A pre-assessment is usually the ante to an external, registrar, or certification audit. If you would like a pre-assessment of your organisation, chances are your system has been conforming to the chosen specification or standard for at least three months, you have conducted a full internal audit of your organisation, and all the findings reported in the internal audit report have been remedied and are closed. You are basically ready but want to have a last look before you bring the big boys in.

A pre-assessment is therefore a rehearsal of an external audit, and consequently there is plenty of document review as well as actual questioning of employees. As with the internal audit, the pre-assessment’s objective is to seek the degree of conformance of your system to the chosen specification or standard. It can also be your green light to go for the certification audit, or maybe a yellow light if some fine tuning is necessary. The pre-assessment report will not give advice but should show if there are any nonconformities and allow the organisation to close those out prior to the certification audit. The better you are prepared for a certification audit, the more you increase your chances of obtaining certification or being recommended for certification on the day of your external audit.

Pre-assessments can be conducted by consultants, registrars, or competent individuals who are experts in the certifications or standards chosen by your organisation.

Available Audits

An internal audit is an activity that also seeks to determine the degree to which your organisation conforms to the requirements of a specification or standard or to your own organisational requirements. This audit is performed in more than one dimension, through review of documentation evidence and also by questioning employees. An internal audit is usually conducted after development of processes (e.g., a quality management system) has been completed and some implementation has occurred.

The reason is that internal auditors will be questioning individuals to assess their knowledge of the system. If implementation is not underway, it may be hard to prove that employees are actually using the system and are knowledgeable of their roles in meeting the specification or standard or of the organisation’s own requirements. Internal audit reports usually present the lead internal auditor’s summary on the overall impression of the organisation’s degree of conformance and a list of findings. Good reports include not just nonconformities, but also observations, noteworthy efforts, and even opportunities for improvement. There is not much advice in an internal audit report, however, “opportunities for improvement” and observations, when presented correctly, should give the organisation enough fuel for action and follow up.

The last issue about internal audits is who conducts them. As the word “internal” says, internal audits should be conducted by internal employees, although this is easier said than done. In large organisations the task is easier because there are departments whose sole function is to perform audits throughout the business units and locations. However, in small organisations, this is a real problem. First, we are dealing with the issue of independence. If you have one auditor who audits the whole facility, who audits his area? If the same auditor also audits his area, then you will not be able to prove that the audit is unbiased. The other big question is how effective are your audits? Internal auditors who only perform audits once or twice a year do not truly have a chance to polish their auditing skills, and therefore you may not be getting good value from your audits.

That’s when hiring an independent consultant sometimes works in your favour: They are independent, bring a lot of expertise from other organisations, and have excellent up-to-date auditing skills. However, if you decide to have your employees perform your audits, make sure you keep them current in auditing techniques by providing continuing education on auditing at least once a year.

A second-party audit is performed following a decision of the organisation’s management by competent personnel from within the organisation and/or by external personnel selected by the organisation and the audit is applied to the activities of a second organisation, usually a supplier of the first organisation. The purpose of the audit is for the auditor to verify if the auditee meets specific requirements and become satisfied with the performance level of the auditee. The conclusions of the audit are communicated to the management of the two organisations and to no other interested party.

A third-party audit is performed following an application for certification/registration against an OSH standard issued by an organisation’s management. It is undertaken by competent personnel from the certification/registration body. It is applied to the applicant’s organisations and the conclusions of the audit are communicated to the certification body and the management of the applicant. Only a positive decision is public or a negative decision after annual surveillance observations, as established in the final records: certificates, communications of withdrawal of certification.

A gap analysis is mainly a determination of the degree of conformance of your organisation to the requirements of a specification or standard. A gap analysis is mainly a document review or a “show me the evidence” activity, evidence which usually will come in the form of a record or document. During a gap analysis, only very minor auditing is done. Rather, key process owner or project stakeholders provide evidence that they have met the requirements set forth in the specification or standard.

Gap analysis is often conducted at the beginning of an organisation’s journey seeking compliance to a chosen specification or standard. However, it may also be conducted after some development of processes for achieving compliance has taken place. The main reason why gap analysis is conducted at the beginning of the development phase or after some development has occurred is because the organisation wants to know where it stands in regard to meeting the standard, and it wants to know specifically what it must do to close the gaps. Basically the organisation wants to know where the holes are—whether few or many—and what it needs to do to close those holes and get closer to fully meeting the requirements.

This leads us into the reporting aspect of gap analysis. A good gap analysis report usually presents a clear summary of where the major gaps exist between the company’s documentation and the chosen requirements. It should also show a detailed account of each requirement and the degree of compliance, with corresponding actions that should be taken to close these gaps.

Legal Registers

OHSAS 18001® and Health & Safety Legal Compliance

Health and Safety Legal Compliance and OHSAS18001®: Differentiating between clause 4.3.2 (Legal & Other Requirements) and 4.5.2 (Evaluation of Compliance). In order to comply with clauses 4.3.2 and 4.5.2 under OHSAS18001®, the differences and similarities between these two clauses must be clearly understood.

Clause 4.3.2: Legal and Other Requirements

In terms of this clause, an organisation must establish, implement and maintain a procedure for identifying and accessing the legal and other occupational health and safety requirements that are applicable to it. This clause therefore directs that an organisation firstly needs to identify all laws and other requirements which it must comply with which relate to health and safety.

The identification of applicable legal compliance requirements should be undertaken by an individual who is competent to do so, such as a person who is legally trained (attorneys, advocates etc) in order to ensure that none of the relevant requirements are overlooked. A list of these legal compliance requirements must be compiled in the form of a legal library, database or register.

Health and Safety Legal Compliance

Sources of legal compliance requirements could include:

  • National, provincial and municipal legislation
  • Decrees and directives
  • Permits, licenses
  • Orders issued by regulatory agencies
  • Customary / indigenous law
  • Treaties
  • Conventions
  • Protocols

Other requirements to which an organisation must comply could include the following:

  • Agreements with customers
  • Non-regulatory guidelines
  • Voluntary principles
  • Codes of practice
  • Agreements with community groups
  • Public commitments of the organisation
  • Company requirements
It is critically important that these “other” requirements are not overlooked, and are also properly managed. It is a common problem that organisations are not aware of the Provincial and Municipal by-laws which are applicable to their operations. This clause then directs that the organisation must have access to the aforementioned requirements, so it is not sufficient to simply list the applicable requirements. Further, this information needs to be kept up to date, and there must be a procedure to communicate the legal compliance and other requirements to employees and interested parties. Updates to the relevant requirements will need to be communicated to these parties too.

Clause 4.5.2: Evaluation of Compliance

As it states, this clause directs that an organisation must establish, implement and maintain a procedure for periodically evaluating compliance with the applicable legal and other requirements which were identified under clause 4.3.2, and that records of the results of these evaluations must be kept. The frequency of the periodic evaluations may vary for differing legal compliance requirements.

In order for an organisation to comply with this clause, it will need to undergo health and safety legal compliance audits. Legal compliance auditing should only be conducted by individuals who are competent to do so, such as individuals who have been legally trained.

It is further important that an organisation is audited against all of the laws which are applicable to it – not only National Legislation, and not only against the Occupational Health and Safety Act. It is a common problem that organisations are not aware of the Provincial and Municipal by-laws which are of application to their operations – this exposes the organisation to significant risks, since the by-laws quite often attract substantial penalties for non-compliance thereto.

There are roughly 250 pieces of South African legislation that relate to safety, health and environment, which could be applicable to any organisation. It is therefore fitting that these legal compliance audits should be conducted by individuals such as attorneys or advocates, who are comfortable with reading, interpreting and applying legislation.


Based on the above discussion, it is evident that the management of Health and Safety legal compliance is critical in order to achieve and maintain OHSAS18001® certification.

So which audit do you need?

Hopefully by now you are more clear on the difference between these three important activities in your continual improvement journey. Depending on the size of your company, you may need all three, although we usually recommend a gap analysis to define the starting point and a thorough internal audit because that’s a “must do” anyway. Your organisation may not need a pre-assessment or benefit from one. Most registrars or certification bodies have implemented a Stage 1 and Stage 2 audit, which seeks to give organisations an opportunity to determine their readiness.

Remember that the quality of these compliance activities is only as good as the quality of people performing the activities. Whether you chose all three or just the internal audit, make sure they are performed by highly competent individuals. Only with expertise on hand and excellent reports will you get closer to world-class quality.