017 Version: 1.0 Authorised by: Associate Director, Health & Safety Next Review: January 2022
© The University of Melbourne – Uncontrolled when printed.
1.7 Audit process requirements

The auditor shall undertake the internal audit in accordance with the defined scope of AS/NZS 4801:2001 and the
National Self Insurer OHS Audit Tool (NAT), using the University of Melbourne Health and Safety Audit Workbook, as
amended from time to time.

The auditor should:

 conduct an opening meeting with the relevant auditee representatives
 seek input from a representative sample of stakeholders to review consultative arrangements and the effective
implementation of the OHSMS, including:
o health & safety committee members
o management representative(s)
o employee health and safety representative(s)
o other personnel in the area subject to the audit
 review and assess relevant local workplace documentation, including:
o health and safety management plans, objectives and targets
o health and safety risk register, risk assessments and standard operating procedures
o health and safety training needs analysis, training plan and training records
o health and safety cyclic events checklists and workplace inspections
o pre purchase risk assessments and purchasing documentation
o service provider (contractor) documentation
o emergency and first aid assessments
o chemical inventories, risk assessments and material safety data sheets/safety data sheets
o plant risk assessments, maintenance and inspection records
o health and safety committee meeting minutes
 review and assess the implementation of local workplace risk controls, including:
o plant
o electrical
o chemical storage and handling
o hazardous manual handling
o housekeeping
o workplace facilities and amenities
o emergency and first aid equipment and facilities
o other relevant risks
 conduct any other relevant information gathering required to complete the audit.

www.safety.unimelb.edu.au HEALTH & SAFETY: INTERNAL AUDIT METHODOLOGY 7 of 9

Date: January 2017 Version: 1.0 Authorised by: Associate Director, Health & Safety Next Review: January 2022
© The University of Melbourne – Uncontrolled when printed.
1.8 Audit opening meetings
The auditor should, where reasonably practicable, commence the audit with an opening meeting with the relevant
auditee representatives, addressing the following agenda items:
 introduction
 explanation of the audit process
 confirmation of the audit scope and duration
 expected closing meeting time, date and location
 other business, including questions.

1.9 Audit closing meetings

The Auditor should, where reasonably practicable, conclude the workplace verification component of the audit with a
closing meeting with the relevant auditee representatives, addressing the following agenda items:
 appreciation of those involved in the audit
 brief outline of the findings known to date, that is, areas of:
o good performance
o average performance
o poor performance
 explanation of the next stages in the audit process, including some indication of the expected completion of the
written report
 other business, including questions.

2. REPORTING
2.1 Audit report template

The Associate Director, Audit Assurance Services, in consultation with the Associate Director, Health & Safety, shall
develop and maintain a health and safety audit report template. The auditor(s) shall use the template to report audit
findings to the auditee.

2.2 Audit report distribution

The Associate Director, Audit Assurance Services should provide a health and safety audit report to the Head of Division
four weeks from the audit closing meeting.

The audit report shall include a corrective action plan (CAP) for each:
 non conformance finding; and
 requires correction finding.

The Head of Division shall, within four weeks of receiving the audit report, ensure that documented CAP, including
prioritisation of planned corrective actions, are developed and provided to the Associate Director, Audit Assurance
Services, for each:
 non conformance finding; and
 requires correction finding.

www.safety.unimelb.edu.au HEALTH & SAFETY: INTERNAL AUDIT METHODOLOGY 8 of 9

Date: January 2017 Version: 1.0 Authorised by: Associate Director, Health & Safety Next Review: January 2022
© The University of Melbourne – Uncontrolled when printed.
The Head of Division shall ensure that the Division’s audit reports are tabled at the Division’s Health and Safety or
Environmental committee meetings, for monitoring of implementation of corrective actions.

The Associate Director, Audit Assurance Services shall report Internal health and safety audit results to relevant senior
groups and committees. These may include:
 Occupational Health and Safety Committee
 Risk Management Advisory Group
 Audit and Risk Committee
 University Risk Committee
 Senior executive

3. REFERENCES
 Health & Safety: Management system review and audit requirements

 Other internal OHS audit guidance materials are available from: Occupational health and safety internal audit
process

 Health & Safety: University of Melbourne health & safety audit workbook

www.safety.unimelb.edu.au HEALTH & SAFETY: INTERNAL AUDIT METHODOLOGY 9 of 9

Date: January 2017 Version: 1.0 Authorised by: Associate Director, Health & Safety Next Review: January 2022
© The University of Melbourne – Uncontrolled when printed.