The legal floor: review is already a duty
Before any voluntary standard enters the picture, the WHS framework itself requires review. The model How to manage work health and safety risks code (reissued November 2024) devotes its fourth step to reviewing controls and opens it bluntly: controls "should be reviewed regularly to make sure they work as planned. Don't wait until something goes wrong." For the specific risks where the WHS Regulations mandate a risk management process, review is compulsory in five circumstances: when a control is not effectively controlling the risk, before a workplace change likely to create a new or different risk, when a new hazard or risk is identified, when consultation indicates a review is needed, and when a health and safety representative requests one. That last item deserves more attention than it gets: an HSR request is a legal trigger, not a suggestion box entry.
For officers, verification is personal. The section 27 due diligence duty lists six reasonable steps, and the sixth is the auditor's clause: "to verify the provision and use of the resources and processes" the business relies on to manage risk and comply. An officer who commissions a safety management system but never tests whether it is used has skipped the step the Act names. The same six-step list appears in the psychosocial and healthcare codes as the working checklist for officers, as covered in our psychosocial code story.
ISO 45001: what the standard is, and is not
AS/NZS ISO 45001:2018 is Australia's adoption of the international occupational health and safety management system standard. Comcare's guidance describes it as specifying the requirements for a WHS management system, with the aim of preventing work-related injury and illness and proactively improving performance, aligned with the ISO 9000 family so it integrates with quality and environmental systems. It replaced AS/NZS 4801:2001, and the transition is finished: JAS-ANZ, the accreditation body for Australia and New Zealand, required certified organisations to migrate to ISO 45001 by 13 July 2023 unless a legally binding obligation held them to the old standard. Two honesty notes. First, the standard's text is paywalled; it is purchased from Standards Australia, and this page describes it only through Comcare's free guidance. Second, certification is voluntary and is not compliance: the WHS duty sits with the PCBU regardless of any certificate, and a code of practice, not a standard, is what a court may treat as evidence of what is reasonably practicable, per Safe Work Australia's model laws hub.
Comcare's guidance also supplies the working definition of a gap analysis: "Start by comparing the intent behind each element in the Australian standard AS/NZS ISO 45001:2018 with the management practices and procedures your organisation currently uses." The gap analysis is the desk exercise that maps distance to the reference frame; the audit is the field exercise that tests whether the map is true.
What a real audit checks
The five elements of Comcare's National Audit Tool (Commonwealth licensee improvement program, report template v6), with the criteria count each carries. 108 criteria in total.
| Element | Criteria | What it tests |
|---|---|---|
| 1. Health and safety policy | 3 | A policy exists, is authorised and is communicated |
| 2. Planning | 11 | Hazard identification, legal requirements, objectives and plans |
| 3. Implementation | 79 | Whether the system is actually used: training, consultation, controls, contractors, emergency readiness |
| 4. Measurement and evaluation | 13 | Inspections, health surveillance, incident investigation, records, and audits of the system itself |
| 5. Management review | 2 | Whether leadership reviews the system and acts on what it finds |
The shape of that table is the story. Nearly three quarters of the criteria sit under implementation, and the tool's own scope note says the audit "consists of examining documentation and records to verify that systems exist and are working", supplemented by observation and interviews on site. Each criterion is rated conformance, non-conformance, not able to be verified, or not applicable. Comcare's system guidance makes the same point in prose: a WHS management system "is much more than simply having safety-related forms and policies in place and documented procedures"; the value is in achieving what the documents say, in an ongoing and managed way. A binder audit that checks documents exist would pass element 1 and stall at element 3.
Note the nesting, because the terms get conflated: workplace inspections are not audits. In the audit tool, the inspection program is itself criterion 4.1.1, one of the things the audit checks, including whether inspections involve the workers who do the inspected tasks (4.1.2) and whether engineering controls are tested for integrity (4.1.3). Incident investigation with corrective action is criterion 4.3, the same loop our incident reporting story shows a regulator running at state scale. And element 4.5 requires an audit program for the management system itself: the system that does not audit itself fails the audit.
Running your own gap analysis
Put together, the layers give a small or mid-sized PCBU a sequence that costs nothing but time. Check the legal floor first: walk the model code's review questions (are controls working in design and operation, have they introduced new problems, are procedures actually followed, are workers reporting problems promptly, are incidents trending down). Keep records as the code specifies, since documentation of the process is itself part of demonstrating compliance, and records are what any future audit will ask for first. Then, if the business wants the management-system frame, use the public artefacts before buying anything: Comcare's audit tool template shows exactly what an auditor will look for, and the gap between your practice and its 108 criteria is your gap analysis, whether or not certification ever follows.
Sourcing note
Criteria counts and quoted audit-scope wording are from Comcare's National Audit Tool report template (v6, as published on comcare.gov.au), downloaded and read 8 July 2026; the element descriptions in the table are our summary of its contents. Code wording is from the November 2024 edition of the model How to manage work health and safety risks code, read 8 July 2026. We have not reproduced any text of AS/NZS ISO 45001:2018 itself, which is paywalled; its description here is via Comcare's guidance. This page is general information about instruments, not advice about any particular workplace.