Compliance Audit Checklist: How to Identify and Close Compliance Gaps

Wed, 13 May 2026 06:25:56

A compliance audit is not just a paperwork exercise. It is a practical way to check whether your business can prove it is meeting its legal, safety, contractual and operational obligations.

For Australian construction businesses and high-risk workplaces, this means more than having a WHS policy saved in a folder. It means checking whether your SWMS are current, workers are trained, contractors are approved, incidents are recorded, corrective actions are closed, and site practices match what your documents say.

Many businesses only discover compliance gaps when a client, principal contractor, ISO auditor or regulator asks for evidence. By then, the gap can create stress, delays, failed audits, lost work or increased safety risk.

This compliance audit checklist explains what to review, how to identify compliance gaps, and how to create a practical action plan before small issues become bigger problems.

What Is a Compliance Audit?

A compliance audit is a structured review of whether a business is meeting the requirements that apply to its operations.

These requirements may come from:

  • WHS laws and regulations
  • Codes of practice
  • ISO standards
  • Client or principal contractor requirements
  • Internal policies and procedures
  • Contracts and tender requirements
  • Industry-specific obligations
  • Insurance or licensing conditions

A compliance audit can be completed internally by your own team or externally by a WHS consultant, auditor, client or certification body.

The purpose is to check whether your business has the right systems, documents, records and practices in place. A good compliance audit does not only ask, “Do we have a procedure?” It also asks, “Is the procedure current, understood, followed and supported by evidence?”

For construction businesses, a compliance audit may review areas such as SWMS, WHS documentation, training records, high-risk work licences, contractor management, incident reporting, plant and equipment inspections, and corrective actions. For a practical view of what site-level checks should include, see our guide to construction site inspections in Australia.

What Is a Compliance Gap Analysis?

A compliance gap analysis is the process of comparing where your business is now against where it needs to be.

It identifies what is missing, outdated, incomplete, inconsistent or not properly implemented.

A useful compliance gap analysis compares three things:

1. What is required

This includes legislation, standards, codes of practice, contracts, client requirements and internal procedures.

2. What is documented

This includes policies, procedures, SWMS, risk assessments, registers, forms, training records and reports.

3. What happens in practice

This includes how work is actually performed, how supervisors manage safety, how workers follow procedures, and how evidence is recorded on site.

The biggest compliance issues often appear between the second and third points. A business may have a procedure, but no evidence that workers have been trained in it. A SWMS may exist, but it may not reflect the actual task. A corrective action may be listed as complete, but there may be no proof that the issue was fixed.

That is why a compliance gap analysis is one of the most useful steps before an audit, ISO certification, tender submission, a regulator visit, or a major project. If your business needs help identifying and prioritising risks, our guide to WHS risk management for Australian businesses explains how to build a stronger risk-based approach.

Compliance Audit vs Compliance Gap Analysis

Although the terms are often used together, they are not exactly the same.

| Area | Compliance Audit | Compliance Gap Analysis |
| --- | --- | --- |
| Main purpose | Checks whether requirements are being met | Identifies the difference between current and required performance |
| Timing | Often scheduled, formal or client-driven | Often completed before an audit or system upgrade |
| Focus | Compliance status and evidence | Gaps, risks and improvement actions |
| Output | Audit findings or audit report | Gap register and corrective action plan |
| Best used for | ISO audits, client audits, regulator checks and internal reviews | Audit preparation, WHS reviews, tender readiness and system improvements |

A gap analysis is often the best first step before a compliance audit because it gives your business time to fix issues before they become formal audit findings.

Why Compliance Audits Matter for Australian Businesses

Compliance audits help businesses move from assumption to evidence.

A business may believe its systems are working, but an audit tests whether that belief can be supported by current documents, complete records and consistent site practices.

1. Reduce legal and regulatory risk

Regular compliance audits help identify issues before they become serious breaches. They can also help demonstrate that the business has taken reasonable steps to manage its obligations.

For high-risk workplaces, this is especially important because gaps in WHS systems, training, supervision or risk controls can expose workers and the business to unnecessary risk. Our article on the importance of risk management consulting services explains when external guidance can help businesses identify and manage these risks more effectively.

2. Improve workplace safety

A safety system is only useful if it works in practice.

A WHS compliance audit can identify whether hazards are being reported, risks are being assessed, controls are being implemented, workers are being consulted, and incidents are being investigated properly.

This helps prevent safety documentation from becoming disconnected from real site conditions.

3. Strengthen tender and client readiness

Many principal contractors and clients require evidence of safety systems, ISO certification, SWMS, licences, insurances and training records before awarding work.

If your records are incomplete or scattered, tendering and prequalification can become difficult. An audit-ready system makes it easier to respond quickly when a client asks for evidence. For businesses preparing for larger tenders, read our guide on whether you need ISO certification to tender.

4. Improve operational consistency

Outdated procedures, uncontrolled documents and inconsistent records can cause confusion across the business.

A compliance audit helps identify where processes need to be standardised, simplified or updated so that managers, supervisors, workers and contractors are working from the same expectations.

5. Protect reputation

A business that can demonstrate strong WHS, ISO and contractor compliance is more likely to build trust with clients, workers, insurers and project partners.

Good compliance is not just about avoiding penalties. It supports safer work sites, better systems and stronger business relationships. A strong compliance approach also supports a healthier safety culture in construction.

Compliance Audit Checklist: Key Areas to Review

The following compliance audit checklist can serve as a practical starting point for Australian businesses, especially construction companies, contractors, and high-risk workplaces.

1. WHS Compliance

Workplace health and safety should be one of the first areas reviewed in any compliance audit.

Your WHS system should show how the business identifies hazards, assesses risks, implements controls, consults with workers, manages incidents and reviews performance.

For businesses seeking a structured approach to daily checks, this daily worksite safety inspection checklist for construction sites can support ongoing WHS monitoring between formal audits.

WHS compliance checklist

Check whether:

  • The WHS policy is current and approved by management.
  • WHS responsibilities are clearly defined.
  • Risk assessments are completed and reviewed.
  • SWMS are current, task-specific and relevant to the work.
  • Workers have signed onto relevant SWMS.
  • Site inspections are completed and recorded.
  • Hazard and incident reporting processes are in place.
  • Emergency procedures are documented and communicated.
  • PPE requirements are identified and followed.
  • Plant and equipment inspections are recorded.
  • High-risk work licences are current where required.
  • Workers and supervisors understand their safety responsibilities.

Evidence to review

Useful evidence may include:

  • WHS manual
  • WHS policy
  • SWMS
  • Risk assessments
  • Site inspection records
  • Toolbox talk records
  • Incident reports
  • Hazard reports
  • Emergency plans
  • Plant and equipment inspection logs
  • Training records
  • Corrective action register

A WHS compliance audit should not stop at document review. It should also check whether workers understand the procedures and whether controls are actually being followed on site.

2. SWMS and Safe Work Procedures

Safe Work Method Statements are critical for high-risk construction work. However, one of the most common audit gaps is having SWMS that are too generic, outdated or disconnected from the actual task.

A SWMS should be specific enough to guide the work being performed. It should identify the high-risk construction work, the hazards involved, the control measures required, and how those controls will be implemented and monitored.

For more details on what a strong SWMS should include, read our guide to the must-have elements for every SWMS in Australia.

SWMS audit checklist

Check whether:

  • SWMS match the actual work activity.
  • SWMS identify high-risk construction work where applicable.
  • Control measures are practical and site-specific.
  • Workers have been consulted during SWMS development or review.
  • Workers have reviewed and signed onto the SWMS.
  • SWMS are available where the work is being performed.
  • SWMS are reviewed when work methods or site conditions change.
  • Supervisors understand and monitor the controls listed in the SWMS.

Common SWMS gaps

Common issues include:

  • SWMS copied from previous projects without review.
  • Generic controls that do not match site conditions.
  • Missing worker sign-on records.
  • SWMS not updated after a change in work method.
  • Controls listed in the SWMS but not implemented on site.
  • Workers signing documents they do not understand.

For businesses that need support with task-specific safety documentation, SSOS provides custom SWMS development to help align documents with real site activities. You can also review our guide to SWMS examples and templates for additional context on how SWMS are commonly structured.

3. Training and Competency Records

Training is one of the most common areas where businesses fall short during audits.

It is not enough for workers to be experienced. The business must be able to show evidence that workers are inducted, trained and competent for the tasks they perform.

Training compliance checklist

Check whether:

  • Worker induction records are complete.
  • Site-specific inductions are recorded.
  • A training matrix is maintained.
  • Licences, tickets and qualifications are current.
  • Expiry dates are monitored.
  • Refresher training is scheduled where required.
  • Toolbox talks are recorded.
  • Workers are trained in relevant SWMS and procedures.
  • Supervisors have training appropriate to their responsibilities.
  • Training records are easy to locate during an audit.

Common training gaps

Common issues include:

  • Missing induction records.
  • Expired licences or tickets.
  • Training completed but not recorded.
  • No training matrix.
  • Workers not trained in updated procedures.
  • Toolbox talks completed verbally with no record.
  • Supervisors unclear on compliance responsibilities.

A simple training matrix can make a significant difference. It helps the business track who has completed required training, what is due for renewal, and where gaps need to be closed.

4. Contractor Compliance

Contractor compliance is a major audit area for construction and project-based businesses.

If contractors are performing work on your site or on your behalf, you need a process for checking that they are appropriately qualified, insured, inducted and monitored.

Contractor compliance checklist

Check whether:

  • Contractors are prequalified before starting work.
  • Insurance certificates are current.
  • Licences and qualifications are verified.
  • Contractor SWMS are reviewed before work begins.
  • Contractors complete site inductions.
  • Contractor roles and responsibilities are clear.
  • Contractor performance is monitored.
  • Non-conformances are recorded and followed up.
  • Contractor documents are stored in a central location.

Common contractor compliance gaps

Common issues include:

  • Contractors starting work before documentation is complete.
  • Expired insurance certificates.
  • Licences or tickets not verified.
  • Contractor SWMS accepted without review.
  • No evidence of site induction.
  • No record of contractor monitoring.
  • Poor communication of site-specific requirements.

Contractor compliance should be checked before work starts, not after an issue occurs. SSOS can support businesses with construction safety consulting, including contractor documentation and site safety requirements. For more on why specialist support matters, read why professional consultancy is non-negotiable.

5. ISO Compliance and Management Systems

For businesses working toward ISO certification or maintaining certification, compliance audits should review how the management system is operating.

This may include ISO 9001 for quality, ISO 14001 for environmental management, and ISO 45001 for occupational health and safety.

If your audit is connected to WHS management system certification, our guide to the ISO 45001 certification standard provides a deeper explanation of how ISO 45001 works.

ISO compliance checklist

Check whether:

  • The scope of the management system is current.
  • Policies align with the relevant ISO standard.
  • Objectives and targets are documented.
  • Risks and opportunities are identified.
  • Internal audits are planned and completed.
  • Management reviews are recorded.
  • Non-conformances are tracked.
  • Corrective actions are verified.
  • Document control processes are followed.
  • Records are retained and accessible.
  • Staff understand their responsibilities within the system.

Common ISO audit gaps

Common issues include:

  • Internal audits have not been completed.
  • Management review minutes are missing.
  • Objectives not monitored.
  • Corrective actions have not been closed.
  • Procedures not updated after business changes.
  • Records stored inconsistently.
  • Staff are unaware of documented processes.

SSOS provides ISO certification consulting to help businesses prepare for certification, maintain management systems and address audit findings.

6. Document Control

Poor document control is one of the most common reasons businesses struggle during audits.

If staff are using outdated forms, old procedures or uncontrolled templates, the business may not be able to show that its system is current and reliable.

Document control checklist

Check whether:

  • A document register is maintained.
  • Approved versions are clearly identified.
  • Superseded documents are removed from use.
  • Review dates are assigned.
  • Document owners are listed.
  • Templates and forms are controlled.
  • Workers know where to access current documents.
  • Changes are approved before documents are issued.
  • Documents are reviewed after incidents, audits or major changes.

Common document control gaps

Common issues include:

  • Multiple versions of the same procedure.
  • Outdated forms are still being used.
  • No document owner.
  • No review schedule.
  • Procedures saved across personal drives or emails.
  • Staff are unsure which document is the current one.
  • Policies not reviewed after changes to work activities.

A controlled document system does not need to be complicated. What matters is that current documents are easy to find, old versions are removed, and changes are managed consistently.

7. Incident, Hazard and Near-Miss Reporting

Incident and hazard reporting shows whether the business is actively identifying and managing risk.

Auditors often look for evidence that incidents are reported, investigated and followed up with corrective actions.

Incident and hazard reporting checklist

Check whether:

  • Incident reporting procedures are documented.
  • Workers know how to report hazards and near misses.
  • Incidents are investigated.
  • Root causes are identified.
  • Corrective actions are assigned.
  • Actions are closed with evidence.
  • Serious incidents are escalated appropriately.
  • Incident trends are reviewed by management.
  • Lessons learned are communicated to workers.

Common incident reporting gaps

Common issues include:

  • Near misses not reported.
  • Workers unsure how to report hazards.
  • Incident investigations incomplete.
  • Corrective actions not tracked.
  • No evidence that actions were completed.
  • Similar incidents occurring repeatedly.
  • Management is not reviewing incident trends.

A strong reporting system should make it easy for workers to raise issues and for the business to take practical action.

8. Corrective Action Management

Audit findings, incident investigations, inspections and risk assessments often create corrective actions. The problem is that many businesses record actions but fail to close them properly.

A corrective action is not complete until there is evidence that the issue has been addressed and, where necessary, verified.

Corrective action checklist

Check whether:

  • A corrective action register is maintained.
  • Each action has a responsible person.
  • Each action has a due date.
  • Each action has a risk rating or priority.
  • Completion evidence is attached.
  • Overdue actions are escalated.
  • Actions are reviewed for effectiveness.
  • Repeat findings are investigated.

Common corrective action gaps

Common issues include:

  • Findings recorded but never closed.
  • No responsible person assigned.
  • No due date.
  • No evidence of completion.
  • Same issue appearing in repeated audits.
  • Actions closed without checking effectiveness.
  • High-risk actions are treated the same as low-risk tasks.

A practical action register should make it clear what needs to be done, who is responsible, when it is due, and what evidence is required to close it.

9. Consultation and Communication

Consultation is an important part of WHS management. Businesses should be able to show that workers are informed, consulted and involved in safety matters that affect them.

Consultation checklist

Check whether:

  • Toolbox talks are held and recorded.
  • Safety meetings are documented.
  • Workers are consulted on WHS matters.
  • Changes to procedures are communicated.
  • Worker feedback is recorded.
  • Supervisors understand consultation requirements.
  • Safety alerts or updates are distributed where required.
  • Consultation records are stored and accessible.

Common consultation gaps

Common issues include:

  • Verbal communication with no record.
  • Toolbox talks not documented.
  • Workers unaware of procedure changes.
  • No evidence of consultation before updating SWMS.
  • Feedback raised by workers but not actioned.
  • Safety meetings are held irregularly.

Communication does not need to be complex, but it does need to be consistent and recorded where appropriate.

10. Legal, Regulatory and Client Requirements

Compliance requirements change over time. Clients may also have specific safety, quality or environmental requirements that go beyond your internal procedures.

A compliance audit should check whether the business has a process for identifying, reviewing and responding to relevant obligations.

Legal and client requirements checklist

Check whether:

  • Applicable WHS laws and codes are identified.
  • Client requirements are reviewed before projects.
  • Tender compliance requirements are checked.
  • A legal and other requirements register is maintained.
  • Responsibility is assigned for monitoring changes.
  • Procedures are updated when requirements change.
  • Relevant workers are informed of changes.
  • Client-specific requirements are communicated to site teams.

Common gaps

Common issues include:

  • Outdated legal registers.
  • Client requirements missed during tender or project setup.
  • Procedures not updated after changes.
  • No person is responsible for monitoring updates.
  • Site teams unaware of project-specific requirements.
  • Old templates used for new contracts.

Businesses should review requirements before starting new projects, entering new work types or submitting major tenders.

Top Compliance Gaps That Cause Failed Audits

Many audit failures are caused by repeat issues that could have been identified earlier.

Below are some of the most common compliance gaps Australian businesses should watch for.

1. Outdated policies and procedures

Policies and procedures that have not been reviewed for years may no longer reflect current work practices, client requirements or business structure.

How to fix it:

Create a document register, assign document owners and set review dates.

2. Generic or missing SWMS

Generic SWMS may not properly address the actual risks of the task or site.

How to fix it:

Review SWMS against the specific work activity, site conditions and control measures. For high-risk construction activities, read more about the importance of SWMS for high-risk construction work.

3. Missing training and induction records

If training cannot be proven, it may not satisfy audit requirements.

How to fix it:

Maintain a training matrix and store induction, licence and refresher training records in one location.

4. Expired licences, tickets or insurances

Expired documents can create serious compliance and project risks.

How to fix it:

Track expiry dates and review them before workers or contractors start work.

5. Poor contractor prequalification

Contractors may introduce risk if they are not properly reviewed before starting work.

How to fix it:

Use a contractor prequalification checklist covering insurance, licences, SWMS, inductions and site requirements.

6. Weak document control

Uncontrolled documents make it difficult to prove that workers are using current procedures.

How to fix it:

Use a central document register and remove superseded versions from circulation.

7. No evidence of consultation

Auditors may look for records showing that workers were consulted about WHS matters.

How to fix it:

Record toolbox talks, safety meetings, consultation notes and worker feedback.

8. Incomplete incident investigations

Incident reports without root cause analysis or corrective actions may indicate poor risk management.

How to fix it:

Use a consistent investigation process and link findings to corrective actions.

9. Corrective actions not closed out

Open or repeated corrective actions suggest that the business is not resolving issues effectively.

How to fix it:

Assign owners, due dates and evidence requirements for every action.

10. Site practices not matching documented procedures

This is one of the most important audit gaps. A business may have strong documents, but if workers do not follow them, the system is not working.

How to fix it:

Check actual site practices through inspections, conversations and supervisor reviews.

11. No internal audit schedule

Waiting for an external auditor or client to find issues can create unnecessary pressure.

How to fix it:

Schedule regular internal audits and document the results.

12. No management review records

Management should be able to show that compliance performance is being reviewed.

How to fix it:

Hold regular management review meetings and record decisions, actions and follow-ups.

13. Scattered audit evidence

If records are spread across emails, desktops, paper folders and personal drives, audit preparation becomes difficult.

How to fix it:

Create a central audit evidence folder or register.

14. Failure to track changes

Compliance systems can become outdated when legal, client or business requirements change.

How to fix it:

Assign responsibility for monitoring updates and reviewing affected documents.

15. Treating compliance as a once-a-year task

Compliance should be maintained continuously, not rushed before an audit.

How to fix it:

Use regular reviews, inspections, training updates and corrective action tracking throughout the year.

How Often Should You Conduct a Compliance Audit?

The right audit frequency depends on your business, industry, risk profile and client requirements.

As a general guide, many businesses conduct a full compliance audit annually, with more frequent reviews for higher-risk operations.

You should also consider conducting a compliance audit or gap analysis:

  • Before ISO certification or recertification.
  • Before major tenders or prequalification.
  • Before starting a new high-risk project.
  • After a serious incident or near miss.
  • After a regulator visit or client audit.
  • When expanding into new work types or locations.
  • When legislation, standards or client requirements change.
  • When previous audit findings have not been fully resolved.

For construction businesses, smaller internal checks throughout the year are often more useful than waiting for one large annual review.

Internal Audit vs External Compliance Consultant

Some compliance audits can be completed internally, while others benefit from external support.

| Internal Audit | External Consultant |
| --- | --- |
| Useful for regular checks | Useful for independent review |
| Lower cost | More objective |
| Strong knowledge of the business | Specialist WHS, ISO or compliance expertise |
| May miss familiar issues | Can identify gaps internal teams overlook |
| Best for routine monitoring | Best before certification, tenders, incidents or major system changes |

When to Get External Help With Compliance Gaps

External compliance support may be useful when:

  • You are preparing for ISO certification.
  • You need custom SWMS for specific work activities.
  • A principal contractor has requested safety documents.
  • You have failed an audit or received major findings.
  • Corrective actions keep recurring.
  • Internal staff do not have time to manage WHS documentation.
  • You are unsure whether your safety system meets project requirements.
  • Contractor compliance records are incomplete.
  • You need an independent review before a tender or audit.
  • Your documentation exists but does not reflect actual site practices.

Getting help early can reduce pressure and give your business a clearer path to compliance.

How SSOS Can Help

Solving Safety On Site helps Australian construction businesses and contractors build practical safety and compliance systems that work in real site conditions.

SSOS can support your business with:

  • WHS compliance reviews
  • Construction safety consulting
  • Custom SWMS development
  • ISO certification consulting
  • Audit preparation
  • Compliance gap analysis
  • Corrective action planning
  • Contractor compliance documentation
  • Practical safety systems for construction and high-risk workplaces

Whether you are preparing for a client audit, improving your WHS system, developing SWMS, or working toward ISO certification, SSOS can help identify gaps and create practical actions to close them.

Final Thoughts

Most businesses do not fail audits because they have no documents. They fail because their documents, records and site practices do not line up.

A strong compliance audit checks more than whether a policy exists. It checks whether the policy is current, whether workers understand it, whether records support it, and whether it is being followed in practice.

Regular compliance audits and gap analyses help businesses identify problems before they become formal findings, project delays or safety risks.

By reviewing WHS systems, SWMS, training records, contractor documentation, corrective actions and site practices, your business can become more confident, more consistent and better prepared for its next audit.

Need Help Preparing for a Compliance Audit?

Need help identifying gaps in your WHS, SWMS, ISO or contractor compliance systems?

Solving Safety On Site can review your current documents, site practices and audit evidence, then help you create practical corrective actions to get your business audit-ready.

Prepare for your next audit with practical WHS, SWMS and ISO compliance support from SSOS.

FAQs

1. What is a compliance audit checklist?

A compliance audit checklist is a structured list of requirements, documents, records and controls used to assess whether a business is meeting its legal, safety, contractual or management system obligations.

For construction businesses, this may include WHS policies, SWMS, training records, contractor documents, incident reports, inspection records and corrective actions.

2. What is the difference between a compliance audit and a gap analysis?

A compliance audit checks whether requirements are being met. A gap analysis identifies the difference between the current state and the required state, then helps create a plan to close those gaps.

A gap analysis is often completed before an audit so the business can identify and fix issues early.

3. What should be included in a WHS compliance audit?

A WHS compliance audit should review policies, SWMS, risk assessments, training records, incident reports, hazard reporting, emergency procedures, consultation records, contractor documents, plant and equipment records, and corrective actions.

It should also check whether workers understand and follow the procedures in practice.

4. What are common compliance gaps in construction?

Common construction compliance gaps include generic SWMS, missing worker sign-ons, expired licences, incomplete inductions, poor contractor prequalification, outdated safety documents, missing toolbox talk records and corrective actions that have not been closed out.

5. How often should a business conduct a compliance audit?

Many businesses conduct a full compliance audit annually, with more frequent reviews for high-risk work, construction projects, ISO certification, major tenders, incidents, regulator visits or changes to legal and client requirements.

The right frequency depends on the business, type of work, risk level and client obligations.

6. Why do businesses fail compliance audits?

Businesses often fail audits because documents are outdated, evidence is missing, workers are not trained, corrective actions remain open, contractors are not properly checked, or actual site practices do not match documented procedures.

7. Can SSOS help with compliance audit preparation?

Yes. SSOS can help review WHS systems, SWMS, ISO documentation, contractor compliance records and audit evidence to identify gaps and create practical corrective actions before your next audit.

Copyright © 2024 Solving Safety On Site  - All Rights Reserved | Built with WebCommander