Welcome Guest! The IOSH forums are a free resource to both members and non-members. Login or register to use them

Postings made by forum users are personal opinions. IOSH is not responsible for the content or accuracy of any of the information contained in forum postings. Please carefully consider any advice you receive.

Notification

Icon
Error
H&S department being audited by internal audit
Options
Go to last post Go to first unread
Previous Topic Next Topic
Cambridge Fox  
#1 Posted : 05 June 2023 15:40:18(UTC)
Rank: New forum user
Cambridge Fox

Afternoon all,

I wondered if any colleagues had experience of being audited by an organisation's internal audit team?

My turn has come around (part of the 2023 audit plan - I'm not under investigation!) and I value the scrutiny and oversight from a third party - after all, we can become complacent in our approach and it can be helpful to have an external eye cast its gaze over what you are doing from time to time.

However... we've just had our first meeting to agree Terms of Reference and I'm feeling a bit disenchanted by the whole process. Effectively, I'm being asked to define the risk areas for consideration, the questions to be asked and the key outcomes required for each. I queried whether the auditors had any experience of H&S and the answer was 'no' and that they didn't need any because 'all they will do is check what our policies say and whether they are being implemented properly'.

They've sent me the IAA guidance on H&S (very basic and I can see why they've come to me for input) but I guess I'm struggling to see where the value lies in what they are doing if the person they are auditing is the very person drawing up the questions. I will be using the process to highlight what I believe are areas of weakness, however, the potential for me to game the system is clear.

This is going to end up consuming a couple of days in work (preparing the questions, collating the evidence for review, various stage meetings, debrief and actions agreed) for something that I could draw up in an afternoon.

Does anyone else have any experience of being subject to internal audit? How did you find it? Was it valuable to your service? Did those carrying out the audit have any H&S knowledge?

Or was I being naive in hoping for some form of rigorous challenge here?

Back to top
peter gotch  
#2 Posted : 05 June 2023 18:21:57(UTC)
Rank: Super forum user
peter gotch

Hi Cambridge Fox

Do the auditors actually know what they want to audit?!?!

Do they want to audit the organisation's health and safety performance or what the H&S team do.

Two entirely different exercises but if the overall rationale of the organisation is that line managers should own H&S along with many other aspects, then perhaps what they are looking for is for you to set out the risk profile and how the business deals with the key risks.

On more than one occasion I have had external auditors come to me and say "You and your team have a problem and this is what you need to do".

To which my retort was usually, "this is a line management responsibility for the relevant line managers to consider and resolve (if needed) and with the support of the H&S team as is appropriate."

As example policy might be that Person doing X should attend such and such health and safety training BUT in most organisations it won't be the H&S team who keep the training records.

So, possibly your role is as much to steer the auditors to where they can find the evidence of compliance as to produce it yourself.
Back to top
thanks 1 user thanked peter gotch for this useful post.
Cambridge Fox on 06/06/2023(UTC)
Kate  
#3 Posted : 05 June 2023 19:12:19(UTC)
Rank: Super forum user
Kate

Yes, my H&S activities have been internally audited by non H&S people.  I certainly did not get any say in what the questions were going to be!

An experienced auditor can audit any topic.  They do this by first asking questions (and looking at documents) to determine what is supposed to happen (including what the standard they are auditing against says should happen).  Then they burrow into what actually has happened and whether or not it matches what is supposed to happen and whether there could be a better way of doing it ("better" doesn't necessarily mean "safer" but could also mean "more efficient").

What are they auditing against?  ISO 9001 or ISO 45001 or something else?  And to repeat Peter's very pertinent question, what exactly is being audited (you shouldn't ever feel it is you - it is processes that are audited, not people).

Back to top
thanks 2 users thanked Kate for this useful post.
Andrew_C on 06/06/2023(UTC), Cambridge Fox on 06/06/2023(UTC)
A Kurdziel  
#4 Posted : 06 June 2023 08:47:58(UTC)
Rank: Super forum user
A Kurdziel

I have  been audited both externally(9001) and internally to see if we fit in to the overall management system of the organisation. For the experience to be satisfactory you need the following:

  • Auditor needs clear criteria (which is where something like ISO 9001 comes in) . Some auditors have a vague wish list so you have to spend ages explaining to  them what you do and how you are actually complying  with their expectations.
  • You need clear documented process for what YOU do: investigations, training, auditing etc
  • You also need it to be clear what your role in the overall organization is: you are not responsible for H&S; you monitor the system and provide advice. As Peter said, line operational managers do the nitty gritty and make health and safety happen. There should be a policy document explaining this.
  • You need evidence that the things are happening as per your procedure. For example in your accident system it will say, incidents are reported and recorded. Do you have that?

Do you have evidence of investigations and follow up, in accordance with YOUR policy ?

  • If you find that there are things missing and you can’t do this then there is a gap in your policy.

 

The auditors, I they are good, simply will look at your policy/procedures and check that you are doing what you promised to do. They should not be telling you how to do your job.

Back to top
thanks 1 user thanked A Kurdziel for this useful post.
Cambridge Fox on 06/06/2023(UTC)
achrn  
#5 Posted : 06 June 2023 09:58:11(UTC)
Rank: Super forum user
achrn

I have some minor quibbles with some of what has been said so far, mainly arising from what is meant by 'audit'.

However, the main point (to address the OP questions), is that I don't believe you need to know much at all about H&S to be an internal auditor auditing a company's H&S processes.  None of our internal auditors are H&S professionals (or even notably engaged in H&S in their other workplace duties).  As noted up the thread, these auditors are checking only that the company is doing what the company has said it will do - if it's written in the procedures you do it (or don't do it, if the procedures say don't do x y z), if it's not written it doesn't matter.

I would not expect to spend a great deal of time telling the auditors what to audit or giving them questions to ask - it should be written in the procedures.  If they are completely clueless you might spend some time running through an overview of the systems, but then I'd expect them to decide from that overview what to drill down into and ask to see evidence of.

I don't honestly expect these to be too challenging - I think the H&S people within a company know for themselves already where the company systems are weak and/or where there are failures in complying with them.

One of my quibbles - I would not expect this sort of audit to identify better ways of doing something - this is only about was it done in accordance with the procedures.  (In most systems, identifying the better ways is part of continuous improvement and is identified other than by auditors).  An auditor might, as a result of their digging, notice a possible improvement and raise it, but that would be as part of their role as a general member of staff to suggest improvements, not an auditor function.

The next different variation would be an audit against ISO19001 (or other system) - here the auditor will also be checking that what your preocedures say aligns with what the standard says they should say. In principle internal auditors could do that, but I wouldn't normally expect it (and ours don't).

A slight varation on that would be a client audit where an external auditor checks that what you do and say you do aligns with what the client requires.  This is similar to the ISO audit but will be checking against something defined (or referenced) in the contract docs.  Conceptually it's basically the same, but in my experience contract-specific requirements are less well thought out and break more easily at 'edge cases'.  These things also seem more changeable - clients suddenly add in new requirements (and may or may not give you enough notice to address them) - and more open to the whims or interpretation by the auditor.  These sometimes suggest things that they consider would be an improvement (but fairly often I / we don't agree).  Again in priciple an internal audit could do this, but ours don't.

Finally, we also have audits that are by a H&S professional / expert - we have appointed an external H&S professional organsiation to come into each of our sites annually and do an audit / inspection against statutory and good practice H&S requirements.  These people don't care much at all about our procedures, they are auditing against what they consider H&S systems and arrangements should be doing.  They are much more likely to find something like a missing fire instructions signage or document past its periodic review date.  These might suggest an improvement. These, I think, are the only sort of auditor taht actually needs H&S expertise.

We get all the above.  Actually they are (nearly) all worth the effort (but do come with varying degrees of pain and reward). 
Back to top
thanks 1 user thanked achrn for this useful post.
Cambridge Fox on 06/06/2023(UTC)
Cambridge Fox  
#6 Posted : 06 June 2023 10:07:57(UTC)
Rank: New forum user
Cambridge Fox
Originally Posted by: peter gotch Go to Quoted Post

Hi Cambridge Fox

Do the auditors actually know what they want to audit?!?!

Do they want to audit the organisation's health and safety performance or what the H&S team do.

Two entirely different exercises but if the overall rationale of the organisation is that line managers should own H&S along with many other aspects, then perhaps what they are looking for is for you to set out the risk profile and how the business deals with the key risks.

On more than one occasion I have had external auditors come to me and say "You and your team have a problem and this is what you need to do".

To which my retort was usually, "this is a line management responsibility for the relevant line managers to consider and resolve (if needed) and with the support of the H&S team as is appropriate."

As example policy might be that Person doing X should attend such and such health and safety training BUT in most organisations it won't be the H&S team who keep the training records.

So, possibly your role is as much to steer the auditors to where they can find the evidence of compliance as to produce it yourself.

Thanks Peter,

Some very good questions and points raised here. Being blunt, no I don't think they do know what they want to audit! Apparently our Risk and Audit Committee have asked them to 'ensure that the organisation is meeting its H&S obligations as an employer'. I think my sticking point is that the people tasked with this have no H&S knowledge so I don't see how they are supposed to be able to provide such assurance with any confidence.

I value scrutiny, but fear this process wont result in any meaningful outcomes. 

Your point about steering auditors to where evidence can be found is very helpful and I'll bear this in mind in my advice to auditors. While I work for a large organisation, there's definitely still a culture of H&S being viewed as a discrete function in which all things H&S must live - a recent and ongoing battle with HR regarding training records being a pertinent example.

Back to top
Cambridge Fox  
#7 Posted : 06 June 2023 10:18:08(UTC)
Rank: New forum user
Cambridge Fox
Originally Posted by: Kate Go to Quoted Post

Yes, my H&S activities have been internally audited by non H&S people.  I certainly did not get any say in what the questions were going to be!

An experienced auditor can audit any topic.  They do this by first asking questions (and looking at documents) to determine what is supposed to happen (including what the standard they are auditing against says should happen).  Then they burrow into what actually has happened and whether or not it matches what is supposed to happen and whether there could be a better way of doing it ("better" doesn't necessarily mean "safer" but could also mean "more efficient").

What are they auditing against?  ISO 9001 or ISO 45001 or something else?  And to repeat Peter's very pertinent question, what exactly is being audited (you shouldn't ever feel it is you - it is processes that are audited, not people).

Thanks Kate,

I agree with the audit process you've outlined and will be nudging them towards this rather than looking to me to devise the question set as currently suggested. 

The audit isn't being carried out against any recongised standard, just what the auditors feel is relveant (based on my advice!) which is part of what is making me uncomfortable about the whole process.

From talking to them, I get the impression most departments say/do whatever it takes to make them go away. Having someone questioning their approach and intended outcomes seems to have caught them off guard.

I don't currently feel like it's me being audited, but I'll be careful to make this clear to them in my advice. As a team of one there is sometimes to a tendancy to consider that the person is the process, if that makes sense.

Back to top
Cambridge Fox  
#8 Posted : 06 June 2023 10:29:44(UTC)
Rank: New forum user
Cambridge Fox

Thanks A Kurdziel, I've replied to some of your points below.

Originally Posted by: A Kurdziel Go to Quoted Post

I have  been audited both externally(9001) and internally to see if we fit in to the overall management system of the organisation. For the experience to be satisfactory you need the following:

  • Auditor needs clear criteria (which is where something like ISO 9001 comes in) . Some auditors have a vague wish list so you have to spend ages explaining to  them what you do and how you are actually complying  with their expectations.

'A vague wishlist' is what we have here and what I've been asked to help shape the criteria for. It just feels odd to me and akin to setting the assessment criteria before I undertake the exam.

Originally Posted by: A Kurdziel Go to Quoted Post

  • You need clear documented process for what YOU do: investigations, training, auditing etc

This is solid advice and definitely something that I can improve on. It's all there somewhere and I come from a background where there was a SOP for everything, however, as a team of one I think I've allowed this to drift in the incorrect assumption that a SOPs audience would only be the H&S team when I can see the wider value here. 

Originally Posted by: A Kurdziel Go to Quoted Post

  • You also need it to be clear what your role in the overall organization is: you are not responsible for H&S; you monitor the system and provide advice. As Peter said, line operational managers do the nitty gritty and make health and safety happen. There should be a policy document explaining this.

Small mercy, but we do have this! It is written into our policy both for my role and responsibilities and for those of others, especially line managers.

Originally Posted by: A Kurdziel Go to Quoted Post

  • You need evidence that the things are happening as per your procedure. For example in your accident system it will say, incidents are reported and recorded. Do you have that?

Do you have evidence of investigations and follow up, in accordance with YOUR policy ?

  • If you find that there are things missing and you can’t do this then there is a gap in your policy.

The auditors, I they are good, simply will look at your policy/procedures and check that you are doing what you promised to do. They should not be telling you how to do your job.

 

This is the part of the audit I was most comfortable with, i.e. checking we are doing what we say we are doing. I'm confident I can evidence this for most areas and provide explanation for areas where we may not.

Back to top
Cambridge Fox  
#9 Posted : 06 June 2023 10:46:09(UTC)
Rank: New forum user
Cambridge Fox
Originally Posted by: achrn Go to Quoted Post

I have some minor quibbles with some of what has been said so far, mainly arising from what is meant by 'audit'.

However, the main point (to address the OP questions), is that I don't believe you need to know much at all about H&S to be an internal auditor auditing a company's H&S processes.  None of our internal auditors are H&S professionals (or even notably engaged in H&S in their other workplace duties).  As noted up the thread, these auditors are checking only that the company is doing what the company has said it will do - if it's written in the procedures you do it (or don't do it, if the procedures say don't do x y z), if it's not written it doesn't matter.

I would not expect to spend a great deal of time telling the auditors what to audit or giving them questions to ask - it should be written in the procedures.  If they are completely clueless you might spend some time running through an overview of the systems, but then I'd expect them to decide from that overview what to drill down into and ask to see evidence of.

I don't honestly expect these to be too challenging - I think the H&S people within a company know for themselves already where the company systems are weak and/or where there are failures in complying with them.

One of my quibbles - I would not expect this sort of audit to identify better ways of doing something - this is only about was it done in accordance with the procedures.  (In most systems, identifying the better ways is part of continuous improvement and is identified other than by auditors).  An auditor might, as a result of their digging, notice a possible improvement and raise it, but that would be as part of their role as a general member of staff to suggest improvements, not an auditor function.

The next different variation would be an audit against ISO19001 (or other system) - here the auditor will also be checking that what your preocedures say aligns with what the standard says they should say. In principle internal auditors could do that, but I wouldn't normally expect it (and ours don't).

A slight varation on that would be a client audit where an external auditor checks that what you do and say you do aligns with what the client requires.  This is similar to the ISO audit but will be checking against something defined (or referenced) in the contract docs.  Conceptually it's basically the same, but in my experience contract-specific requirements are less well thought out and break more easily at 'edge cases'.  These things also seem more changeable - clients suddenly add in new requirements (and may or may not give you enough notice to address them) - and more open to the whims or interpretation by the auditor.  These sometimes suggest things that they consider would be an improvement (but fairly often I / we don't agree).  Again in priciple an internal audit could do this, but ours don't.

Finally, we also have audits that are by a H&S professional / expert - we have appointed an external H&S professional organsiation to come into each of our sites annually and do an audit / inspection against statutory and good practice H&S requirements.  These people don't care much at all about our procedures, they are auditing against what they consider H&S systems and arrangements should be doing.  They are much more likely to find something like a missing fire instructions signage or document past its periodic review date.  These might suggest an improvement. These, I think, are the only sort of auditor taht actually needs H&S expertise.

We get all the above.  Actually they are (nearly) all worth the effort (but do come with varying degrees of pain and reward). 

Thanks Achrn,

I agree with what you are saying about the definition of audit. In defence of other respondents, I think my original post may have led them away from thinking about this as a 'traditional' audit by virtue of the auditors asking me to come up with a question set when a review of actions against published policies/procedures would seem more logical.

I think one of my key takeaways from all commenters is the need for me to formalise some of my procedures.

We aren't currently looking at formal accreditation or external audit just yet, but it is something I've highlighted in my continuous improvement plan and may happen at some point in the future.

I'll brace myself for the pain in anticipation of the reward!

Back to top
achrn  
#10 Posted : 06 June 2023 10:52:44(UTC)
Rank: Super forum user
achrn
Originally Posted by: Cambridge Fox Go to Quoted Post
Apparently our Risk and Audit Committee have asked them to 'ensure that the organisation is meeting its H&S obligations as an employer'. I think my sticking point is that the people tasked with this have no H&S knowledge so I don't see how they are supposed to be able to provide such assurance with any confidence.

That does sound much more like something that requries H&S expertise.

If the 'Risk and Audit Committee' wanted the answer to that question, I would expect it to make more sense for them to ask the H&S function (however that is implemented in your organisation), not the audit function.
Back to top
thanks 1 user thanked achrn for this useful post.
Cambridge Fox on 06/06/2023(UTC)
Kate  
#11 Posted : 06 June 2023 11:02:33(UTC)
Rank: Super forum user
Kate

My experience of auditors, both internal and external, has been that they have indeed raised "Opportunities for improvement" as well as "Non-conformities" as part of the audit process.  It is perfectly plausible of course that this isn't part of other audit programmes. 

Back to top
thanks 1 user thanked Kate for this useful post.
Cambridge Fox on 06/06/2023(UTC)
Kate  
#12 Posted : 06 June 2023 11:09:13(UTC)
Rank: Super forum user
Kate

If they want assurance that H&S obligations are being met then they have two obvious options: they can ask you; or they can get someone from outside who has the relevant knowledge and skills.  I'm not surprised that the internal auditors have asked you for help!
Back to top
thanks 2 users thanked Kate for this useful post.
Cambridge Fox on 06/06/2023(UTC), aud on 14/08/2023(UTC)
A Kurdziel  
#13 Posted : 06 June 2023 11:29:36(UTC)
Rank: Super forum user
A Kurdziel

Can I throw the cat amongst the pigeons! If the “Risk and audit committee” really want to  'ensure that the organisation is meeting its H&S obligations as an employer' they either need to get a suitably H&S qualified  external auditor in  or rather than an “audit” they request that you as the H&S person on the ground produce a H&S review which you can  present to them demonstrating how YOU deliver YOUR part of the  H&S process  and what the organisation needs to do in YOUR opinion to move H&S along. Since you are telling the auditors what to look for, why waste time and effort when you can tell them all about it directly with less opportunity for misunderstanding.

Back to top
thanks 3 users thanked A Kurdziel for this useful post.
Kate on 06/06/2023(UTC), Cambridge Fox on 06/06/2023(UTC), aud on 14/08/2023(UTC)
Cambridge Fox  
#14 Posted : 06 June 2023 12:26:14(UTC)
Rank: New forum user
Cambridge Fox

Thanks again Kate, achrn and A Kurdziel - this is precisely where I am at and I'm immensely grateful for you taking the time to share your thoughts and talk this through with me.

As well as the learning points already identified, I've gone back with some suggestions that allow IA to assess us against our policies/procedures and explained that if RAAC want assurances that all obligations have been met then they only need ask me for details on this, or if they wish for it to be independent that they engage a competent third party.

Much obliged!

Back to top
thanks 2 users thanked Cambridge Fox for this useful post.
Kate on 06/06/2023(UTC), A Kurdziel on 06/06/2023(UTC)
peter gotch  
#15 Posted : 06 June 2023 14:38:32(UTC)
Rank: Super forum user
peter gotch

Hi Cambridge Fox

Well it seems to be a bit clearer now!

'ensure that the organisation is meeting its H&S obligations as an employer'

If the internal auditors are competent then they shouldn't need to know much about H&S to audit whether you (the organisation, NOT you the individual!) are properly implementing whatever policies and procedures are in place.

That's essentially a tick box exercise.

Procedure 2456 says that there has to be a documented risk assessment for whatever is being done.

So the auditors go out to the shop floor and look at a process and ask to see the documented risk assessment. If that is produced fine, if not there is going to be some variant of non-conformance report.

BUTTTT - just because there is a documented risk assessment shouldn't give the Risk and Audit Committee the comfort it needs that 'the organisation is meeting its H&S obligations as an employer'.

....for the simple reason that the risk assessment might be far from "suitable and sufficient" OR that it might not be adequately executed OR numerous other failings.

So, I think that the RAAC have set inappropriate terms of reference.

They could:

1. Ask YOU to do a gap analysis of the organisation's policy and procedures and implementation of same against legislation to come up with recommendations for improvements.

2. Get in auditors to do something similar, if they want an element of independence, but with a brief to audit with a focus on legislative compliance NOT compliance with the organisation's systems (though there is value in that as well).

Some considerable number of years back we infuriated one of the top bosses in a very large organisation, where part of our brief was to audit against OHSAS 18001, but we had drafted our own project brief as part of our proposal for the job and we had indicated that our primary focus would be on legislative compliance.

We looked at a postholder and their job description. The JD said that the postholder needed a minimum of 5 years working in the sector. They had been brought with a background in an entirely different sector.

This was prima facie evidence of sector-specific legislation and in terms of OHSAS 18001 required a Major Non Conformance Report. 

Said top boss commented that the organisation was deliberately trying to bring in new blood. 

That was fine by us, if the postholder had transferable skills and experience - so the problem was an unnecessarily prescriptive person spec - what it needed to say was NOT 5 years experience in that sector but 5 years experience in one or more sectors with comparable risks.

For exactly the same reasons as why this organisation was trying to bring in new blood, we had put together a team some of whom had little or no experience in the sector - because they would come with open eyes and be immune to the industry custom and practice.

One of our team spotted numerous examples of work at height with no fall protection and asked why. "We've always done it that way." In many other sectors very similar scenarios exist and with fall protection provided (so clearly reasonably practicable) so that was another NCR.

Whether the FAAC were to go for options 1 or 2 makes little difference on one issue. Unless they have an infinite budget they are never going to get an audit report that says (with competent honesty) 'the organisation is meeting its H&S obligations as an employer'.

...as audit is always a sampling exercise that never covers EVERYTHING in sufficient depth to provide an entirely clean bill of health!

So, perhaps what they should be asking for is an audit that seeks to identify issues where there is room for improvement with recommendations for how to do this and a proposed action plan.

If the RAAC want a puppet to give them the clean bill of health, then such a puppet is available but their report will be liable to be ripped to shreds when put to the test if it does not provide a valid assessment from an audit of sufficient depth.

So such a report at best could only provide temporary misplaced comfort to the RAAC - and they should know this!!
Back to top
thanks 2 users thanked peter gotch for this useful post.
Kate on 06/06/2023(UTC), Cambridge Fox on 09/08/2023(UTC)
Cambridge Fox  
#16 Posted : 09 August 2023 10:08:37(UTC)
Rank: New forum user
Cambridge Fox

Hi all,

Just a quick follow up in case anyone is tracking this thread.

After considering all the helpful responses provided here, I went back to Internal Audit with my thoughts. The outcome of which is that the audit has been 'deferred' to an unspecified time in the future...

I'm a little disappointed as I do think the process can be of value, but better to do it right, rather than just do it for the sake of it.

My key takeaway here is don't be afraid to ask for the scope of any such audit to be properly and sufficiently defined. Especially where professionals with no H&S knowledge may be being tasked with making comment on suitability/sufficiency of H&S arrangements!

Thanks again to all who commented.

Back to top
thanks 2 users thanked Cambridge Fox for this useful post.
achrn on 09/08/2023(UTC), peter gotch on 16/08/2023(UTC)
Users browsing this topic
Guest (4)
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.

Powered by YAF.NET | YAF.NET © 2003-2024, Yet Another Forum.NET