Compliance certifier audit
Compliance certifiers are authorised by WorkSafe to certify various types of matters specified in the Health and Safety at Work (Hazardous Substances) Regulations 2017 (the Regulations) that fall within the scope of their authorisation. They provide an important compliance role by checking that PCBUs or other specified persons comply with technical requirements prescribed in the Regulations. Certifiers will issue a compliance certificate if all the requirements are met.
Part 6 of the Regulations requires WorkSafe to audit the performance of each compliance certifier at least once every four years and provides for WorkSafe to recover audit costs using prescribed fees. WorkSafe may require an audit at more frequent intervals or an additional audit at any time, having regard to the certifier’s compliance and audit history, including compliance with relevant hazardous substances legislation in place before the Regulations commenced.
The Regulations specify that WorkSafe must audit the certifier’s compliance with the Health and Safety at Work Act 2015 (HSWA), the Regulations, any applicable safe work instruments (SWI) and performance standards [1]. The audit is a means to ensure the compliance certifier is following the legal requirements and processes related to compliance certification. It is also an opportunity for WorkSafe to inform the certifier about good practice. It is expected certifiers’ performance will improve over time, as each responds to the non-compliance and opportunities for improvement identified in their audit report.
The purpose of this Compliance Certifier Audit Policy is to describe WorkSafe’s approach to compliance certifier audits. The policy sets out a risk-based approach to assessing the certification decisions and functions undertaken by the compliance certifier.
This policy is designed for internal operational use to guide WorkSafe decisions about the scope of an audit, including which areas to prioritise when planning an audit, when an additional or more frequent audit may be required, and to inform the development of more detailed internal processes and procedures to support this policy. For example, the policy statements clarify factors to consider, such as when compliance history may justify a decision for an audit that is additional to, or more frequent than, the “routine” four-year provision.
Relationship to other policies / Related documents
The Compliance Certifier Audit Policy is one of the tools available to WorkSafe to assure compliance. Other tools include the operational policy on Investigation of Hazardous Substances Authorisations, the Enforcement Decision-making Model and compliance certifier Performance Standards.
Where there are concerns about certifier performance, WorkSafe will consider the particular circumstances, including any relevant compliance history, and determine which tools are most appropriate in those circumstances.
This policy applies to the auditing of all compliance certifiers authorised under Part 6 of the Regulations.
Out of scope
The following are not within scope of this policy:
- Matters relevant to undertaking a specific audit and audit follow up, including specifying audit content, standard operating processes, procedures and guidance.
- Policies covering performance standards, investigations and certifier authorisations.
- Processes relating to the grant of a compliance certifier authorisation.
- Reviews that are part of an authorisation application or renewal process.
The objectives of this audit policy are:
- To provide for the selection and scope of cost effective audit of the certifiers’ compliance with HSWA, the Regulations, any applicable SWI and performance standards.
- To inform decisions about initiating an audit or more frequent audits, when there are concerns about a certifier’s performance.
- To enable continued improvement of compliance certifier performance by identifying areas of compliance and non-compliance, potential non-compliance and opportunities for improvement.
- To provide consistency in managing compliance certifier audits and to address any non-compliance identified.
- To enable WorkSafe to carry out its audit function in line with the government’s policy intent and WorkSafe’s operating principles and intervention approach.
WorkSafe’s intervention approach describes how WorkSafe will fulfill its regulatory functions including acting in the “wider public interest”. While the intervention approach is focused on influencing and responding to behaviours, the principles are also relevant for the audit policy generally and provide a framework for decision-making.
WorkSafe will take a proportionate, risk-based approach to auditing compliance certifiers. Audit frequency, scope and follow up decisions are based on a consideration of risk factors and available evidence, as outlined below. The risk factors are based on risks to health and safety due to the complexity of certifier operations and the range and type of matters covered by the scope of the certifier’s authorisation.
The risk factors assessed include, but are not limited to:
- Whether the compliance certifier is new (such as when they lack experience and/or a compliance and audit history).
- The certifier’s history of compliance with requirements related to the functions of a compliance certifier, including audit reports, investigations, and complaints (excluding those that are very minor, frivolous, vexatious or malicious).
- The scope of the certifier’s authorisation, types of matters certified, the types of certificates issued and volumes of each type of certificate (see below).
- Any interdependencies of business systems or similar relationships with other certifiers (see below).
- Any other relevant existing circumstances that suggest an audit would be in the wider public interest.
WorkSafe will assess relevant risk factors as noted above to identify what to audit and help prioritise, scope and determine the frequency of audits.
The requirement is to audit the certifier’s compliance. For certifiers whose authorisation scope allows them to certify more than one type of certificate, the audit will not necessarily assess every type of certificate in a single audit. Each audit’s scope will be proportionate and based on assessed risks and available information.
For the sake of efficiency, where a certifier has interdependencies with other certifiers, for example by operating a business with one or more other certifiers, WorkSafe may audit individual certifiers and their business processes and systems collectively.
The assessment of risk factors described above will determine the audit scope and those aspects of the certifier’s activities, certification processes and procedures that will be audited. The audit scope should be reasonable and proportionate to assessed risks. Where the scope of a certifier’s authorisation covers more than one type of certificate, the audit scope may only cover some of these in a single audit.
The audit will assess a certifier’s decision making, systems, processes and procedures for examining and issuing compliance certificates, to verify these comply with the relevant requirements under the HSWA, the Regulations, safe work instruments and performance standards. The audit assesses whether the correct steps and required procedures were followed by examining the certifier’s documented processes and records to trace a decision about issuing a compliance certificate.
Generally a sample of the certifier’s activities and/or types of certificates within the scope of their authorisation would be audited, in line with accepted audit practices.
An audit will comprise one or more of the following:
- desktop audit of documentation including recent certification activity;
- an audit of the certifier’s processes and procedures, usually at the certifier’s place of business;
- an audit of a certificate issued to a certificate holder or site, to assess more complex types of certification. For example, certain types of stationary container or hazardous location certificate may require a site visit.
To help WorkSafe assess the certifier’s compliance with matters relevant to the audit, WorkSafe may supplement the audit with additional information provided/received during the course of the audit. For example, additional information may be provided when auditing certification records or to verify the assessment of certificates issued to the certificate holder by the compliance certifier.
WorkSafe audit staff who observe non-compliance of a PCBU or duty holder unrelated to the certifier’s audit will respond in line with the operating protocols between WorkSafe audit staff and WorkSafe Inspectors. Non-WorkSafe staff engaged as auditors to assist with desktop audits have limited powers prescribed in the regulations and will not undertake site visits.
The policy intent is that the majority of audits can be completed within 8 hours (equivalent to the basic audit fee), unless a major non-compliance is identified that would require extending the scope. However, the actual time required will depend on the scope of each audit, which is based on the risk assessment, and the range and accessibility of information required for the audit.
WorkSafe will audit each compliance certifier at least once every four years and usually within 24 months of the certifier being issued their initial authorisation (or an extension of their scope); or earlier if their authorisation is for a shorter term.
WorkSafe may determine that an audit is required at more frequent intervals than once every four years, or an additional audit is required at any time, if it has a reasonable concern about the conduct or ability of the compliance certifier, in relation to their compliance with regulatory requirements.
WorkSafe will make this decision on a case by case basis based on the certifier’s history of compliance with certification requirements specified in HSWA, the Regulations, any relevant SWIs and performance standards, and preceding legislation involving hazardous substances. WorkSafe will take a proportionate response after considering all relevant risk factors and any present circumstances, as noted above, including whether an audit is in the wider public interest.
Relevant factors are likely to include, but are not limited to:
- investigations or a pattern of complaints;
- the certifier’s audit history, including the nature and severity of any risks identified in the audit report and any outstanding corrective actions;
- the apparent competence of the certifier and the effectiveness of their certification process and controls for issuing compliance certificates.
For example, if a certificate has been issued in circumstances where the matter certified would not have been compliant at the time, that could trigger an audit.
Overall management of audits
The audit assesses the performance of the certifier in issuing compliance certificates, which usually requires reviewing and assessing the certifier’s documentation, records and supporting documentation such as file notes.
The regulations specify WorkSafe is the auditor of compliance certifiers. WorkSafe staff delegated to undertake an audit and persons engaged as an auditor have power to require the production of documents.
In cases where an audit requires entry to the compliance certifier’s or their PCBU client’s place of business, to gather information to inform the audit, WorkSafe will enter either with the consent of the occupier or with a person warranted as a WorkSafe inspector. WorkSafe policy on inspectors exercising powers of entry will also apply.
WorkSafe may also engage (contract) other persons as auditors to assist, primarily to undertake desktop audits. Contracted auditors will also not hold the appropriate delegations or be appointed as inspectors and will therefore not be authorised to inspect the certifier’s or their PCBU client’s place of business as part of the audit.
WorkSafe may appoint or engage technical experts or specialists to inform the audit, for example to advise on compliance with technical performance standards.
WorkSafe will appoint staff or engage persons to audit compliance certifiers who have the relevant knowledge and experience to assess the matters to be audited, taking into account any foreseeable conflicts of interest or potential for bias.
If WorkSafe is at a PCBU site on an audit and identifies a non-compliance matter, for example quantities of chemicals present exceeding the limit stated on the compliance certificate issued, the response shall be:
- to refer the non-compliant site to a WorkSafe Inspector as this is a PCBU responsibility. The compliance certifier has no immediate role; and
- to examine the certifier’s process and procedures to establish why and how the certifier made the decision to issue the certificate. If the certifier’s records establish that the quantity was within the limit on the day the certifier inspected the site, this would not be raised as audit-related non-compliance.
If the certifier has inconclusive or no records, or the records show the quantity was over the limit, this would be identified as an audit-related non-compliance in the compliance certifier’s audit report.
Provision of information
Should a certifier provide insufficient access or information to WorkSafe, or fail to provide requested information to assure the traceability of the certifier’s decisions within a reasonable time, WorkSafe may seek additional evidence. This will require additional time and may incur additional costs, for which additional prescribed audit fees will be charged. If the certifier fails to provide the requested information or it cannot be obtained in a reasonable time, the audit report will take this into account in determining non-compliance, corrective actions or areas of concern.
Audit findings of non-compliance mean the compliance certifier is not complying with provisions in the HSWA, the regulations, SWI and/or performance standards. Therefore any non-compliance observed in an audit may be grounds for a concern about the conduct or ability of the compliance certifier. When these concerns relate to a serious risk to health and safety an investigation may be initiated, which could lead to an amendment, suspension or cancellation of the authorisation.
Timing of audit
In determining when an audit should occur WorkSafe will consider the impact of the audit on the certifier’s business obligations; for example where the certifier may be engaged in cyclical work that is time sensitive (such as examining and certifying pyrotechnic displays for Guy Fawkes or New Year celebrations).
WorkSafe will charge a fee at the conclusion of the audit, based on time to audit the compliance certifier. WorkSafe’s ability to recover costs of an audit is limited to the fees as set out in the Regulations: $976 plus $137 per hour after the first 8 hours (both fees inclusive of GST).
Audit outcomes and re-audit
WorkSafe will provide the compliance certifier with a copy of the audit report which will group findings based on the following risks:
- major non-compliance [2]. These are medium to high risk matters that should be addressed quickly.
- minor non-compliance. These are low risk. That is, they are important to correct but the risk to health and safety is less immediate.
- potential areas of concern. These are potential risks. That is, they are trending towards non-compliance.
- opportunities for improvement. These highlight areas where the certifier’s practice is not aligned with good practice.
WorkSafe will also develop a corrective action plan with the compliance certifier to address non-compliance promptly and to confirm these corrective actions within a reasonable timeframe. The plan should also prevent or remove the risk of any “areas of concern”. Matters identified as “opportunities for improvement” are at the certifier’s discretion to advance continuous improvement. The audit findings and action plan outcomes will inform WorkSafe decisions about audit follow-up and will be used to inform renewal application decisions.
The audit will be closed off by WorkSafe, depending on the nature and assessed risks of non-compliance observed. For major non-compliance, WorkSafe will close the audit either with confirmation that the non-compliance has been addressed or when the time allocated in the corrective action plan has lapsed. For minor non-compliance, areas of concern or opportunities for improvement, WorkSafe will close the audit when the audit report and corrective action plan are given to the compliance certifier.
Certifiers are expected to address any non-compliance or potential non-compliance as soon as practicable. WorkSafe expects confirmation within three months in most situations. If this is not practicable the certifier should contact WorkSafe as soon as possible identifying the reason for the delay, with a plan that is acceptable to WorkSafe indicating when the non-compliance will be addressed. If within three months the certifier fails to demonstrate they have completed the corrective actions or to present an acceptable plan to address these, follow up action may be initiated. For a major non-compliance, this may include a further audit or an investigation.
WorkSafe will engage with the compliance certifier to confirm corrective actions are implemented and completed either by the compliance certifier demonstrating the corrective actions undertaken or by a follow up audit.
WorkSafe may require a follow-up audit to verify that corrective actions were taken, as most matters identified by an audit cannot be remedied at the time of the audit. Where the non-compliance is minor (low risk) or an area of concern (a potential risk), WorkSafe may combine the follow up with the next audit of the certifier. WorkSafe will base this decision on the risks associated with the non-compliance identified and the certifier’s compliance history.
Major non-compliance or failure to undertake remedial actions within the timeframes specified will be regarded as grounds for significant concern about the ability or conduct of the compliance certifier and may trigger an investigation of the certifier leading to suspension or cancellation of the authorisation [3].
Compliance certifier organisations
A compliance certifier that is not an individual must obtain and maintain accreditation to ISO/IEC 17020 [4] by International Accreditation New Zealand (IANZ).
WorkSafe will not audit a compliance certifier that is accredited to ISO 17020 who has been audited by IANZ to maintain their accreditation, if WorkSafe receives a copy of the audit reports and is satisfied:
- that these reports meet the requirements for an audit under Part 6 of the Regulations.
- with the steps proposed to address any non-compliance issues identified or that they have been satisfactorily resolved [5].
WorkSafe will work with IANZ to ensure that the technical requirements and criteria that are inspected and examined by IANZ for the certifier to maintain accreditation are no less than those required by WorkSafe and its audit of individuals authorised as compliance certifiers.
WorkSafe is likely to accept that the audit provided by IANZ is satisfactory if it is conducted in accordance with the operational level agreement with IANZ that provides, amongst other things, for WorkSafe at its discretion to:
- provide input into the technical criteria and content of the surveillance and reassessment inspections undertaken by IANZ
- be informed of and specify technical persons on the reassessment team
- participate in the surveillance and reassessment examinations if WorkSafe wishes
- view information, surveillance and reassessment reports IANZ prepares about the accreditation of the certifier.
- be informed if the scope of the accreditation or that of any signatories is amended, suspended or revoked.
Review and publication of this policy
This policy will be reviewed as needed to ensure the policy is still achieving its objectives, address any operational inefficiency within the policy, and recognise any relevant legislative amendments.
Policy owner: General Manager, Better Regulation
Policy approved by: SLT
Policy reviewed and approved: October 2017
Next review date: as needed
1. Performance standards set out the information and process requirements that a compliance certifier must comply with when performing the functions of a compliance certifier.
2. Non-compliance indicates the auditor found the certifier did not meet a relevant requirement specified in the HSWA, the Regulations, SWI or performance standards.
3. Investigation of a Compliance Certifier may result in the certifier being suspended or having their activities limited pending the outcome of the investigation.
4. AS/NZS ISO/IEC 17020: 2013 Conformity assessment: Requirements for the operation of various types of bodies performing inspection. This may include one or more specific or supplementary criteria documents setting out technical requirements specific to inspection for the range of hazardous substance compliance certificates. WorkSafe may develop these supplementary criteria with IANZ to ensure they are fit for purpose.
5. Maintaining accreditation requires regular surveillance and reassessment reviews by IANZ covering technical competence, management and quality assurance systems, processes and procedures. For the purposes of this audit policy, reports of these reviews prepared by IANZ for the compliance certifier to maintain accreditation will be accepted as audit reports if there is an agreement in place. Similarly IANZ findings about non-conformance in those reports will be interpreted as a finding about non-compliance.