What’s an audit?

Audits are a systematic review of certifiers’ practices. It assesses their ongoing performance and verifies they’re complying with legal and regulatory requirements under the Health and Safety at Work Act 2016 (HSWA), the Regulations, performance standards, and relevant safe work instruments.

The authorisation process determines whether an individual or organisation can be recognised to carry out the functions of a certifier. This process is distinct from auditing; however, audit outcomes help inform our decisions about a certifier’s ongoing authorisation.

Our audit principles

We follow natural justice and administrative law principles when we audit to ensure our decision making is consistent, fair, reasonable, evidence-based, proportionate, timely, and transparent. We adhere to good audit practice, including impartiality, objectivity, and maintaining confidentiality and security of information.

The legal basis for audits

Regulation 6.37 of the Regulations requires us to audit certifiers at least once every four years. We may conduct audits more frequently where risk factors are identified, including changes to the scope of authorisation, previous audit outcomes, or health and safety concerns.

We’re not required to audit a certifier if they’re:

• accredited by International Accreditation New Zealand (IANZ)
• have been audited by IANZ, and
• we’re satisfied with the audit report.

Who carries out audits

Our audits are conducted by specialist staff who hold the appropriate delegations. Our technical experts may support audits by accompanying auditors on site visits or providing advice on complex technical matters. Our inspectors may also attend site visits where health and safety risks are identified. In some cases, we may engage external auditors for desktop audits or where specialist expertise is required.

Our audit approach

We use a risk-based approach when auditing certifiers to ensure a balanced, proportionate process which optimises our resources. The type of audit we conduct depends on factors such as past audit results and the scope of authorisation. The audit type is proportionate to the assessed risks.

We have three tiers of audit:

• Tier 1: Desktop audit only:
• Tier 2: Desktop audit, interview, and a visit to the certifier’s place of business.
• Tier 3: Desktop audit, interview, a visit to the certifier’s place of business, and a visit to a certified site for complex certifications.

What we consider when we undertake an audit

When we undertake an audit we consider the certifiers:

• relevant processes
• level of experience and competence
• compliance history, including previous audits, complaints and investigations
• compliance with HSWA, the Regulations, relevant safe work instruments and performance standards, and
• scope of authorisation.

We also consider:

• the information on the compliance certifier register, which records a certifier’s authorisation status, the certificates they are authorised to issue, and any conditions that apply
• the evaluation of the certifier that was undertaken when their authorisation was granted or renewed.

We begin all our audits by requesting information from the certifier. If a certifier doesn’t provide us with this information, it may result in adverse audit findings and could trigger further action.

Audit findings and corrective actions

Audit findings are the observations we make about whether certifiers are meeting the relevant requirements. We rate each finding using the traffic light system (green, amber or red). These ratings indicate the certifier’s level of compliance and help us decide if we’ll direct them to complete any corrective actions. We define each of the traffic light colours as follows:

• Green: Meets Standard. The certifier complies with requirements, and no corrective action is needed.
• Amber: Marginal. The certifier complies with most requirements, but improvements are needed. Corrective action is required within three months.
• Red: Significant Improvement Required. The certifier fails to meet key requirements, posing potential health and safety risks. Immediate corrective action is required, and we determine whether an investigation is necessary.

Consequences for uncompleted corrective actions

If certifiers don’t complete the corrective actions within the agreed time limit, we may:

• conduct an additional audit
• initiate an investigation, or
• suspend or cancel their authorisation where there remains serious risk to health or safety.

Audit outcomes

The audit outcome is the conclusion of the audit process. It consolidates all findings and corrective actions into an overall compliance status. There are three compliance statuses:

• Compliant: The certifier meets all regulatory and performance requirements under HSWA and the Regulations. Documentation, processes, and practices demonstrate full adherence to legal obligations and WorkSafe standards. No corrective actions are required.
• Partially compliant: The certifier meets most regulatory and performance requirements but has gaps that require improvement. These gaps don’t pose an immediate health and safety risk but must be addressed within agreed time limits to maintain authorisation.
• Non-compliant: The certifier fails to meet key regulatory or performance requirements, creating potential or actual health and safety risks. Immediate corrective actions are required, and we may escalate to investigation or suspension of authorisation.

Impact of audit outcomes on audit frequency

The outcome of an audit directly influences how often we’ll conduct future audits. Certifiers rated as compliant are typically assessed as lower risk and will generally remain on the standard four-year audit cycle. Certifiers rated partially compliant or non-compliant may be subject to more frequent audits to verify corrective actions and ensure ongoing compliance.

We reassess audit frequency after each audit and may increase or decrease the frequency based on performance and risk indicators.

How we audit organisations

For organisations accredited to ISO 17020, we rely on external audit reports provided the report meets the audit requirements set out in the Regulations. We must still be satisfied with the audit, meaning we check the report against the Regulations. If non compliance has been identified, we confirm that this has been addressed by corrective actions and ensure that the accreditation requirements are equivalent to those for individual certifiers.