What WHS Auditors Actually Look For

Work Health and Safety (WHS) audits can feel intimidating. Whether you’re preparing for a regulator visit, a client prequalification, or certification against ISO 45001, many businesses aren’t entirely sure what auditors are really assessing.

The good news? WHS auditors aren’t looking for perfection. They’re looking for evidence of a functioning safety management system that is practical, understood, and consistently applied.

Here’s what WHS auditors actually focus on.

Legal Compliance with WHS Legislation

First and foremost, auditors assess compliance with the relevant state or territory WHS legislation, such as:

  • Work Health and Safety Act 2011
  • SafeWork NSW requirements
  • WorkSafe Victoria guidance

They want to see that your organisation understands its primary duty of care, officer due diligence obligations, and worker responsibilities.

Typical evidence requested:

  • WHS policy signed by senior management
  • Documented responsibilities
  • Legislative compliance register
  • Evidence of periodic legal reviews

Risk Management Processes

WHS law is risk-based. Auditors expect to see a structured process for:

  • Hazard identification
  • Risk assessment
  • Implementation of controls
  • Review of control effectiveness

They’ll check whether your process aligns with the hierarchy of control (elimination, substitution, engineering, administrative, PPE).

Common areas reviewed:

  • High-risk construction work
  • Plant and equipment
  • Manual handling
  • Hazardous chemicals
  • Psychosocial hazards (increasingly important)

They’re not just checking paperwork — they’ll verify that controls exist in practice.

Consultation and Worker Participation

Under WHS laws, consultation is mandatory. Auditors will examine:

  • Health and Safety Representative (HSR) arrangements
  • Safety committee meeting minutes
  • Toolbox talks
  • Worker feedback mechanisms

They may interview workers directly. If employees can’t explain safety procedures or feel disconnected from the system, that’s a red flag.

Training and Competency

Auditors look for proof that workers are competent to perform their tasks safely.

Evidence may include:

  • Induction records
  • High-risk work licences
  • Verification of Competency (VOC) records
  • Supervisor training
  • Contractor onboarding systems

They’ll also check whether refresher training is scheduled and tracked.

Incident Reporting and Investigation

A strong WHS system treats incidents as learning opportunities.

Auditors review:

  • Incident reports
  • Investigation findings
  • Root cause analysis
  • Corrective actions
  • Evidence that actions were closed out

They may ask:

“Show me an incident from the last 12 months and what changed because of it.”

Documentation vs. Reality

One of the biggest misconceptions is that WHS audits are purely document checks.

They aren’t.

Auditors conduct:

  • Site inspections
  • Worker interviews
  • Observation of work practices

If your procedures say one thing but work is done differently, that gap will be identified. Consistency between Policy, Procedure and Practice is critical.

Contractor and Supplier Management

If you engage contractors, auditors will examine:

  • Prequalification processes
  • SWMS (Safe Work Method Statements)
  • Contractor induction
  • Monitoring and supervision
  • Performance reviews

Principal contractors and businesses conducting high-risk work receive particular scrutiny.

Emergency Preparedness

Auditors assess whether you are prepared for reasonably foreseeable emergencies.

They’ll review:

  • Emergency plans
  • Evacuation diagrams
  • Fire warden training
  • Drill records
  • First aid arrangements

And they’ll often ask workers what they would do in an emergency.

Continuous Improvement

A mature WHS system shows evidence of ongoing improvement.

Auditors look for:

  • Internal audits
  • Management review meetings
  • KPI tracking (e.g. TRIFR, LTIFR)
  • Corrective and preventive action systems

Certification audits (such as ISO 45001) place strong emphasis on leadership commitment and system improvement over time.

Officer Due Diligence

Under WHS law, company officers must exercise due diligence. Auditors may review whether directors and executives:

  • Receive WHS performance reports
  • Allocate adequate resources
  • Understand critical risks
  • Verify the implementation of controls

Board-level visibility of safety is increasingly expected.

What Auditors Are Not Looking For

  • A perfect safety record
  • Zero incidents
  • Overly complex documentation
  • A 500-page safety manual no one reads

They want to see a system that is:

  • Practical
  • Proportionate to your business size and risk
  • Understood by workers
  • Actively maintained

Final Thoughts

WHS audits are about evidence, consistency, and effectiveness.

If your safety system:

  • Identifies real risks
  • Implements appropriate controls
  • Involves workers
  • Learns from incidents
  • Demonstrates leadership commitment

…you’re already aligned with what auditors actually look for.

The key is not preparing for the audit the week before — it’s building a safety system that works every day.

Sherm Software is that safety system. Book a demo today and see for yourself.

For a deeper explanation of how these expectations come together, see our guide to Audit Readiness for WHS, ISO and Principal Contractor Audits.

Common Reasons Businesses Fail WHS, ISO or Principal Contractor Audits

Workplace audits, whether for Work Health and Safety (WHS), ISO certification, or principal contractor compliance, are designed to ensure businesses operate safely, legally, and systematically.

Audits may be conducted under state-based WHS regulators such as Safe Work Australia (policy body), enforcement authorities like SafeWork NSW, or as part of ISO certification through standards developed by the International Organization for Standardization. Principal contractors on construction projects also conduct prequalification and ongoing compliance audits to manage site risk.

Despite good intentions, many businesses fail these audits for preventable reasons. Below are the most common causes, and how to avoid them.

Incomplete or Outdated Safety Management Systems

A common failure point is having a WHS or ISO system that looks good on paper but hasn’t been updated, or implemented, in practice.

Typical issues include:

  • Policies not reviewed annually
  • Procedures that don’t reflect current operations
  • Missing version control
  • Documents that reference outdated legislation

Auditors look for evidence that your system is live, current, and embedded, not just a template stored in a folder.

How to avoid it:

Schedule annual management reviews and document revisions. Ensure procedures match actual site practices.

Poor Hazard Identification and Risk Assessments

Under harmonised WHS laws, businesses must identify hazards and implement effective controls.

Audit failures often arise from:

  • Generic, copy-paste risk assessments
  • Missing Safe Work Method Statements (SWMS)
  • No evidence of site-specific risk review
  • Controls not aligned with the hierarchy of control

Principal contractors in construction are especially strict about SWMS compliance and site-specific risk management.

How to avoid it:

Ensure risk assessments are task-specific, signed, dated, and reviewed when conditions change.

Inadequate Training and Competency Records

You may have competent workers, but if you can’t prove it, you can fail the audit.

Common documentation gaps include:

  • Expired high-risk work licences
  • Missing VOC (Verification of Competency) records
  • No training matrix
  • No induction records
  • No refresher training evidence

ISO standards such as ISO 9001 and ISO 45001 require documented competency evidence.

How to avoid it:

Maintain a live training register and monitor expiry dates proactively.

Lack of Consultation and Worker Participation

WHS laws require consultation with workers on safety matters.

Auditors may ask:

  • How are workers consulted about hazards?
  • Are toolbox talks documented?
  • Is there evidence of safety meetings?
  • Are HSRs (Health and Safety Representatives) involved?

If consultation is informal and undocumented, it may not meet compliance requirements.

How to avoid it:

Keep minutes of toolbox talks and safety meetings. Record attendance and action items.

Incident Reporting and Investigation Failures

Many businesses fail audits not because incidents occurred, but because they weren’t managed correctly.

Red flags include:

  • No incident register
  • No investigation reports
  • No root cause analysis
  • Corrective actions not tracked
  • Notifiable incidents not reported

Regulators expect a structured approach to incident management and corrective actions.

How to avoid it:

Use a formal incident reporting system and track corrective actions through to completion.

Contractor Management Gaps

Principal contractor audits often focus heavily on subcontractor compliance.

Common issues:

  • No contractor prequalification process
  • Missing insurances
  • No SWMS review process
  • No evidence of subcontractor induction
  • Lack of monitoring and supervision

If you can’t demonstrate oversight of subcontractors, you may fail site audits.

How to avoid it:

Implement a documented contractor management procedure with checklists and approval records.

Internal Audits Not Conducted (or Not Effective)

For ISO-certified businesses, internal audits are mandatory.

Frequent problems include:

  • No internal audit schedule
  • Superficial audits with no findings
  • No evidence of corrective action follow-up
  • Management reviews not conducted

Auditors expect to see continuous improvement, not just compliance.

How to avoid it:

Conduct structured internal audits annually and document management review outcomes.

Poor Document Control

Document control is a major ISO audit focus area.

Typical failures:

  • Uncontrolled forms in circulation
  • Staff using outdated procedures
  • Missing document registers
  • No approval signatures

Even strong systems can fail audits if document control is weak.

How to avoid it:

Use a controlled document register with version numbers and review dates.

Leadership and Due Diligence Gaps

Under WHS laws, company officers must exercise due diligence.

Auditors may question:

  • How leadership monitors WHS performance
  • Whether safety KPIs are reviewed
  • If directors receive safety reports
  • How compliance obligations are tracked

If leadership cannot demonstrate active involvement, this can result in major non-conformances.

How to avoid it:

Document board-level WHS reporting and decision-making processes.

“Paper Compliance” Without Real Implementation

One of the biggest audit failures is when systems exist, but workers don’t follow them.

Auditors commonly:

  • Interview workers
  • Observe work practices
  • Compare procedures against actual behaviour

If there’s a disconnect between documentation and practice, it’s a serious red flag.

How to avoid it:

Ensure supervisors enforce procedures and conduct regular site inspections.

Final Thoughts

Most WHS, ISO, and principal contractor audit failures aren’t caused by catastrophic breaches; they’re caused by:

  • Inconsistent documentation
  • Lack of follow-through
  • Poor monitoring
  • Weak leadership engagement

The key to passing audits is embedding safety and compliance into everyday operations, not treating audits as one-off events.

If your systems are current, documented, implemented, and regularly reviewed, audits become far less stressful, and far more predictable.

Proactive compliance doesn’t just help you pass audits; it strengthens your business resilience, protects workers, and enhances your reputation in competitive industries like construction, manufacturing, and civil works.

This article expands on concepts covered in our Audit Readiness pillar page, which explains how these failures can be prevented structurally.

What Audit Readiness Actually Means

When organisations say they’re “audit ready,” it often means very different things. For some, it’s a last-minute scramble before the auditor arrives. For others, it’s a year-round discipline embedded in governance, finance, IT, and operations.

True audit readiness isn’t about having neat folders or polished financial statements. It’s about being able to demonstrate compliance, accuracy, and control at any time—under regulatory and accounting standards.

Let’s break down what audit readiness really means in context.

Understanding the Regulatory Landscape

Audit readiness starts with knowing which rules apply to your organisation.

Financial reporting and audit requirements are shaped by:

  • The Australian Securities and Investments Commission (ASIC)
  • The Australian Accounting Standards Board (AASB)
  • The Australian Prudential Regulation Authority (APRA) (for financial institutions)
  • The Australian Charities and Not-for-profits Commission (ACNC) (for charities)

Depending on your structure (company, charity, public sector entity, financial institution), different standards and reporting obligations apply.

Being audit ready means you:

  • Know which standards apply to you
  • Understand reporting deadlines
  • Maintain documentation that aligns with Australian Accounting Standards (AAS)

It’s More Than Just the Annual Audit

Many organisations treat audit readiness as a seasonal project—usually starting a few months before year-end.

In reality, audit readiness means:

  • Clean reconciliations completed monthly
  • Controls operating consistently throughout the year
  • Policies reviewed and updated regularly
  • Evidence retained in real time

If documentation is only assembled when auditors ask for it, you’re not audit ready—you’re audit reactive.

Strong Internal Controls (Not Just Good Intentions)

Auditors focus heavily on internal controls. That includes:

  • Segregation of duties
  • Delegations of authority
  • Approval workflows
  • IT access management
  • Change management processes

For APRA-regulated entities, expectations are even higher around risk governance and operational resilience.

Audit readiness means controls are:

  • Documented
  • Tested
  • Understood by staff
  • Consistently applied

And importantly—evidence exists to prove it.

Documentation Is Everything

In audits, if it isn’t documented, it didn’t happen.

That includes:

  • Board minutes approving financial statements
  • Signed contracts
  • Revenue recognition support
  • Grant acquittals
  • Asset valuations
  • Lease calculations under AASB 16

Being audit ready means documentation is:

  • Centralised
  • Version controlled
  • Accessible
  • Complete

Auditors should not need to chase multiple departments repeatedly for basic evidence.

Alignment with Australian Accounting Standards

Australian Accounting Standards (AAS) align closely with IFRS but have specific local requirements.

Common areas where organisations struggle include:

  • Revenue recognition (AASB 15)
  • Leases (AASB 16)
  • Financial instruments (AASB 9)
  • Impairment assessments
  • Consolidations

Audit readiness means technical accounting positions are:

  • Clearly documented
  • Supported by calculations
  • Reviewed internally
  • Consistent year to year

If your team cannot explain why a treatment was adopted, auditors will flag it.

Governance and Board Oversight

Governance expectations are strong—particularly for public companies, large charities, and regulated entities.

Audit readiness includes:

  • Active audit and risk committees
  • Clear financial oversight
  • Documented risk management frameworks
  • Regular internal reporting

Board members should understand key financial judgments—not just sign off at year-end.

Data Integrity and Systems Reliability

Modern audits increasingly assess:

  • ERP system controls
  • Cybersecurity controls
  • Backup and disaster recovery
  • Data accuracy and integrity

Poor system controls often lead to expanded audit testing, higher fees, and delayed signoffs.

Audit readiness means your systems can:

  • Produce reliable reports
  • Track changes
  • Restrict unauthorised access
  • Maintain audit trails

Being Ready for Regulator Scrutiny

Audit readiness also means being prepared beyond the auditor.

Regulators such as ASIC, APRA, or the ACNC can request documentation, explanations, or supporting materials.

Organisations that are genuinely audit ready can:

  • Produce requested documents quickly
  • Demonstrate compliance clearly
  • Show consistent governance practices

This reduces regulatory risk and reputational damage.

Audit Readiness Reduces Cost and Stress

Audit fees continue to rise—particularly for regulated industries and larger organisations.

Poor readiness leads to:

  • Extended audit timelines
  • Multiple information requests
  • Rework and corrections
  • Increased audit fees

Strong readiness typically results in:

  • Faster fieldwork
  • Fewer audit adjustments
  • Cleaner audit reports
  • Better internal financial confidence

What Audit Readiness Is Not

Let’s be clear about common misconceptions.

Audit readiness is not:

  • A last-minute clean-up
  • Outsourcing responsibility to auditors
  • Relying on one finance team member
  • Assuming “we’ve always done it this way” is sufficient

It’s a structured, organisation-wide discipline.

The Real Definition of Audit Readiness

Audit readiness means:

Your organisation can demonstrate compliance, accuracy, governance, and control at any time—under regulatory and accounting standards—without scrambling for evidence.

It’s proactive, not reactive.

It’s embedded, not seasonal.

And it’s a competitive advantage.

If your organisation is preparing for growth, external funding, regulatory scrutiny, or board-level governance uplift, strengthening audit readiness is one of the most practical investments you can make.

Because when the auditor walks in, readiness shouldn’t start—it should already exist.

Learn more about Audit Readiness and use our free checklist to see how audit ready your organisation is.