Audit Evidence: What to Keep, What to Drop, What to Digitise

If you’ve ever prepared for a WHS audit, you know the temptation: keep everything.

Folders expand. Shared drives overflow. Email chains get archived “just in case.”

But experienced auditors don’t reward volume — they look for relevance, reliability, and traceability.

Whether you’re preparing for a regulator interaction, client audit, or certification against ISO 45001, here’s how to decide what audit evidence to keep, what to drop, and what to digitise.

First: What Counts as “Audit Evidence”?

Audit evidence is any information that demonstrates your WHS management system:

• Meets legal requirements (e.g. Work Health and Safety Act 2011 and state equivalents)
• Is implemented in practice
• Is effective and reviewed

Evidence must be:

• Accurate
• Current
• Accessible
• Traceable

If it doesn’t support those criteria, it’s probably clutter.

What to Keep

These are documents and records that auditors consistently request and rely on.

1. Core Governance Documents

Keep:

• WHS policy signed by senior leadership
• Roles and responsibilities
• Organisational chart
• Legal compliance register
• Risk management procedure

These demonstrate structure and accountability.

2. Risk Management Records

Keep:

• Current risk assessments
• SWMS (where applicable)
• Hazard registers
• Control implementation records
• Review evidence

Important: Outdated risk assessments that no longer reflect operations should be archived — not active.

3. Training and Competency Records

Keep:

• Induction records
• High-risk work licences
• Verification of competency (VOC)
• Refresher training logs
• Supervisor competency evidence

Auditors look for proof that workers are competent at the time of work, not just when they were first hired.

4. Incident and Corrective Action Records

Keep:

• Incident reports
• Investigation findings
• Root cause analysis
• Corrective action tracking
• Evidence of close-out

What matters most is showing that actions were implemented and verified.

5. Consultation Evidence

Keep:

• Safety committee minutes
• HSR records
• Toolbox talk records
• Worker consultation feedback

WHS legislation places strong emphasis on consultation — auditors expect to see evidence of it.

What to Drop (or Archive Properly)

Not all documents need to stay in your active audit folder.

1. Superseded Policies and Procedures

If a document has been replaced:

• Archive it with version control
• Remove it from operational folders
• Ensure only current versions are accessible

Auditors often identify “document control failures” when outdated procedures remain in circulation.

2. Redundant Forms

Many organisations collect forms no one reviews:

• Pre-start checklists never analysed
• Hazard reports with no follow-up
• Meeting minutes no one reads

If a record doesn’t inform decisions or improvements, question why it exists.

3. Excessive Email Evidence

Email chains are weak audit evidence unless:

• They demonstrate formal approval
• They verify a decision
• They confirm action completion

Where possible, convert critical decisions into controlled records.

4. Duplicated Records

If information exists in multiple systems:

• Choose one “source of truth”
• Eliminate manual duplication
• Reduce reconciliation errors

Duplication creates audit risk.

What to Digitise

Digitisation isn’t just about convenience — it improves traceability and audit readiness.

1. Training Registers

Move from spreadsheets to:

• Centralised training management systems
• Automated refresher alerts
• Licence expiry tracking

This reduces non-compliance risk.

2. Risk Registers

Digital risk systems allow:

• Version control
• Review tracking
• Control verification
• Dashboard reporting

Auditors appreciate systems that clearly show when risks were last reviewed.

3. Corrective Action Tracking

Manual spreadsheets often fail because:

• Actions aren’t assigned clearly
• Deadlines aren’t monitored
• Close-outs aren’t verified

Digital systems provide accountability and audit trails.

4. Contractor Management

Digitise:

• Prequalification documents
• Insurance currency
• SWMS approvals
• Induction records

This is especially valuable for construction, logistics, and multi-site businesses.

How Long Should You Keep WHS Records?

Retention requirements vary depending on the type of record and state legislation, but common examples include:

• Incident records involving serious injury: often 5+ years
• Health monitoring records (e.g. asbestos exposure): decades
• Training records: duration of employment + additional period

Always align with applicable WHS regulations and industry-specific requirements.

The “Audit-Ready” Test

Ask these five questions about any document:

1. Does this demonstrate compliance or effectiveness?
2. Is it current?
3. Is it controlled (versioned and authorised)?
4. Can we retrieve it within minutes?
5. Does it show follow-through, not just intent?

If the answer is “no” to most of these, reconsider its place in your system.

The Biggest Mistake Businesses Make

They build systems for the audit — not for the business.

Auditors (including those assessing against ISO 45001) are trained to detect:

• Over-documented systems
• Forms created purely for compliance
• Records that exist but aren’t used

Strong evidence is:

• Simple
• Relevant
• Consistent
• Embedded in daily operations

Final Thoughts

Good audit evidence isn’t about volume — it’s about clarity and control.

Keep what proves your system works. Drop what adds noise. Digitise what improves visibility and accountability.

An audit-ready organisation isn’t the one with the most folders. It’s the one where evidence is accurate, current, and easy to find — every day, not just before the auditor arrives.

Sherm Software will help you to become an audit-ready organisation, book a demo today to see how.

Our Audit Readiness Guide explains how businesses can design systems that withstand multiple audit regimes simultaneously.