
TOP ISO 45001 AUDIT QUESTIONS AND HOW TO PREPARE

18th Aug, 2025

Workplace safety failures carry severe consequences. The International Labour Organization (ILO) estimates that 2.3 million people die each year from occupational accidents and work-related illnesses. Beyond the human impact, safety lapses expose organizations to reputational damage, legal liabilities and costly disruptions.

ISO 45001, the international standard for Occupational Health & Safety Management Systems (OHSMS), provides organizations with a structured framework to identify hazards, control risks and build a culture of safety. Certification through ISO 45001 audits demonstrates not just compliance, but visible commitment to protecting people and sustaining operations.

Many organizations struggle during audits. Non-conformities often arise from incomplete documentation, poor incident investigations, weak employee participation or inadequate legal registers. These gaps can delay certification or, worse, result in unsafe workplaces.

This blog outlines the top ISO 45001 audit questions, from the most basic to the most complex, along with practical preparation strategies. With real-world examples across industries, it will help you understand how auditors think and how your business can achieve true audit readiness.


WHAT IS AN ISO 45001 AUDIT? 

An ISO 45001 audit is a formal assessment of an organization’s Occupational Health & Safety Management System (OHSMS). Its purpose is to verify whether the system complies with ISO 45001 certification requirements and meets all applicable legal obligations. Unlike routine inspections, an ISO 45001 audit evaluates both the design of processes and the effectiveness of their implementation across the organization.

Organizations undergo ISO 45001 audits for three primary reasons. First, to demonstrate compliance with statutory and regulatory occupational health and safety requirements, ensuring they are legally protected and aligned with national standards. Second, to secure or maintain certification, which is often demanded by clients, supply chains and international contracts as proof of credibility. Finally, audits reinforce a culture of safety and leadership commitment, building employee confidence, reducing incidents and positioning the organization as a responsible and reliable partner in the marketplace.

TYPES OF AUDITS: 

ISO 45001 audits can take different forms depending on the stage of certification and the organization’s compliance needs.

  1. Internal audits: Conducted by trained internal teams or consultants to test readiness and identify gaps.
  2. Certification audits: Conducted by accredited third-party bodies to award certification.
  3. Surveillance audits: Scheduled audits (typically annual) to confirm ongoing compliance.


COMMON ISO 45001 AUDIT QUESTIONS YOU CAN EXPECT

1. What Documents Are Checked In An ISO 45001 Audit? 

Every ISO 45001 audit begins with a documentation review. Auditors verify whether the organization’s Occupational Health & Safety Management System (OHSMS) is supported by accurate and updated records. While many documents are required, five are considered critical evidence during any audit:

  • Occupational Health & Safety Policy (Clause 5.2).
  • OHS objectives, targets and action plans.
  • Hazard identification and risk assessment procedure.
  • Emergency preparedness and response plan.
  • Management review and internal audit reports.

In a manufacturing audit, an auditor may start with the OHS Policy and then immediately ask for hazard assessments and emergency drill records. If these documents are outdated or missing, it is treated as a major non-conformity.


2. How Do You Identify Workplace Hazards?

Auditors expect a structured and repeatable process for hazard identification. This includes site inspections, Job Safety Analysis (JSA), employee inputs and periodic risk register reviews. The goal is to prove that hazards are identified proactively and not just after incidents occur. This question often appears among the questions asked in an ISO 45001 audit, as hazard recognition forms the foundation of safety culture. A well-maintained hazard register linked with risk controls is strong evidence of compliance during both certification and ISO 45001 internal audits.

Examples:

  • Construction: Hazards from working at heights or falling objects.
  • Pharma: Risks of chemical exposure and laboratory spills.
  • Power plants: Electrical hazards and confined space entry risks.


3. What Controls Are In Place For Risk Assessment? 

Once hazards are identified, auditors want to see documented risk assessments and controls that align with the Hierarchy of Controls: elimination, substitution, engineering, administrative and PPE. Auditors assess whether risks are reduced “as low as reasonably practicable” and whether controls are reviewed periodically. Strong risk assessments linked to documented controls form a key part of the ISO 45001 audit checklist, demonstrating that the organization systematically manages its workplace risks.

Examples:

  • Pharma: Ventilation systems (engineering) + SOPs (administrative) + PPE.
  • Automotive: Substitution of hazardous chemicals in painting operations.
  • Construction: Guardrails for fall prevention plus mandatory harness use.


4. How Do You Track And Investigate Incidents?

Auditors will review whether your organization has a clear system for reporting, recording and investigating incidents, including near misses. They expect to see not only records but also evidence that corrective actions were implemented and closed on time. Root cause analysis methods such as the 5 Whys or Fishbone Diagram are commonly expected. Consistent incident investigation demonstrates that the OHSMS is proactive, not reactive.

Examples:

  • Construction: Recording and investigating a scaffolding near-miss, then reinforcing controls.
  • Food manufacturing: Analyzing slip incidents in production areas using root cause tools.
  • Automotive: Reviewing machine stoppages caused by operator injuries.


5. How Do You Ensure Compliance With Legal And Regulatory Requirements? 

ISO 45001 requires organizations to maintain a legal register of occupational health and safety requirements and to update it regularly. Auditors check whether laws, rules and industry regulations are tracked and applied in operations. Failure to maintain legal compliance is often classified as a major non-conformity. Demonstrating legal compliance protects both the organization and its workforce, while also strengthening client trust.

Examples:

  • Chemical industry: Hazardous substance storage regulations.
  • Pharma: Compliance with Good Manufacturing Practices (GMP) and worker safety laws.
  • Construction: Building safety and labour law compliance.


6. How Do You Engage Employees In Safety Practices? 

Worker participation is not optional under ISO 45001; it is a requirement. Auditors assess whether employees are involved in Hazard Identification and Risk Assessment (HIRA), decision-making and continuous improvement. Simply conducting meetings is not enough; evidence must show that feedback is acted upon. Engagement builds ownership, reduces resistance and makes the safety system effective in practice.

Examples:

  • Construction: Toolbox talks where workers propose safer scaffolding methods.
  • Automotive: Operators contributing in FMEA workshops to highlight overlooked hazards.
  • Pharma: Staff participating in chemical handling redesign.


7. What Emergency Preparedness Plans Exist? 

Auditors will evaluate whether the organization has robust emergency preparedness and response plans, supported by documented drills and corrective actions. They will look at how realistic the scenarios are and whether employees know their roles during crises. Plans must be tested regularly and improvements documented; otherwise they risk being seen as “paper compliance.”

Examples:

  • Power plants: Electrical fire evacuation drills with time-to-exit monitoring.
  • Food industry: Allergen contamination simulations with product recall testing.
  • Chemical factories: Spill response teams trained in containment and PPE.


8. How Do You Manage Contractors And Visitors On Site? 

External personnel are often overlooked in safety systems, but auditors specifically check whether contractors and visitors are protected under your OHSMS. This includes induction, supervision, PPE provision and monitoring of contractor compliance. Weak contractor management is a frequent cause of audit findings, as it reflects gaps in control beyond direct employees.

Examples:

  • Construction: Contractor safety inductions before site access.
  • Manufacturing: Visitor PPE checklists and escorted site tours.
  • Pharma: Contractor permits for maintenance work in cleanrooms.


9. How Do You Manage Workplace Health Risks?

ISO 45001 is not limited to accident prevention – it also covers occupational health. Auditors expect organizations to identify and control risks such as ergonomics, dust, noise, vibration and chemical exposure. They will ask for monitoring records, health surveillance data and corrective actions. A strong occupational health program shows that safety is addressed holistically, not only for acute accidents.

Examples:

  • Mining: Dust exposure assessments and respiratory health checks.
  • Textile industry: Ergonomic reviews for repetitive stitching tasks.
  • Pharma: Noise monitoring in production units with high-decibel equipment.


10. How Do You Monitor PPE Usage? 

Auditors review how Personal Protective Equipment (PPE) is issued, used and monitored. They expect evidence that PPE is appropriate, employees are trained in its use and compliance is enforced. Records of non-compliance and corrective actions are also assessed. PPE must be treated as the last line of defence, backed by higher-level controls wherever possible.

Examples:

  • Pharma: N95 masks and sterile gloves in cleanrooms.
  • Construction: Mandatory helmets and harness inspections.
  • Automotive: Safety glasses and ear protection during machine operations.

11. How Does Leadership Demonstrate Commitment?

ISO 45001 places responsibility directly on top management. Auditors evaluate leadership involvement through visible actions, resource allocation and policy communication. Leaders must not only approve policies but also actively participate in reviews and site safety programs. Leadership visibility is often the difference between a “paper system” and a “living safety culture.”

Examples:

  • Manufacturing: Plant head leading monthly safety reviews.
  • Chemical industry: Leadership walk-throughs to check high-risk areas.
  • Construction: Directors attending toolbox talks to engage workers.

12. How Do You Ensure Communication Of OHS Policies?

An OHS policy is only effective if employees and stakeholders understand it. Auditors check whether policies are communicated, displayed and reinforced through training or briefings. Workers may be asked directly to explain the policy. Auditors look for evidence of understanding, not just availability of documents.

Examples:

  • Food manufacturing: Safety policy posters in canteens and common areas.
  • Automotive: OHS objectives discussed at daily shift meetings.
  • Healthcare: Policies included in induction and refresher training.


13. How Do You Conduct Internal Audits For ISO 45001?

Internal audits are a cornerstone of readiness. Auditors assess whether internal audits are planned, conducted by competent personnel and followed up with corrective actions. A weak internal audit system often leads to major findings during certification. An effective ISO 45001 internal audit system ensures issues are identified internally before certification auditors arrive.

Examples:

  • Pharma: Internal audits of chemical storage and handling.
  • Construction: Pre-certification mock audits to identify safety gaps.
  • Power plants: Internal review of confined space procedures.
  • Automotive: Auditing tier-2 suppliers on PPE and machine safety.

14. How Do You Prepare for Non-Routine Operations? 

Non-routine operations such as maintenance shutdowns, plant upgrades or emergency repairs often carry higher risks because they fall outside daily routines. Auditors expect organizations to treat these tasks with the same discipline as routine activities. This means updating risk assessments, training employees and monitoring temporary controls. If non-routine tasks become frequent, they should be reclassified as routine and formally integrated into the OHSMS. Organizations must demonstrate that safety planning for non-routine work is systematic and documented, not improvised.

Examples:

  • Construction: Crane lifting during structural modifications.
  • Manufacturing: Extended plant shutdown for equipment servicing.
  • Pharma: Temporary chemical handling during new line installation.

15. How Do You Manage Psychosocial Risks?

ISO 45001 requires organizations to identify all risks to worker health, including psychosocial risks such as stress, harassment and isolation. With the rise of remote work and high-pressure environments, auditors increasingly expect evidence of programs addressing mental health, since ISO 45001 itself already covers these risks. Addressing psychosocial risks demonstrates maturity in safety management and a genuine commitment to worker well-being.

Examples:

  • IT & Services: Employee well-being surveys and stress management workshops.
  • Manufacturing: Anti-harassment policies and confidential grievance mechanisms.
  • Healthcare: Support programs to manage fatigue and burnout among staff.

16. How Do You Evaluate Supplier And External Provider Safety Performance? 

Auditors check whether your OHSMS extends to contractors and suppliers. This includes evaluating their compliance with safety requirements, reviewing their documentation and monitoring performance. Supplier audits, contracts with safety clauses and records of evaluations are common evidence. Supplier and contractor safety performance reflects directly on the organization. Weak oversight is often flagged as a serious audit gap.

Examples:

  • Pharma: Assessing chemical suppliers for safe handling and transport.
  • Automotive: Auditing tier-2 suppliers on PPE and machine safety.
  • Construction: Evaluating subcontractors for compliance with site OHS rules.

17. What Are the Most Common Non-Conformities in ISO 45001 Audits? 

Auditors often find recurring gaps across industries. The most frequent non-conformities include incomplete risk assessments, outdated legal registers, weak incident investigations and poor documentation of training or competence. Another common gap is failing to close corrective actions from internal audits. Understanding these patterns helps organizations strengthen weak areas before the audit.

Examples:

  • Manufacturing: Missing investigation records for minor injuries.
  • Pharma: Outdated chemical handling SOPs.
  • Construction: Lack of documented toolbox talks.

18. Who Conducts ISO 45001 Certification Audits And Why Does It Matter? 

Certification audits are conducted by accredited third-party bodies (e.g., BSI, TUV, DNV or NABCB-accredited certifiers). The credibility of your certificate depends on the body you choose. Global clients often prefer certificates from internationally recognized bodies. Selecting the right certification body can enhance market access and client trust.

Examples:

  • Pharma exporter: Choosing a globally accepted body for EU market entry.
  • Automotive supplier: Certification by IATF-recognized bodies to satisfy OEM requirements.

19. How Do You Prove Continual Improvement in OHS Performance? 

ISO 45001 emphasizes continual improvement, not just compliance. Auditors will ask how performance is measured, reviewed and enhanced over time. This may include incident reduction, improved training or investment in safer technologies. Evidence of continual improvement demonstrates a living, evolving system rather than static compliance.

Examples:

  • Food industry: Year-over-year reduction in slips and trips through floor redesign.
  • Power plants: Automation of high-risk tasks reducing accident frequency.
  • Textile: Ergonomic changes cutting down repetitive strain injuries.

20. How Do You Demonstrate Overall Audit Readiness and Business Value?

Auditors may conclude by asking: Why do you believe your OHSMS is effective? This tests leadership awareness, employee confidence and system maturity. Proof includes internal audit results, management reviews, corrective action closures and employee feedback. Audit readiness is not only about passing the audit but also about enhancing employee well-being and showing clients and regulators that the organization prioritizes safety as a core value.

Examples:

  • Construction: Mock audit reports showing closure of non-conformities.
  • Manufacturing: Management review minutes highlighting safety KPIs.
  • Healthcare: Employee surveys confirming awareness of emergency roles.

HOW CAN 4C HELP YOU PREPARE FOR ISO 45001 AUDIT QUESTIONS?

Navigating ISO 45001 audits can be challenging, especially when faced with detailed auditor queries on compliance, risk management and worker safety. At 4C Consulting, we simplify this process by equipping your team with practical strategies and audit-ready documentation. With 15+ years of consulting expertise, 10,000+ training hours and 50+ workshops, our specialists ensure that you not only understand the top audit questions but also know how to answer them confidently. From conducting mock internal audits and gap assessments to aligning your OHSMS policies with ISO 45001 requirements, we provide end-to-end guidance for smooth certification. Choosing 4C means fewer surprises during audits, stronger compliance records and a workforce culture that prioritizes health and safety. Partner with us today to prepare, perform and excel in your ISO 45001 audits.