Navigated to SafeGuard EHS — See Every Risk. Protect Every Worker.

    Management systems

    ISO 45001 internal audit checklist

    A clause-by-clause internal audit checklist for ISO 45001:2018 covering Clauses 4 to 10 — the auditable clauses. Use it to prepare for your Clause 9.2 internal audit programme, self-assess before a Stage 2 certification audit, or train new internal auditors on the evidence certification bodies actually sample.

    Printable, sign-off-ready PDF · Clauses 4–10 · 4 pages · A4/Letter

    The checklist

    Clause 4–10 internal audit checklist

    Each item is phrased as an evidence question — the same way certification-body auditors sample. Clauses 1–3 (scope, references, definitions) are informational and not auditable.

    Clause 4

    Context of the organisation

    • Is there a written analysis of internal + external issues affecting the OH&S management system (4.1)?
    • Is the list of interested parties (workers, contractors, regulators, communities) documented with their needs and expectations (4.2)?
    • Is the scope statement of the OH&S management system documented, and does it justify any exclusions (4.3)?
    • Are the OH&S processes, their inputs/outputs, and their interactions defined (4.4)?
    Clause 5

    Leadership & worker participation

    • Has top management issued a signed OH&S policy that commits to legal compliance, prevention of injury/ill-health, and continual improvement (5.2)?
    • Are OH&S roles, responsibilities and authorities documented and communicated (5.3)?
    • Is there evidence of consultation with non-managerial workers on hazard identification, risk assessment, incident investigation, and change (5.4)?
    • Are the mechanisms for worker participation free of retaliation, cost, or time barriers (5.4)?
    Clause 6

    Planning: risks, opportunities & objectives

    • Is hazard identification ongoing and proactive, covering routine + non-routine work, human factors, and change (6.1.2)?
    • Is there a documented process to assess OH&S risks and opportunities, and the risks/opportunities to the management system itself (6.1.2)?
    • Is the legal register up to date, with a documented compliance evaluation cycle (6.1.3)?
    • Are OH&S objectives measurable, resourced, time-bound, and tracked against a plan (6.2)?
    Clause 7

    Support: resources, competence, awareness, communication

    • Are competence requirements defined per role, and are training records complete and current (7.2)?
    • Do workers demonstrate awareness of the policy, their hazards, and consequences of non-conformance (7.3)?
    • Is there a documented internal + external communication plan (what, when, to whom, how) (7.4)?
    • Is documented information version-controlled, retrievable, and protected from unauthorised change (7.5)?
    Clause 8

    Operation: controls, MoC, procurement, emergency

    • Are operational controls applied using the hierarchy of controls (elimination → PPE) and documented per activity (8.1.2)?
    • Is there a management-of-change process covering new/altered activities, equipment, and legal changes (8.1.3)?
    • Are procurement, contractor, and outsourcing controls in place to extend OH&S requirements to third parties (8.1.4)?
    • Are emergency preparedness plans documented, drilled at least annually, and reviewed after every activation (8.2)?
    Clause 9

    Performance evaluation

    • Is there a documented plan for monitoring, measurement, analysis and evaluation of OH&S performance (9.1.1)?
    • Is compliance evaluation against the legal register performed and evidenced at a defined frequency (9.1.2)?
    • Is the internal audit programme risk-based, with auditor competence, scope, criteria, and independence documented (9.2)?
    • Are management reviews held at planned intervals with all Clause 9.3 inputs and documented outputs (9.3)?
    Clause 10

    Improvement

    • Are incidents and nonconformities investigated, root-caused, and closed with corrective actions verified for effectiveness (10.2)?
    • Is there evidence of continual improvement across suitability, adequacy and effectiveness of the OH&S management system (10.3)?
    • Do trend data (incidents, near misses, audit findings, corrective actions) feed the management review inputs (10.3)?

    The process

    How to run an ISO 45001 internal audit in six steps

    The audit programme required by Clause 9.2, from planning to closing the loop into management review.

    1. Step 1

      Plan the audit programme

      Build a 12-month audit programme that covers every clause and every site at a frequency proportionate to risk. Assign competent, independent auditors and document their qualifications.

    2. Step 2

      Prepare the audit checklist

      Use the Clause 4–10 checklist below as the baseline. Add site-specific items for high-risk activities (confined space, LOTO, contractor management) and legal register clauses that apply.

    3. Step 3

      Conduct the audit

      Interview workers at all levels, sample records, and observe operations. For each checklist item, capture conforming evidence, minor nonconformities, and major nonconformities separately.

    4. Step 4

      Report findings

      Issue a written report within two weeks: scope, methodology, evidence, findings by clause, and severity. Findings must be traceable back to the specific ISO 45001 clause they breach.

    5. Step 5

      Track corrective actions

      Log every nonconformity as a corrective action with owner, due date and effectiveness verification. Verification is a separate step — signing the action off is not the same as proving it worked.

    6. Step 6

      Feed the management review

      Roll the audit results, trends, and open corrective actions into the next management review (Clause 9.3). This closes the ISO 45001 improvement loop and is a mandatory input.

    Evidence auditors sample

    What certification bodies actually ask for

    Recurring evidence gaps that trigger major nonconformities at Stage 2.

    Signed OH&S policy

    Current version, communicated to workers, aligned to the scope statement.

    Consultation records

    Minutes, sign-offs, or platform logs showing non-managerial worker input — Clause 5.4.

    Legal register + evaluation

    Jurisdiction-specific requirements with a dated compliance evaluation — Clause 6.1.3 + 9.1.2.

    Corrective-action effectiveness

    Not just closure — evidence the action stopped the issue recurring. Clause 10.2.

    FAQ

    ISO 45001 internal audit — common questions

    We value your privacy

    We use strictly necessary storage to run this site and, with your consent, optional analytics and marketing measurement to improve it. Read our cookie policy.