Queensland Repeals HSR Access to WHSQ Enforcement Information

The Queensland State Government has made a significant—and controversial—change to the state’s work health and safety (WHS) framework. By repealing provisions that would have allowed Health and Safety Representatives (HSRs) to request and obtain enforcement information from Workplace Health and Safety Queensland (WHSQ), the government has reshaped the balance between transparency, regulatory control, and workplace power dynamics.

This development raises important questions about accountability, worker representation, and the future of safety oversight in Queensland workplaces.

Understanding the Repealed Rights

Under the now-repealed provisions, HSRs—and in some cases union officials—would have been able to request detailed compliance and enforcement information from WHSQ. This included data on:

  • Improvement notices
  • Prohibition notices
  • Non-disturbance notices

These notices are key regulatory tools. Improvement notices require employers to fix safety breaches within a timeframe, while prohibition notices address serious and immediate risks by halting unsafe activities. Non-disturbance notices preserve incident sites for investigation.

Access to this information would have given HSRs greater visibility into an employer’s safety history and regulatory interactions—potentially strengthening their ability to advocate for safer conditions.

Why the Government Repealed the Laws

The repeal forms part of broader amendments to Queensland’s WHS legislation. According to government statements, the decision was driven by concerns about misuse and overreach.

The repealed laws were criticised for:

  • Allowing unlimited requests for information
  • Lacking requirements for justification or relevance
  • Potentially enabling misuse by unions or representatives

The government argued that such provisions could be “weaponised” in industrial disputes, shifting the focus away from safety and toward workplace conflict.

In this context, the repeal is framed as an effort to restore balance and ensure that WHSQ remains focused on its core function: enforcing safety laws and preventing harm.

Implications for Workplace Safety

The removal of HSR access to enforcement data has sparked debate across industry, unions, and legal circles.

Potential Benefits:

  • Reduces administrative burden on WHSQ
  • Limits risk of sensitive information being used for non-safety purposes
  • Reinforces the regulator’s independence

Potential Risks:

  • Decreases transparency around employer compliance history
  • Limits HSR capacity to proactively identify systemic safety issues
  • May weaken worker participation in safety oversight

HSRs still retain important powers, including issuing provisional improvement notices (PINs) within their workgroups and participating in consultation processes.

However, without access to regulator-held information, their ability to form a complete picture of workplace risks may be constrained.

A Broader Policy Direction

This repeal reflects a broader policy direction within Queensland’s WHS reforms—one that appears to prioritise regulatory control and safeguards against perceived misuse over expanded information-sharing.

It also aligns Queensland more closely with the national model WHS framework, which does not provide equivalent broad access rights for HSRs to regulator enforcement data.

At the same time, the move highlights an ongoing tension in workplace safety law: how to balance transparency and worker empowerment with fairness, privacy, and the prevention of misuse.

Conclusion

The repeal of HSR rights to access WHSQ enforcement information marks a pivotal shift in Queensland’s approach to workplace safety governance. While the government frames the change as a necessary safeguard, critics argue it may reduce transparency and weaken frontline safety advocacy.

Ultimately, the long-term impact will depend on how effectively existing mechanisms—consultation processes, inspections, and enforcement actions—continue to protect workers without the added layer of information-sharing that has now been removed.

As Queensland’s WHS landscape evolves, this decision will likely remain a focal point in debates about the role of workers, regulators, and employers in maintaining safe workplaces.

ISO 45001 vs WHS Act: What Businesses Get Wrong

Many Australian businesses assume that if they’re certified to ISO 45001, they’ve “covered” their legal WHS obligations.

Others assume that if they comply with the WHS Act, there’s no need to worry about ISO certification.

Both assumptions are wrong.

Understanding the difference between ISO 45001 and Australia’s WHS legislation — and how they intersect — is critical to avoiding compliance gaps, wasted effort, and audit findings.

The Legal Foundation: The WHS Act

Australia’s work health and safety laws are built around the model Work Health and Safety Act 2011, adopted (with variations) across most states and territories.

The WHS Act:

  • Is law
  • Imposes mandatory duties
  • Creates enforceable obligations
  • Carries penalties for non-compliance

It establishes the primary duty of care for a PCBU (Person Conducting a Business or Undertaking) and requires risks to be eliminated or minimised so far as is reasonably practicable.

Regulators such as SafeWork NSW and WorkSafe Victoria enforce compliance.

Failure to comply can result in improvement notices, prohibition notices, fines, or prosecution.

The International Standard: ISO 45001

ISO 45001 is an international management system standard published by the International Organisation for Standardisation.

It is:

  • Voluntary (unless contractually required)
  • A framework for managing OH&S risks
  • Audited by certification bodies
  • Focused on systems and continual improvement

It does not replace or override legal obligations.

The Core Difference

WHS Act = What you must do (legal duties)

ISO 45001 = How you can structure your system to manage those duties

One is law.

The other is a management framework.

Confusing the two is where businesses go wrong.

What Businesses Commonly Get Wrong

  1. “We’re ISO Certified, So We’re Legally Compliant”

ISO 45001 requires organisations to identify and comply with applicable legal requirements — but certification does not guarantee legal compliance.

Auditors assess whether you have a system to manage compliance. Regulators assess whether you are actually compliant.

An organisation can pass an ISO audit yet still breach the WHS Act.

Certification bodies do not enforce legislation — regulators do.

  2. Treating ISO as a Paper Exercise

Some businesses implement ISO 45001 purely for:

  • Tender eligibility
  • Prequalification
  • Client expectations

They build extensive documentation but fail to ensure controls are embedded operationally.

ISO 45001 emphasises:

  • Leadership commitment
  • Worker consultation
  • Risk-based thinking
  • Continual improvement

If documentation exists without real implementation, both ISO auditors and regulators will identify the gap.

  3. Ignoring Officer Due Diligence

The WHS Act imposes personal duties on officers (e.g. directors and senior executives).

ISO 45001 requires leadership involvement — but it does not create personal criminal liability.

Some businesses mistakenly believe board-level review for ISO purposes automatically satisfies WHS due diligence.

Due diligence under the Act requires officers to:

  • Acquire knowledge of WHS matters
  • Understand operations and risks
  • Ensure resources are provided
  • Verify controls are implemented

That verification element is where many organisations fall short.

  4. Confusing Risk-Based Thinking with “Reasonably Practicable”

ISO 45001 uses risk-based thinking to manage OH&S risks.

The WHS Act uses the legal test of “so far as is reasonably practicable.”

These concepts overlap — but they are not identical.

The legal test considers:

  • Likelihood of hazard or risk occurring
  • Degree of harm
  • What the person knows (or should reasonably know)
  • Availability and suitability of controls
  • Cost relative to risk

If risk assessments don’t reflect this reasoning, legal defensibility may be weak — even if ISO processes exist.

  5. Over-Documenting to Satisfy ISO

ISO 45001 does not require excessive paperwork.

Yet many organisations create:

  • 100+ page manuals
  • Multiple redundant forms
  • Complex approval pathways

The WHS Act does not require elaborate documentation either — it requires effective risk management and control.

Over-complication often creates implementation gaps.

  6. Failing to Integrate Psychosocial Risk Management

Australian regulators are increasingly focused on psychosocial hazards (e.g. bullying, workload, fatigue).

While ISO 45001 covers psychological health risks in scope, many organisations:

  • Focus heavily on physical safety
  • Fail to systematically assess psychosocial risks
  • Lack documented controls

Regulators are far more likely to issue notices for these failures than ISO auditors are to withdraw certification.

Where ISO 45001 Adds Value

When implemented properly, ISO 45001 strengthens WHS compliance by:

  • Creating structured governance
  • Formalising consultation mechanisms
  • Improving documentation control
  • Embedding continual improvement
  • Driving leadership accountability

In mature organisations, ISO becomes a tool to demonstrate WHS compliance — not a substitute for it.

A Practical Comparison

WHS Act | ISO 45001
Mandatory law | Voluntary standard
Enforced by regulators | Audited by certification bodies
Breaches can lead to prosecution | Nonconformities affect certification
Focus on duties and risk control | Focus on systems and improvement
Personal liability for officers | Organisational certification only

The Smart Approach

Australian businesses should:

  1. Treat the WHS Act as the baseline requirement
  2. Use ISO 45001 as a structured framework
  3. Ensure risk management aligns with the “reasonably practicable” test
  4. Embed leadership accountability beyond symbolic review
  5. Focus on implementation, not paperwork

Final Thoughts

ISO 45001 and the WHS Act are not competitors.

They operate at different levels:

  • The WHS Act defines your legal duty.
  • ISO 45001 provides a management system to help meet that duty.

Businesses get into trouble when they mistake certification for compliance — or treat compliance as a tick-box exercise.

In Australia, the safest position is this:

Build a WHS system that genuinely manages risk and meets legislative duties.

Then use ISO 45001 to strengthen, structure, and continuously improve it.

Get in touch with us today and see how Sherm Software and Safety for Life can help.

Our Audit Readiness Guide explains how businesses can design systems that withstand multiple audit regimes simultaneously.

Why Spreadsheets and Shared Drives Stop Working for Audit Readiness

For many Australian businesses, spreadsheets and shared drives start as practical solutions for managing compliance evidence, policies, and audit documentation. They are familiar, inexpensive, and flexible.

But as organisations grow and regulatory expectations increase, these tools often become the very thing that slows down — or jeopardises — audit readiness.

From ISO certifications to industry-specific regulations and internal governance reviews, businesses across Australia are finding that spreadsheets and shared folders simply cannot keep up with modern audit requirements.

Let’s explore why.

  1. Version Control Becomes a Nightmare

In a spreadsheet-based compliance system, multiple people often update documents simultaneously.

This creates problems like:

  • Multiple file versions (e.g. RiskRegister_v5_FINAL_FINAL.xlsx)
  • Uncertainty about which document is the latest
  • Edits being overwritten
  • Important changes going untracked

During an audit, this leads to confusion and delays when auditors ask a simple question:

“Which version of this control was in effect during the review period?”

Without clear version history, proving this can become difficult.

  2. Evidence Is Scattered Across Systems

Audits rely heavily on evidence.

However, when organisations rely on shared drives, audit evidence is often spread across:

  • Email attachments
  • Different folders on network drives
  • Personal desktop files
  • Team collaboration tools
  • Individual spreadsheets

This fragmentation creates a huge administrative burden during audits. Teams spend hours — sometimes days — searching for documentation instead of demonstrating compliance.

Worse still, critical evidence can be accidentally missed.

  3. No Clear Ownership or Accountability

Compliance tasks typically involve many people across different teams:

  • IT
  • Finance
  • HR
  • Operations
  • Risk and compliance teams

In spreadsheets and shared drives, responsibilities are rarely structured. Tasks might be written in a sheet, but there’s usually no system enforcing:

  • Ownership of controls
  • Deadlines for reviews
  • Automated reminders
  • Escalation when tasks are overdue

Without clear accountability, controls that look complete on paper may actually be outdated or untested.

  4. Limited Audit Trail

Auditors want to see a clear trail of activity.

They need to know:

  • Who updated a policy
  • When a risk assessment was last reviewed
  • When a control was tested
  • What changes were made

Spreadsheets rarely provide a reliable audit trail, especially when files are downloaded, copied, or edited offline.

This lack of traceability raises questions about the integrity of compliance records.

  5. Scaling Becomes Impossible

A spreadsheet-based compliance approach may work when a business has:

  • One certification
  • A small team
  • Limited regulatory exposure

But as organisations expand, compliance requirements multiply. Businesses may need to manage:

  • Multiple standards
  • Several audits each year
  • Hundreds of controls
  • Dozens of evidence requests

At this point, spreadsheets become unmanageable. Teams end up maintaining multiple disconnected trackers that quickly fall out of sync.

  6. Audit Preparation Becomes a Fire Drill

Perhaps the biggest problem with spreadsheet-driven compliance is what happens before an audit.

Instead of being continuously audit-ready, teams scramble to prepare documentation:

  • Evidence is chased across departments
  • Controls are quickly re-reviewed
  • Policies are updated at the last minute
  • Teams rush to assemble audit folders

This reactive approach increases stress, wastes time, and increases the risk of non-conformities.

  7. Lack of Real-Time Visibility

Executives and compliance leaders need a clear view of risk and compliance status.

However, spreadsheets rarely provide real-time insight into:

  • Which controls are overdue
  • Which risks are increasing
  • Which departments are behind on reviews
  • What evidence is missing

Without this visibility, compliance management becomes reactive instead of proactive.

What Modern Audit-Ready Organisations Do Differently

Organisations that consistently pass audits with minimal disruption typically move beyond spreadsheets and shared drives.

Instead, they implement structured compliance systems that provide:

  • Centralised evidence management
  • Automated control tracking
  • Built-in audit trails
  • Clear ownership and accountability
  • Real-time compliance dashboards

This allows teams to maintain continuous audit readiness, rather than preparing only when an audit is scheduled.

The Bottom Line

Spreadsheets and shared drives are useful tools — but they were never designed to manage complex compliance frameworks or support audit readiness.

As Australian businesses face increasing regulatory expectations, relying on manual systems becomes risky and inefficient.

Moving toward a more structured approach to compliance management helps organisations:

  • Reduce audit stress
  • Improve accountability
  • Save time during reviews
  • Strengthen governance and risk management

And most importantly, it ensures that when auditors arrive, the business is already prepared.

Get in touch with us today and see how Sherm Software can help with that preparation.

Our Audit Readiness Guide explains what scalable, audit-ready systems look like in practice.

Audit Evidence: What to Keep, What to Drop, What to Digitise

If you’ve ever prepared for a WHS audit, you know the temptation: keep everything.

Folders expand. Shared drives overflow. Email chains get archived “just in case.”

But experienced auditors don’t reward volume — they look for relevance, reliability, and traceability.

Whether you’re preparing for a regulator interaction, client audit, or certification against ISO 45001, here’s how to decide what audit evidence to keep, what to drop, and what to digitise.

First: What Counts as “Audit Evidence”?

Audit evidence is any information that demonstrates your WHS management system:

  • Meets legal requirements (e.g. Work Health and Safety Act 2011 and state equivalents)
  • Is implemented in practice
  • Is effective and reviewed

Evidence must be:

  • Accurate
  • Current
  • Accessible
  • Traceable

If it doesn’t support those criteria, it’s probably clutter.

What to Keep

These are documents and records that auditors consistently request and rely on.

  1. Core Governance Documents

Keep:

  • WHS policy signed by senior leadership
  • Roles and responsibilities
  • Organisational chart
  • Legal compliance register
  • Risk management procedure

These demonstrate structure and accountability.

  2. Risk Management Records

Keep:

  • Current risk assessments
  • SWMS (where applicable)
  • Hazard registers
  • Control implementation records
  • Review evidence

Important: Outdated risk assessments that no longer reflect operations should be archived — not active.

  3. Training and Competency Records

Keep:

  • Induction records
  • High-risk work licences
  • Verification of competency (VOC)
  • Refresher training logs
  • Supervisor competency evidence

Auditors look for proof that workers are competent at the time of work, not just when they were first hired.

  4. Incident and Corrective Action Records

Keep:

  • Incident reports
  • Investigation findings
  • Root cause analysis
  • Corrective action tracking
  • Evidence of close-out

What matters most is showing that actions were implemented and verified.

  5. Consultation Evidence

Keep:

  • Safety committee minutes
  • HSR records
  • Toolbox talk records
  • Worker consultation feedback

WHS legislation places strong emphasis on consultation — auditors expect to see evidence of it.

What to Drop (or Archive Properly)

Not all documents need to stay in your active audit folder.

  1. Superseded Policies and Procedures

If a document has been replaced:

  • Archive it with version control
  • Remove it from operational folders
  • Ensure only current versions are accessible

Auditors often identify “document control failures” when outdated procedures remain in circulation.

  2. Redundant Forms

Many organisations collect forms no one reviews:

  • Pre-start checklists never analysed
  • Hazard reports with no follow-up
  • Meeting minutes no one reads

If a record doesn’t inform decisions or improvements, question why it exists.

  3. Excessive Email Evidence

Email chains are weak audit evidence unless:

  • They demonstrate formal approval
  • They verify a decision
  • They confirm action completion

Where possible, convert critical decisions into controlled records.

  4. Duplicated Records

If information exists in multiple systems:

  • Choose one “source of truth”
  • Eliminate manual duplication
  • Reduce reconciliation errors

Duplication creates audit risk.

What to Digitise

Digitisation isn’t just about convenience — it improves traceability and audit readiness.

  1. Training Registers

Move from spreadsheets to:

  • Centralised training management systems
  • Automated refresher alerts
  • Licence expiry tracking

This reduces non-compliance risk.

  2. Risk Registers

Digital risk systems allow:

  • Version control
  • Review tracking
  • Control verification
  • Dashboard reporting

Auditors appreciate systems that clearly show when risks were last reviewed.

  3. Corrective Action Tracking

Manual spreadsheets often fail because:

  • Actions aren’t assigned clearly
  • Deadlines aren’t monitored
  • Close-outs aren’t verified

Digital systems provide accountability and audit trails.

  4. Contractor Management

Digitise:

  • Prequalification documents
  • Insurance currency
  • SWMS approvals
  • Induction records

This is especially valuable for construction, logistics, and multi-site businesses.

How Long Should You Keep WHS Records?

Retention requirements vary depending on the type of record and state legislation, but common examples include:

  • Incident records involving serious injury: often 5+ years
  • Health monitoring records (e.g. asbestos exposure): decades
  • Training records: duration of employment + additional period

Always align with applicable WHS regulations and industry-specific requirements.

The “Audit-Ready” Test

Ask these five questions about any document:

  1. Does this demonstrate compliance or effectiveness?
  2. Is it current?
  3. Is it controlled (versioned and authorised)?
  4. Can we retrieve it within minutes?
  5. Does it show follow-through, not just intent?

If the answer is “no” to most of these, reconsider its place in your system.

The Biggest Mistake Businesses Make

They build systems for the audit — not for the business.

Auditors (including those assessing against ISO 45001) are trained to detect:

  • Over-documented systems
  • Forms created purely for compliance
  • Records that exist but aren’t used

Strong evidence is:

  • Simple
  • Relevant
  • Consistent
  • Embedded in daily operations

Final Thoughts

Good audit evidence isn’t about volume — it’s about clarity and control.

Keep what proves your system works. Drop what adds noise. Digitise what improves visibility and accountability.

An audit-ready organisation isn’t the one with the most folders. It’s the one where evidence is accurate, current, and easy to find — every day, not just before the auditor arrives.

Sherm Software will help you to become an audit-ready organisation. Book a demo today to see how.

Our Audit Readiness guide explains how businesses can design systems that withstand multiple audit regimes simultaneously.