What Is a Health and Safety Audit?

A health and safety audit is a systematic, independent evaluation of an organisation's health and safety management systems, policies, procedures, and arrangements to determine whether they are effective, legally compliant, and working as intended. A health and safety audit is a way of measuring organisational performance against an agreed standard — focusing on systems, processes, and leadership rather than simply checking whether documents exist. For UK and global businesses, understanding what a health and safety audit is, how it differs from an inspection, what it covers, and how to act on its findings is essential to effective compliance management. This guide answers the question "what is a health and safety audit?" across 12 essential dimensions, with practical guidance on commissioning and using audits effectively.

Why the Question Matters

Most businesses know they should conduct health and safety audits. Fewer understand precisely what an audit is, how it differs from other review activities, or what genuinely useful audit output looks like.

The consequence of this uncertainty is that many organisations treat audits as periodic compliance exercises — a box to tick, a report to file, a credential to produce when a procurement process demands it. This misunderstands what audits are for and significantly limits their value.

A well-designed health and safety audit is one of the most powerful management tools available. It provides independent, evidence-based insight into whether safety arrangements are genuinely working — not whether they look correct on paper. It identifies where the gap between policy and practice is widest. It creates the documented due diligence record that protects directors and organisations in enforcement action. And it generates the improvement priorities that drive safety performance over time.

The HSE states that large public and private sector organisations should have formal procedures in place for auditing and reporting on health and safety performance. Auditing is therefore both a management best practice and an expectation of the regulator.

Health and Safety Consultants who conduct independent Health and Safety Audits bring the objectivity, expertise, and structured methodology that makes audit findings genuinely useful rather than merely reassuring.

1. The Definition of a Health and Safety Audit

A health and safety audit can be defined as an independent, systematic process to gather evidence and evaluate it objectively. Success or failure is judged against whether compliance with a relevant standard (the audit criteria) has been achieved.

The British Safety Council defines it as: "A collection of independent information on the efficiency, effectiveness and reliability of the total health and safety management system, and drawing up plans for corrective action."

The NEBOSH definition captures a critical dimension: an audit is not simply a documentation review. It is an evaluation of whether systems are working in practice — whether risk controls are effective, whether people are behaving as procedures require, and whether the organisation's safety management genuinely protects its people.

A health and safety audit looks in detail at how health and safety arrangements work across an organisation. It examines systems, leadership, and processes, and how these are implemented. To do this, auditors gather evidence to support their findings and recommendations. The focus is whether arrangements are effective at managing and reducing risk to a safe level, rather than checking whether documents are in place.

This last distinction is fundamental. An audit is not satisfied by a risk assessment that exists — it asks whether the risk assessment is suitable and sufficient, whether its controls are implemented, whether employees are aware of it, and whether it has been reviewed when required.

2. How a Health and Safety Audit Differs from an Inspection

The audit/inspection distinction is one of the most commonly misunderstood concepts in health and safety management. Understanding it prevents organisations from mistaking one for the other and missing the value each provides.

Health and safety inspection: - Focuses on physical workplace conditions and observable hazards at a point in time - Asks: "Is this workplace safe right now?" - Uses a checklist to identify immediate hazards requiring correction - Conducted regularly and frequently — from daily pre-use checks to monthly area inspections - Typically conducted by supervisors, managers, or safety representatives - Produces a list of specific items requiring action

Health and safety audit: - Focuses on management systems, policies, procedures, and their effectiveness - Asks: "Are our arrangements for managing health and safety working effectively?" - Uses a structured assessment against defined criteria to evaluate system performance - Conducted periodically — typically annually for most organisations - Conducted by qualified auditors, either internal or external - Produces a comprehensive report on system effectiveness with prioritised recommendations

Audits and inspections are both proactive ways to review health and safety performance. Generally, inspections tend to be based on physical workplace observation, whereas audits focus on systems and processes. An audit might even include an inspection as part of the process — but an inspection alone does not constitute an audit.

Health and Safety Audits complement inspection programmes by providing the systems-level assurance that no amount of routine inspection can generate alone. Together, they form the monitoring pillar of effective health and safety management.

3. The Legal and Regulatory Context for Health and Safety Audits

While no specific piece of UK legislation mandates health and safety audits by name, the obligation to conduct them arises from the broader legal framework.

The Health and Safety at Work Act 1974 requires employers to manage health and safety effectively. Managing effectively means monitoring performance and taking action when arrangements are found to be inadequate — functions that audit directly supports.

The Management of Health and Safety at Work Regulations 1999 require employers to conduct risk assessments and implement appropriate preventive measures. Regular review of whether those measures are working — the function of an audit — is implicit in the ongoing duty to maintain adequate arrangements.

HSG65 — Managing for Health and Safety is the HSE's primary guidance document for health and safety management. Its Plan-Do-Check-Act framework places auditing and review within the "Check" stage — an integral part of the management cycle, not an optional extra. Auditors conducting external audits typically follow the principles outlined in HSG65.

ISO 45001 — the internationally recognised occupational health and safety management system standard — explicitly requires documented audit programmes as part of Clause 9.2, Internal Audit. Organisations seeking ISO 45001 certification must demonstrate a functioning audit programme. Health and Safety Consultants and Software solutions support the documentation and scheduling requirements of ISO 45001 audit programmes.

The HSE's expectation: The HSE states that large public and private sector organisations should have formal procedures in place for auditing and reporting on health and safety performance. In enforcement contexts, the absence of a functioning audit programme is treated as evidence of inadequate management rather than an incidental gap.

4. Types of Health and Safety Audit

Health and safety audits take several distinct forms, each serving a different purpose. Understanding which type is appropriate for a given situation helps organisations get maximum value from their audit investment.

Internal Audits

Internal audits are conducted by trained personnel or designated audit teams within the organisation. They verify adherence to internal policies and regulatory requirements, assess system performance, and prepare the organisation for external scrutiny.

An internal audit can be conducted by a competent person — someone with the necessary skills, knowledge, and experience to conduct a valid assessment. A critical requirement is that auditors must be independent of the area being audited. You cannot have a department head audit their own department and expect objective findings. A member of the health and safety team based at head office auditing a regional site maintains the necessary independence.

Advantages: - Lower cost than external audit - Greater familiarity with the organisation and its systems - Can be conducted more frequently - Builds internal audit capability over time

Limitations: - Less objective than external review - May miss what familiarity has made invisible - Carries less weight with regulators, insurers, and procurement teams

External Audits

External health and safety audits are carried out by independent third parties — specialist Health and Safety Consultants, certification bodies, or regulatory inspectors. External auditors provide an objective assessment of compliance with laws, standards, and contractual obligations.

External audits are often linked to certification programmes (for example, ISO 45001) or regulatory inspections and carry greater weight with clients and authorities due to their impartiality.

An external audit tends to be more comprehensive than an internal audit. External auditors also benchmark organisations against comparable businesses and recognised best practice standards — insight that internal teams cannot generate from within the organisation alone.

Advantages: - Genuinely independent and objective - Expert knowledge of current legislation and best practice - Credibility with regulators, insurers, customers, and procurement teams - Fresh perspective identifying what internal familiarity misses - Benchmarking against external standards

Limitations: - Higher cost than internal audit - Requires management time to facilitate - Less frequent than internal review

Compliance Audit

A compliance audit focuses specifically on whether the organisation meets applicable legal and regulatory requirements. These audits examine documentation, permits, records, and practices to determine conformity with statutory requirements. The primary aim is to confirm legal compliance and identify non-conformities that could lead to enforcement action.

Gap Audit (or Gap Analysis)

A gap audit compares current arrangements against a target standard — whether a specific regulation, an industry standard, or an accreditation such as ISO 45001. It identifies what exists, what is required, and the gap that must be closed. Gap audits are commonly used when preparing for certification or when entering a new jurisdiction requiring unfamiliar compliance.

System Audit

A system audit examines the performance of the entire health and safety management system — how policies, procedures, risk controls, training, monitoring, and leadership interact to produce the organisation's overall safety performance. System audits are the most comprehensive form and are typically what is meant by a "full health and safety audit."

Pre-Certification Audit

A pre-certification audit prepares organisations for formal certification (ISO 45001, SSIP, or similar) by identifying gaps that, if left unaddressed, would result in a failed certification assessment. Pre-certification audits are a cost-effective way to ensure readiness before the formal certification visit.

5. What a Health and Safety Audit Covers

The scope of a health and safety audit varies depending on its type, the organisation, and the criteria against which it is conducted. A comprehensive system audit typically covers the following areas.

Health and safety policy: Is the policy current, signed, appropriate to the business, and communicated to all staff? Does it reflect the actual risk profile of the organisation?

Risk assessment: Are risk assessments suitable and sufficient, covering all significant hazards? Have they been reviewed when required? Are identified controls implemented in practice?

Legal compliance: Does the organisation meet all relevant statutory requirements — COSHH, manual handling, fire, DSE, working at height, RIDDOR, and others applicable to its activities?

Training and competence: Have all employees received appropriate training for their roles? Are training records complete and current? Are refresher dates tracked and managed?

Incident reporting and investigation: Are incidents and near misses reported consistently? Are investigations thorough, identifying root causes? Are corrective actions implemented and verified?

Emergency arrangements: Are fire risk assessments current? Are emergency procedures documented and practised? Are first aid arrangements adequate?

Equipment and maintenance: Are statutory examinations current for relevant equipment? Are maintenance programmes functioning? Are pre-use checks conducted?

Worker involvement: Are employees consulted on health and safety matters? Are safety representatives' rights being respected? Is there evidence of genuine worker participation?

Leadership and culture: Do senior leaders demonstrate visible commitment to health and safety? Is safety integrated into operational decisions? Is the safety culture proactive or reactive?

Monitoring and review: Is there an active inspection programme? Are audit findings reviewed and acted upon? Is health and safety performance reported to senior management?

6. The Health and Safety Audit Process: Step by Step

A structured audit process ensures findings are valid, evidence-based, and actionable. The following steps describe how a professional health and safety audit is conducted.

Step 1: Audit Planning and Scoping

Define what the audit will cover, which standards it will assess against, which locations and activities are in scope, and what evidence will be sought. Agree the audit programme with the organisation and communicate it to relevant managers.

Step 2: Document Review

Before the site visit, review key documentation: the health and safety policy, risk assessments, training records, inspection records, incident reports, and previous audit findings. Document review identifies obvious gaps and focuses the subsequent site visit on areas of greatest concern.

Step 3: Opening Meeting

Conduct an opening meeting with relevant managers and staff to confirm the audit scope, explain the process, agree logistics, and establish how findings will be communicated.

Step 4: Evidence Gathering

This is the substantive stage of the audit. Evidence is gathered through:

Workplace observation: Visiting locations, observing work activities, and comparing actual conditions and behaviours with documented procedures and requirements.

Employee interviews: Speaking with employees at all levels to verify whether policies and procedures are understood and followed in practice. Interviews reveal the gap between documented requirements and operational reality. Auditors should speak with frontline workers, not only managers.

Documentation review (on site): Examining records, permits, certificates, training logs, maintenance records, and incident reports against the audit criteria.

Management interviews: Discussing safety leadership, resource allocation, performance monitoring, and management commitment with relevant managers and directors.

Step 5: Finding Assessment and Risk Ranking

Review all evidence gathered, identify findings (both positive and negative), and assess their significance. Rank findings by priority:

Critical: Immediate action required — material breach of legal requirements or significant risk of serious harm
Major: Significant gap requiring action within a defined short period
Minor: Lower-priority improvement, documentation deficiency, or best practice enhancement
Positive: Commendable practices worth highlighting and sustaining

Step 6: Closing Meeting

Present preliminary findings to management before the written report is produced. The closing meeting enables management to provide context for findings, correct factual errors, and begin planning corrective action.

Step 7: Audit Report

Produce a written report summarising findings, evidence, risk rankings, and specific recommendations. The report should be clear, evidence-based, and actionable — not a generic observations list. Positive findings should be acknowledged alongside improvements required.

Step 8: Action Planning and Follow-Up

Develop an action plan from the report findings, assigning ownership, deadlines, and verification methods for each action. Monitor progress against the action plan and verify completion of critical actions. Health and Safety Consultants and Software solutions automate action tracking, escalation, and completion verification.

7. Who Should Conduct a Health and Safety Audit?

The value of audit findings depends significantly on the competence and independence of the auditor. Understanding who should conduct audits for different purposes helps organisations make informed decisions.

Qualifications for external auditors: External auditors should hold CMIOSH (Chartered Member of IOSH) status or equivalent, demonstrating formal qualification, verified professional experience, and ongoing CPD. OSHCR (Occupational Safety and Health Consultants Register) registration, supported by the HSE, provides independent assurance of competence and professional indemnity insurance.

Independence requirement: The fundamental requirement is independence from the area being audited. External auditors provide the greatest independence. Internal auditors must not audit their own area of responsibility.

Sector expertise: Auditors should understand the industry sector they are auditing. An auditor unfamiliar with construction will not recognise the significance of CDM arrangements. One unfamiliar with food manufacturing may not identify HACCP compliance gaps. Sector-specific audit expertise produces more useful findings.

The case for external audit: For most organisations, external Health and Safety Audits provide the best combination of objectivity, expertise, and credibility. They generate findings that management cannot dismiss as internally produced, carry weight with regulators and procurement teams, and identify what internal familiarity has concealed.

8. How Often Should Health and Safety Audits Be Conducted?

Organisations should conduct health and safety audits at least once per year. High-risk environments may need more frequent checks.

Annual audit is standard practice for most organisations. The appropriate frequency depends on several factors:

Risk profile: Higher-risk operations — construction, manufacturing, chemical processing, healthcare — warrant more frequent audit than lower-risk office environments.

Regulatory requirements: ISO 45001 certification requires a documented annual internal audit programme. Some sector-specific schemes impose their own audit frequency requirements.

Business change: Significant organisational changes — new sites, new activities, acquisitions, workforce changes — should trigger additional audit, not waiting for the next scheduled cycle.

Previous findings: Where previous audits identified significant gaps or critical findings, follow-up audit to verify effective corrective action should occur on a shorter cycle.

Enforcement history: Organisations that have received HSE improvement notices, prohibition notices, or FFI charges benefit from accelerated audit programmes to demonstrate remediation.

Triggers for unscheduled audit: - Serious workplace incidents or near misses - New or significantly changed operations - Entry into a new geographic market - Acquisition of another business - Change in relevant legislation

9. Health and Safety Audits and Business Benefits

Beyond legal compliance, regular Health and Safety Audits generate measurable business benefits.

Incident prevention: By identifying hazards and system weaknesses before incidents occur, audits directly reduce the frequency and severity of workplace accidents and ill health. Every incident prevented saves the direct and indirect costs of the incident — which research estimates at two to three times the direct cost for average workplace accidents.

Legal protection: Audit reports create documented evidence of due diligence. In enforcement action or civil litigation, an organisation that can produce a history of independent audits with implemented corrective actions is significantly better protected than one that cannot.

Insurance benefits: Insurers assess health and safety management quality when pricing employers' liability cover. Regular independent audits with evidence of action on findings demonstrate the quality of management that attracts favourable terms.

Tender qualification: Many procurement processes require evidence of recent independent audit as part of health and safety pre-qualification. Maintaining an annual audit programme keeps the organisation tender-ready.

Continuous improvement: Successive audits create a measurable improvement trajectory — findings reduce over time, residual risks become progressively lower, and the organisation's safety culture strengthens.

Board and governance assurance: Senior leaders and non-executive directors need independent assurance that health and safety is being managed effectively. External audit reports provide this assurance in a format that board committees and audit functions can evaluate.

10. Health and Safety Audits and Technology

Health and Safety Consultants and Software solutions enhance the value of audit programmes significantly — both in conducting audits and in managing the actions they generate.

Digital audit tools provide:

Consistent methodology: Digital audit frameworks ensure the same criteria are applied across all sites, all auditors, and all time periods — enabling meaningful trend analysis and cross-site comparison.

Evidence capture: Mobile-first tools enable auditors to photograph findings, attach documents, and record observations in real time during the audit visit — creating richer, more evidenced reports.

Automatic action generation: Each finding can automatically generate an action record assigned to a named owner with a defined deadline, removing the delay between audit completion and action initiation.

Action tracking and escalation: Overdue actions are escalated automatically. Management dashboards show which actions are complete, which are in progress, and which are overdue — across all sites simultaneously.

Historical comparison: Digital audit records enable comparison across audit cycles, demonstrating improvement over time and identifying persistent problem areas.

Multi-site visibility: For organisations with multiple locations, consolidated dashboards show compliance performance across the entire estate — enabling group management to prioritise resource to highest-risk sites.

Regulatory documentation: Digital audit records in structured formats provide the documented evidence that HSE inspectors, certification auditors, and procurement teams require.

11. International Health and Safety Audits: Consistency Across Jurisdictions

For UK businesses operating internationally, health and safety audits must extend beyond UK operations to cover every jurisdiction where employees work. Each country has its own regulatory framework, and UK audit criteria do not satisfy the requirements of French, Dutch, German, Italian, or Spanish regulators.

International Health and Safety Consultants conduct audit programmes that apply consistent methodology across international operations while accommodating each jurisdiction's specific requirements.

Key international audit considerations:

Netherlands: Audits must verify RI&E compliance, certified review for companies with 25 or more employees, arbodienst arrangements, and PSA (psychosocial workload) management. The NLA's proactive inspection approach makes pre-inspection audit particularly valuable.

France: Audits verify DUERP currency and 40-year retention compliance, PAPRIPACT production and implementation for organisations with 50 or more employees, CSE consultation records, and SPST affiliation. Labour inspector powers to enter without notice and interview employees privately make audit preparation essential.

Germany: DGUV regulation compliance, Gefährdungsbeurteilung quality, Berufsgenossenschaft registration, and works council engagement all require specific audit assessment.

Italy: RSPP arrangements, DVR documentation, DUVRI coordination where applicable, and multi-authority compliance must be verified.

Spain: LPRL compliance including psychosocial risk assessment, digital disconnection protocols, and prevention service modality verification, alongside readiness for ITSS inspection without notice.

ISO 45001 as the international audit framework: ISO 45001 provides a consistent audit framework applicable across all jurisdictions. Auditing against ISO 45001 criteria enables comparable assessment across all international locations, with jurisdiction-specific regulatory requirements incorporated as additional audit criteria.

Health and Safety Audits of international operations enable group management to benchmark compliance across all locations and allocate resource to where the greatest gaps exist.

12. How to Commission and Use a Health and Safety Audit Effectively

Getting maximum value from a health and safety audit requires more than simply arranging for an auditor to visit. The following guidance helps organisations commission and use audits effectively.

Define your purpose clearly: What do you want from the audit? Broad compliance verification? Specific focus on a recent incident or area of concern? Pre-certification assessment? Preparation for a known regulatory inspection? Clear purpose enables the auditor to design the most relevant approach.

Select the right auditor: Verify CMIOSH qualification and OSHCR registration. Confirm relevant sector experience. Check that the individual who will conduct the audit holds these credentials — not just the firm's senior partner.

Prepare honestly: Do not clean up, rearrange, or improve conditions specifically for the audit visit. An audit of how things normally are is far more valuable than an audit of how things look when prepared for inspection. The audit should reflect operational reality.

Facilitate full access: Provide access to all areas, activities, people, and documents that the audit scope requires. Restricting access produces findings that are based on incomplete evidence and reduces the audit's value.

Engage with the process: Management engagement during the audit — including attending the opening and closing meetings, participating in interviews, and responding constructively to preliminary findings — improves the quality and usefulness of the output.

Act on findings systematically: The audit report is the starting point, not the deliverable. Create a structured action plan from findings, assign ownership and deadlines, track progress, and verify completion. An audit that generates a report which is filed without action has no value.

Use the audit cycle: Commission follow-up audit to verify that critical actions have been implemented. Use successive audits to demonstrate improvement over time. Build the audit into the annual management calendar as a standing commitment, not an ad hoc activity.

How Arinite Conducts Health and Safety Audits

Arinite provides independent Health and Safety Audits for UK and international businesses across all sectors, combining CMIOSH-qualified expertise with structured methodology and integrated technology.

Consistent, evidence-based methodology: Arinite's audit framework is structured against UK legal requirements, HSG65 principles, and ISO 45001 criteria, with sector-specific content for each industry we serve.

Genuine independence: Our auditors are external to your organisation and independent of the management systems they assess, providing the objectivity that makes audit findings credible.

Clear, actionable reporting: Audit reports identify findings with risk ratings, specific evidence, and prioritised recommendations — not generic observations. Management can act on findings immediately.

Technology integration: Health and Safety Consultants and Software platforms manage audit scheduling, action tracking, completion verification, and trend analysis across all locations.

International audit programmes: International Health and Safety Audits across 50+ countries using consistent methodology, accommodating each jurisdiction's specific regulatory requirements.

Sector expertise: Audit programmes tailored to the specific hazards, regulatory requirements, and operational characteristics of each sector — financial services, technology, retail, healthcare, construction, hospitality, and more.

Supporting over 1,500 global businesses with a 95%+ client retention rate, Arinite's CMIOSH-qualified consultants deliver audits that are genuinely useful, not merely compliant.

Frequently Asked Questions

A health and safety audit is a way of measuring organisational performance against an agreed standard. It evaluates whether health and safety management systems, policies, procedures, and risk controls are effective, implemented, and legally compliant — asking whether arrangements are genuinely working, not merely whether documents exist.

Is a health and safety audit a legal requirement?

There is no specific legislation mandating health and safety audits by name. However, the Management of Health and Safety at Work Regulations 1999 require employers to monitor the effectiveness of their health and safety arrangements — which auditing directly fulfils. HSG65, the HSE's authoritative management guidance, places auditing within the "Check" stage of the Plan-Do-Check-Act cycle. The HSE states that large organisations should have formal auditing procedures in place.

What is the difference between a health and safety audit and an inspection?

Inspections focus on physical conditions and observable hazards at a specific point in time. Audits focus on systems and processes — evaluating whether management arrangements are effective overall. An inspection asks "is this workplace safe right now?"; an audit asks "are our systems for managing safety working effectively?".

How long does a health and safety audit take?

Duration depends on the scope, size, and complexity of the organisation. A small business audit might be completed in half a day. A large multi-site organisation may require several days of audit activity at each location. For international audit programmes, coordinated visits across multiple countries may span several weeks.

How often should health and safety audits be conducted?

Annual audit is standard practice for most organisations. High-risk operations, those undergoing significant change, or those that have experienced incidents may benefit from more frequent review. ISO 45001 certification requires a documented annual internal audit programme.

Who can conduct a health and safety audit?

Internal audits can be conducted by a competent person independent of the area being audited. External Health and Safety Audits are conducted by independent consultants — look for CMIOSH qualification and OSHCR registration as quality indicators. External audits carry greater objectivity, credibility, and regulatory weight.

What does a health and safety audit report contain?

A quality audit report contains: an executive summary of key findings, the scope and methodology used, findings rated by risk level (critical, major, minor), the evidence base for each finding, specific recommendations with priorities, and positive findings worth sustaining. Findings should be actionable, not generic.

How do health and safety audits differ internationally?

Each jurisdiction has its own regulatory requirements that must be assessed in audit. Dutch audits verify RI&E compliance, French audits verify DUERP and PAPRIPACT compliance, German audits verify DGUV obligations. International Health and Safety Consultants apply consistent methodology while accommodating each country's specific requirements.

Taking the Next Step

A health and safety audit is one of the most valuable investments a business can make in its safety management. The question is not whether to commission one — the question is whether to commission one proactively, on your own terms, or to wait until a regulator, insurer, or procurement team assesses you on theirs.

Assess your readiness: Take our Health and Safety Quiz to evaluate your current compliance position before an independent audit.

Discuss your audit needs: Book a free Gap Analysis Call with an Arinite consultant to understand what an audit of your specific operation would cover and what it would reveal.

Commission your audit: Contact Arinite to arrange an independent Health and Safety Audit from our CMIOSH-qualified, OSHCR-registered consultants, for UK and international operations.

Arinite provides independent Health and Safety Audits and Health and Safety Consultants services to over 1,500 global businesses across the UK and 50+ countries. Key external resources: HSE HSG65 Managing for Health and Safety | British Safety Council audit guidance | NEBOSH auditing guide | ISO 45001 | OSHCR register | HSE enforcement statistics