Internal Auditor Course BSRM Group: Those in Bold Represent A Broad Question


Internal Auditor Course

BSRM Group

Exam Guideline:

A. There will be 5 short questions, each of 2 marks.

B. There will be 4 broad questions, each of 5 marks.
C. There will be 1 scenario in which a potential or actual NC exists. The examinee will decide whether it is already an NC or
whether further investigation is required. If further investigation is required, the participant will list 10 points of investigation and
will also give an opinion on which findings would constitute an NC.

Sample short and broad questions. Those in bold represent a broad question.

1. What is the definition of Hazard?

Ans: A hazard is any source of potential damage, harm or adverse health effects on something or someone.

Basically, a hazard is the potential for harm or an adverse effect (for example, to people as health effects, to organizations as
property or equipment losses, or to the environment).

Some examples of hazards are:

o Slips and Trips: the single biggest cause of injury at work. Caused by poor housekeeping, unsuitable footwear
and insufficient maintenance.
o Working from Height: one of the major causes of workplace fatalities. Includes ladders, scaffolds, roofs, or
any raised work area.

2. What is Risk and how is it usually calculated?


Risk is the effect of uncertainty. When a hazard materializes, an incident happens. The incident may have a high, medium
or low impact on the health and safety of employees. Risk indicates the probability of the hazard materializing and
the severity of the impact or consequence.
Usually, we assign a rating for both probability and severity, and then multiply them to obtain the Risk Priority
Number. The probability rating indicates how easy or difficult it is for the hazard to materialize. Similarly, the
severity rating indicates how serious the injury or ill-health will be if the accident takes place. If we allocate
ratings 1 to 5 for probability, the distribution can be as follows:

1 = highly unlikely
2 = likely
3 = moderately likely
4 = highly probable
5 = inevitable
A severity scale can be defined in the same way.
For example, if a fall is a hazard, the probability of the fall is 3 out of 5, and the severity is 5 out of 5, then the risk is calculated as
3 x 5 = 15.

3. What is the definition of incident?


An incident, in the context of occupational health and safety, is an unintended event that disturbs normal
operations. OSHA defines an incident as "an unplanned, undesired event that adversely affects completion of
a task." Incidents are not always serious in their effects, as is the case with near misses (events that could have
resulted in a serious accident but where all serious damage or harm was avoided). Accidents are a subset of
incidents, but some events that do not qualify as accidents are still counted as incidents; these are known as near
misses.

4. What are the differences between accident and near miss?

The main difference between an 'accident' and a 'near miss' is that the former does result in personal injury or property damage, while
the latter does not result in personal injury or property damage but has the potential to do so.

If an incident is a 'near miss', it is an event that does not result in harm but had the potential to cause it.

An accident is a specific event that results in the injury, death, or ill health of an employee or a member of the public.

A near miss can be investigated and recorded in order to avoid an accident.

5. Do we need to investigate near misses?

Yes, we do need to investigate near misses. This is because a near miss is also an incident. As per the standard ISO
45001, near misses need to be investigated. Also, as a near miss has the potential to recur, and to cause injury and ill-
health when it recurs, investigating the near miss and taking corrective action can save us from a future accident.
As per Heinrich's hierarchy of incidents (shown below), if we allow near misses to continue to occur, there will be
everything from low-injury accidents to fatalities in the organization. Therefore, rooting out near misses is very important to achieve zero
accidents.

[Figure: Heinrich's incident pyramid, top to bottom: Fatality; Severe Injury; Minor Injury; Near Misses; Unsafe acts and conditions]

6. Give some elements of Internal Issues for the context of the organization.
o Governance, organizational structure, roles and accountabilities.
o Policies, objectives and the strategies that are in place to achieve them.
o The capabilities, understood in terms of resources, knowledge and competence (e.g. capital, time, human
resources, processes, systems and technologies).
o Information systems, information flows and decision-making processes (both formal and informal).
o Introduction of new products, materials, services, tools, software, premises and equipment.
o Relationships with, as well as perceptions and values of, workers.
o The culture in the organization.
o Standards, guidelines and models adopted by the organization.

7. Give some elements of external issues for understanding the context of the organization.
1. the cultural, social, political, legal, financial, technological, economic and natural surroundings and market
competition, whether international, national, regional or local;
2. introduction of new competitors, contractors, subcontractors, suppliers, partners and providers, new
technologies, new laws and the emergence of new occupations;
3. new knowledge on products and their effect on health and safety
4. key drivers and trends relevant to the industry or sector having impact on the organization
5. Relationships with, as well as perceptions and values of, its external interested parties.
6. Changes in relation to any of the above.

8. Name 10 stakeholders of your organization with respect to the OHSMS and give the reason why you consider them your
stakeholders.

Stakeholder                      | Why?
Employee                         | LTI affects KPI
Employer                         | Affected directly by LTI
Legal Authority                  | Needs to achieve compliance
Safety Committees                |
Regulators                       | Compliance and reporting
Neighbours and communities       | Consultation and engagement exercises to identify environmental concerns
Local Authorities and Government |
Suppliers                        |
Contractors                      |

9. Is there any need or expectation of these stakeholders which becomes your compliance obligation?

The following can be situations in which a requirement of a stakeholder becomes a compliance obligation:

a. If a requirement is adopted by BSRM as an organizational requirement.
b. If a requirement of a stakeholder is covered in law.
c. If a requirement of a stakeholder is part of a contract.
d. If a requirement is part of an organization's commitment.
e. If a requirement is overwhelmingly an expectation of the community.
10. Give 5 important elements that organization needs to decide based on consultation with non-managerial workers?
(Read clause 5.4)

1. Determining the needs and expectations of interested parties.


2. Establishing the OH&S policy.
3. Assigning organizational roles, responsibilities and authorities, as applicable.
4. Determining how to fulfil legal requirements and other requirements.
5. Establishing OH&S objectives and planning to achieve them.
6. Determining applicable controls for outsourcing, procurement and contractors.
7. Determining what needs to be monitored, measured and evaluated.
8. Planning, establishing, implementing and maintaining an audit programme(s).
9. Ensuring continual improvement.

11. Give 5 important elements that organization needs to decide based on participation from non-managerial workers?
(Read clause 5.4)
1. Determining the mechanisms for their consultation and participation.
2. Identifying hazards and assessing risks and opportunities.
3. Determining actions to eliminate hazards and reduce OH&S risks.
4. Determining competence requirements, training needs, training and evaluating training.
5. Determining what needs to be communicated and how this will be done.
6. Determining control measures and their effective implementation and use.
7. Investigating incidents and nonconformities and determining corrective actions.

12. What are the commitments that the top management needs to include in OHSMS policy?

When planning for the OH&S management system, the organization shall consider the issues referred
to in 4.1 (context), the requirements referred to in 4.2 (interested parties) and 4.3 (the scope of its
OH&S management system) and determine the risks and opportunities that need to be addressed to:
a) give assurance that the OH&S management system can achieve its intended outcome(s);
b) prevent, or reduce, undesired effects;
c) achieve continual improvement.
When determining the risks and opportunities for the OH&S management system and its intended
outcomes that need to be addressed, the organization shall take into account:
— hazards
— OH&S risks and other risks
— OH&S opportunities and other opportunities
— legal requirements and other requirements
The organization, in its planning process(es), shall determine and assess the risks and opportunities
that are relevant to the intended outcomes of the OH&S management system associated with changes
in the organization, its processes or the OH&S management system. In the case of planned changes,
permanent or temporary, this assessment shall be undertaken before the change is implemented (see
8.1.3).
The organization shall maintain documented information on:
— risks and opportunities;
— the process(es) and actions needed to determine and address its risks and opportunities (see 6.1.2 to
6.1.4) to the extent necessary to have confidence that they are carried out as planned.
13. What are the issues the organization needs to consider while carrying out Hazard Identification? Describe at
least 5 different points.

The organization shall establish, implement and maintain a process(es) for hazard identification that is
ongoing and proactive. The process(es) shall take into account, but not be limited to:
a) how work is organized, social factors (including workload, work hours, victimization, harassment
and bullying), leadership and the culture in the organization;
b) routine and non-routine activities and situations, including hazards arising from:
1) infrastructure, equipment, materials, substances and the physical conditions of the workplace;
2) product and service design, research, development, testing, production, assembly,
construction, service delivery, maintenance and disposal;
3) human factors;
4) how the work is performed;
c) past relevant incidents, internal or external to the organization, including emergencies, and
their causes;
d) potential emergency situations;
e) people, including consideration of:
1) those with access to the workplace and their activities, including workers, contractors, visitors
and other persons;
2) those in the vicinity of the workplace who can be affected by the activities of the organization;
3) workers at a location not under the direct control of the organization;
f) other issues, including consideration of:
1) the design of work areas, processes, installations, machinery/equipment, operating procedures
and work organization, including their adaptation to the needs and capabilities of the
workers involved;
2) situations occurring in the vicinity of the workplace caused by work-related activities under
the control of the organization;
3) situations not controlled by the organization and occurring in the vicinity of the workplace
that can cause injury and ill health to persons in the workplace;
g) actual or proposed changes in organization, operations, processes, activities and the OH&S
management system (see 8.1.3);
h) changes in knowledge of, and information about, hazards.



14. How do we calculate risks of various hazards? What is base risk and what is residual risk?

Usually, we assign a rating for both probability and severity, and then multiply them to obtain the Risk
Priority Number. The probability rating refers to the probability of the hazard materializing, and the
severity rating refers to the severity of the injury or ill-health that may occur.

When we calculate risk from probability and severity taking the existing controls into account, we get the base
risk number. If the base risk is higher than the acceptance limit, then we need to implement additional
control measures. When we apply additional controls, the risk reduces. However, there will still be
some level of risk remaining. This risk remaining after the additional controls are applied is called the Residual
Risk.

For example, for a fall hazard, the probability was 3 and the severity was 5. After putting an additional control in place
(increasing the height of the parapet) the probability reduced to 2 but the severity remains 5. So the base risk
is 3 x 5 = 15 but the residual risk is 2 x 5 = 10.
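A worked version of the base-risk and residual-risk calculation from questions 2 and 14, added here as an illustration rather than BSRM's own HIRA tool. It uses the probability scale from question 2 and the fall hazard from question 14; the acceptance limit of 12 is an assumed value, because the notes refer to an acceptance limit without giving one.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Probability ratings exactly as given in the course notes (question 2).
PROBABILITY_SCALE = {
    1: "highly unlikely",
    2: "likely",
    3: "moderately likely",
    4: "highly probable",
    5: "inevitable",
}

# Assumed value: the notes say additional controls are needed when the base
# risk exceeds "the acceptance limit" but do not state BSRM's actual limit.
ACCEPTANCE_LIMIT = 12


def risk_priority_number(probability: int, severity: int) -> int:
    """Risk Priority Number = probability rating x severity rating, each 1..5."""
    for name, value in (("probability", probability), ("severity", severity)):
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} rating must be an integer from 1 to 5, got {value!r}")
    return probability * severity


@dataclass
class Control:
    """An additional control and the ratings that apply once it is in place."""
    description: str
    probability_after: int
    severity_after: int


@dataclass
class HazardAssessment:
    hazard: str
    probability: int                 # rating with existing controls only
    severity: int                    # rating with existing controls only
    additional_controls: list[Control] = field(default_factory=list)

    def base_risk(self) -> int:
        """Risk with existing controls: the value compared against the limit."""
        return risk_priority_number(self.probability, self.severity)

    def needs_additional_control(self, limit: int = ACCEPTANCE_LIMIT) -> bool:
        return self.base_risk() > limit

    def residual_risk(self) -> int:
        """Risk remaining once the last listed additional control is in place."""
        if not self.additional_controls:
            return self.base_risk()
        last = self.additional_controls[-1]
        return risk_priority_number(last.probability_after, last.severity_after)

    def summary(self, limit: int = ACCEPTANCE_LIMIT) -> dict:
        """One line of a HIRA register, returned as a dict so it can be tabulated."""
        residual = self.residual_risk()
        return {
            "hazard": self.hazard,
            "probability": f"{self.probability} ({PROBABILITY_SCALE[self.probability]})",
            "base_risk": self.base_risk(),
            "needs_additional_control": self.needs_additional_control(limit),
            "controls": [c.description for c in self.additional_controls],
            "residual_risk": residual,
            "residual_acceptable": residual <= limit,
        }


# Worked case from the notes: fall hazard, probability 3, severity 5;
# raising the parapet brings probability down to 2, severity stays 5.
FALL = HazardAssessment(
    hazard="Fall from height",
    probability=3,
    severity=5,
    additional_controls=[Control("Increase height of the parapet", 2, 5)],
)

if __name__ == "__main__":
    for key, value in FALL.summary().items():
        print(f"{key:>26}: {value}")
```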

15. Give some example of opportunities which can be used to enhance OHSMS performance of the
organization.

The organization shall establish, implement and maintain a process(es) to assess:


a) OH&S opportunities to enhance OH&S performance, while taking into account
planned changes to the organization, its policies, its processes or its activities
and:
1) opportunities to adapt work, work organization and work environment to
workers;
2) opportunities to eliminate hazards and reduce OH&S risks;
b) other opportunities for improving the OH&S management system.
NOTE OH&S risks and OH&S opportunities can result in other risks and other
opportunities for the organization.

16. What are the requirements of identification of legal and other requirements in ISO 45001?

The organization shall establish, implement and maintain a process(es) to:


a) determine and have access to up-to-date legal requirements and other
requirements that are applicable to its hazards, OH&S risks and OH&S
management system;
b) determine how these legal requirements and other requirements apply to
the organization and what needs to be communicated;
c) take these legal requirements and other requirements into account
when establishing, implementing, maintaining and continually improving its
OH&S management system.
The organization shall maintain and retain documented information on its
legal requirements and other requirements and shall ensure that it is updated to
reflect any changes.
NOTE Legal requirements and other requirements can result in risks and
opportunities for the organization.

17. Write 2 measurable OHSMS objectives for your process/department.

18. As per ISO 45001, what are the important controls on documented information?

Documented information required by the OH&S management system and by this
document shall be controlled to ensure:
a) it is available and suitable for use, where and when it is needed;
b) it is adequately protected (e.g. from loss of confidentiality, improper use or loss
of integrity).
For the control of documented information, the organization shall address the
following activities, as applicable:
— distribution, access, retrieval and use;
— storage and preservation, including preservation of legibility;
— control of changes (e.g. version control);
— retention and disposition.
Documented information of external origin determined by the organization to
be necessary for the planning and operation of the OH&S management system
shall be identified, as appropriate, and controlled.
NOTE 1 Access can imply a decision regarding the permission to view the
documented information only, or the permission and authority to view and change the
documented information.

NOTE 2 Access to relevant documented information includes access by workers,
and, where they exist, workers' representatives.

19. What is hierarchy of control? What is the most effective type of control and what is the least
effective type of control?

The organization shall establish, implement and maintain a process(es) for the
elimination of hazards and reduction of OH&S risks using the following hierarchy of
controls:
a) eliminate the hazard;
b) substitute with less hazardous processes, operations, materials or equipment;
c) use engineering controls and reorganization of work;
d) use administrative controls, including training;
e) use adequate personal protective equipment.
NOTE In many countries, legal requirements and other requirements include the requirement
that personal protective equipment (PPE) is provided at no cost to workers.

20. ISO 45001 requires to manage changes to ensure good OHS performance. What are the key
points for management of change?

The organization shall establish a process(es) for the implementation and control of
planned temporary and permanent changes that impact OH&S performance, including:
a) new products, services and processes, or changes to existing products,
services and processes, including:
— workplace locations and surroundings;
— work organization;
— working conditions;
— equipment;
— work force;
b) changes to legal requirements and other requirements;
c) changes in knowledge or information about hazards and OH&S risks;
d) developments in knowledge and technology.
The organization shall review the consequences of unintended changes, taking action to
mitigate any adverse effects, as necessary.
NOTE Changes can result in risks and opportunities.

21. Which part of contractor’s activities are to be brought under HIRA?

The organization shall coordinate its procurement process(es) with its contractors, in
order to identify hazards and to assess and control the OH&S risks arising from:
a) the contractors’ activities and operations that impact the organization;
b) the organization's activities and operations that impact the contractors' workers;
c) the contractors’ activities and operations that impact other interested parties in the
workplace.
The organization shall ensure that the requirements of its OH&S management
system are met by contractors and their workers. The organization’s
procurement process(es) shall define and apply occupational health and safety
criteria for the selection of contractors.
NOTE It can be helpful to include the occupational health and safety criteria for the
selection of contractors in the contractual documents.

22. While preparing Organization’s Emergency Response Plan (ERP) a number of considerations
are to be taken into account. Provide 5 important points to this effect. 8.2

The organization shall establish, implement and maintain a process(es) needed
to prepare for and respond to potential emergency situations, as identified in
6.1.2.1, including:
a) establishing a planned response to emergency situations, including the
provision of first aid;
b) providing training for the planned response;
c) periodically testing and exercising the planned response capability;
d) evaluating performance and, as necessary, revising the planned response,
including after testing and, in particular, after the occurrence of emergency
situations;
e) communicating and providing relevant information to all workers on
their duties and responsibilities;
f) communicating relevant information to contractors, visitors, emergency
response services, government authorities and, as appropriate, the local
community;
g) taking into account the needs and capabilities of all relevant interested parties
and ensuring their involvement, as appropriate, in the development of the
planned response.
The organization shall maintain and retain documented information on the process(es) and on the
plans for responding to potential emergency situations

23. With respect to monitoring and measurement:

a. Provide 10 parameters or elements that need to be monitored and measured in
your OHSMS.
b. How many of these parameters are legally required to be monitored and measured?

Noise level
Light
Air
Worker health (blood pressure)
Eye sight
Temperature
Diabetes screening
Vehicle condition
Infrastructure maintenance
Drinking water test
Solid waste disposal
LTI
Near miss
Fire extinguisher
Hydrant system
Fire alarm
Signal of gates

24. What is the relationship between clause 6.1.3 and clause 9.1.2? In PDCA, which clause is in
which domain?

Clause 6.1.3 is identification of legal requirement and 9.1.2 is for evaluating if those requirements are
fulfilled. Thus 6.1.3 falls under P and 9.1.2 falls under C.

25. Provide 5 major legal requirements that your OHSMS reviews regularly. 9.3

26. Why we conduct Internal Audit? 9.2.1

27. What are the 6 basic requirements of ISO 45001 with respect to planning and conducting
Internal Audit? 9.2.2

28. What is the major focus of management review in terms of decision making for the OHSMS? 9.3
29. When you are conducting an Internal Audit on your OHSMS, what are the criteria that you will
use?

Criteria: the set of procedures, instructions, legal documents, codes and standards applicable to the process.

All the documents which contain OH&S requirements that are mandatory for the process to fulfil are
criteria for this audit.

30. What are the common types of findings in an internal audit and what do they signify?

Audit Findings

01. Strong Point – where process exceeds requirement

Full body Safety Harness is enough for work at height. Organization uses double full body safety harness.
Safety harnesses are tested annually for acceptable condition.


02. AFI/OFI

Where opportunity exists for the process to do better.

Lux is 102. Using skylights can increase lux to 120. Legal requirement is 100.

03. Observation/PNC

Workers use safety boots. Some of them are very old and may have breaches. They work with hazardous
chemicals.

04. Minor NC

a. Lux is 90 at furnace area.

b. Objectives are not documented.


c. No PtW is followed while working on the high voltage panel board.

05. Major NC

There is no OHSMS Policy in the organization

Organization does not carry out HIRA

Organization does not carry out Internal Audit

Organization does not have a fire safety license.

31. What are the differences between correction and corrective action?

Correction: Action to eliminate a detected NC. (does not prevent recurrence)

CA: Action to eliminate the cause of a detected NC. (CA prevents recurrence)

32. Why we need to conduct RCA?

Root Cause Analysis (RCA) is a method used to identify and document the potential causes of a problem.
This should take place when an incident or breakdown in service occurs, particularly incidents or
breakdowns that lead to undesired outcomes for clients.

Most problems that exist do not have one, clear identifiable cause. A root cause analysis can help
determine possible contributing factors, such as what, how, and why something might have happened.
The main objectives of walking through an RCA are:

Prevent recurrence of the issue

Continuous improvement of service quality

Document accountability of breakdown

Identify deficiencies in process or process documentation

Identify training needs and opportunities

For any query, you may send mail to me: [email protected]


Auditor (x) : Have you conducted your HIRA?

Auditee (y): Yes

X: Can you show me the HIRA documents?

Y: Yes

x reviews the document

X: Why did you not consider the ammonia plant beside your plant as a hazard?
Y: because it is not under our control. Moreover, there has not been any history of accident in that
plant. It is using state of the art Japanese technology and such new plants are highly unlikely to have
any accident.

NC or not NC?

(to give a straight NC, I must have glaring evidence of non-conformity. If there is any scope of raising a
question against the evidence, then you should give a potential nc or observation)

Not NC.

Why not an NC? Because there is not enough evidence that the plant beside ours has a hazard that can cause
injury/ill health in our plant.

Why am I not giving credit as a conformity? Why did I raise a PNC? Because they excluded it from the HIRA
on the grounds that it is not under their control. Also, ammonia plants are generally hazardous.

Ans:

01. This is not an NC at present as objective evidence of NC is not present. Further investigation
required.

02. I will investigate the matter as below:

a. How far is the plant located from the workplace?

b. Is there any probability of ammonia blowing into own plant in case of leakage?

c. What is the reputation of the OEM of that plant? How did the organization decide about their
reliability?

d. How did org. decide about history of such plant?

e. Is there any communication between own plant and the neighbouring plant?

f. Is there any lesser hazard recorded than the potential hazard of the nearby plant?

g. Why did the auditee refer to control as a criterion? Does he know the standard?

I will raise an NC if the result of the above investigation shows that the auditee does not know clause
6.1.2.1 f(3) or does not have enough knowledge of the neighbouring plant.
How marks are allocated.

01. Decision for NC or not NC – 3 marks. “This is not an NC at this moment, because auditor does
not have un-questionable evidence of NC. “

02. What further investigation the auditor needs to do, to finally decide whether it is a NC?

a. How far is the plant located from the workplace?

b. Is there any probability of ammonia blowing into own plant in case of leakage?

c. What is the reputation of the OEM of that plant? How did the organization decide about their
reliability?

d. How did org. decide about history of such plant?

e. Is there any communication between own plant and the neighbouring plant?

f. Is there any lesser hazard recorded than the potential hazard of the nearby plant?

g. Why did the auditee refer to control as a criterion? Does he know the standard?

I will raise an NC if the result of the above investigation shows that the auditee does not know clause
6.1.2.1 f(3) or does not have enough knowledge of the neighbouring plant.

Scenario

X: Have you documented your OHSMS?

Y: Yes

X: Please let me review your documentation.

X reviews a set of documents as provided by Y.

X: Very good. Where is the OHSMS policy?

Y: The policy is not in hard copy. We maintain it in soft form.

X: Has the policy been communicated?

Y: Yes

X: Can you show me your OHSMS policy?


Y: Yes.

Y shows the policy from a folder in his computer.

X: OK. Now, show me your OHSMS objectives please.

Y: Mr. X, we have our objectives with Plant Head.

X: Can you bring them to me?

Y: Yes

X reviews the 3 objectives in a file.

Objective 1: We will improve the productivity of Mills from ……………….per year to ………………per year.

Objective 2: We will reduce employee turnover from ……………..per year to ………………….per year.

Objective 3: We will improve market share from …………..to ……………………..by 2021.

After reviewing the document

X: Do you have any other document for objectives

Y: No, sir.
