Tag: Audits

If you’ve ever prepared for a WHS audit, you know the temptation: keep everything.

Folders expand. Shared drives overflow. Email chains get archived “just in case.”

But experienced auditors don’t reward volume — they look for relevance, reliability, and traceability.

Whether you’re preparing for a regulator interaction, client audit, or certification against ISO 45001, here’s how to decide what audit evidence to keep, what to drop, and what to digitise.

First: What Counts as “Audit Evidence”?

Audit evidence is any information that demonstrates your WHS management system:

• Meets legal requirements (e.g. Work Health and Safety Act 2011 and state equivalents)
• Is implemented in practice
• Is effective and reviewed

Evidence must be:

• Accurate
• Current
• Accessible
• Traceable

If it doesn’t support those criteria, it’s probably clutter.

What to Keep

These are documents and records that auditors consistently request and rely on.

1. Core Governance Documents

Keep:

• WHS policy signed by senior leadership
• Roles and responsibilities
• Organisational chart
• Legal compliance register
• Risk management procedure

These demonstrate structure and accountability.

2. Risk Management Records

Keep:

• Current risk assessments
• SWMS (where applicable)
• Hazard registers
• Control implementation records
• Review evidence

Important: Outdated risk assessments that no longer reflect operations should be archived — not active.

3. Training and Competency Records

Keep:

• Induction records
• High-risk work licences
• Verification of competency (VOC)
• Refresher training logs
• Supervisor competency evidence

Auditors look for proof that workers are competent at the time of work, not just when they were first hired.

4. Incident and Corrective Action Records

Keep:

• Incident reports
• Investigation findings
• Root cause analysis
• Corrective action tracking
• Evidence of close-out

What matters most is showing that actions were implemented and verified.

5. Consultation Evidence

Keep:

• Safety committee minutes
• HSR records
• Toolbox talk records
• Worker consultation feedback

WHS legislation places strong emphasis on consultation — auditors expect to see evidence of it.

What to Drop (or Archive Properly)

Not all documents need to stay in your active audit folder.

1. Superseded Policies and Procedures

If a document has been replaced:

• Archive it with version control
• Remove it from operational folders
• Ensure only current versions are accessible

Auditors often identify “document control failures” when outdated procedures remain in circulation.

2. Redundant Forms

Many organisations collect forms no one reviews:

• Pre-start checklists never analysed
• Hazard reports with no follow-up
• Meeting minutes no one reads

If a record doesn’t inform decisions or improvements, question why it exists.

3. Excessive Email Evidence

Email chains are weak audit evidence unless:

• They demonstrate formal approval
• They verify a decision
• They confirm action completion

Where possible, convert critical decisions into controlled records.

4. Duplicated Records

If information exists in multiple systems:

• Choose one “source of truth”
• Eliminate manual duplication
• Reduce reconciliation errors

Duplication creates audit risk.

What to Digitise

Digitisation isn’t just about convenience — it improves traceability and audit readiness.

1. Training Registers

Move from spreadsheets to:

• Centralised training management systems
• Automated refresher alerts
• Licence expiry tracking

This reduces non-compliance risk.

2. Risk Registers

Digital risk systems allow:

• Version control
• Review tracking
• Control verification
• Dashboard reporting

Auditors appreciate systems that clearly show when risks were last reviewed.

3. Corrective Action Tracking

Manual spreadsheets often fail because:

• Actions aren’t assigned clearly
• Deadlines aren’t monitored
• Close-outs aren’t verified

Digital systems provide accountability and audit trails.

4. Contractor Management

Digitise:

• Prequalification documents
• Insurance currency
• SWMS approvals
• Induction records

This is especially valuable for construction, logistics, and multi-site businesses.

How Long Should You Keep WHS Records?

Retention requirements vary depending on the type of record and state legislation, but common examples include:

• Incident records involving serious injury: often 5+ years
• Health monitoring records (e.g. asbestos exposure): decades
• Training records: duration of employment + additional period

Always align with applicable WHS regulations and industry-specific requirements.

The “Audit-Ready” Test

Ask these five questions about any document:

1. Does this demonstrate compliance or effectiveness?
2. Is it current?
3. Is it controlled (versioned and authorised)?
4. Can we retrieve it within minutes?
5. Does it show follow-through, not just intent?

If the answer is “no” to most of these, reconsider its place in your system.

The Biggest Mistake Businesses Make

They build systems for the audit — not for the business.

Auditors (including those assessing against ISO 45001) are trained to detect:

• Over-documented systems
• Forms created purely for compliance
• Records that exist but aren’t used

Strong evidence is:

• Simple
• Relevant
• Consistent
• Embedded in daily operations

Final Thoughts

Good audit evidence isn’t about volume — it’s about clarity and control.

Keep what proves your system works. Drop what adds noise. Digitise what improves visibility and accountability.

An audit-ready organisation isn’t the one with the most folders. It’s the one where evidence is accurate, current, and easy to find — every day, not just before the auditor arrives.

Sherm Software will help you to become an audit-ready organisation, book a demo today to see how.

Our Audit Readiness guide explains how businesses can design systems that withstand multiple audit regimes simultaneously.

Work Health and Safety (WHS) audits can feel intimidating. Whether you’re preparing for a regulator visit, a client prequalification, or certification against ISO 45001, many businesses aren’t entirely sure what auditors are really assessing.

The good news? WHS auditors aren’t looking for perfection. They’re looking for evidence of a functioning safety management system that is practical, understood, and consistently applied.

Here’s what WHS auditors actually focus on.

Legal Compliance with WHS Legislation

First and foremost, auditors assess compliance with the relevant state or territory WHS legislation, such as:

• Work Health and Safety Act 2011
• SafeWork NSW requirements
• WorkSafe Victoria guidance

They want to see that your organisation understands its primary duty of care, officer due diligence obligations, and worker responsibilities.

Typical evidence requested:

• WHS policy signed by senior management
• Documented responsibilities
• Legislative compliance register
• Evidence of periodic legal reviews

Risk Management Processes

WHS law is risk-based. Auditors expect to see a structured process for:

• Hazard identification
• Risk assessment
• Implementation of controls
• Review of control effectiveness

They’ll check whether your process aligns with the hierarchy of control (elimination, substitution, engineering, administrative, PPE).

Common areas reviewed:

• High-risk construction work
• Plant and equipment
• Manual handling
• Hazardous chemicals
• Psychosocial hazards (increasingly important)

They’re not just checking paperwork — they’ll verify that controls exist in practice.

Consultation and Worker Participation

Under WHS laws, consultation is mandatory. Auditors will examine:

• Health and Safety Representative (HSR) arrangements
• Safety committee meeting minutes
• Toolbox talks
• Worker feedback mechanisms

They may interview workers directly. If employees can’t explain safety procedures or feel disconnected from the system, that’s a red flag.

Training and Competency

Auditors look for proof that workers are competent to perform their tasks safely.

Evidence may include:

• Induction records
• High-risk work licences
• Verification of Competency (VOC) records
• Supervisor training
• Contractor onboarding systems

They’ll also check whether refresher training is scheduled and tracked.

Incident Reporting and Investigation

A strong WHS system treats incidents as learning opportunities.

Auditors review:

• Incident reports
• Investigation findings
• Root cause analysis
• Corrective actions
• Evidence that actions were closed out

They may ask:

“Show me an incident from the last 12 months and what changed because of it.”

Documentation vs. Reality

One of the biggest misconceptions is that WHS audits are purely document checks.

They aren’t.

Auditors conduct:

• Site inspections
• Worker interviews
• Observation of work practices

If your procedures say one thing but work is done differently, that gap will be identified. Consistency between Policy, Procedure and Practice is critical.

Contractor and Supplier Management

If you engage contractors, auditors will examine:

• Prequalification processes
• SWMS (Safe Work Method Statements)
• Contractor induction
• Monitoring and supervision
• Performance reviews

Principal contractors and businesses conducting high-risk work receive particular scrutiny.

Emergency Preparedness

Auditors assess whether you are prepared for reasonably foreseeable emergencies.

They’ll review:

• Emergency plans
• Evacuation diagrams
• Fire warden training
• Drill records
• First aid arrangements

And they’ll often ask workers what they would do in an emergency.

Continuous Improvement

A mature WHS system shows evidence of ongoing improvement.

Auditors look for:

• Internal audits
• Management review meetings
• KPI tracking (e.g. TRIFR, LTIFR)
• Corrective and preventive action systems

Certification audits (such as ISO 45001) place strong emphasis on leadership commitment and system improvement over time.

Officer Due Diligence

Under WHS law, company officers must exercise due diligence. Auditors may review whether directors and executives:

• Receive WHS performance reports
• Allocate adequate resources
• Understand critical risks
• Verify the implementation of controls

Board-level visibility of safety is increasingly expected.

What Auditors Are Not Looking For

• A perfect safety record
• Zero incidents
• Overly complex documentation
• A 500-page safety manual no one reads

They want to see a system that is:

• Practical
• Proportionate to your business size and risk
• Understood by workers
• Actively maintained

Final Thoughts

WHS audits are about evidence, consistency, and effectiveness.

If your safety system:

• Identifies real risks
• Implements appropriate controls
• Involves workers
• Learns from incidents
• Demonstrates leadership commitment

…you’re already aligned with what auditors actually look for.

The key is not preparing for the audit the week before — it’s building a safety system that works every day.

Sherm Software is that safety system, book a demo today and see for yourself.

For a deeper explanation of how these expectations come together, see our guide to Audit Readiness for WHS, ISO and Principal Contractor Audits.