What a safety audit covers
A safety audit is a systematic examination of your safety management system to determine whether it meets the requirements of your chosen framework, applicable legislation, and your own documented procedures. It is not a site walkthrough. That is an inspection. An audit goes deeper, reviewing the system that is supposed to keep your people safe and checking whether that system actually works.
The scope of a safety audit typically covers seven areas: safety policy and objectives, hazard identification and risk assessment processes, operational controls and procedures, training and competency management, incident reporting and investigation, monitoring and measurement, and management review. Each area is assessed against documented criteria, and findings are classified as conformances, observations, or non-conformances.
External audits, whether from a certification body such as SAI Global or BSI, a client, or a regulator like SafeWork, follow a structured process. The auditor reviews documentation in advance, conducts on-site interviews with workers and supervisors, observes workplace practices, and samples records such as training matrices, inspection logs, and corrective action registers. The output is a formal audit report with findings and, for certification audits, a recommendation on whether to maintain, grant, or suspend certification.
Internal audits follow the same methodology but are conducted by your own people. The critical requirement is independence: the auditor must not audit their own area of responsibility. A site manager cannot audit their own site, and a safety manager cannot audit the safety management system they wrote. Cross-site auditing, where Site A's manager audits Site B, is a practical approach for multi-site operations.
Preparation is where most organisations either succeed or stumble. An audit finds what is there, and what is missing. If your records are organised, your corrective actions are closed out, and your procedures reflect reality, the audit validates your system. If your records are scattered, your corrective actions are overdue, and your procedures describe a system that nobody follows, the audit exposes those gaps. The preparation process is your opportunity to close those gaps before the auditor finds them.
Documentation you need ready
Every safety audit begins with a document review. The auditor will request your safety management system documentation before arriving on site. Having these documents organised, current, and accessible is the foundation of a smooth audit. Missing or outdated documents are among the most common non-conformances.
The core documents include your safety policy (signed by senior management and dated within the last 12 months), your risk register (current, with review dates within the required period), your procedures manual (covering all critical safety processes), your training matrix (showing required competencies for each role and current compliance status), your incident register (with investigation reports and corrective actions), and your audit schedule and previous audit reports with evidence of corrective action completion.
Supporting documents that auditors commonly request include Safe Work Method Statements (SWMS) for high-risk work, emergency response plans, first aid assessments, workplace inspection records, plant and equipment compliance registers, chemical registers and safety data sheets, contractor management records, and consultation records showing worker participation in safety decisions.
Version control matters. If the auditor finds a procedure document with no version number, no review date, and no approval signature, that is a non-conformance regardless of how good the content is. Every controlled document should have a document number, version, date of issue, review date, and the name of the person who approved it. A document management system enforces this automatically; a shared drive full of Word documents typically does not.
Digital document management transforms audit preparation from a scramble into a verification exercise. When your documents live in a centralised platform with automatic version control, review reminders, and access logs, you are always audit-ready. The preparation task shifts from "find and organise the documents" to "verify the documents are current," which is a fundamentally different level of effort. Linking your safety documents to your broader asset tracking system ensures that plant compliance records, inspection histories, and maintenance logs are all accessible from the same platform.
Reviewing your risk register
The risk register is the document that auditors spend the most time on, because it demonstrates whether your organisation systematically identifies and controls hazards. An outdated risk register is a red flag. A risk register with review dates more than 12 months old, missing controls, or risks that do not reflect the current work environment will generate non-conformances.
Before the audit, review every entry in the risk register. For each hazard, verify that the description is still accurate, the risk rating reflects the current situation, the controls listed are actually in place and functioning, the residual risk rating accounts for the current controls, and the review date is within the required period. If anything has changed, update the entry and record the change with a date and rationale.
Pay particular attention to risks associated with plant and equipment. Auditors will often select a piece of plant from the risk register and then verify on site that the documented controls are in place. If the risk register says an excavator requires daily pre-start inspections, the auditor will check whether pre-start records exist and are current. A structured risk assessment process that feeds directly into the risk register ensures consistency.
New hazards identified since the last review should be added before the audit. If your operation has introduced new equipment, new processes, new chemicals, or new work environments since the risk register was last updated, these need to be captured. An auditor who observes a hazard on site that is not recorded in the risk register will classify this as a non-conformance, because it indicates a failure in the hazard identification process.
The risk register should also demonstrate the hierarchy of controls. For each hazard, the controls should progress from elimination down to PPE, with documentation showing why higher-order controls were not reasonably practicable. If every risk in your register has PPE as the only control, the auditor will question whether the hierarchy was properly applied.
Inspection and maintenance records
Inspection and maintenance records provide objective evidence that your controls are being implemented. A procedure that says "inspect fire extinguishers monthly" is only as good as the records that prove it happens. Auditors will sample inspection records across different areas and time periods to assess whether the inspection programme is consistent, not just up to date at the time of the audit.
Compile all workplace inspection records for the audit period. This includes site safety inspections, plant and equipment pre-start checks, fire equipment inspections, electrical testing and tagging records, height safety equipment inspections, and any other scheduled inspections in your safety management system. Check for gaps. A missing month of pre-start records for a critical piece of plant is a finding that is difficult to explain.
Maintenance records for safety-critical equipment deserve special attention. Pressure vessels, lifting equipment, electrical installations, and fire protection systems all have regulatory inspection and testing requirements. Verify that all scheduled inspections have been completed, that the records are on file, and that any defects identified have been addressed. Using maintenance tracking with automated scheduling ensures these inspections do not slip.
For plant and equipment, auditors may request registration records, design registration certificates, and evidence of compliance with relevant Australian Standards. If your operation uses registered plant such as cranes, pressure equipment, or amusement devices, verify that registration is current and that the required inspections have been completed by competent persons.
Digital inspection records with timestamps, photos, and geolocated data provide stronger audit evidence than paper records. A paper checklist signed "J. Smith, 15/04/2026" is easy to challenge. A digital record with a timestamp, GPS coordinates, three photos, and a signature captured on a smartphone is substantially harder to dispute. If your current system is paper-based, consider transitioning to digital inspections before your next audit cycle.
Corrective action close-out
Open corrective actions are one of the most damaging audit findings. They demonstrate that your organisation identified a problem, agreed on a fix, assigned responsibility, and then failed to follow through. From an auditor's perspective, this is worse than not having identified the problem at all, because it shows awareness without action.
Before the audit, pull a report of every open corrective action from incidents, previous audits, inspections, and management reviews. For each action, check the status: is it genuinely in progress, or has it stalled? Is it overdue? Has it been completed but not formally closed out with evidence? The most common finding is corrective actions that were completed in practice but never closed in the system because nobody updated the record.
For overdue actions, either complete them before the audit or document a revised timeline with a legitimate reason for the delay. An auditor will accept that a corrective action requiring a capital expenditure approval was delayed by the approval process, provided there is a documented interim control and a revised completion date. An auditor will not accept that a corrective action requiring a supervisor to update a procedure has been overdue for six months with no explanation.
Close-out evidence must match the corrective action. If the action was "install guardrails on the mezzanine," the close-out evidence should include photos of the installed guardrails, the date of installation, and confirmation that they meet the relevant standard. A note that says "completed" without evidence is insufficient. Track corrective actions in the same system as your work orders so they are assigned, scheduled, and closed with evidence.
Look for repeat findings. If the same non-conformance appears in consecutive audits, it indicates that the corrective action addressed the symptom but not the root cause. Repeat findings attract higher scrutiny from auditors and can escalate a minor non-conformance to a major one. Before the audit, review previous audit reports and verify that the root causes of previous findings have been genuinely addressed.
Common audit findings and how to avoid them
After years of safety audits across Australian operations, certain findings appear repeatedly. Knowing what auditors commonly find allows you to check for these issues before they do.
Outdated procedures. The documented procedure does not match the actual practice. This happens when processes evolve over time but the documentation is not updated. Walk through your critical procedures with the people who perform them and verify that the document reflects reality. Where there is a gap, update the document or change the practice, but do not leave the discrepancy for the auditor to find.
Training gaps. Workers are performing tasks for which they do not have documented competency. This is especially common for high-risk work licences that have expired, inductions that were verbal but never recorded, or task-specific training that was assumed but never formally delivered. Run a compliance report from your training matrix and address every gap before the audit.
Incomplete incident investigations. Incidents were reported but the investigation was either not completed, did not identify a root cause, or did not result in corrective actions. Review every incident report for the audit period and ensure each has a completed investigation, an identified root cause, and corrective actions that have been implemented and closed out.
Missing or expired plant compliance. Registered plant without current registration, lifting equipment without current inspection certificates, or electrical equipment without current test and tag records. Run a compliance report for all plant and equipment and address any gaps. This is where an integrated compliance management system proves its value, by flagging expiring registrations and overdue inspections automatically.
No management review. The safety management system has no evidence that senior management reviewed safety performance in the past 12 months. Schedule and document a management review before the audit. This review should cover incident trends, audit findings, corrective action status, training compliance, and leading safety indicators. The minutes of the review, signed by senior management, are the evidence the auditor needs. Preparation is not about creating a perfect system overnight. It is about ensuring that the system you have is functioning as documented, records are current and accessible, and known gaps have been addressed or have documented plans for resolution.
